First, this is pfSense and not m0n0wall  :P Second, I assume the clients at OPT are using another default gateway that doesn't have a route back to your LAN subnet vie the pfSenses OPT IP. Masquerading would fix that but could cause other trouble on the other hand. Adding a route at the OPT's clients default gateway would be the "cleaner" solution imo. If you reall wan't to NAT enable advanced outbound NAT at Firewall>NAT and add a mapping for LAN to OPT with OPT IP of the pfSense there.

problem with outgoing ftp. ftp proxy is enabled on wireless. and nothing else it is working sometimes but is very slow and seems to stop working after about 15 minutes. still am a bit uncertian as to where to start lookking in respect to this. additionally pppoe clients seem to also have trouble with ftp as well.

Thank, I will try it. Can you add "Virtual Server" in NAT? so easy to make a server-port? :)

This is because of NAT reflection.  You have a few options. Disable reflection in System -> Advanced Change the webConfigurator port in System -> General How can you fix this now?  Do this from the console ( Option 8 ) : pfctl -d Now login and do one of the above options. Once you are done, run this from the console ( Option 8 ) : pfctl -e Please click, "Thanks, Solved" if this fixed you're issue.  Thanks!

I have portforward lots of times with diffrent versions of pfSense and have never seen that problem. Could it be that you have configured it wrong some how? Attach a screen dump of the portforward in question (an image says more than thousand words).

If you set it up this way, why do you need a firewall then? Here is how it works: (make sure first that your setup runs correctly with one real IP at the WAN interface, I'm confused by all the xxx in your IPs and all the /32 subnets. do machines from LAN get out to the internet and everything works fine?) 1. Add Virtual IP If your provider doesn't need ARP-Replies for the additional IPs try other If your provider needs ARP replies use proxy arp or carp. With carp you can easily add a failover machine later. 2. Create a 1:1 NAT mapping the virtual IP to the internal IP 3. Add firewallrules permitting that kind of traffic Keep in mind, nat is applied first, then firewallrules. Example: You want to have a Webserver running at a machine inside your LAN and want to have that reachable via the virtual IP additional public IP (virtual IP) 123.123.123.123 LAN IP that is mapped to the additional public IP 192.168.1.100 Your firewall rule has to look like this at the WAN interface: pass, protocol tcp, source IP any, source port any, destination IP 192.168.1.100, destination port http/80 Note that your firewallrule doesn't show the external IP adress but the internal one that is mapped to the external one. Do this for every machine inside your lan that uses one of your public IPs.

[FIXED] Uggg, At the moment, Im feeling really dumb. It was my fault, I had the digi's default gateway configured for the old router before I switched over to pfSense. Sorry about that.

No, it still does not pass email according to the rule in port forwarding in the port forward nat section. (does port forward work for outbound??)  On outbound NAT there is no pptp to choose from in the inteface drop down.  I guess this would be analagous to using squid and forwarding those packets somewhere.  Should I try editing the config file?

Usually you change portrange for every computer. EX: Lets say i have 5 computers behind a NAT router i usually forward mabye 10 ports to every singel one. forward to ->PC1 portrange->50000-50009 forward to ->PC2 portrange->50010-50019 forward to ->PC3 portrange->50020-50029 forward to ->PC4 portrange->50030-50039 forward to ->PC5 portrange->50040-50049 And then i configure all applications on every pc to uses that dedicated portrange. EX: all p2p programs listen to those portranges and icq,msn and souch. I  have never run inte problems by doing this, if the range is to narrow then open/forward maby 20 ports. But if you cant change listening range in the application in question then you get into trouble. Can you say what application it is? (easier to do any recomendation or find solution like special scripts and souch).

Have found the problem. every user has to put ftp://ip adress:21/ to connect. this problem is solved. and finaly…

Well changing the FTP helper status on or off will alter pftpx from running.  I'll check into the bogons piece.

http://forum.pfsense.org/index.php?topic=104.0

Did you create firewallrules to allow the incoming traffic? Only 1:1 NAT is not automatically passing all traffic (which would be a bad idea anyway). Let's say one of your IPs is a webserver for example you need a pass rule like this: protocol tcp source IP any sourceport any destination IP <lan-ip of="" mailserver="">(NAT comes first, then firewallrules are applied so you have to use the internal IP as destination) destinationport http (80)</lan-ip>

Not likely, we are not adding features.  We are only adding a new option when it corrects a bug.  Unfortunately this is not a bug and you can control it more tightly with firewall rules.

Help with docs is always appreciated. Good luck. http://doc.pfsense.org

Add the rules to allow ftp to talk to localhost.

@josmo: Ok here's the deal and it's got me very confused (By the way great job on this PFsense team so far this is great). My Config. LAN IP 192.161.10.1 with DCHP enabled WAN 70.89.221.233 / 8 wan gateway 70.89.221.238 now from internally I can view and ping most sites.  But There are a few I can't like.  stumbleupon.com (70.85.3.132) and suvault.com (70.84.208.122) I know this is an issue with pfsense or the way I have it set up because when I plug in the old linksys with the same wan ip and lan ip it goes to these sites just fine and I can ping them.  Anyone have any clue why this is going on????? Thanks, This looks like a Comcast business connection.  I guarantee that WAN is supposed to be /29.  I'm in the same 70.0.0.0/8 CIDR block (on two seperate connections) and /8 is NOT the correct netmask for machines attached to it. –Bill

OK … its working now in PREBETA2 ... so it should be working in the upcome release (whenever that will be) Thanks guys!!!