pfSense operates on the packet incoming to an interface which creates a state. So think of it as incoming to a interface initially (SYN).

"other" won't generate any layer2 messages. This can be useful if the IPs are routed to you anyway. If you need to answer with ARP for your VIPs you have to use ProxyARP or CARP.

This does not make any sense. Are you on the latest snapshot?    If so please remove all ftp port forwards and firewall rules for 21 and readd. Then do this from the console or ssh: ps awwux | grep pftpx I would like to understand why this work for you when clearly it should not (port 20).

Btw, portforwards work with natreflection, 1:1 nat not, only in case you need that feature.

Try a recent snapshot, FTP should work out of the box now. seems to fix all the problems people were having. http://snapshots.pfsense.com/FreeBSD6/RELENG_1/

As hoba said, 1:1 NAT is not a security issue unless you want to make it one. If you have as many IP's as internal servers, it's usually preferable to use 1:1 NAT over port forwarding.

Firewall -> NAT -> Port Forward

From pm discussion, I've confirmed those ports aren't really open on his firewall, and it's behaving as his shown firewall ruleset should, proving it was something to do with the network of the person who scanned him originally.

There is an ftp-helper build in that you can enable/disable per interface for these kind if situations. Besides that no other protocol is proxied to rewrite IPs.

Others have asked about this a few times in the past, and numerous times on the m0n0wall list, and nobody has ever been able to find a solution. It's certainly a desirable feature, if you can find a way to implement it I'm sure patches would be accepted.

Nice. Thanks for the feedback  :)

Now, i know what the problem is. My brother's isp is using SIP and ichat is also using SIP so there's conflict. I don'y know if someone have a solution ? Thanks!!

Please have a look at http://forum.pfsense.org/index.php/topic,4215.0.html

4/03 SNAPSHOT seems to have everything good to go.  Been working fine! Thanks

You can manually edit the config.xml and exchange the interfacename with the IP-Adress and reupload the config. Just don't touch this pool with the gui again and it should work with the newer versions.

That would be great if you found that solution for me. Of course changing the internal modem IP to be the same network range as the LAN, eg 10.0.209.2 is not a problem… Best regards!!

Think I solved my own problem: http://forum.pfsense.org/index.php/topic,4225.msg25915.html#msg25915

Search the forum for "static port". H323 can be as tricky as SIP.

I try to stay as far away from Appletalk as possible, but AFAIK trying to to encapsulate it in IP and route it somewhere is much more trouble than it's worth. Most of the old Laserwriters I have seen support IP/LPR printing. Just my 2c, but I think you would be better off getting rid of any Appletalk only devices and getting something made in the last fifteen or so years…

It works now with the latest snapshot (23-03-2007) !! but any chance to have a NAT 1:1 with apple talk compatibility ?