• VoIP over VLAN Interface

    5
    0 Votes
    5 Posts
    1k Views
    K
    Hello, I tried a lot of configurations. But I think I made a mistake. None of your suggestions can bring the goal. So I tried to paint a picture of my network. I can resolve the DNS name sip.htp-ngn.de on my pfsense. But another PC can't do that. The pfsense got an IP-Address over the WAN interface. This interface will be the default Gateway. The network interface OPT1 is a VLAN with ID 10 and is re0. From this interface I got per DHCP the configuration for VoIP (IP-Address and DNS-Servers).
  • How to set NAT 0 on PFSENSE

    2
    0 Votes
    2 Posts
    2k Views
    jimp
    Firewall > NAT, Outbound tab. Switch to Hybrid mode, then Save. Make a custom rule, check "Do not nat" and then match the source network you want to leave without NAT.
  • FTPS behind pfSense

    2
    0 Votes
    2 Posts
    2k Views
    johnpoz
    Where did you get the idea that ftps is any different than ftp for pfsense and no proxy? ftps does not normally use 21, it normally uses 990.. Did you forward 990? The point is that ftps wouldn't work even with the proxy/helper because pfsense cannot see the control channel to even forward the data ports for you - so when using ftps you would always have to manually configure the correct ports when using passive.
  • IPSEC and NAT / SNAT / Outbound NAT

    2
    0 Votes
    2 Posts
    675 Views
    A
    Hi, please can everyone help? Best regards Alex
  • NAT not Working with HAProxy + pfBlockerNG + DNSBL?

    1
    0 Votes
    1 Posts
    689 Views
    No one has replied
  • NAT from single host

    8
    0 Votes
    8 Posts
    1k Views
    D
    Really. What is the point here? Just block the traffic if you don't want to let it out. Stop mucking with NAT and breaking everything else. The keyword here is ANY, not WAN net. Block 80/443 from LAN to ANY (or, NOT your proxy). No need to ever touch hybrid and god knows what other outbound NATs.
  • Port Forwarding - Allow only certain IP ranges.

    5
    0 Votes
    5 Posts
    3k Views
    johnpoz
    Yeah my bad in not pointing out the built in way ;) I had pfblocker on my mind from some other thread.. hehehe Derelict is pointing to the better way that is for, no offense to bcan but the pfblocker package has gotten a bit bloated ;) I need to fire up pfblocker again though.. Do some playing with latest version.. one thing that's curious is pfblocker can use HUGE sets for aliases… But the built in alias says to use small sets.. "Use only with small sets of IP addresses (less than 3000)." The US listing from IPdeny has almost 50,000 rows of cidr blocks.. http://www.ipdeny.com/ipblocks/data/countries/us.zone Can that be used with the built in aliases or will that cause a problem? Pretty sure pfblocker is another interface into the aliases.. So either he's breaking suggestions from pfsense for the size of these aliases or the text should prob be updated to the actual value that can be used.. There is the table IPs url and this allows for 30K listings, but you can only use 1 url?
  • Use NAT to Bypass Work VPN for Network Printer

    2
    0 Votes
    2 Posts
    631 Views
    R
    So I ended up having a similar requirement with virtual KVM software that allowed me to answer my own question.  The redirect to my printer did not work (I think) because I was trying to do all routing within the same subnet/interface.  When I moved the printer to another interface, everything worked fine.
  • NAT and Stun Server

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • NAT Reflection for UPnP ports

    1
    0 Votes
    1 Posts
    820 Views
    No one has replied
  • 0 Votes
    1 Posts
    381 Views
    No one has replied
  • 0 Votes
    3 Posts
    786 Views
    K
    There's only one state table and every single packet that is possible to filter gets compared to entries in that table. There are no separate NAT or filter rule tables by interface either, they are all global and rule matching uses the interface information in addition to the IP header information.
  • Pfsense behind a 1:1 NAT Firewall no in / outgoing traffic on WAN Site

    1
    0 Votes
    1 Posts
    597 Views
    No one has replied
  • Please HELP me! I tried everything!!

    7
    0 Votes
    7 Posts
    1k Views
    johnpoz
    ^ exactly!!! So now do the same test you did where you see the traffic on your wan.. Do that same sniff on your lan where pfsense is supposed to be sending the traffic.. Does it send it? Does pfsense even have an arp entry for this IP you're supposed to be sending to? If you're behind a double nat - then no you will not see this arp entry.. Diagnostics, Arp Table.
  • WAN Access from LAN

    4
    0 Votes
    4 Posts
    884 Views
    arrmo
    Hi, Actually, a bit of poking around - it seems that round-robin DNS may be just what I'm after. I think (but could be wrong!) that Unbound supports this … does anyone know for sure? Thanks!
  • MOVED: Issues With Port Forwarding

    Locked
    1
    0 Votes
    1 Posts
    487 Views
    No one has replied
  • Single Phone no RTP

    6
    0 Votes
    6 Posts
    1k Views
    C
    I solved it (sort of): on my phone server I put in my WAN IP for registration vs my DynDNS host (it's always worked in the past). The dyn host is resolving to the same WAN IP but for some reason the phone system is deciding to pull my LAN IP when I am using DynDNS in the phone system … oh well, odd issue for another day. I did go out and rip out all of the specific rules as well, phone works like a champ. Next mission, set up my sip trunks on my hobby asterisk box (hopefully that won't break my work phone lol)
  • 1:1 Natted subnet conflicts with network distribution IPs

    8
    0 Votes
    8 Posts
    1k Views
    Derelict
    All of your infrastructure should be on one or more VLANs with the customer bridges - the actual access network/SSID - being on others. Looks like Ubiquiti gear from what you have said. Should be no problem doing that. What's the issue there? 1:1 NAT does not require that the last octet match. It just means that if you have a range of 64 addresses it has to translate to a range of 64 addresses. You can translate 64-127 to 128-191. You can make, say, a 192.168.2.0/23 and 1:1 NAT to 192.168.2.0 using 192.168.3.0 for infrastructure. Lots of ways to do it. Sounds like you really have a layer 2 problem, not a pfSense/layer 3 problem.
  • CCTV Issue

    3
    0 Votes
    3 Posts
    1k Views
    C
    Thank you for your reply. I just wanted to report back in case others in my situation have an issue similar to this. So I did look at that pfsense document KOM posted but it turned out that pfsense was not even what I had to configure. Since I run a Server 2012 R2 domain in my house my entire LAN has its DHCP & DNS services handled through my AD DC. The way my cctv thing works is it has a program on it that does dynamic dns. It gives me a url that just maps to my public ip on a certain port and the program keeps it updated in case my public ip changes. So what I needed to do to fix it was create another forward lookup zone in AD DNS for the public domain of that url. Then I just created a host (A) record for the exact url and pointed it to the IP of the dvr box inside my network. So when inside my network my devices, when browsing to that url, will just communicate through the LAN to the DVR box and when outside my network it will come in through my firewall for which I have port forwarding rules set up. Thanks again for the reply KOM.
  • Which type of Virtual IP should I use for 1:1 NAT

    2
    0 Votes
    2 Posts
    584 Views
    V
    IP Alias is best used for this. Check this for reference: https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.