• Using Virtual IP to forward traffic from IPSec to external LDAP

    1
    0 Votes
    1 Posts
    675 Views
    No one has replied
  • Pfsense + wireless router (bridge mode)

    13
    0 Votes
    13 Posts
    9k Views
    DerelictD
    Looks like he needs a modem to bridge ADSL to ethernet. So either another ADSL modem without all the built-in crud like the wifi or the existing modem/router using only the modem feature.
  • No internet connection

    7
    0 Votes
    7 Posts
    2k Views
    A
    Although the scenario that you are showing is kind of messed up, just like people are mentioning above. But for whatever reasons, let's say you have a proper inter-vlan communication within each interface of PFSense. I am considering here that you have a switch behind each interface that has the .1.1 .2.1 and .3.1 vlans registered. Based on this, if you are having a problem in any of the vlans communicating through the switch then you must be having a routing problem (you should check the switch's configuration) OR, there might be something else, your Trunking configuration might be missing the 192.168.3.10 and 192.168.3.11 on the interface facing the gateway (PFSense).
  • Bsd pf to pfsense

    1
    0 Votes
    1 Posts
    669 Views
    No one has replied
  • NAT to two different webservers?

    2
    0 Votes
    2 Posts
    706 Views
    D
    Use HAProxy/SNI. https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki
  • [SOLVED]Redirect outgoing traffic port to lan port

    6
    0 Votes
    6 Posts
    1k Views
    G
    Again Thank you doktornotor! By enabling pure NAT, the LAN port forward works!  ;D
  • No SIP Registration after WAN reconnect

    3
    0 Votes
    3 Posts
    976 Views
    chpalmerC
    Look at the states to your ata device. Build a firewall rule on the WAN tab with your SIP server as the source and your ATA/VOIP device LAN address as the destination. Your ports may vary especially if your SIP server also does your actual RTP streams.
  • Port Forward Rule based on Source MAC address?

    11
    0 Votes
    11 Posts
    9k Views
    JKnottJ
    "MAC addresses don't exist on external (Internet) connections" Actually, they might, depending on what's on the other side of the router. Any "broadcast" type connection would use MAC addresses. On the other hand, point to point links might not.
  • Redirect rule all http traffic to squid

    3
    0 Votes
    3 Posts
    5k Views
    D
    @firewire: Squid is configured in NOT transparent mode, because, with bridge, Squid seems that does not work in Transparent mode. In case the OP is still alive, see this (Comment #5) https://redmine.pfsense.org/issues/1620#note-5 ; test with that line modified accordingly and report back. (Needs to be tested with 2.3.x, no one will ever fix anything for 2.2.x and the PBI crap.)
  • NAT to External Proxy

    1
    0 Votes
    1 Posts
    867 Views
    No one has replied
  • 0 Votes
    6 Posts
    1k Views
    DerelictD
    And if you don't want the filter rule generated turn it off here: ![Screen Shot 2016-12-14 at 5.14.32 PM.png](/public/imported_attachments/1/Screen Shot 2016-12-14 at 5.14.32 PM.png)
  • Dual NAT - working but connection fails

    3
    0 Votes
    3 Posts
    685 Views
    S
    Thank you for the reply. The blacked out IP is the external client IP. The visible IP is the server behind pfsense. The wireshark was taken directly from the server. I'll come back later with more packet captures from the client side and pfsense wan.
  • Dynamic two way NAT?

    3
    0 Votes
    3 Posts
    796 Views
    A
    Problem "solved". I have changed the default gateway on the sandbox to the ip of our analyzing system and added the following iptables rule: iptables -t nat -A PREROUTING -s sandbox_ip ! -d analyzing_ip -p tcp -m tcp --dport specific_port -j DNAT --to-destination analyzing_ip
  • Accessing modem from inside firewall

    61
    0 Votes
    61 Posts
    15k Views
    johnpozJ
    "So if you can, you may correct the guide" Correct the guide how.. There is nothing wrong with it.
  • 1:1 NAT to a printer outside the WAN port..?

    1
    0 Votes
    1 Posts
    768 Views
    No one has replied
  • Pfsense WAN port plugged into office LAN with same IP subnet..?

    7
    0 Votes
    7 Posts
    3k Views
    S
    Ok, thanks. I do know about subnets, at least enough to choose masks properly to set up a 10.x.x.x network, with different kinds of devices on the different subnets (we had four at a broadcast facility I worked at). I thought perhaps Pfsense might have some sort of exception handling mechanism to treat specific requests differently. The purpose of this project is to duplicate a manufacturing system we have (for testing purposes), with many unusual sensors and process controllers on one subnet, and the office LAN on the other. It's been proving to have some difficult lessons for me.
  • NAT Port Forwarding to VLANS

    13
    0 Votes
    13 Posts
    8k Views
    H
    You might want to go to Hybrid on your NAT/outbound….
  • Asterisk/SIP behind NAT

    1
    0 Votes
    1 Posts
    931 Views
    No one has replied
  • Peplink / NAT Pfsense

    3
    0 Votes
    3 Posts
    1k Views
    A
    @phil.davis: If the Peplink port forwards are working then the pfSense WAN will be receiving packets with destination pfSense WAN IP 172.16.1.2 - you can check that with packet capture. Then it should just be a port forward from pfSense WAN IP 172.16.1.2 to the inside server 10.0.1.xxx - I don't think there are any special tricks with that. But make sure not to have "Block private networks" checked on the WAN interface. I am going to implement the same idea with Pfsense and Peplink 710. I will let you know what the result is. If you already have the solution, please post it. Thanks.
  • Nat policy through username

    5
    0 Votes
    5 Posts
    3k Views
    johnpozJ
    You would normally do such a thing with a proxy that users auth to.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.