  • NAT question, how to NAT internal subnet to another…

    Locked, 0 Votes, 7 Posts, 6k Views
    I will try to get more information from them, maybe they can clear this up. Thanks for your help!
  • Hide NAT

    Locked, 0 Votes, 4 Posts, 4k Views
    Looks like you rather want a multiwan setup than some freaking nat settings. I suggest searching the forum as this is a hot topic at the forum. Additional to this you can use advanced outbound nat to make some special things working (if it doesn't work right after setting up multiwan).
  • Force port on email server

    Locked, 0 Votes, 4 Posts, 2k Views
    No documentation yet on this, feel free to write some.
  • FTP Server reachable through OPT1

    Locked, 0 Votes, 23 Posts, 11k Views
    Dear Tomba, you are setting things up wrong. I have FTP as well as other services working at OPT-Interfaces forwarded from WAN and I also configured an FTP-Server for someone at IRC that was reachable from OPT-WAN. I suggest you get to IRC this evening and try to contact me there. We can try to make it work together by remote administration.
  • Dual firewalls, dual wan, carp - only one wan failing over properly

    Locked, 0 Votes, 12 Posts, 6k Views
    @BugeyeD: I see BLOCK/DROP rules here, none of which are being logged. I do understand why they are there and what they are trying to protect against. What I noticed as being odd was that WAN (em2) is not represented here, whereas OPT1 (em1) is. So naturally I have to wonder if packets are getting dropped at OPT1 and not on WAN, thus breaking failover on OPT1 but not on WAN. But since logs are not being generated I can't tell for sure. Updated to the new snapshot, still have the same situation and therefore the same question.
  • Quake 4 or game servers behind pfSense

    Locked, 0 Votes, 5 Posts, 5k Views
    I updated to this latest snapshot and then tried to monitor my server via Server Watch and Qtracker and it still can't connect to it. It appears as though it is still not reflecting the UDP correctly at least for Quake 4.
  • Port forward NAT + accessing NATed Services

    Locked, 0 Votes, 7 Posts, 3k Views
    You always need a VIP to make use of additional IPs on an interface. It won't work without. This is something that is different from m0n0.
  • Enable Advanced Outbound NAT question

    Locked, 0 Votes, 3 Posts, 3k Views
    Hoba, Thanks for all your help. It did exactly what it was supposed to. PFSENSE is a great product! SFM
  • Forward SSH from LAN to WAN

    Locked, 0 Votes, 4 Posts, 2k Views
    I have that exact setup at home and even have ssh enabled at the pfSense itself. Add a log to the firewall rule that permits ssh traffic to the asterisk box. If you see a pass at status>systemlogs, firewall and also see a state for this connection at diagnostics>states the connection was allowed. Then it has to be something on the asterisk box. Btw, make sure your rules order is correct. You can't allow a connection somewhere at the bottom of the list when you blocked it somewhere above.
  • Kamdelia network status firewalled Part2 Picture solution

    Locked, 0 Votes, 2 Posts, 2k Views
    Just want to say thank you for this post. I was trying to figure this one out too, with no luck. Got my Kad in the Open state now. :)
  • Nat Local to Local

    Locked, 0 Votes, 2 Posts, 2k Views
    Create portforwards at interface LAN, destination any for these ports and forward them to the internal IP of your proxy.
  • Inbound port forwarding with Dual Lan Setup?

    Locked, 0 Votes, 7 Posts, 3k Views
    Try to add pass through IPs for these hosts as well.
  • Web site on DMZ can't connect from LAN

    Locked, 0 Votes, 10 Posts, 5k Views
    @SFM: You can only forward port 80 on one server (let's say you have 3 web servers on the DMZ meaning you have 3 servers with port 80 open on each server) I don't get that part of your question but natreflection will work for all portforwards that you add if the range of the portforward is less than 500 ports.
  • Port forwarding vs 1:1

    Locked, 0 Votes, 2 Posts, 2k Views
    Both ways of NAT run through the same firewall/filter. You have to add rules to permit traffic additional to the NAT and the rules are even the same like for using 1:1 or portforward. It doesn't make a difference in security.
  • Trouble with HTTP in DMZ

    Locked, 0 Votes, 4 Posts, 3k Views
    There is no security issue with that feature as it just enables a proxy at your internal interface to reflect the connection back to your internal portforwarded client. It puts a little bit more load on your device and uses a bit more ram but besides that there is no problem with that.
  • Ftp only works port connection type not passive

    Locked, 0 Votes, 15 Posts, 22k Views
    GertjanG
    @sullrich: #1 Make sure you are using CARP type ips for virtual ips #2 Make sure the port forward is for port "21" ONLY If you are on the latest version and follow the above it really should work. Sure? I'm using a PPPoE connection on the WAN interface, and I can assure you that these two are running after reboot (and IP 24H 'hup'): /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.1.1 /usr/local/sbin/pftpx -c 8022 -g 8021 192.168.2.1 This one won't be there (except when making an initial FTP port 21 rule in the NAT table - Apply) /usr/local/sbin/pftpx -f 192.168.1.2 -b 82.125.93.41 -c 21 -g 21 If an FTP port 21 rule was already present, I have to remove it before (as the 2 auto created firewall WAN rules). Am I saying wrong, or do I miss something? When filter.inc installs pftpx [wanIP] [lanIP]…, pftpx will bail out (visible in the system log). Anyway, checking check_reload_status.c right now to see who is running what and when.... (rather simple piece of code at first - but your baby IS complicated when you dig into it...)
  • Nat reflection and udp

    Locked, 0 Votes, 58 Posts, 27k Views
    Woops.  Please test my latest filter.inc: http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.262;content-type=text%2Fplain;only_with_tag=RELENG_1
  • Problem with pointing IPs directly to servers

    Locked, 0 Votes, 5 Posts, 3k Views
    I have heard people say "latest" and they were months behind…
  • NAT port forwarding and VIP question

    Locked, 0 Votes, 3 Posts, 5k Views
    ServerNAT is 1:1 NAT in pfSense though you also can use a combination of portforward and advanced outbound nat to do the same. However portforwards support the nat reflection feature if turned on at system>advanced. Which type of VIP you use depends on your needs and how your connection is set up. ProxyARP is basically the same type that m0n0 uses. CARP is for redundancy mainly but will work on a single box too. Using it, it's easier to add failover later. Other is accepting IPs but won't produce Layer2 messages for this IP. This usually works if your provider routes additional IPs to you without the need that the pfSense generates layer2 messages for it. If proxyARP worked for you in your previous m0n0 setup go with it.
  • FTP Proxy / Nat dependency Bug

    Locked, 0 Votes, 29 Posts, 11k Views
    It already is included in the latest snapshots: http://pfsense.com/~sullrich/1.0-SNAPSHOT-09-07-06/
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.