Hi, oops! didn't realize there was a gaming section.. My Lan rules were default from fresh install :)

"=honestly i don know how to check this" Sniff on lan where your zimba is in pfsense on diag, packet capture.  Then try to talk to your zimba from some box on lan 2.. Do you see the SYN go out, do you see the syn,ack come back or do you just see a bunch of syn and retrans? This is really basic network troubleshooting 101.. if you do not see any syn leave pfsense to your zimba box.  Does pfsense even see the syn.. Packet capture on lan 2 interface this time - repeat the test.  Does pfsense see the syn??  If not then your device on lan 2 is not sending to pfsense as its gateway, etc.. If you see the syn come into lan 2 but not go out lan 1 - then pfsense either is not allowing the connection or is sending it elsewhere - like out your wan for example because you have maybe a gateway set on your lan 2 rules? Post up your rules and we can look..  Can lan 2 talk to other devices on lan 1?  If so then its a zimba thing.  Can lan 2 device ping the lan 1 IP of pfsense?

That's not as trivial to do. It's better you let this do the network engineers. You can check if the VLAN is assigned to pfSense in Status > Interfaces. The VLAN interface should be listed there with its subnet and mask. A VLAN has to be terminated at two sites. One can be the pfSense, the other site can be a switch or a computer. So as you say, the device which owns 172.16.40.1 is connected to a VLAN, so is the VLAN set on the device itself? Have you set it yourself?

@johnpoz: Turn off nat reflection.. That did the trick. Thank You very much Close out as solved…

OK, thank you all for helping me out, and especially for goading me into finally setting up the  openvpn server.  Particularly johnpoz, goader-in-chief, it wasn't as bad as I feared, I managed to stop the bleeding from my ears fairly quickly and got it running without too many problems.  And even doktornotor, thanks for trying even if we didn't quite communicate adequately, I apologize if I got I got a bit too irked.

You mentioned you are running your LAMP server on customized port, but if I check your pic earlier, the port listed in HTTP. What's the port you are using on your LAMP Server? What's the URL you use to hit it internally? What's the URL you use to hit it externally? Rather than doing NAT for internal access, use a DNS override as it works much smoother and removes a connect to the pfSense router and back. As a side note, I wouldn't really put my WebGUI available on the WAN, I'd just configure OpenVPN or something and connect via that route as it's much more secure.

Check: https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks https://doc.pfsense.org/index.php/1:1_NAT

Can anybody plz help me out.. :(

Probably one of the things in this list: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

Check: https://doc.pfsense.org/index.php/Connectivity_Troubleshooting

The first DNS settings look to the firewall. The next is Google DNS and then VerSign. To my knowledge I have not had any other issues.

Not sure why you would want to do that to be honest - not getting what that buys you at all..  But sure go to outbound nats and change to hybrid or manual mode and create the nats you want. To be honest I think I have gone over this sort of thing before when user needed to source nat from their openvpn connection, etc. I am on the road for work, and be much easier to put together pictures and how to do it between my multiple segments when I get home - if you can wait til say tmrw morning when I should have some time to do this I can put an example of natting between local segments.  But I still don't see the point??  What aspect of natting are you trying to simulate to the internet?  To test what exactly?

"it from wlan and going on a port testing site " So your going to a port testing site from your phone??  That wouldn't work - it would be testing your phones IP for those ports ;) So your wan rules show some hits on 21 and 27015..  But no current states - so something hit those rules.. Which could mean where your forwarding is not listening, or firewalled or not even the correct IP.. Or pfsense can not talk to it, etc. Go through the port troubleshooting doc..  All the info needed to figure out what your doing wrong is in there.. It really takes all of couple of minutes to find the problem.  Either the traffic is not even getting to pfsense, or the client is not listening or has its own firewall, not using pfsense as its gateway - or your sending to the wrong IP, etc.

@johnpoz: I still say is PEBKAC You should turn your chair over to someone else who can alleviate that problem. @johnpoz: …we have yet to get any actual details of why there is such a transition.. The OP did explain that. @johnpoz: I really don't understand this use case. Then stop making personal insults regarding something you don't understand. @johnpoz: As you can see from my test the instant I transition it uses the dns query it makes on that network. No I cannot see that from your test.  The only test results you have presented was invalid.  As I pointed out earlier.

Same here. No need to set diffrent ports for each computer either, the app seems to be using random external port to the same 4242 local so that cool too.

Well you gave me and idea, I did have these 2 rules, both have been in place a while: deny 0 10.0.1.0/22 1-65535 (Preventing any device from taking ALL external ports, including overriding other port forwards) deny 3074 10.0.1.0/22 3074 (there is a reason and xbox never had a problem before) I deleted both, of course UPNP restarted (which I had done before a few times manually). Then on the Windows 10 system restarted iphlpsvc (IP Helper) which is responsible for teredo and UPNP for it, and it registered its port fine, re added the rules restarted the service again, and again it registered it fine. Tested it a few times with and without the rules, seems to work either way now. No idea why that worked but it did. Thanks for the idea. Ill keep and eye and report if it stops working again.