oky, the reason is that on the linux machine i have not jet configured the proper gateway!

solution: delete all nat and ftp rules (ftp related) reboot add one first ftp nat, save auto created rules and apply reboot add one second ftp nat, save auto created rules and apply don't reboot different 2 ext. and 2 int. fpt server accessed.

Thanks for your advice, but I think it will redirect whole IP address not just one port. I think somethink similar what is implemented in e.g. ZyXEL ZyAIR G-2000 plus router (firewall with WAN-to-WAN rules). I do not know if it is possible to do in pfSense firewall.

Ufff!! :) i´ve found the problem :) if i have the captive portal active … the nat rules and upnp dont work ... What do i have to do ? Sorry guys .. and thank you :)

Guess something like that would be needed: http://www.openbsd.org/cgi-bin/man.cgi?query=tftp-proxy&sektion=8&manpath=OpenBSD+4.0

Rules are always applied incoming at an interface, so if your smttp/pop3 clients sit at lan this rule has to go to firewall>rules, lan tab at the top of the list.

Your question has already been answered.  Search the archives.

You can create custom NAT mappings at firewall>nat, outbound tab. Just enable advanced outbound nat and create only the needed NATs. Everything not specified as outbound NAT rule will then simply be routed.

I just setup Filezilla ftp server here on Win XP and it worked fine with any ftp client I threw at it. However the exact same (I think!) config on a remote site just got me a login, but no data connection. I could even make directories, but no LIST. Filezilla client did the same. I then tried leap FTP client to connect to the remote Filezilla server and it works fine. ftp://ftp2.leapware.com/pub/lftp276.exe I have no idea why Leap works and the others fail. :-( Moral of the story: its probably your ftp server config thats the problem, not the firewall.

resolved 1.0.1 update. thanks.

Sorry I didn't notice the reply until now, I had to set aside pfSense and temporarly use something else to get a IIS site up. First, I'll try to keep in mind the 'order of operations'. Second, I'm glad I was able to help find a bug.  I hope the fix made it to 1.0 stable. I plan on testing 1.0 in the near future. Thanks to all who replied.

It's (unfortunately) a bug. You won't have to reboot with version 1.0.1. This bug doesn't appear always and with all configurations which made it a bit hard to find but it's already fixed.

natreflection doesn't work for 1:1 nats. If this is only a mailserver and you only need few ports (25,110,…) turn off the 1:1 nat and use a combination of protforward and advanced outbound nat for this and enable nat reflection at system>advanced ( at the very bottom of the page). Other option is to set up split DNS like you suggested.

@bobvan: On one hand, I like the UPNP approach because it should only open what's necessary when it's necessary.  On the other hand, it's a license for any rogue bit of malware on my network to open anything it wants.  (Thankfully, I seldom run Windows.)  If I get UPNP working, I should probably add firewall rules that allow only the XBOX to talk to miniupnpd. This is a common misconception that doesn't stand up to analysis. The fact is, if you have malware on your network, on a typical firewall it's fully capable of opening up any outbound connections it wants. UPnP does allow it to open up inbound ports too, but only in a limited way. Is there anything that can be done with a upnp inbound connection that couldn't, technically, be done through an outbound connection? No. In fact it's probably far easier and less likely to be detected (and certainly more reliable) for malware to create vulnerabilities through initiating outbound connections and local network sniffing. The reality is in a lot of cases UPnP is a lot more secure than alternatives like static inbound mappings as the ports are only opened when required. They are also (if the upnp IGD is capable) loggable and monitorable. Sure, you don't want UPnP on a typical corporate network, but there's certainly a big place for it on home networks and even SME networks. Cheers, Keith

@mickrussom: Is there a way for the public to file bugs? You can create bug tickets at http://cvstrac.pfsense.com/ but pleaso only file tickets when you are absolutely sure that you found a bug in the LATEST version or after you have been told by one of the devs to create a ticket. First discuss at forum or mailinglist to make sure the problem is not caused by misconfiguration or whatever.

Problem solved. Thanks

Make sure your dyndns update was successfull. Also are you talking about portforwards you created at WAN or to access directly to the pfSense? If you try to reach portforwards you need to enable nat reflection at system>advanced (very bottom of the page).

Do you see the traffic being blocked at status>system, firewall? Also what gateway do the clients at the bridged OPT1 use?