  • HELP!!!! Problem w/ Virtual IPs and NAT

    Locked | 0 Votes | 3 Posts | 2k Views
    I finally found the answer… I had to set up CARP interfaces for each of the virtual IPs and then the NAT port forwarding worked just fine. BTW... I also found that I had to specify the same subnet mask for each CARP interface or it wouldn't work. For example: my main interface is XXX.XXX.XXX.98/27. My CARP interfaces had to be XXX.XXX.XXX.99/27 to XXX.XXX.XXX.104/27.
  • Pooled NAT for 2000 Users

    Locked | 0 Votes | 3 Posts | 2k Views
    Great to hear so far. I'm about to install this on a permanent box, and I'm hoping for the best. I have a range of about 13 IPs or so that I can dedicate to the students, so I may NAT their entire subnet to that range of IPs. I'm glad to hear that I'm not crazy and that others have had problems with FreeBSD freezing under heavy IPFilter loads as well. I thought it was something I was doing wrong.
  • NAT 1:1 issue

    Locked | 0 Votes | 19 Posts | 10k Views
    @cardinalweb: Hopefully someone can clarify, from what I can tell from the forum and other responses is it true that NAT Reflection will NOT work on Virtual IP Addresses that have been assigned through NAT 1:1, BUT it will work on any addresses you set up within NAT port Forwarding?
    That's correct. I'm locking this thread though, since it discusses issues about a year and a half ago, it's largely no longer relevant to any currently supported versions. If you have further questions please start a new thread.
  • 8 virtual IPs, NAT + Subnet problems! SOLVED

    Locked | 0 Votes | 6 Posts | 3k Views | dotdash
    Not sure if you've figured it out (as title now says solved), but it occurred to me that you might have meant Proxy-ARP and not CARP by PARP. While CARP addresses should have the correct mask, Proxy-ARPs added as you show should have been added as 'single address' /32.
  • [Q] Firewall: NAT: 1:1

    Locked | 0 Votes | 4 Posts | 3k Views
    Maybe you don't even need VIPs. If you really just want to make one machine available to the public, add a port forward with an appropriate firewall rule (let it be autogenerated). I think you are overcomplicating things here.
  • Port forwarding not working

    Locked | 0 Votes | 3 Posts | 2k Views
    @GruensFroeschli: do you want to 1:1 NAT or just normal NAT?
    Normal NAT or, if possible, 1:1 NAT. I could try both and see which one will work better, thanks.
  • Want to reach my inside web_server from outside

    Locked | 0 Votes | 2 Posts | 2k Views | GruensFroeschli
    Why do people post the same thing in two different threads? Attached you can see an example of a NAT and firewall rule (which is autocreated when you create the NAT entry). The server that should be accessible has the IP 172.22.30.200 and runs on port 81. If you want to run your server on port 80, you need to change the webgui of pfSense to a different port. If you don't want to do that, you can create a Virtual IP in your subnet on WAN and 1:1 NAT this VIP to your server. The server is then accessible via this VIP. [image: freenas_webgui_nat.JPG] [image: freenas_webgui_fw.JPG]
  • How to Forward Port on pfSense

    Locked | 0 Votes | 6 Posts | 3k Views
    Can someone put a screen capture of the NAT/rules and NAT/port_forward so I can reach my server inside the LAN when I am outside?
    My router IP = 10.0.0.1/8
    pfSense WAN IP = 10.0.0.254/8
    pfSense LAN IP = 192.168.1.1/16
    My web_server IP = 192.168.1.101/16
    The PC from which I want to reach the web_server is = 10.0.0.7/8
    Thanks …
  • Reaching a SSH server inside the LAN… Urgent!

    Locked | 0 Votes | 3 Posts | 2k Views | Cry Havok
    Sounds like a pretty standard port forward setup - look at the NAT menu.
  • Can't connect on ftp servers worldwide

    Locked | 0 Votes | 2 Posts | 2k Views | dotdash
    There is a pfSense package available for NTOP (system, packages). Have you verified DNS resolution from the firewall? Do you have the ftp helper enabled on the LAN interface?
  • Problem To Configure Network

    Locked | 0 Votes | 6 Posts | 4k Views
    Thanks everyone, solved it. Like dotdash said, it is all automatically NATed; only I made a careless mistake. shreckbull, thanks for the info.
  • Duplicate ports allowed

    Locked | 0 Votes | 2 Posts | 2k Views
    I think the GUI only checks when you have 2 rules of TCP or 2 of UDP or 2 of TCP/UDP, but not a mix. But it's not a problem: the first rule wins, the other is never seen.
  • Can't access my POP3/SMTP server from the same ISP…

    Locked | 0 Votes | 2 Posts | 3k Views | dotdash
    Everything except DNS is TCP, not TCP/UDP, so I would change your rules for SMTP/POP, etc. to use only TCP. Then it should work with NAT reflection on. I would think a better solution would be to use internal DNS servers with the private numbers, or do split DNS.
  • Can't connect to FTP Server behind pfSense

    Locked | 0 Votes | 2 Posts | 3k Views
    As long as the client is configured properly for the custom port as well, shouldn't be a problem (doing the same thing on my setup). Are you sure you have the correct ports forwarded for passive mode as well? Is the ftp helper enabled?
  • Possible to PortForward WAN -> LAN -> LAN ?

    Locked | 0 Votes | 11 Posts | 5k Views | jahonix
    @SecureMe: …via a manually entered "Static Route" in pfSense... So Chris - have I made it more confusing?
    Oh boy, I was busy recently. Didn't realize that I was that far off the track… Of course, a static route in pfSense makes perfect sense and is the missing brick I was looking for. Thanks Jason for your rather long explanation! Even I got it now. I shut up now and have some sleep...  :-X
  • FTP. Is it possible

    Locked | 0 Votes | 7 Posts | 3k Views
    @bgbearcatfan: Sorry, I don't understand the wording of your question.
    OK sorry  :'( "why one should all the firewall rules" I forgot the word delete. So it should say "why one should delete all the firewall rules". I thought that was not necessary. And indeed it wasn't. I didn't have the forwarding rule for the passive ports  :-. Everything works fine now. Thanks for the help. Rgds, Hellsblade
  • Incoming VOIP only working for a few minutes

    Locked | 0 Votes | 16 Posts | 8k Views
    I had the same issue while trying to receive incoming calls from my SIP provider to my Asterisk server, which is NATed behind a pfSense box. What resolved my issue was setting up my Asterisk server to refresh its connection to my SIP provider every 10 sec in sip_nat.conf: "externrefresh=10", thus avoiding the expiration of the UDP session which occurs every 30 to 60 seconds. I think the same thing can be done with an ATA or VoIP telephone, by setting "Nat keep alive = yes" and "Use DNS SRV = yes". Hope I was helpful.
  • NAT Online Gaming Problems

    Locked | 0 Votes | 7 Posts | 6k Views
    @cmb: http://wiki.pfsense.com/wikka.php?wakka=StaticPort
    Perfect post that solved my problems. Thanks for all the info guys.
  • LAN NAT redirect to another port doesn't work?

    Locked | 0 Votes | 18 Posts | 10k Views | jahonix
    @sullrich: I have some serious reservations about folks running 1.0.1. 1.2 even in beta stage has thousands of fixes not included in 1.0.1.
    Right, but remember that it is still beta and some folks aren't keen on using that. The latest stable release for now is 1.0.1, so I would guess lots of folks are (still) using it. However, this will change with the release of 1.2 stable. The beginning of this thread showed that it would be helpful to have something like a 'big picture' of pfSense. What, where and in which order would be great! Recently you suggested a nice Web drawing tool… What do you think? Chris
  • Trouble with NAT / Firewall rules, and dynamic WAN IP

    Locked | 0 Votes | 4 Posts | 3k Views
    Really? Thanks, I'm going to upgrade!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.