• [SOLVED] LAN-TO-LAN IP NAT: How? For managing remote device …

    2
    0 Votes
    2 Posts
    3k Views
    BabizB

    I did a lot of trial and error, and finally I solved this problem. Basically it is simple to set up LAN-to-LAN NAT IP translation in a few steps!
    I describe them below:

    After setting up the IPsec tunnel, add as many Phase 2 entries as you need to reach the remote station from the local admin side.

    On site A
    Add P2
    Mode "tunnel"
    Local Subnet "LAN2"
    Remote Subnet "192.168.0.0/24"

    Add P2
    Mode "tunnel"
    Local Subnet "LAN2"
    Remote Subnet "192.168.1.0/24"

    On site B
    Add P2
    Mode "tunnel"
    Local Subnet "LAN1"
    Remote Subnet "192.168.2.0/24"

    Add P2
    Mode "tunnel"
    Local Subnet "MODEM"
    Remote Subnet "192.168.2.0/24"

    Next step: add a virtual IP on the remote station, one for each interface you need.

    Virtual IP address "192.168.0.99/24"
    Interface "MODEM"
    Type "IP Alias"

    Virtual IP address "192.168.1.99/24"
    Interface "LAN1"
    Type "IP Alias"

    I set my virtual IPs outside the DHCP range.

    Third step, to allow routing between subnets through the virtual IP NAT:
    basically the "Auto rule" for Outbound NAT does not translate any IP address, so you need to "force" translation for a specific host when it refuses to reply to any request from different subnets.

    Then the Mappings section will appear, ready for adding manual mappings.
    Interface "MODEM"
    Source "192.168.2.0/24"
    Source Port ""
    Destination "192.168.0.0/24" Destination Port ""
    NAT Address "192.168.0.99" NAT Port "*"

    Interface "LAN1"
    Source "192.168.2.0/24" Source Port ""
    Destination "192.168.1.0/24" Destination Port ""
    NAT Address "192.168.1.99" NAT Port "*"

    I used the entire /24 block to define this rule; all works well, and now I can reach multiple hosts under site B, redirected to the virtual IP on the remote interface side.

    Piba-NL from the #pfsense IRC channel advised me that you can eventually trim the size of the subnet to /32 to improve security if you only have a single host to manage. Thanks a lot for your advice mate :D

    Last step is checking the firewall rules; you can adjust them to allow the traffic you want to pass. In my case I set a basic "Any to Any" rule on all interfaces (applying the default LAN rule is fine).

    Well, you are done. Now you can "talk" to all devices under the remote subnets, even if they refuse to reply to requests from other subnets; by this "trick" the traffic is redirected to a virtual IP on the interface side before being routed through the IPsec VPN tunnel. Very nice, man.

    Hope this micro tutorial is useful for other folks. Goodbye!
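    The three steps above (mirrored Phase 2 entries, IP Alias VIPs outside the DHCP pool, manual outbound NAT to the VIP) have to agree with each other, and when they do not the symptom is just "no reply". As an added example that is not part of the original post, the following Python script encodes the post's layout as data and checks the things that silently break it: a Phase 2 that the other site does not mirror, a VIP that sits inside a DHCP pool, and a NAT mapping whose NAT address is not the VIP of the destination subnet or that no Phase 2 on that site would carry. Interface names and addresses are taken from the post; the DHCP pools are assumed values, since the post only says the VIPs were placed outside them.

```python
"""Consistency check for the LAN-to-LAN NAT over IPsec layout from the post.

Added example, not the poster's configuration. Site A: "LAN2" = 192.168.2.0/24.
Site B (the "remote station"): "LAN1" = 192.168.1.0/24, "MODEM" = 192.168.0.0/24.
"""
from ipaddress import ip_address, ip_interface, ip_network

SITE_A_P2 = [  # (local subnet, remote subnet) as entered on site A
    ("192.168.2.0/24", "192.168.0.0/24"),
    ("192.168.2.0/24", "192.168.1.0/24"),
]
SITE_B_P2 = [  # (local subnet, remote subnet) as entered on site B
    ("192.168.1.0/24", "192.168.2.0/24"),
    ("192.168.0.0/24", "192.168.2.0/24"),
]
SITE_B_VIPS = {"MODEM": "192.168.0.99/24", "LAN1": "192.168.1.99/24"}  # IP Alias VIPs
SITE_B_DHCP = {  # ASSUMED pools; the post only states the VIPs are outside them
    "MODEM": ("192.168.0.100", "192.168.0.199"),
    "LAN1": ("192.168.1.100", "192.168.1.199"),
}
SITE_B_OUTBOUND_NAT = [  # manual outbound NAT mappings on site B
    {"interface": "MODEM", "source": "192.168.2.0/24",
     "destination": "192.168.0.0/24", "nat_address": "192.168.0.99"},
    {"interface": "LAN1", "source": "192.168.2.0/24",
     "destination": "192.168.1.0/24", "nat_address": "192.168.1.99"},
]


def p2_mismatches(this_site, other_site):
    """Phase 2 pairs on this_site that other_site does not mirror (local/remote swapped)."""
    mirrored = {(ip_network(r), ip_network(l)) for l, r in other_site}
    return [(l, r) for l, r in this_site
            if (ip_network(l), ip_network(r)) not in mirrored]


def vip_problems(vips, dhcp_pools):
    """VIPs that collide with the DHCP pool of their own interface."""
    out = []
    for iface, vip in vips.items():
        pool = dhcp_pools.get(iface)
        if pool is None:
            continue
        addr = ip_interface(vip).ip
        lo, hi = (ip_address(x) for x in pool)
        if lo <= addr <= hi:
            out.append(f"{iface}: VIP {addr} lies inside DHCP pool {lo}-{hi}")
    return out


def outbound_nat_problems(mappings, vips, site_p2):
    """Check each manual mapping against the VIPs and the Phase 2 entries of the same site."""
    out = []
    carried = {(ip_network(l), ip_network(r)) for l, r in site_p2}
    for m in mappings:
        src, dst = ip_network(m["source"]), ip_network(m["destination"])
        nat = ip_address(m["nat_address"])
        vip = ip_interface(vips[m["interface"]]).ip if m["interface"] in vips else None
        if nat != vip:
            out.append(f"{m['interface']}: NAT address {nat} is not the VIP on that interface")
        if nat not in dst:
            # The whole point of the trick: replies must stay on-link, with no route back needed.
            out.append(f"{m['interface']}: NAT address {nat} is outside destination {dst}")
        if (dst, src) not in carried:
            # Traffic from src to dst reaches this site only through a P2 with local=dst, remote=src.
            out.append(f"{m['interface']}: no Phase 2 with local {dst} / remote {src} carries this traffic")
    return out


def wide_sources(mappings):
    """Mappings whose source is broader than one host (the /32 trimming advice from the post)."""
    return [m for m in mappings if ip_network(m["source"]).prefixlen < 32]


def check_layout():
    """All findings for the layout above; an empty list means the three steps line up."""
    return ([f"site A P2 not mirrored on site B: {l} -> {r}" for l, r in p2_mismatches(SITE_A_P2, SITE_B_P2)]
            + [f"site B P2 not mirrored on site A: {l} -> {r}" for l, r in p2_mismatches(SITE_B_P2, SITE_A_P2)]
            + vip_problems(SITE_B_VIPS, SITE_B_DHCP)
            + outbound_nat_problems(SITE_B_OUTBOUND_NAT, SITE_B_VIPS, SITE_B_P2))


if __name__ == "__main__":
    for finding in check_layout() or ["layout is consistent"]:
        print(finding)
    for m in wide_sources(SITE_B_OUTBOUND_NAT):
        print(f"note: {m['interface']} mapping allows all of {m['source']}; trim to /32 if one host suffices")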

  • SMTP STARTTLS not advertised on port 25

    2
    0 Votes
    2 Posts
    869 Views
    A

    Finally sorted this problem.

    Just in case anyone else encounters a similar issue, for us it was our Untangle server, which in our config sits behind the pfSense system on the LAN side (Untangle using transparent bridge mode) that we use to add first-round anti-spam and anti-phishing protection.

    The anti-spam lite module has a control option under "Advanced SMTP settings" for enabling/disabling use of TLS, labelled as "Allow and ignore TLS sessions".  Ticking that option corrected the problem - we now see the expected STARTTLS option advertised on port 25 again.

  • Port forwarding behind new AT&T gateway.

    2
    0 Votes
    2 Posts
    494 Views
    F

    @gunnarsniels:

    Separately, if I run an nmap port scan against my external IP, I should see the ports that I've forwarded as being "open", correct?

    Yes if done from outside of your network (aka from WAN) and the port is also open on the end server.

    Check the firewall log on pfSense / do a packet capture to check if the traffic is even arriving at your pfSense at all. Might be that AT&T is blocking incoming traffic.
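    The reply above hinges on one distinction: a forwarded port only shows as "open" if the SYN reaches the end host and something is listening there, and a scan that gets no answer at all points to a drop upstream (the ISP gateway, a pfSense rule, or the host firewall) rather than to the forward itself. As an added example (not from the thread), the following Python connect probe labels each port open, closed or filtered the same way a TCP connect scan does, so that "closed" (RST came back: the packet arrived, nothing is listening) can be told apart from "filtered" (silence within the timeout). It stands up a loopback listener as a constructed stand-in for the forwarded server so it runs offline; the real check is run against the external IP from outside the network.

```python
"""Classify a forwarded TCP port as open, closed or filtered with a plain connect().

Added example, not from the thread. Outcomes:
  open      - SYN reached the server and something is listening
  closed    - an RST came back (server reached, nothing listening, or firewall rejects)
  filtered  - no answer within the timeout: dropped somewhere upstream
Run it from OUTSIDE the network you are testing; from the LAN you would be
testing NAT reflection instead of the port forward.
"""
import errno
import socket
import threading


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable (ERRNO)' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:          # silence: filtered somewhere on the path
        return "filtered"
    except ConnectionRefusedError:  # RST: the packet got there
        return "closed"
    except OSError as e:            # e.g. EHOSTUNREACH/ENETUNREACH: the path itself is broken
        return f"unreachable ({errno.errorcode.get(e.errno, e.errno)})"
    finally:
        s.close()


def probe_many(host, ports, timeout=3.0):
    """Probe several ports and return {port: state}."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def start_dummy_listener():
    """Constructed stand-in for the forwarded server: a loopback listener on a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def find_closed_port():
    """Pick a loopback port nothing listens on (bind to 0, read the port, release it)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Probe one listening and one closed loopback port; returns (results, open_port, closed_port)."""
    srv, open_port = start_dummy_listener()
    closed_port = find_closed_port()
    try:
        return probe_many("127.0.0.1", [open_port, closed_port], timeout=2.0), open_port, closed_port
    finally:
        srv.close()


if __name__ == "__main__":
    results, _, _ = demo()
    for port, state in results.items():
        print(f"127.0.0.1:{port} -> {state}")
```

    When run against the external IP from outside, "closed" on a forwarded port means pfSense and the AT&T gateway both passed the packet and the end server is simply not listening, while "filtered" is the case the reply suggests confirming with the pfSense firewall log or a packet capture.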

  • IpSec VPN NAT port 80

    1
    0 Votes
    1 Posts
    387 Views
    No one has replied
  • Reverse UDP Nat Reflection.

    1
    0 Votes
    1 Posts
    408 Views
    No one has replied
  • Redirect Virtual LAN IP to external Domain

    1
    0 Votes
    1 Posts
    242 Views
    No one has replied
  • [SOLVED] NAT not working on fragmented packets?

    6
    0 Votes
    6 Posts
    581 Views
    johnpozJ

    Ah.. thanks for the update.. Off the top of my head, not sure why it would do that though.. hmmmm.

    If I had to guess, it's related somehow to this:
    https://redmine.pfsense.org/issues/4723

  • 0 Votes
    7 Posts
    1k Views
    ivorI

    @Rainy:

    I may not be able to post anything until sometime after the end of the week, and by that point I may have decided to just try some other software package (such as OPNsense) because to be honest I don't like the "blame the user" vibe I am getting here.  If it were only me having issues, I'd be more open to the idea that I'm the dummy here, but when you have an entire gaming forum full of posts from people having problems getting gaming to work, then I start to feel as though there is something fundamentally wrong with the software itself.

    I'm sorry but you seem to be here just to vent. The issue is almost surely with the way you have configured it, not with the software. There's over 1 million active pfSense installs, something tells me port forwarding isn't that difficult. This discussion isn't going anywhere so thread locked. Best of luck to you!

  • Can't login to a node from WAN but can from LAN???

    3
    0 Votes
    3 Posts
    376 Views
    M

    @LBP Not sure what your exact setup is, but I found that going from 2.3.4 to 2.4.x broke my long-working setup. You can find my ramblings here:

    https://forum.pfsense.org/index.php?topic=138457.0

    Maybe it helps you too…

  • [SOLVED] NAT broke after 2.4.0 upgrade

    4
    0 Votes
    4 Posts
    1k Views
    M

    SOLVED!

    The problem with my setup was that I was using Proxy ARP for my VIPs. Obviously, as noted earlier, Proxy ARP has worked flawlessly up until the 2.4 release. Once I changed Proxy ARP to IP Alias, things started working again. For my Proxy ARP setup, I used to create the VIPs as /32. With my new IP Alias setup, I have adjusted the VIP to match the WAN subnet provided by my ISP.

  • Port Forwarding Ping from WAN to LAN–- does not work?

    14
    0 Votes
    14 Posts
    11k Views
    U

    For closure, the answer is:

    Windows 10 and Server 2016 (and probably other versions) automatically disable ping at the inbound firewall when the Windows device has a local IP (like 192.168 etc.).
    This is true, even if the active network profile is domain.  This was my issue.  Once I enabled echo at the Windows inbound firewall, ping forwarding worked Wan to LAN.

    Ping is defaulted ON in Windows for the domain network profile in non-local IP situations, so I didn't check the Windows firewall until evidence from pfSense tcpdump showed the echo requests successfully arriving at the Windows box on the LAN.

    ICMP from the WAN to local network is included in 1:1 NAT and can also be enabled through Port Forwarding (by selecting ICMP).  Both methods work.

    Thanks to viragomann for leading me in the right direction.

  • Steam not being blocked!

    14
    0 Votes
    14 Posts
    2k Views
    R

    Well, you can just make a default rule that restricts internet access after the specified time for any device other than those listed in the alias. It's not really that hard; no MAC spoofing can bypass it, but a VPN can easily bypass it. However, there's no free VPN service out there that offers lag-free gaming, so your kid needs to pay for it, or you can just blacklist the possible VPN IPs that he uses until he runs out of free VPN options. Just don't block ports 80, 443 and 53; you don't want your kid interrupted while doing legitimate school homework overnight.

    Your kid might try to spoof your whitelisted MAC addresses though.

    If everything fails, isolate his PC on an entire subnet :P

  • 0 Votes
    1 Posts
    340 Views
    No one has replied
  • Running pfsense with the WAN and LAN subnets being the same? [Solved]

    13
    0 Votes
    13 Posts
    1k Views
    johnpozJ

    Well, why didn't you say that from the get-go?

    The correct solution then is to just use pfsense as transparent firewall.

  • When using WAN address and using domain name to duplicate NAT get error

    2
    0 Votes
    2 Posts
    436 Views
    johnpozJ

    This seems to be a problem with the browser sending wrong info. There have been a few posts like this as of late. There is no MAC address anywhere in a port forward, so your browser is sending bogus info that, yeah, is messing with the form.

    Clear your browser cache..

  • Port forwarding HTTP and HTTPS dont work on pfsense 2.4.0 (sg2220).

    12
    0 Votes
    12 Posts
    8k Views
    S

    I asked what the "security reason" was, but he could not tell me. :P And he instructed me to use port 8080 instead, which is as much spammed as port 80 I guess. They do not state on their website that any port is blocked by default, or anything about security for that matter. I have put in a special request for opening port 80; we'll see how that goes.

    As for my buddy, I don't really know; my guess is he probably doesn't have the latest update.

  • Static Port Single Device

    1
    0 Votes
    1 Posts
    473 Views
    No one has replied
  • 0 Votes
    2 Posts
    430 Views
    C

    I have now set up each server's interface with the WAN IP.

    example Server1:
    IP: 85.245.122.50
    Gateway: 85.245.122.49

    I have configured a 1:1 NAT from external IP 85.245.122.50 to internal IP 85.245.122.50.
    This works. Is this not the same as full NAT?

    When a computer from the local network 192.168.1.1/24 goes onto the internet, the WAN IP address should always be 85.245.122.54. How do I do this?

  • LAN Port Forwarding

    2
    0 Votes
    2 Posts
    567 Views
    D

    After installing 2.4, the rules seem to be working again.

  • NAT Port Forwarding Problems

    4
    0 Votes
    4 Posts
    834 Views
    DerelictD

    Port forwarding works fine and has for years and years and years. It's you. It is not a bug.

    Really (really) check everything on the list here. Don't just look at it and say to yourself, "that does not apply."

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Really check everything.

    Really.

    Really.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.