The easiest way (without touching the config.xml doing a copy/paste and replace interface names) I can think of is to use the [+] icon in the line you want copy and then just change the interface name from wan to your optx. This works for firewall rules and for nat. however you have to click them trough one by ine this way but you only have to modify one dropdown for each rule.

after several times reset to default and recreate the rule at firewall.
also reconfigure my ftp server setting, download/upload is running smoothly.

thanks a lot…  :D :D :D

System -> Advanced -> Disable Firewall … but this will disable firewalling as well.

or

If you want to simply deactivate nat visit Firewall -> Outbound -> Enable advanced outbound NAT and then remove all rules for advaned outbound NAT.

I beleive that was explained here : http://forum.pfsense.org/index.php?topic=725.msg4419#msg4419

Can't.  I'm doing the utmost evil and running a beta release at a production site 3 hours away.  I can't upgrade until I go down there, not because it won't work, but because my sleep better at night knowing that I'd be there "just in case".

Don't worry, I'm going down on friday.

First, this is pfSense and not m0n0wall  :P
Second, I assume the clients at OPT are using another default gateway that doesn't have a route back to your LAN subnet vie the pfSenses OPT IP. Masquerading would fix that but could cause other trouble on the other hand. Adding a route at the OPT's clients default gateway would be the "cleaner" solution imo. If you reall wan't to NAT enable advanced outbound NAT at Firewall>NAT and add a mapping for LAN to OPT with OPT IP of the pfSense there.

problem with outgoing ftp. ftp proxy is enabled on wireless. and nothing else it is working
sometimes but is very slow and seems to stop working after about 15 minutes.

still am a bit uncertian as to where to start lookking in respect to this.

additionally pppoe clients seem to also have trouble with ftp as well.

Thank, I will try it.

Can you add "Virtual Server" in NAT? so easy to make a server-port?

:)

This is because of NAT reflection.  You have a few options.

Disable reflection in System -> Advanced

Change the webConfigurator port in System -> General

How can you fix this now?  Do this from the console ( Option 8 ) :

pfctl -d

Now login and do one of the above options.

Once you are done, run this from the console ( Option 8 ) :

pfctl -e

Please click, "Thanks, Solved" if this fixed you're issue.  Thanks!

I have portforward lots of times with diffrent versions of pfSense and have never seen that problem.

Could it be that you have configured it wrong some how?
Attach a screen dump of the portforward in question (an image says more than thousand words).

If you set it up this way, why do you need a firewall then?

Here is how it works:

(make sure first that your setup runs correctly with one real IP at the WAN interface, I'm confused by all the xxx in your IPs and all the /32 subnets. do machines from LAN get out to the internet and everything works fine?)

1. Add Virtual IP
If your provider doesn't need ARP-Replies for the additional IPs try other
If your provider needs ARP replies use proxy arp or carp. With carp you can easily add a failover machine later.

2. Create a 1:1 NAT mapping the virtual IP to the internal IP

3. Add firewallrules permitting that kind of traffic
Keep in mind, nat is applied first, then firewallrules.

Example: You want to have a Webserver running at a machine inside your LAN and want to have that reachable via the virtual IP
additional public IP (virtual IP) 123.123.123.123
LAN IP that is mapped to the additional public IP 192.168.1.100

Your firewall rule has to look like this at the WAN interface:
pass, protocol tcp, source IP any, source port any, destination IP 192.168.1.100, destination port http/80

Note that your firewallrule doesn't show the external IP adress but the internal one that is mapped to the external one.

Do this for every machine inside your lan that uses one of your public IPs.

[FIXED]

Uggg, At the moment, Im feeling really dumb.

It was my fault, I had the digi's default gateway configured for the old router before I switched over to pfSense.

Sorry about that.

No, it still does not pass email according to the rule in port forwarding in the port forward nat section. (does port forward work for outbound??)  On outbound NAT there is no pptp to choose from in the inteface drop down.  I guess this would be analagous to using squid and forwarding those packets somewhere.  Should I try editing the config file?

Usually you change portrange for every computer.

EX:
Lets say i have 5 computers behind a NAT router i usually forward mabye 10 ports to every singel one.

forward to ->PC1 portrange->50000-50009
forward to ->PC2 portrange->50010-50019
forward to ->PC3 portrange->50020-50029
forward to ->PC4 portrange->50030-50039
forward to ->PC5 portrange->50040-50049

And then i configure all applications on every pc to uses that dedicated portrange.
EX: all p2p programs listen to those portranges and icq,msn and souch.
I  have never run inte problems by doing this, if the range is to narrow then open/forward maby 20 ports.

But if you cant change listening range in the application in question then you get into trouble.
Can you say what application it is? (easier to do any recomendation or find solution like special scripts and souch).

Have found the problem.
every user has to put ftp://ip adress:21/ to connect.
this problem is solved. and finaly…

Well changing the FTP helper status on or off will alter pftpx from running.  I'll check into the bogons piece.

http://forum.pfsense.org/index.php?topic=104.0

Did you create firewallrules to allow the incoming traffic? Only 1:1 NAT is not automatically passing all traffic (which would be a bad idea anyway).

Let's say one of your IPs is a webserver for example you need a pass rule like this:

protocol tcp
source IP any
sourceport any
destination IP <lan-ip of="" mailserver="">(NAT comes first, then firewallrules are applied so you have to use the internal IP as destination)
destinationport http (80)</lan-ip>

Not likely, we are not adding features.  We are only adding a new option when it corrects a bug.  Unfortunately this is not a bug and you can control it more tightly with firewall rules.