It will show that in the log, but the state table should show it getting NAT applied. Still, a NAT rule like that with a source of any is an awful idea. Match the traffic more precisely (source = your WAN IP address, destination = any, port 69) Though TFTP is a mess of a protocol, it'll still probably need some other nonsense to make it work.

Hi CMB, Thanks for the reply. I have already tried the NAT without the rule, with no success. Perhaps something with the ProxyARP IP address. It does seem to work OK directly on the WAN ip address

Hi cmb, Thank you for your reply. My ISP had provided me with the WAN IP and /28 which is supposed to be routed as you said …. I'll follow up with them. Regards.

huh??  If you want pfsense wan to have internet it needs to point at the gateway that gives it internet.

Brilliant! I removed the 2 NAT rules I added earlier, and added a new rule for the WAN interface, with the source as the /26 network, and selected No NAT.  I switched it over to hybrid, and made sure the server was still online and that NAT was disabled for it (using a cURL command to send a request to a public IP return service).  My backup LAN device still wasn't able to get out, but I looked down at the automatic rules and noticed that even though they included the LAN network in the source (all interface networks, actually), they were set for only the WAN interface.  I created a new rule on the LAN interface with the LAN network as the source, and selected Interface Address for the translation address.  Now the LAN device can get out on the main IP and the public routed subnet works fine also. Thanks, this was helpful.

Packet filtering and address rewriting are two separate processes in PF. Regardless of the address rewrite method you have to allow access with packet filter rules and the filter rules will be identical in both 1:1 and port forward NAT cases assuming that the goals are the same in both cases when it comes to access.

Quick note-  If you really are using 172.0.0.1 as your LAN you shouldn't be-  Unless your using AT&T uverse and have public IP addresses on your stuff. Private space starts at 172.16.0.0 Lookup Result for 172.0.0.1 | IP Address: | 172.0.0.1 | | Host of this IP: | 172-0-0-1.lightspeed.brhmal.sbcglobal.net | | Organization: | AT&T U-verse | | ISP/Hosting: | AT&T U-verse |

Thank you! It is incredibly helpful getting re-pointed when feeling stuck in the middle of a problem. And overlooking what should have been an obvious cause. (Trees for the woods etc).  :) Confirmed packets were going to PBX and I had completely missed the integrated firewall. Silly mistake, but hopefully this may help another. Thanks Again.

Ok, you're right. I will keep them in one topic for future problems. I don't think I can merge them myself. Any idea how I can solve the NAT problem?

@boss_001: If i want to use vip, what type do i use and how do i make roules in the firewall and/or outgooing NAT? Type  ? IP Alias, CARP, Proxy ARP or Other? Depends on your situation. Usually IP alias. https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

Found the solution in this topic : https://forum.pfsense.org/index.php?topic=43507.msg225529;topicseen#msg225529

Found the solution in this topic : https://forum.pfsense.org/index.php?topic=43507.msg225529;topicseen#msg225529

So the packets don't reach your WAN interface obviously and it will not be a pfSense issue.

You were both right on the money and after disabling the default rfc1918 rule I'm up and running.  Thanks!

This was a Elastix issue and not related to pfSense. Mods can close/delete thread.

That list covers just about everything it could be. You'll probably have to start looking at packet captures to see where you went wrong.

your dest shoudl be 22.. Agreed you don't know what port the traffic will come form.. But you do know it will be going to 22..

@johnpoz: All you need to do for this is simple port forward, clickity clickity done..  It will auto create the firewall rule for you - the only thing you might have to do is move the rule up the wan list if you had something that would block it. Forward your ports 80 and 443 to whatever IP 192.168.1.25 Then test from outside.  If no work then check the troubleshooting doc https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting And by that, do you mean create the PF under the NAT Tab? If so, I already tried that and had no luck. Is there anything that I need to setup extra on my IIS Server? EDIT: Added screen shot of Port Forward rule: https://postimg.org/image/wbsh0fs3r/

Thank admin, This is my config, IT's WORK ! Steps: #1/ FIREWALL->NAT 1:1 [image: 838964524c9f49adafe47126a298492c.png] #2/ FIREWALL->NAT OUTBOUND: [image: fb4ebdad5da141a786e10838329e6c9d.png] [image: 81c80cd831e84a14a379e862fbdffd60.png] #3/ FIREWALL->RULES->WAN: [image: 18f97722b9ff45a48d8ab0af00689c95.png]