celtic, see:
http://wiki.pfsense.com/wikka.php?wakka=PortForwardTroubleShooting

Now I found the right thread: http://forum.pfsense.org/index.php/topic,1528.0.html - don't know why I didnt find it earliear when i was trying to solve the problem myself :( sorry for the trouble.

Thanks
Arno

I have similar problem. I can't do NAT on WAN2.
On WAN it worked all the time but for WAN wan't  :(
If I set it I allways have WAN IP.
I do VIP's as Proxy ARP, CARP but it never worked.
I try to set WAN2 ip as default route for few machines on LAN. Can somebody knows how to set this?

I'm not using bridge, until now I just named the interface..

The main issue with NAT'ing twice is protocols that are NAT-unfriendly. That includes some VPN client software, some VoIP protocols, FTP, amongst others. These protocols are a pain to deal with when doing NAT once, adding a second NAT into the mix makes it twice as difficult to make these things work right and troubleshoot when things aren't working.

It should be avoided if possible, because it's usually adding a layer of complexity that's unnecessary. In your case, I would see if you could use the modem as strictly a bridge and put the static IP on pfsense.

It doesn't affect packet size because NAT changes the source IP and possibly port (depending on the NAT implementation) on packets, it doesn't add anything to them.

udp reflection should work, the problem seems to be when using a single rule with "tcp/udp". We need to check this.

http://wiki.pfsense.com/wikka.php?wakka=FTPTroubleShooting

@hex2bin:

did you plug in WAN and LAN into the same physical network?

Jepp, the firewall just acts as a webfilter, so it is no security problem.

But it is a networking problem - your firewall can't have two interfaces on the same subnet, and it's never good to have both on the same broadcast domain.

What do you mean by web filter? What are you wanting to accomplish?

Yes.  Basically how IP works.

I musta been delirious from being out in the sun all muddied up yesterday or something because I just now tried this at our office and it's working fine.  I didn't change my setup  ???

Oh well, it works so I'm not gonna complain.  :P

Good to hear  :D

the error with  oracle listener nat, by default port 1521, was that i push the rules at the end, so, change , and push the firewall rules at top of list, and found OK.

pd: sory by my english boys.

sorry guys for asking that silly question I didn't really think through what I was doing. It is all sorted. Memory block  ???

sullrich, yeaaaa, thanks sr. just in the target *

more status on this issue as of today it is no longer working and this is with the other rule in place.

Here are the logs

Apr 23 18:04:39 pf: 10. 726712 rule 38/0(match): pass in on xl0: 192.X.X.X.123 > 207.46.130.100.123: NTPv3, symmetric active, length 48
Apr 23 18:00:32 pf: 156. 377540 rule 38/0(match): pass in on xl0: 192.X.X.123 > 192.43.244.18.123: NTPv3, symmetric active, length 48
Apr 23 17:57:56 pf: 23. 546766 rule 38/0(match): pass in on xl0: 192.X.X.X.123 > 192.43.244.18.123: NTPv3, symmetric active, length 48
Apr 23 17:57:32 pf: 86. 472199 rule 38/0(match): pass in on xl0: 192.X.X.X.123 > 207.46.130.100.123: NTPv3, symmetric active, length 48

Windows reporting time period exspired

Here are the rules

UDP  *  *  *  123 (NTP)  *  NTP Rule

LAN net  *  *  *  *  Default LAN -> any

Update

Removed the first rule and it looks to have returned again. I think I may have found something not 100% sure but it does fail on the first appemt but does complete on the second third and forth attempt.

Ok…

Disregard. I figured it out. The problem had was a bad route.

Yep!  Thats it!  I didn't realize (and i should have, im an idiot) that their is the implicit deny all.  A simple permit all allowed traffic to flow.

Thanks for helping a n00b out!

Aliases work for every input field with red background.

pfSense operates on the packet incoming to an interface which creates a state.

So think of it as incoming to a interface initially (SYN).