• Apache on port 80 NAT

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    Did you manually create the firewall rule, or was it auto-created when adding the NAT entry? In case you created it by hand, let us see the rule please. Make sure the host behind the client has no firewall of its own and uses the correct gateway. You also have to test this from the outside (in case you try this from the inside it won't work without NAT reflection turned on, but this might cause issues with your webgui if it still listens at port 80).
  • Is a default block rule for Lan necessary? (newbie question)

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    S
    @Rockyboa: Again, like I mentioned in the Firewall thread, the outgoing FTP is not blocked even with this invisible block all rule. Martin Block incoming on LAN to 127.0.0.1. That will kill it.
  • SSH disconnect

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    Check your ssh-client for a keepalive setting. Another option is to raise the default state timeout for this connection by editing the advanced option for this firewall rule.
  • Port forwarding to print server loopback issue

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    H
    That didn't help either.  Regardless of what I do, I can loopback into the SSH box, but the printing only works from external sources. Would any sort of diagnostic output help?  Like I said earlier, I'm very new to pfSense and really don't know how to diagnose these problems.
  • 0 Votes
    32 Posts
    14k Views
    H
    My homebox has 2x intel fxp onboard (ibm eserver). I don't see any issues with it. Not a zero in/out error. Same at the nexcom at our office or 2 other nexcoms that I have out with intel nics. However these drivers have support for several intel chipsets, so the problems might only arise with really new chipsets like in your hardware.
  • 0 Votes
    5 Posts
    2k Views
    A
    well, the problem was the protos i configured in the mappings were tcp/udp… i modified it to tcp now and now it's fully working
  • Forwarding a external IP to another external IP

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Redirect traffic to a single external host:port from internal client

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    J
    What I would like to do is similar, but, just a single host IP:port (the pfsense LAN interface address actually) to an internal LAN host:port (port being the same for both). What I am trying to do is have LAN:25 (and ONLY LAN:25) being redirected to the internal:25. All other WAN destinations:25 would be unimpeded. I have tried a LAN NAT rule with the "external" source the LAN interface IP and any port to the internal IP port 25. But, as you might guess, it only works when you are on the pfsense shell such that you are coming from LAN interface IP. I am sure there is some way to do this. Maybe it takes more than one NAT rule to do. Not sure.
  • DMZ NAT issues - can't disable nat

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    F
    I have answered my own question: it was in fact working; however, ftp was still showing up as the firewall's interface IP. Ticking disable ftp helper on all the interfaces fixed this. I had to do it on all interfaces. WAN -> DMZ shows client's IP; DMZ -> WAN shows DMZ server's IP; LAN -> DMZ shows LAN client's IP; LAN -> WAN shows firewall's WAN IP
  • Dual LAN, opt1 not port forwarding

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    R
    It was the default gateway :) Thanks!
  • Connections to DMZ kicking me out

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    G
    I tried re-installing (I took the snapshot this time) and it didn't work. A few more details about my network: [image: mynetworkbr7.th.png] As seen in the picture, server IP: 192.168.2.2, laptop IP: 192.168.1.2. All traffic from DMZ (192.168.2.1/24) to LAN (192.168.1.1/24) is blocked! Now if I try SSH or Telnet to any service to example.org (by domain name, so my laptop will get it as 2.0.0.2), the connection will be closed after 3/4 seconds of inactivity! However, if I use SSH/Telnet but this time to 192.168.2.2 (by IP), then the connection will stay open… Any solution?? Thx
  • How to get HighID in eMule

    Locked
    9
    0 Votes
    9 Posts
    7k Views
    J
    Does it work if I have traffic shaper on, and it manages p2p traffic by QoS?
  • Xbox 360 configuration NAT: strict

    Locked
    10
    0 Votes
    10 Posts
    9k Views
    Y
    To help you (I hope ^^): I've got a 360 connected to LAN. And the only thing I had to do to make XboxLive! work is to set up a NAT on the following ports: 3074 TCP -> 3074 TCP; 3074 UDP -> 3074 UDP (and not 2074 like you said ;) ); 88 UDP -> 88 UDP (from WAN, to the 360). Sometimes when I'm running the Live! test on my Xbox, it tells me that it's Strict, but often it tells me that it's OPEN. So I suppose that it's OPEN in all cases and it's just a bad detection from the 360 :) And don't forget to make the rules to allow this traffic in your firewall ;)
  • Active nat loopback

    Locked
    4
    0 Votes
    4 Posts
    18k Views
    H
    @sdale: You need to also change the webgui port to use a different http port, ex 8080, or change to https. Https is better anyhow ;) Only if you try to access the webgui on the external IP. If you come from LAN and try to access it by its internal IP it will still work.
  • NAT and Dynamic DNS

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    Y
    @Piplfox:
    If  Proto  Ext. port range  NAT IP  Int. port range  Description
    WAN  TCP/UDP  5800  192.168.2.3  5800  (ext.: any)
    Try setting the External address to 'Interface Address', instead of 'any'.
  • Problem with ms rdp

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    Y
    Your description of your problem is not totally clear, but here is how the NAT should look for RDP:
    If  Proto  Ext. port range  NAT IP  Int. port range
    WAN  TCP  3389 (MS RDP)  Internal PC  3389 (MS RDP)
    The firewall rule will then look something like this:
    Proto  Source  Src Port  Destination IP  Dst Port
    TCP  Any  *  Internal PC  3389 (MS RDP)
    If you change the NAT Internal Port Range, you have to modify the Firewall rule Dst Port to reflect the same change. In other words your Int Port Range, NAT IP in your NAT and the DstIP, Dst Port in the firewall rule must always match. The only other problem that I can see is that the machine running terminal server is listening on 3390 instead of 3389. Do a google search on how to change this back to 3389 if you need to.
  • Single wan -> lan with port forward for DNS - everything blocked

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    D
    I moved the wan to our live t1 so I could log more traffic. I added NAT rules + auto FW rules for HTTP. I see passed packets for port 80 and tons of blocks still for 53. Thanks!
  • Multiple subnets

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    H
    thanks, I'll try to do that (routers used are linksys wrt54g with a modified firmware dd-wrt) Chady
  • MOVED: about loadbalance

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Simple port forwarding - WAN&LAN on same subnet

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG
    i've done what you're trying to do in the past. i suppose you've set up 2 virtual interfaces. 1: virtualNIC1 -> bridge to PfsenseWAN, virtualNIC2 -> bridge to PfsenseLAN. now you should bridge the virtualNIC1 to a real NIC. 2: the pfsenseWAN should now be able to get an IP from your DHCP on your network. now you have to forward the ports to the IP of your PfsenseWAN IP. 3: you can set your virtualNIC2 to dhcp and activate on PfsenseLAN the DHCP server. your virtualNIC2 should now get an IP from your pfsense. at last you have to set up port forwarding rules. your virtualNIC2 will now be able to receive traffic from the ports forwarded from the outside :) i hope i helped. good luck
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.