• Lan client is not outgoing through WAN IP

    4
    0 Votes
    4 Posts
    885 Views
    Your Default GW is WAN. Try switching the gateway under the advanced button in a rule to move traffic from A > B over Gateway: Red3. If it's sitting at default then I think it's just going to push everything over that, unless you set the RED3 as default so you would only have to change the routing rule for machines that actually need to traverse the WAN GW.
  • Accessing hosted services from internal and from external

    2
    0 Votes
    2 Posts
    451 Views
    @geminux: But when I want to access the same service from internal (lan), it no longer works. I guess that since connection come through LAN interface, it does not go through the port forwarding… That's the point. Use an internal DNS and set up a host override. You may use DNS Resolver or DNS forwarder installed on pfSense found in Services menu. You may also activate NAT reflection + proxy in the NAT rule to resolve this.
  • Pfsense not allowing UDP to internal DNS server

    2
    0 Votes
    2 Posts
    906 Views
    johnpoz
    "or internally ," If you cannot even dig to your NS when you're on the same network..  How exactly do you think it would work externally? So your NS is on 192.168.1.12/24 - get it working so you can query it from 192.168.1.0/24 then worry about externally. Running your own NS on the public internet is normally a BAD idea.. Unless you fully and completely understand all of the implications that brings!  Which since you're here asking why it's not working - this seems to not be the case. You show that your ip is supposed to be .12, then why is your netstat on the same NS box showing it's listening on .36? Netstat output from below: tcp 0 0 192.168.1.36:domain . LISTEN 1156/named udp 0 0 192.168.1.36:domain . 1156/named
  • NAT reflection issue

    2
    0 Votes
    2 Posts
    564 Views
    A picture is worth a thousand words. The attached picture shows the different packet-flows of the two methods. However, pure NAT will succeed if the destination host is in another network segment than the requesting one and pfSense is the default gateway in both. [image: pfSense_NAT_reflection.png]
  • Port 5900 (vnc) to a pc with different gateway

    12
    0 Votes
    12 Posts
    5k Views
    we have 8 internet connections with different ISP (two lines of them are of the same ISP), with different speed, some with dynamic IP via PPPOE, some with static IP we also have a /29 subnet.. one of those IP I have used on wan interface of pfsense pfsense has a public IP on it, ie not rfc1918 (10.x.x.x, 192.168.x.x, 172.16-31.x.x) on its wan? yes And this is the same ISP that your other router is dynamic wan IP? no
  • WAN to LAN NAT stopped WAN to OPT1 still working.

    1
    0 Votes
    1 Posts
    470 Views
    No one has replied
  • Help with port forwarding Minecraft server

    8
    0 Votes
    8 Posts
    3k Views
    johnpoz
    your interface is lan - that is wrong.. Your forward interface would be wan!!
  • 1:1 NAT = No Internet

    2
    0 Votes
    2 Posts
    1k Views
    Derelict
    1:1 takes precedence over outbound NAT. You are probably going to have to post what you have done instead of a description of what you think you have done. We have a 2nd Static Block coming through same WAN (182.x.x.x /28). Not sure where to configure except as a Virtual IP which I have yet to do Is that routed to an address on 70.x.x.x /28 or is it somehow on the same interface. If it is routed you can do anything you want with it. Use it as VIPs. Put it (or a portion of it) on an inside interface, disable NAT, and assign addresses from it directly to inside servers. Route it (or a portion of it) somewhere downstream. If it is not routed and you are not yet using it, I would ask them to change it. There are no downsides and lots of upsides to having a routed subnet.
  • Local site with wan access

    4
    0 Votes
    4 Posts
    597 Views
    NogBadTheBad
    Watch this and change rdp to http :- https://www.youtube.com/watch?v=1LM6PdwSAaY If your external ip address starts 192.168.x.x your ISP is handing out rfc1918 private IP addresses for your WAN so NAT would be taking place further up the chain.
  • 2nd LAN Interface to WAN

    3
    0 Votes
    3 Posts
    764 Views
    Thanks for your help! @viragomann: Nothing. WAN net is the subnet configured on the WAN interface, not the whole internet. WAN address is the WAN interface address. The whole internet is "!(RFC 1918 networks)". So add all the addresses you want to permit access to an alias and use this in a pass-rule as dest.
  • NAT External IP Rotation

    3
    0 Votes
    3 Posts
    1k Views
    What about a script to change the Address Pool every X hours?  Then I can have 1 Subnet active per hour and rotate them through each.
  • Is this double NAT?

    13
    0 Votes
    13 Posts
    2k Views
    JKnott
    I am on tmobile phone and it doesn't get an IPv4 any more just IPv6. Mine too.  My cell carrier uses 464XLAT to provide IPv4 support. Giving a school back in the day when internet first started a /8 was not forward thinking ;) heheh Of course, that predated personal computers, tablets, cell phones etc.  The 32 bit addresses were intended only to be for a demonstration, with larger addresses when "officially released" at least according to Vint Cerf.
  • WAN IP change does not clear NAT/firewall states

    1
    0 Votes
    1 Posts
    498 Views
    No one has replied
  • NAT over IPSEC

    5
    0 Votes
    5 Posts
    1k Views
    Hi Derelict, Thanks for chiming in. Yes, I was experimenting with the Phase2 settings and was able to make things work!  :) Thanks again everyone for your thoughts and suggestions. pfSense rocks! Cheers, Armen
  • Home ISP dmesg: arp <hw> is using my IP address <ip> on

    2
    0 Votes
    2 Posts
    1k Views
    Yeah. AT&T are idiots who do 802.1x authentication of their gateway, so you can't even buy a standard VDSL modem or hook up your own router to the ONT (Fibre). Their IP pass-through mode still subjects you to NAT table limitations and the like, unfortunately. And I recall reading something about blocked ports. I read something about extracting the certificate and the private key from the AT&T gateway with an exploit. Obviously not endorsed by AT&T though. This looks interesting. I don't have AT&T so I can't comment but it might work. Don't know if pfSense has an ebtables equivalent. http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NAT-table-limits
  • Forwarding port 80 - lan side issue (link with pictures) [SOLVED]

    1
    0 Votes
    1 Posts
    493 Views
    No one has replied
  • Connection Issues

    6
    0 Votes
    6 Posts
    1k Views
    Ok, removing the source port numbers has made mail flow, however I still get no mail to my android unless disconnected from the wifi…. Suggestions? Also my computer tells me I have no internet access, in Network & Sharing Center, as well as on my task bar??? I do have network connection, it just says I don't??? ![network connection.PNG](/public/imported_attachments/1/network connection.PNG) ![network connection2.PNG](/public/imported_attachments/1/network connection2.PNG)
  • 0 Votes
    1 Posts
    436 Views
    No one has replied
  • MS Office365 behind pfsense

    1
    0 Votes
    1 Posts
    426 Views
    No one has replied
  • On interfaces and NAT

    1
    0 Votes
    1 Posts
    463 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.