• Web site on DMZ can't connect from LAN

    @SFM: You can only forward port 80 on one server (let's say you have 3 web servers on the DMZ meaning you have 3 servers with port 80 open on each server) I don't get that part of your question but natreflection will work for all portforwards that you add if the range of the portforward is less than 500 ports.
  • Port forwarding vs 1:1

    Both ways of NAT run through the same firewall/filter. You have to add rules to permit traffic in addition to the NAT, and the rules are even the same whether you use 1:1 or portforward. It doesn't make a difference in security.
  • Trouble with HTTP in DMZ

    There is no security issue with that feature as it just enables a proxy at your internal interface to reflect the connection back to your internal portforwarded client. It puts a little bit more load on your device and uses a bit more RAM, but besides that there is no problem with that.
  • Ftp only works port connection type not passive

    GertjanG
    @sullrich: #1 Make sure you are using CARP type ips for virtual ips #2 Make sure the port forward is for port "21" ONLY If you are on the latest version and follow the above it really should work. Sure? I'm using a PPPoE connection on the WAN interface, and I can assure you that these two ones are running after reboot (and IP 24H 'hup'): /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.1.1 /usr/local/sbin/pftpx -c 8022 -g 8021 192.168.2.1 This one won't be there (except when making an initial FTP port 21 rule in the NAT table - Apply) /usr/local/sbin/pftpx -f 192.168.1.2 -b 82.125.93.41 -c 21 -g 21 If an FTP port 21 rule was already present, I have to remove it before (as the 2 auto created firewall WAN rules). Am I saying wrong, or do I miss something? When filter.inc installs pftpx [wanIP] [lanIP]…, pftpx will bail out (visible in the system log). Anyway, checking check_reload_status.c right now to see who is running what and when.... (rather simple piece of code at first - but your baby IS complicated when you dig into it...)
  • Nat reflection and udp

    Woops.  Please test my latest filter.inc: http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.262;content-type=text%2Fplain;only_with_tag=RELENG_1
  • Problem with pointing IPs directly to servers

    I have heard people say "latest" and they were months behind…
  • NAT port forwarding and VIP question

    ServerNAT is 1:1 NAT in pfSense, though you can also use a combination of portforward and advanced outbound NAT to do the same. However, portforwards support the NAT reflection feature if turned on at system>advanced. Which type of VIP you use depends on your needs and how your connection is set up. ProxyARP is basically the same type that m0n0 uses. CARP is mainly for redundancy but will work on a single box too. Using it makes it easier to add failover later. Other accepts IPs but won't produce Layer2 messages for this IP. This usually works if your provider routes additional IPs to you without the need for the pfSense to generate layer2 messages for it. If proxyARP worked for you in your previous m0n0 setup, go with it.
  • FTP Proxy / Nat dependency Bug

    It already is included in the latest snapshots: http://pfsense.com/~sullrich/1.0-SNAPSHOT-09-07-06/
  • Quick question

    The option you are talking about is called "static port" in pfSense. You'll find it at firewall>nat, advanced outbound NAT tab. See http://forum.pfsense.org/index.php/topic,104.msg5876.html#msg5876 for the problem you have and how to set it up correctly.
  • MS FTP on DMZ not working for WAN Access

    Ok tested externally and all is working after the NAT rule is deleted!  Thanks.
  • Tight VNC… and NAT

    The problem is not any source but the any destination that you have in your rule.
  • Problems with IPsec Client (NAT-T?)

    And there's no solution to use these clients from behind a m0n0wall/pfSense? It's a BSD issue, isn't it? Are there any solutions like m0n0wall or pfSense based on Linux? pfSense is really great, but I need these clients more and more in future… :(
  • How to do this special NAT?

    My modem router crashed when connections were more than 200. But it works well in client PPPoE dial-up.
  • VoIP b/t subnets - audio problems

    @hoba: NAT is making problems with a lot of VOIP implementations as long as you don't have any kind of proxy or STUN server. I would suggest setting this up without NAT and simply route between OPT and LAN. If you want to add some security to your unsecured access point enable captive portal at the AP interface and add the MAC addresses of your VoIP phones as passthrough MACs. Thanks for the suggestions! Unfortunately captive portal just isn't secure enough, it would be trivial to spoof the MAC and gain access. I'll keep playing and see what I can come up with. I still think there might be a solution with static ports, just need to figure out how that works.
  • Port forwarding question

    At system>advanced enable nat reflection (very bottom of the page).
  • NAT w/ a virtual IP

    Does the server you forward to have a firewall of its own or use a different default gateway than the pfSense?
  • Routing public IP

    No one has replied
  • NAT with httpd

    Just posted this in package wishlist before running across this thread. Pound Reverse Proxy http://forum.pfsense.org/index.php/topic,6.msg10126.html#msg10126
  • NAT FTP Rule Doesn't Work

    Finally got some time to play with the settings again as this is on a production box. I tried changing the use device polling settings but that didn't help and most of the other settings didn't seem to apply. I'm not sure what the problem is. I really would like to know what the above error means and how to resolve that.
  • Two WAN's one LAN and one DMZ and the problem is NAT –> DMZ

    Hi Hoba, Thanks for your help and I know now why it didn't work. The situation is I got a WatchGuard firewall and I am testing and preparing the pfSense to replace the WatchGuard. I switch between the two firewalls by changing my gateway. The problem was that the NAT was not working not the gateways on pfSense nor the clients or DSL modems. It was much simpler and I just did not think of it. I forgot that the gateway of the webserver was pointing to the WatchGuard instead of the pfSense so I got a syncblock. When I changed the configuration and put a second network card in the webserver I could route the traffic to the correct firewall. Life is a learning process so next time I will be better in solving these kinds of things…....I hope ;D Marcel
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.