  • Cannot reach bridged DMZ from natted LAN

    0 Votes
    1 Posts
    673 Views
    No one has replied
  • Multi WAN and double NAT

    0 Votes
    1 Posts
    552 Views
    No one has replied
  • Connection Drop after 10 Seconds, TCP, HTTP

    0 Votes
    26 Posts
    8k Views
    @Nullity: I wonder why tcp.first & tcp.open made an impact since I assume tcp.established should be the only relevant parameter. I'm too curious to leave it alone but I guess if it works, it works. Why did you change state tracking to sloppy (or none?)? I've switched it back to sloppy for the moment, if it still works set back to normal then I will move it there permanently, I set it that way in troubleshooting tho.
  • Port forward egress packets not being rewritten

    0 Votes
    4 Posts
    1k Views
    Thanks - just found the bug having established the connection! https://redmine.pfsense.org/issues/4326 That explains why it broke after the upgrade from 2.1.5 :-(.
  • LAN Interface stops working some times - pfsense 2.3.2

    0 Votes
    5 Posts
    1k Views
    @devert: I'm running pfsense 2.3.2 on a Watchguard Firebox x750e. Sounds like it could be driver or hardware related, but likely work-around-able if you can figure out why it's going for a loop.  I've personally had very bad experiences on every piece of watchguard hardware I've ever had the misfortune of using, but that's mostly with their rom still on it, only twice with one that was pfsense loaded (550e's, not 750s). I know it's a stab in the dark, but if you have it enabled, try disabling any of the offloading options.  I would lean towards it being directly related to the nic itself, or the driver in use.
  • IPTABLES to pfSense translation question

    0 Votes
    1 Posts
    462 Views
    No one has replied
  • Replicating a Sonicwall NAT rule on PFSense

    0 Votes
    3 Posts
    689 Views
    Yeah! Magic or not, it worked immediately!! :) I'm super grateful for your quick help, Derelict!
  • NAT on 27 net not working

    0 Votes
    8 Posts
    1k Views
    johnpoz
    What VM software are you running on - there are some stickies on having to do some settings on some of them..
  • Bulk add SNAT rules for 1024 public WAN IPs (datacentre project)

    0 Votes
    2 Posts
    549 Views
    To map whole subnets should be possible in pfSense outbound NAT. You can add a rule for a source subnet and at Translation select "Other subnet" from the bottom of the dropdown and enter your public subnet below. Maybe you also need to select "Bitmask" from the pool options. If you need special mappings defined in a translation table, there will also be a way to script it. Go to Diagnostics > Backup & Restore, select NAT at "backup area" and download the XML file. Open the file in a text editor and take a look at the rules to get an idea how they are constructed. This way you may build up your additional rules and insert them in the XML in the <outbound> section and import the file after in Diagnostics > Backup & Restore.
  • Cisco VPN pass through very slow when behind pfSense

    0 Votes
    3 Posts
    2k Views
    Did you find a fix? Tim
  • Question about Multi WAN in and NAT

    0 Votes
    2 Posts
    548 Views
    I have an identical setup apart from WAN2 is a dynamic IP. If you wanted to ensure at least one route IN to your network, you would (I presume) need to use some form of load-balancing outside of your network (i.e. on the internet) or a DNS provider who will try IP's in a round-robin method if one of them is down. There is nothing you can do inside of your network as if WAN1 is down, pfSense has no control of traffic coming from the outside to it. If you mean NATting internal to external, if you add both the gateways to a gateway group, the default behaviour is to load-balance outgoing traffic, so the internet will see traffic coming from two different IP's - this is how I have my system set up - it works fine mostly (i.e. I effectively doubled my download speeds when using multithreaded download clients) BUT it can wreak havoc if a website (such as an online bank) has security measures in place which detect a change in IP address. To get around this, I am "whitelisting" certain sites which I know don't like the multi WAN setup and using a firewall alias to tunnel that traffic over WAN1 (my primary connection if you will).
  • Outbound traffic blocked? NAT issues?

    0 Votes
    13 Posts
    7k Views
    @Nullity: Yeah, I think a fresh start is a good idea. You never know what settings you may have changed while newbishly clicking random things (I've done this many times myself… dangerous). Ok I will try this out and see what happens. I have a 60GB SSD coming in so this is all somewhat of practice and somewhat of try, fail, try, fail… Hopefully it becomes a success. Alternatively I will end up buying solely a cable modem, even though I literally just bought this modem/WAP. We'll see! I'll update you guys. I really appreciate the help!
  • I'm having a problem with port openings (including NAT)

    0 Votes
    3 Posts
    670 Views
    Thanks for the information! It seems that at least some of the ports are opened. :) Obviously some of the ports opened right after client's restart so it might have been up to that. Let's see how will this work in the future.
  • 1:1 NAT & reflection on multiwan not working

    0 Votes
    3 Posts
    1k Views
    I had a similar issue, and found this post helpful: https://forum.pfsense.org/index.php?topic=74241.0 Needed to add a LAN->LAN rule with default gateway set (not the MultiWAN that got changes in the default lan to any rule)
  • Issue with plex server after reboot

    0 Votes
    12 Posts
    2k Views
    johnpoz
    " clients get the public ip's from the vpn-provider." The client is doing no such thing!!!  pfsense gets an IP from your vpn.. So your vpn interface on pfsense if it sees traffic to 64603 it forwards it to your plex server 192.168.1.8.. Here is the thing how does rebooting your plex server have anything to do with that??  Nothing!! It has NOTHING to do with that.. You could reboot every device on your network and does not matter.  You set pfsense to forward traffic it sees on this interface's IP on this port to this 192.168.1.8.. Doesn't matter if plex server is running or not.. As long as pfsense can arp for the mac of 192.168.1.8 it would send the traffic there. So what I would suggest is you figure out why when plex restarts you're having whatever problem it is you think you're having.. Again.. How are you trying to access plex server - from where??  Why don't you go to can you seeme.org and generate traffic to your IP that you have on your vpn interface.. To the port 64603.. Do you see this traffic at pfsense?  Sniff - does pfsense send it on to 192.168.1.8?? You got failovers on your multiple wan options, you have an overlap in your manual outbound nat.. So which one is getting used the /24 or the /26 etc. etc.. Since that would be an overlap for your 1.8 address..
  • Block IP but redirect traffic to internal server.

    0 Votes
    1 Posts
    496 Views
    No one has replied
  • Port-forwarding: Clarification needed

    0 Votes
    9 Posts
    2k Views
    Alright, looking at the IP of the Port Checker was the right call because it showed that the traffic on 10.0.0.51 was using the OpenVPN interface on the PFsense router. It should not have been doing that though. Maybe it's paranoid? In all seriousness thank you for the help!
  • NAT Hairpinning / Reflection / loopback [Solved]

    0 Votes
    10 Posts
    5k Views
    In VM NAT reflection, on real network Split DNS. Leo
  • Troubles port forwarding HTTPS

    0 Votes
    5 Posts
    3k Views
    @doktornotor: Yeah, DMZ won't normally DMZ the webGUI port, otherwise you'd just get cut off. Bridge the DSL modem. Does not help? Check the ISP about 80/443 blocking. I feel really silly right now. I logged into the internet router (192.168.1.1) and noticed that port 443 was still configured for the server's old address prior to being moved to the pfsense network. I have removed the NAT config and left DMZ configured and everything works now.
  • RDP NAT/FORWARD

    0 Votes
    6 Posts
    2k Views
    @KOM: do you mean I need both NAT and rules ? I mean when you create a NAT it create automatically a rule on the WAN side? Yes.  Normally the associated firewall rule is automatically created unless you tell it not to. When your "WAN side is 192.168.100.20", obviously no forwarding will be possible without configuring the "upstream" router first. He mentioned LAN-side on the Cisco so I'm assuming he's trying to access from 192.168.110.x.  Can you clarify, Jamerson?  Which network are you trying to come in from? Thank you so much guys, had to reboot the PFSENSE and stuff started working. Probably after creating the NAT rule some hangs, the reboot fixed it. Much appreciate your support.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.