• Quick question

    Locked
    0 Votes
    2 Posts
    2k Views
    The option you are talking about is called "static port" in pfSense. You'll find it at firewall>nat, advanced outbound NAT tab. See http://forum.pfsense.org/index.php/topic,104.msg5876.html#msg5876 for the problem you have and how to set it up correctly.
  • MS FTP on DMZ not working for WAN Access

    Locked
    0 Votes
    19 Posts
    13k Views
    Ok tested externally and all is working after the NAT rule is deleted!  Thanks.
  • Tight VNC… and NAT

    Locked
    0 Votes
    7 Posts
    13k Views
    The problem is not any source but the any destination that you have in your rule.
  • Problems with IPsec Client (NAT-T?)

    Locked
    0 Votes
    3 Posts
    2k Views
    And there's no solution to use these clients from behind a m0n0wall/pfSense? It's a BSD issue, isn't it? Are there any solutions like m0n0wall or pfSense based on Linux? pfSense is really great, but I need these clients more and more in future… :(
  • How to do this special NAT?

    Locked
    0 Votes
    7 Posts
    3k Views
    My modem router crashed when there were more than 200 connections. But it works well in client PPPoE dial-up.
  • VoIP b/t subnets - audio problems

    Locked
    0 Votes
    5 Posts
    3k Views
    @hoba: NAT is making problems with a lot of VOIP implementations as long as you don't have any kind of proxy or STUN server. I would suggest setting this up without NAT and simply route between OPT and LAN. If you want to add some security to your unsecured access point, enable captive portal at the AP interface and add the MAC addresses of your VoIP phones as passthrough MACs.
    Thanks for the suggestions! Unfortunately captive portal just isn't secure enough, it would be trivial to spoof the MAC and gain access. I'll keep playing and see what I can come up with. I still think there might be a solution with static ports, just need to figure out how that works.
  • Port forwarding question

    Locked
    0 Votes
    2 Posts
    2k Views
    At system>advanced enable nat reflection (very bottom of the page).
  • NAT w/ a virtual IP

    Locked
    0 Votes
    2 Posts
    2k Views
    Does the server you forward to have a firewall of its own or use a different default gateway than the pfSense?
  • Routing public IP

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • NAT with httpd

    Locked
    0 Votes
    5 Posts
    3k Views
    Just posted this in package wishlist before running across this thread. Pound Reverse Proxy http://forum.pfsense.org/index.php/topic,6.msg10126.html#msg10126
  • NAT FTP Rule Doesn't Work

    Locked
    0 Votes
    4 Posts
    3k Views
    Finally got some time to play with the settings again as this is on a production box. I tried changing the use device polling settings but that didn't help and most of the other settings didn't seem to apply. I'm not sure what the problem is. I really would like to know what the above error means and how to resolve that.
  • Two WANs, one LAN and one DMZ and the problem is NAT -> DMZ

    Locked
    0 Votes
    5 Posts
    3k Views
    Hi Hoba, Thanks for your help and I know now why it didn't work. The situation is I got a WatchGuard firewall and I am testing and preparing the pfSense to replace the WatchGuard. I switch between the two firewalls by changing my gateway. The problem was that the NAT was not working, not the gateways on pfSense nor the clients or DSL modems. It was much simpler and I just did not think of it. I forgot that the gateway of the webserver was pointing to the WatchGuard instead of the pfSense so I got a syncblock. When I changed the configuration and put a second network card in the webserver I could route the traffic to the correct firewall. Life is a learning process so next time I will be better in solving these kinds of things… I hope ;D Marcel
  • NAT drops SIP registration over time

    Locked
    0 Votes
    5 Posts
    3k Views
    Only firewall rules.
  • Nat and Filtered Bridge

    Locked
    0 Votes
    2 Posts
    2k Views
    Can't make rule - all variants did not work  :'(
      icmp 10.0.0.21:512 -> 194.87.11.112 0:0
      tcp 10.0.0.3:80 <- 10.0.0.21:4977 FIN_WAIT_2:FIN_WAIT_2
      tcp 10.0.0.3:80 <- 10.0.0.21:4979 FIN_WAIT_2:FIN_WAIT_2
      tcp 10.0.0.3:80 <- 10.0.0.21:4990 FIN_WAIT_2:FIN_WAIT_2
      tcp 10.0.0.3:80 <- 10.0.0.21:4996 ESTABLISHED:ESTABLISHED
      tcp 10.0.0.3:80 <- 10.0.0.21:3007 FIN_WAIT_2:FIN_WAIT_2
      tcp 205.189.214.250:80 <- 10.0.0.21:3015 CLOSED:SYN_SENT
      tcp 10.0.0.21:3015 -> 10.0.0.3:50325 -> 205.189.214.250:80 SYN_SENT:CLOSED
      udp 10.0.0.21:3002 -> 10.0.0.3:51822 -> 192.168.2.20:53 SINGLE:NO_TRAFFIC
      udp 10.0.0.21:1103 -> 10.0.0.3:52415 -> 192.168.2.20:53 SINGLE:NO_TRAFFIC
      udp 192.168.2.20:53 <- 10.0.0.21:1103 NO_TRAFFIC:SINGLE
      udp 192.168.2.20:53 <- 10.0.0.21:3002 NO_TRAFFIC:SINGLE
      udp 192.168.2.22:53 <- 10.0.0.21:1103 NO_TRAFFIC:SINGLE
      udp 192.168.2.23:53 <- 10.0.0.21:3002 NO_TRAFFIC:SINGLE
      udp 10.0.0.255:137 <- 10.0.0.21:137 NO_TRAFFIC:SINGLE
      udp 10.0.0.21:1103 -> 10.0.0.3:62050 -> 192.168.2.22:53 SINGLE:NO_TRAFFIC
      udp 10.0.0.21:3002 -> 10.0.0.3:53304 -> 192.168.2.23:53 SINGLE:NO_TRAFFIC
      udp 10.0.0.21:137 -> 10.0.0.3:53734 -> 10.0.0.255:137 SINGLE:NO_TRAFFIC
    Rule NAT interface:WAN  src:10.0.0.21/32  dst:ANY trans:INTERFACE ADDRESS all ports=any(blank)
    This rule I copied from the default and changed src
  • NAT'ing help

    Locked
    0 Votes
    8 Posts
    5k Views
    @hoba: a) 1:1 NAT actually does modify IP addresses but only in one direction like any other natting solution does too. It is just a combination of portforward and advanced outbound NAT. b) yes, it's working as designed and this is not a limitation. I think you have a wrong understanding of what 1:1 NAT does.
    All right, so I see the argument for a) as working correctly. Sounds like there's no other workaround for b) though. Thanks for the info hoba, it's MUCH appreciated!!
  • Wireless Access Point and VLANs

    Locked
    0 Votes
    4 Posts
    6k Views
    I did set up something similar using 3com APs and all is still working perfectly. What I did is:
    Vlan conf on NIC rl1:
      SSID 1: Vlan 4
      SSID 2: Vlan 5
    APs conf: APs mapping each SSID on the correct Vlan, administration of the APs enabled for wired access only, no vlan on the "admin" link.
    Network interface on pfSense:
      RL1 : 172.16.1.0/24 network for monitoring the APs so each AP got an IP in this range
      RL1/VLAN4 : 172.16.2.0/24 network for first SSID, the public one unencrypted and broadcasted (DHCP and captive portal enabled, limited traffic by firewall rules)
      RL1/VLAN5 : 172.16.3.0/24 network for the second SSID, the private one that is encrypted (WPA2 PSK AES) and not broadcasted (DHCP enabled, all traffic allowed)
    So I've got a network for the APs themselves, useful for monitoring it ;-) and two other networks for each SSID. Firewall rules prevent public traffic from going to private networks.
  • Help with NAT

    Locked
    0 Votes
    2 Posts
    2k Views
    As your WAN is a private IP address range make sure "block private IPs at WAN" at interfaces>WAN is unchecked (it's enabled by default). In case your firewall rule was autocreated when adding the NAT I doubt that the problem is at the pfSense end. You might want to add a "log" for the rule that covers this NAT. You should see a pass event at system>systemlogs, firewall logs when trying to establish the connection. If that doesn't happen it most probably gets stuck in the router in front of the pfSense.
  • "NAT Bouncing" UDP

    Locked
    0 Votes
    7 Posts
    5k Views
    Just for fun, does it make a difference if you create the NAT and firewall rule to allow TCP and UDP for this port? What do the NAT reflection rules in /tmp/rules.debug look like?
  • Nat + Firewall

    Locked
    0 Votes
    2 Posts
    2k Views
    Make sure you have entered some DNS servers at system>general (if your WAN is not DHCP or PPPoE). Nothing to do next. LAN clients are now able to go to the internet and everything incoming at WAN is blocked by default. Everything else depends on what you want to do but you already have basic connectivity.
  • Nat/port forwarding: big help pls

    Locked
    0 Votes
    13 Posts
    7k Views
    thnx for all :|
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.