• Port forwarding issue?

    6
    0 Votes
    6 Posts
    1k Views
    R
    OK, so I finally had some time to dig into this. @johnpoz: According to your state table pfsense sent the syn, but your machine didn't answer..  Sure that machine is actually listening on 3070??  Great you opened the firewall, but if nothing is listening it's never going to work. Oh man, that was it. These port checker websites of course assume there is already some application listening on the specified port. I tried PFPortChecker from Portforward.com (nice little tool btw.) and everything turned out to be working just fine :) Thanks for your help!
  • Multi-WAN OutBound NAT Not Work

    1
    0 Votes
    1 Posts
    867 Views
    No one has replied
  • Nat Rule with An exception

    6
    0 Votes
    6 Posts
    1k Views
    M
    I'm not sure about that, seems to be what you need. I was just explaining how to make a rule to bypass your Nat rule. If you only want the proxy to be natted on port 80 then you can make that change in the outbound Nat section. By default PfSense will Nat the whole subnet.
  • Translate source and destination

    3
    0 Votes
    3 Posts
    1k Views
    S
    Thanks Viragomann!  That was easy - confused myself because we have two WAN interfaces so I just added 4 rules.  I assume I don't need to worry about Default NAT rules in Sonicwall (only Custom) like default rule below when nothing is translated. Orig Source: Any Trans Source: Original Orig Dest: LAN Interface IP Trans Dest: Original Orig Srv: Ping Trans Srv: Original Thanks!
  • Switching from /24 to /23 LAN

    6
    0 Votes
    6 Posts
    2k Views
    johnpozJ
    Your automatic mappings have an overlap 192.168.50/23 overlaps with 192.168.51/24 why are both listed there?  I would switch to manual completely and then switch back to automatic did that clear the issue..  You shouldn't be seeing both those networks in there.
  • Double router port forwarding not working

    5
    0 Votes
    5 Posts
    2k Views
    D
    Thanks much Derelict, I will try what you suggest. Thanks again.
  • Not sure of settings to use in NAT? Newbie

    17
    0 Votes
    17 Posts
    4k Views
    T
    You are SO right about that part!  Now that I just put none under upstream gateway for pfSense it now shows only WAN rules under the NAT.  Thanks so much for that!  I don't know why I had it like that.  Thanks very much for helping me!  I very much appreciate it!  I will test some stuff later and let you know! ![Just Shows WAN on NAT Rules Now.png](/public/imported_attachments/1/Just Shows WAN on NAT Rules Now.png)
  • Overlapping WAN and LAN IP ranges

    6
    0 Votes
    6 Posts
    8k Views
    jahonixJ
    Filtering Bridge could be an option, maybe?
  • 0 Votes
    15 Posts
    2k Views
    T
    OK. Looks like all is working fine now. I think the only big change I made was on the OPT2 outbound rule. I changed it from "IP Proto TCP any" to "IP Proto any" and that seemed to do the trick. I'm actually not sure why I had that set to TCP in the first place, so thanks for looking things over guys. :D
  • NAT on an entire subnet

    4
    0 Votes
    4 Posts
    3k Views
    jimpJ
    There are two things you have to worry about: translating the traffic and making sure traffic for the translated subnet returns back to pfSense.
    1. Add 1:1 NAT to map the LAN subnet to the translated subnet on WAN (interface = WAN, external subnet IP = translated subnet address, internal IP = your LAN subnet with the right mask, destination = the remote VPN subnet so it won't affect other traffic leaving)
    2. Add a static route in the upstream device (not this pfSense box!) to send that translated subnet to the WAN IP address of pfSense
    Since it hits the VPN on the next hop up that should still only end up being one layer of NAT
  • 0 Votes
    3 Posts
    944 Views
    johnpozJ
    I am also confused… What are you doing here?? 1  PFSense1-XXXX1-X1.XXXXX.com (192.168.1.1)  0.211 ms  0.181 ms  0.196 ms 2  PFSense1-XXXX1-X1.XXXXX.com (192.168.1.1)  0.301 ms !H  0.289 ms !H  0.276 ms !H Why would you have 2 hops going to the same IP? Trying to nat reflection is a bad idea.. if you have outside IPs that you're natting to inside IPs that is fine..  Why would you try and traceroute to the public IP from inside pfsense or even from pfsense if that IP is directly on pfsense? With muswellhillbilly here - drawing and full info is very helpful in helping you do whatever it is you're wanting to do.
  • Gateway Switch Not Allowing Communication Between Interfaces

    3
    0 Votes
    3 Posts
    853 Views
    Q
    @johnpoz: Well how are you going to access your other interfaces if you're sending all data out your wan? This first statement made me go d'oh! Thanks, this was a very easy fix!
  • 2.2.1 -> 2.2.6 can't use P/ARP for NAT?

    2
    0 Votes
    2 Posts
    745 Views
    jimpJ
    Nothing significant changed there. Proxy ARP VIPs still work for NAT like they always have. At some point in 2.2.x there was a problem people had where using Proxy ARP VIPs could crash the OS, but that was fixed in 2.2.5 and wouldn't have altered the functionality of Proxy ARP VIPs. Without more info to go by, it's hard to speculate as to what might have happened.
  • PfSense NAT UDP port forwarding packet lost

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Internet speed slows until everything is blocked.

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ
    Yeah I am curious what logs as well.. What do you mean you have them set to maximum size??  There is no setting in pfsense gui for log size that I can recall.  You can set how many lines of the log to display.. What are these logs filling up with??  Noise?  Maybe look to reducing the noise logged, or just plain reducing the noise it's seeing by fixing whatever is causing the noise. What else are you running on pfsense - what packages?
  • [NAT] DMZ DHCP router

    2
    0 Votes
    2 Posts
    702 Views
    M
    The source address in your rule shouldn't be WAN, it should be 'any'. Not sure about how your router is set up so if you need to make any adjustments there, you're on your own.
  • Multiple dynamic WAN ips

    2
    0 Votes
    2 Posts
    700 Views
    C
    If you have to obtain them via DHCP, that's your only option.
  • NAT reflection?

    1
    0 Votes
    1 Posts
    797 Views
    No one has replied
  • FTP issue going through 2 pfSense/NATs

    8
    0 Votes
    8 Posts
    2k Views
    D
    I get what you're saying and that makes total sense.  Thanks!
  • NAT OpenVPN network to IPSec Tunnel

    4
    0 Votes
    4 Posts
    1k Views
    B
    OK, I figured this out.  I set the IPSec DHCP to run from 192.168.5.50 to 150 then I set the OpenVPN interface to run at 192.168.5.192/26 which leaves the DHCP at the top end of that /24.  I am now able to OpenVPN into the box and cross over into the IPSec VPN.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.