It is working now.  The windows box at that IP had it's subnet mask set to 255.0.0.0 in stead of 255.255.255.0.  Not sure why.  I changed it to 255.255.255.0 and I can access that machine through the vpn with that outbound NAT rule disabled.  Thanks for your help on this.

huh?  Please post up logs of what your seeing and why you believe you shouldn't be seeing it.

When you say your seeing blocks to a port that is suppose to be open, I would guess your seeing out of state traffic is what your seeing.  Do you see flags on the block like A or FA, or RA, PA, etc..  Or do they show S for SYN?

@johnpoz:

Why would a rule that is not set to log be logged need a description ;)

If something is not suppose to be in the log, why would the log need to show its description… So I would say its expected behavior to be honest..

Because it was set to be logged and is still in the log - at least until the log rolls over.  Sure, if the rule had been deleted, no description available.

However, the rule IS still there, with its description (and pf label), so why have the display of the description depend on whether logging for the rule is currently disabled or not?

Perhaps it is by design but I'd never noticed it before, so I thought I'd ask.  Day to day it's no big deal.

@viragomann:

Just put all your the subnets into an alias (Firewall > Aliases).
Add an outbound NAT rule for the corresponding interface, check "Do not NAT", at destination select Network and enter the alias name.
Put this NAT rule to the top of the rule set. Now outbound NAT is disabled for the subnets contained in the alias.

That's the trick… Thank you very much. Works great.

I had set up my pfSense interface on a particular LAN subnet that was different from the modem/router's default interface.

Yep, that would do it.  You can't have the same subnet on both sides of a router.

draw your network… if you do not have a transit network I can almost promise you have asymmetrical..

If you have this its asymmetrical!  unless you host route on each device in the 192.168.1 network.

2nd pic is non symmetrical

asym.png
asym.png_thumb
nonasym.png
nonasym.png_thumb

I'm not sure what you're trying to do. Both mentioned networks are private. pfSense works on the assumption that at least one interface is "WAN" (has a gateway address to the rest of the world) and at least one is "LAN" (no gateway address). I assume your router connects to the rest of the world. And from your description it's doing NAT to translate the public IP to your first private network.

Do you have more than one public IP address, and is it static or dynamic?
Why are you connecting your first network to the pfSense box via wireless?
What do you mean by remote network?
With port forwarding, where are you coming from, and what are you trying to forward to?

You really should have only one DHCP server per network. And these days just about everything that has some sort of smart networking function (routers, modems, firewalls) includes a DHCP server, and it's on by default. Check everything and turn off the extras.

The way DHCP is setup is there's a pool of addresses. The default is to assume an 8-bit subnet (last octet is 0 through 255, and a mask of 255.255.255.0). In any subnet you can't use the first address (0) because it's the networks address. And you can't use the last address (255) because it's the broadcast address. Also the device itself is typically using 1. Therefore the default setup for a DHCP pool is 2 through 254. You should be able to set that down smaller–for example 128 through 254 (half your addresses in your pool). Then you have 2 through 127 (the other half your addresses) available to assign as local static addresses--for example one of them to your pfSense box, another to your LAN server, etc.

Best of luck.

How would disabling the resolver accomplish that??

That's a normal behaviour with a proxy server. On the destination device you only see the IP of the proxy and that is the interface IP of pfSense which is facing to the destination device. What else?

To see the WAN IP makes no sense over all. The WAN IP may be the origin destination IP but never the source IP.

Thank you very much! It works now!

@viragomann:

Have you configured the DNS resolver to listen on localhost or all interfaces as suggested in the doc?

No, I missed that. Thanks for pointing out. That solves the issue.

pfSense 2.2? Upgrade.

See Also: https://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense

@ScottyDM:

Perhaps they've gotten better, but in the past cheap routers couldn't reflect at all.

With 2 ISPs perhaps you should run your servers on one ISP and connect the rest of your LAN on the other. A bit extreme, but it'll work. Or look into getting a block of static IP addresses. It'll cost, but much cheaper than running a 2nd ISP. Generally, with a block of IP addresses the ISP knows and expects you to run servers. So no terms violation. Which ISP has the best uplink speed? And for a game server, which has the lowest latency?

The only reason I got 2 ISPs is because someone in our household wants to watch specific tv channels and they only offer that as a whole package with cable internet included, we never or barely use it, besides…. it's downtime is ridiculous, it's only available 73% of the time, upload is terrible, download is a little less than decent, and the latency spikes are all over the place. Anywho I've only hooked it up onto my pfsense machine because I could and in case our primary ISP (Which is Fiber.) ever goes down, which is never.

You prob need to charge your flux capacitor, its most likely low..

Come on guy - there is zero info to even guess to what your problem is.

"other versions have this error." - What error???

Sounds like your mail server crashed - I would suggest you contact the maker of said mail software, or their support forums.

@viragomann:

The source port has to be "any", only dest port is "DNS".

This. Applications source ports are usually random ports. And are in the case of DNS.

Sorry I didn't mention that.

For me NAT reflection works on port forwarding, but not on 1:1 NAT, just as it doesn't work for pfs_ch. Like pfs_ch I too have a block of static IPs, and I've chosen to use 1:1 NAT (another option for me might be bridging). Besides wanting to use all my public IP addresses, I have at least one protocol that cannot work with port forwarding. And another that does not work with split DNS.

I got my setup to work by adding a cheap consumer-grade router between LAN and WAN, with a static route to push DMZ-bound traffic from the LAN through pfSense rather than through the cheap router.

I should not have to do this. pfSense should reflect packets when told to do so, but either I'm telling it wrong or there's a bug in the code. The attached screen shot shows my settings for: System / Advanced / Firewall & NAT / Network Address Translation. How do we (including pfs_ch here) make this work.

This is my version information: 2.3.5-RELEASE-p1 (amd64); built on Tue Dec 12 13:31:23 CST 2017; FreeBSD 10.3-RELEASE-p26
2.4.3-RELEASE (amd64); built on Mon Mar 26 18:02:04 CDT 2018; FreeBSD 11.1-RELEASE-p7  And it's still not working.

Thanks a million.

System_Advanced_Firewall&Nat_NetAddTrans.png
System_Advanced_Firewall&Nat_NetAddTrans.png_thumb

Update pfSense to a current version first.

I think the easiest solution is to just force IPv4 with the client (ssh -4).  This avoids the long delay.

How is it that your downstream clients would have internet via pfsense if your downstream switch didn't have default route pointing to pfsense?

Lets say client sent ping to 8.8.8.8 to its gateway on the switch at say 10.50.50.1, if switch didn't have default route how would of it sent that traffic to pfsense for those clients to have internet?  So when you say your client and server had internet - how was that working without switch having route?  Where they set to use a proxy on pfsense at 172.20.2.20?  So the switch knew how to get there?