• Possible NAT Issue?

    2
    0 Votes
    2 Posts
    929 Views
    johnpozJ
    Thought you stated that when you go to ipchicken from your public wifi it shows the correct public IP. My guess would be that, as it is supposed to do, pfsense is caching the entries it gets from opendns on the filtered sites. opendns does not respond with nx on something that is filtered, it responds with a different IP for that record pointing to their block page, right? So let's say you're looking for blockeddomain.com that on the public resolves to 2.2.2.2, but this is filtered in opendns to resolve to 6.6.6.6. Now when someone from your public wifi asks pfsense for blockeddomain it says hey sure I have a cached entry for that, 6.6.6.6. Are you using the forwarder or resolver? I assume the forwarder if you're forwarding to opendns, you could maybe use the resolver for your public wifi users and have overrides in it for the local stuff you need them to resolve.
  • NAT 1:1 with Virtual ip + custom MAC

    4
    0 Votes
    4 Posts
    2k Views
    ?
    Sorry was on my mobile last evening when I replied here. The Gateway is only configured on the WAN Interface. You want to add an OPT Interface for each additional IP and configure them as normal but with /32 mask for each IP and with no gateway set. In the VM Settings within ESXi you set the MAC addresses accordingly on each interface. Do not use the MAC spoofing feature within pfSense, we had issues with that. With that setup the traffic of your additional IPs should originate from the corresponding MACs and the switch of your ISP should be happy. We had this setup running for about two years without any issues.
  • PPTP Being blocked even after adding a pass rule

    3
    0 Votes
    3 Posts
    727 Views
    C
    Some specifics of things with PPTP are unreliable on many things. But port forwarding the TCP 1723 and GRE is no issue. Connecting out to a server from a single client also no issue.
  • PFSense accessible from internet! How to stop

    5
    0 Votes
    5 Posts
    1k Views
    B
    @Cq171d: Oddly, once I removed that rule it was still accessible until I eventually restored from a previous load. One thing a lot of people don't seem to quite grasp is removing a firewall or NAT rule will not yield instant results, especially with stateful connections (e.g. TCP). You will have to reset the states in Diagnostics > States > Reset States which will kill all connections coming/going through the network and cause the system to re-evaluate each connection as if it were a new one against firewall rules.
  • Problem with NAT. Can't forward port from WAN to LAN.

    29
    0 Votes
    29 Posts
    12k Views
    T
    Hi farion Your dropbox-links are annoying, because they are no longer available - and therefore other users can not benefit from this post: your pictures are missing now :-( It would help if you just attach pictures to your posts as other users are doing. Thanks a lot in advance, kind regards, Tom
  • [Solved] Using IP Aliases as NAT destination rule?

    9
    0 Votes
    9 Posts
    6k Views
    DerelictD
    That port alias bug will be fixed in 2.3.1_2.
  • No NAT on outbound

    2
    0 Votes
    2 Posts
    865 Views
    D
    Figured it out. Was the NAT 1:1. Need to set the Translation to the correct static IP. All is working now. Sometimes just laying it out pulls out the answer
  • Double natting + plex

    2
    0 Votes
    2 Posts
    1k Views
    T
    Could be something to do with your firewall rules or outgoing tab under NAT in pfSense. Do you have it set to manual or automatic?
  • Nat on pfsense

    3
    0 Votes
    3 Posts
    1k Views
    johnpozJ
    That is done automatically when you install pfsense, change pfsense lan IP to be the network you want and there you go that would be natted to your public IP.
  • NAT on WAN2 failed if WAN1 down

    2
    0 Votes
    2 Posts
    840 Views
    jimpJ
    Your telnet to port 80 is likely going to squid, and then failing because squid can't get out (no default gateway). Activate Default Gateway Switching under System > Advanced, Miscellaneous.
  • Routing website to use specific WAN interface. (RESOLVED)

    2
    0 Votes
    2 Posts
    1k Views
    G
    Answer my own forum ;) This issue is solved by using Firewall Aliases & Firewall Rules. Firewall Aliases & Firewall Rules: Firewall Aliases - IP > Add - Properties: Name = (Aliases Name), Description =, Type = Host(s), IP or FQDN = (Domain IP Address), Description =. Firewall Rules - Lan > Add (leave everything else as normal except Destination): Destination = (Single host or Aliases) / (Aliases name) - Advanced Options - Gateway (Choose WAN interface). Click save.
  • FTP Port Forwarding Issue

    13
    0 Votes
    13 Posts
    4k Views
    P
    Thank you all and a Big thanks to johnpoz  for the extra help
  • NAT issue sending traffic over an established VPN

    1
    0 Votes
    1 Posts
    765 Views
    No one has replied
  • [Solved] Multi NAT

    3
    0 Votes
    3 Posts
    1k Views
    S
    What's works. Thank you very much
  • Port forward 443 issue

    2
    0 Votes
    2 Posts
    890 Views
    N
    Sounds like you're getting your firewall when trying to get to a service via your public IP. You need to set the NAT reflection on the rule to Enable (Pure NAT).
  • PPPoE interface 1:1 NAT to local computer

    1
    0 Votes
    1 Posts
    815 Views
    No one has replied
  • Multiple email servers behind pfsense

    13
    0 Votes
    13 Posts
    4k Views
    DerelictD
    Post screenshots of what you have done.
  • 0 Votes
    3 Posts
    1k Views
    K
    Do you have limiter? It kills NAT reflection. I'm sure that squid in transparent mode does not kill it unless it's new on 2.3; I'm running on 2.2.4.
  • 0 Votes
    3 Posts
    2k Views
    K
    Hello, Thank you for your reply. The firewall rules are as follows: With specified gateway: Protocol: TCP/UDP, Source: vlan3098, Port: (meaning any from my understanding), Destination: * , Port: (of destination), Gateway WAN_PPOE, Queue: none. With none specified: Protocol: TCP/UDP, Source: vlan3098, Port: , Destination: * , Port: (of destination), Gateway *, Queue: none. I have tried it both ways since posting and it still does not work for VLANs only. When setting up a normal interface it's all working fine, hence why I am at a loss. Please help if you can. Thanks again. Kr01c
  • Enabling OpenVPN Server Results in every-other connection failing

    4
    0 Votes
    4 Posts
    1k Views
    R
    Just as an update; this has fixed it. I assigned interfaces for all the different varieties of OpenVPN (dial-in, clients) and created explicit NAT rules for them, and voila it works. Thanks viragomann
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.