  • DMZ NAT issues - can't disable nat

    Locked, 0 Votes, 2 Posts, 2k Views
    I have answered my own question: it was in fact working, however FTP was still showing up as the firewall's interface IP; ticking disable ftp helper on all the interfaces fixed this. I had to do it on all interfaces.
    WAN -> DMZ shows client's IP
    DMZ -> WAN shows DMZ server's IP
    LAN -> DMZ shows LAN client's IP
    LAN -> WAN shows firewall's WAN IP
  • Dual LAN, opt1 not port forwarding

    Locked, 0 Votes, 3 Posts, 2k Views
    It was the default gateway :) Thanks!
  • Connections to DMZ kicking me out

    Locked, 0 Votes, 4 Posts, 3k Views
    I tried re-installing (I took the snapshot this time) and it didn't work. A few more details about my network: [image: mynetworkbr7.th.png] As seen in the picture, server IP: 192.168.2.2, laptop IP: 192.168.1.2. All traffic from DMZ (192.168.2.1/24) to LAN (192.168.1.1/24) is blocked! Now if I try SSH or Telnet to any service to example.org (by domain name, so my laptop will get it as 2.0.0.2), the connection will be closed after 3/4 seconds of inactivity! However, if I use SSH/Telnet but this time to 192.168.2.2 (by IP), then the connection will stay open… Any solution? Thx
  • How to get HighID in eMule

    Locked, 0 Votes, 9 Posts, 7k Views
    Does it work if I have traffic shaper on, and it manages p2p traffic by QoS?
  • Xbox 360 configuration NAT: strict

    Locked, 0 Votes, 10 Posts, 9k Views
    To help you (I hope ^^): I've got a 360 connected to LAN. And the only thing I had to do to make XboxLive! work is to set up a NAT on the following ports:
    3074 TCP -> 3074 TCP
    3074 UDP -> 3074 UDP (and not 2074 like you said ;) )
    88 UDP -> 88 UDP
    (From WAN, TO the 360)
    Sometimes when I'm running the Live! test on my Xbox, it tells me that it's Strict, but often it tells me that it's OPEN. So I suppose that it's OPEN in all cases and it's just a bad detection from the 360 :) And don't forget to make the rules to allow this traffic in your firewall ;)
  • Active nat loopback

    Locked, 0 Votes, 4 Posts, 18k Views
    @sdale: You need to also change the webgui port to use a different http port, e.g. 8080, or change to https. Https is better anyhow ;) Only if you try to access the webgui on the external IP. If you come from LAN and try to access it by its internal IP it will still work.
  • NAT and Dynamic DNS

    Locked, 0 Votes, 4 Posts, 2k Views
    @Piplfox:
    If  | Proto   | Ext. port range | NAT IP      | Int. port range | Description
    WAN | TCP/UDP | 5800            | 192.168.2.3 | 5800            |
    (ext.: any)
    Try setting the External address to 'Interface Address', instead of 'any'.
  • Problem with ms rdp

    Locked, 0 Votes, 6 Posts, 3k Views
    Your description of your problem is not totally clear, but here is how the NAT should look for RDP:
    If  | Proto | Ext. port range | NAT IP      | Int. port range
    WAN | TCP   | 3389 (MS RDP)   | Internal PC | 3389 (MS RDP)
    The firewall rule will then look something like this:
    Proto | Source | Src Port | Destination IP | Dst Port
    TCP   | Any    | *        | Internal PC    | 3389 (MS RDP)
    If you change the NAT Internal Port Range, you have to modify the Firewall rule Dst Port to reflect the same change. In other words, your Int Port Range, NAT IP in your NAT and the DstIP, Dst Port in the firewall rule must always match. The only other problem that I can see is that the machine running terminal server is listening on 3390 instead of 3389. Do a Google search on how to change this back to 3389 if you need to.
  • Single wan -> lan with port forward for DNS - everything blocked

    Locked, 0 Votes, 2 Posts, 2k Views
    I moved the WAN to our live T1 so I could log more traffic. I added NAT rules + auto FW rules for HTTP. I see passed packets for port 80 and tons of blocks still for 53. Thanks!
  • Multiple subnets

    Locked, 0 Votes, 5 Posts, 3k Views
    Thanks, I'll try to do that (routers used are Linksys WRT54G with a modified firmware, dd-wrt) Chady
  • MOVED: about loadbalance

    Locked, 0 Votes, 1 Posts, 2k Views
    No one has replied
  • Simple port forwarding - WAN&LAN on same subnet

    Locked, 0 Votes, 2 Posts, 2k Views
    GruensFroeschliG
    I've done what you're trying to do in the past. I suppose you've set up 2 virtual interfaces.
    1: virtualNIC1 -> bridge to PfsenseWAN, virtualNIC2 -> bridge to PfsenseLAN. Now you should bridge the virtualNIC1 to a real NIC.
    2: The pfsenseWAN should now be able to get an IP from your DHCP on your network. Now you have to forward the ports to the IP of your PfsenseWAN IP.
    3: You can set your virtualNIC2 to DHCP and activate on PfsenseLAN the DHCP server. Your virtualNIC2 should now get an IP from your pfsense.
    At last you have to set up port forwarding rules. Your virtualNIC2 will now be able to receive traffic from the ports forwarded from the outside :) I hope I helped. Good luck
  • My NAT issue

    Locked, 0 Votes, 1 Posts, 2k Views
    No one has replied
  • VoIP Phones losing connection thru NAT

    Locked, 0 Votes, 13 Posts, 11k Views
    @dieselvw: Thanks, Hoba, I'll give those things a try.  One other thought that might help in diagnosing this:  if I use a Cisco router (such as a 2611) everything works perfectly.  An idea to explore, if someone here can do it, is what is unique about the Ciscos that makes them so compatible with these VoIP services?  There's a lot to dislike about Cisco – the cost, and overall their mean-time-between-failures leaves a lot to be desired.  So, what is Cisco doing that pfsense isn't? Thanks. Was this ever resolved?  I have exactly the same issue with the same VoIP provider.  Nuvio does use proxy servers on the connection from my phones to them, but my phone ringing is still sporadic.  I have 2 IP phones in my office and I have them set to 192.168.100.50 and .51.  I have enabled Advanced Outbound NAT and set up a rule for static port on the WAN interface for 192.168.100.50/31 which should cover me, but that does not seem to be a total cure.  I was using a Snapgear router (based on Linux IP Tables) and did not need any special settings for things to work.  I do not mean that as a knock, I just think there is maybe something simple that we're missing here. Anyone have any other thoughts? Also, related to this, are Advanced Outbound NAT and Enable IPSec Passthrough mutually exclusive since they are on a radio button together?
  • Inside -> outside then outside -> inside

    Locked, 0 Votes, 6 Posts, 3k Views
    Btw, scrambling ports during NAT is a security feature and not meant to piss people off. However, some applications/protocols don't like this behaviour, but you can work around it with the outbound NAT rules.
  • Xbox Live Issue

    Locked, 0 Votes, 12 Posts, 6k Views
    Hi, pfsense is running well with Xbox Live … ! It is a simple trick what you have to do to get the result "moderate" at the NAT test. At the firewall -> nat -> outbound section, choose the automatically generated NAT rules. Click edit, then enable "static nat". Save and, if you have the redirect rules, you have a working pfsense box. holger
  • 1 to 1 nat issues

    Locked, 0 Votes, 3 Posts, 3k Views
    Perfect…thanks!
  • How to setup DMZ without Natting?

    Locked, 0 Votes, 6 Posts, 5k Views
    It's actually a feature already built in to FreeBSD called tcpdump, I'm just creating the gui for it.
  • Transparent bridge with transparent web proxy? Possible?

    Locked, 0 Votes, 2 Posts, 3k Views
    No it is not possible.  There is a bounty setup to add this feature.  Check out the bounty area.
  • Disconnected after 30 seconds

    Locked, 0 Votes, 5 Posts, 2k Views
    Not sure if this helps for this condition but try to enable the static route filtering  option at system>advanced.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.