• 1:1 testing - no joy

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ
    Oh you mean the clicking random shit like nat reflection use 1:1 didn't fix it ;) heheheh  But going down your setup and checking it point by point to find out where you made a mistake.. That worked – who would of thunk it ROFL Have fun!
  • RDP to Virtual IP

    5
    0 Votes
    5 Posts
    1k Views
    V
    Sometimes pfSense needs to be rebooted to get the outbound NAT to function after a config change.
  • Assistance with an internal port forward

    18
    0 Votes
    18 Posts
    4k Views
    T
    For anyone wondering, what I ended up doing was setting up DNS entries for the different servers. Externally, they all point to the same IP, internally, to the different servers. As I get my hands on the devices with the old config, I'll update them accordingly. Since it's all going off a single IP, the external devices which I can't update would work just as well with domain.com as with server01.domain.com when it comes to the port forward externally.
  • NAT Port Forwarding Issue with Pfsense 2.2.2

    4
    0 Votes
    4 Posts
    2k Views
    M
    This isn't a pfSense issue, so much as a basic NAT error. Firewall rules apply from the top down, so your NAT rule will only work with the first entry the ruleset encounters. You're trying to port-forward using two different ports mapped to the same internal port, so the first one in the ruleset will apply. I believe you might be able to get around this by binding a second IP to the WAN NIC and setting your port map to that NIC, though I haven't personally tested this. What would probably be more likely to work would be introducing a second WAN NIC and setting the port map to that and the other port forward to the former NIC. Though from the sound of it, the more elegant solution would probably be the suggestion you made concerning a customised dialplan.
  • FreePBX and Pfsense

    7
    0 Votes
    7 Posts
    5k Views
    D
    What do your WAN and LAN Firewall->Rules look like? You might try temporarily turning on logging of the rules you think should be applied to see if they are getting triggered at all. As always, try and change one thing at a time and test…
  • How to NAT this in pfsense ????

    3
    0 Votes
    3 Posts
    947 Views
    johnpozJ
    Not sure why you would need to know this?  The openvpn wizard will auto create your nats for you for your tunnel networks.
  • NAT to access a -gatewayless- server

    4
    0 Votes
    4 Posts
    878 Views
    B
    Thanks a lot for your replies. Apparently I was doing it right but applying the NAT in the wrong interface. I didn't try yet, but for sure this is my mistake. Thanks
  • Restrict Port Forward Only From Certain Domains

    3
    0 Votes
    3 Posts
    1k Views
    D
    Just a suggestion, but it may be worth considering an OpenVPN link to bypass all this. If there are 15 random "Good Companys" then it might not be feasible, but if you're talking < 3 I think it would be worth the effort for the added security. Just my $.02
  • 1:1 NAT not working

    4
    0 Votes
    4 Posts
    2k Views
    A
    I had some problem when upgrading from a 2.1.x to 2.2.x, if you feel like trying then maybe you could try this. In System < Admin < NAT Set "NAT Reflection mode for port forwards" to NAT + Proxy Checked "Enables the automatic creation of additional NAT redirect rules for access to 1:1 mappings of your external IP addresses from within your internal networks"
  • Outbound NAT over IPsec with BINAT

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Dual WAN, but NAT rules do not work on Primary WAN

    1
    0 Votes
    1 Posts
    714 Views
    No one has replied
  • NAT all traffic from alias except a single port/IP

    23
    0 Votes
    23 Posts
    4k Views
    DerelictD
    The first rule with the source port 563 is probably doing nothing. There is no such thing as a bi-directional rule on an interface tab.  They only match traffic being received by that interface. The firewall state is created which automatically allows return traffic for that connection.
  • What could be blocking all OPT1

    8
    0 Votes
    8 Posts
    2k Views
    C
    What is your subnet mask for your DSL ip range? Ah! An excellent question. I had the default value of /32 configured for the WAN_DSL.  Every time I edited the Gateway page for the WAN_DSL, it threw an error saying that the .1 was not in the range.  The gateway was defined in the WAN_DSL Interface page (accepted it without error).  Then I was looking at dhcp for the WAN_DSL (not enabled) but it showed a really short range. I switched the subnet mask for the WAN_DSL interface to /24 and the gateway came back to online. Small piece of the puzzle fixed. Sadly it did not resolve the problem of the complete blocking of all traffic on the WAN_DSL.  Before redoing this from scratch, I had it working and I've done something, or missed something that will probably open this up. Thanks for your help.
  • Seven H.323 devices behind 1 public IP

    4
    0 Votes
    4 Posts
    1k Views
    S
    You should be good actually, I misread and didn't see where you had specified the ports on each device. In that case a proxy is not needed. It's when it's using dynamic port ranges that it has issues.
  • Dynamic DNS + Port forwarding (Internal access issues)

    8
    0 Votes
    8 Posts
    4k Views
    M
    Thanks guys. I do have different hostnames already, but I didn't think of doing multiple dynamic dns hostnames, that may be easier. Also I was thinking of using a reverse proxy for SSL termination on owncloud, so may as well go ahead and set it up to handle everything else
  • NAT redirect back

    12
    0 Votes
    12 Posts
    2k Views
    KOMK
    I could say the same, do you know the OP personally I am not the one claiming he still has the problem which our suggestions didn't solve. however creating an argument about others' opinions and thread is not really helping anyone, not sure what the point of such comments. The only 'argument' here is between people who have a history of knowing what they're talking about versus those who don't. I'm just sharing that I personally tried those "well known" solution and still have the issue. Then I guess you are cursed, or you don't have the same problem, or you screwed up the solution.  Can't tell based on you saying 'it doesn't work'.
  • Port forward when PF sense Wan address is a private address

    8
    0 Votes
    8 Posts
    1k Views
    N
    Thanks Johnpoz, That worked, I had entered the info as described in the picture except I entered the source address rather than leaving it blank, as soon as I cleared it, it worked. Thanks very much for your help Nick
  • Slow connection while using NAT reflection

    12
    0 Votes
    12 Posts
    4k Views
    D
    @doktornotor: Here's an idea repeated about 378,264 times: stop using the goddamn NAT reflection clusterfuck. No one cares how slow it is. It certainly still is faster than you wasting days and weeks or months with such nonsense instead of setting up things properly. If it's slow for you, then get faster and fix your configuration to point things to where they exist and listen. @doktornotor. I understand your position. But I am also a developer. I am not satisfied with things that "just work" or "just don't work". I am here trying to understand why it is slow and if people that use it for a long time or the developers are aware of it. But I still don't have an answer. People are trying to solve my problem, or show information that is clearly described in the documentation. Telling me how idiot and stupid I am because I am trying to understand the minor workings of a resource that nobody likes or recommends to use. I appreciate all replies, but this is not what I am looking for. IMO, it is up to each sysadmin to decide what is the best configuration to their network. If someone wants to use NAT reflection for whatever reason, I think we should ship a good solution that works the best it can. My current experience is showing that "NAT + Proxy" option is suffering from a very unusual overhead in comparison to "Pure NAT" option. I understand the differences between these options, and I know that a performance difference should be expected between them since one works in a lower layer than the other. But I still think the overhead I am experiencing is very significant to be caused only due to the service characteristics. I was able to reproduce this slowness in an idle server running simple queries to a database. My guess is that there is something wrong with the Proxy service of NAT reflection.
For example, if you tell me that "the Proxy service of NAT reflection is badly coded, nobody maintains it for years, and everybody hates both the programmer and the proxy", maybe I try to put my hands on it and code a faster one. Or if you tell "the Proxy service of NAT reflection suffers from a high overhead because it works in a high network/application layer, we already optimized it to the best we were able to, but there is really nothing much to do, there's no free lunch, really", maybe I stay quiet and satisfied with the answer.
  • MOVED: Bypass Transparent HTTPS Proxy

    Locked
    1
    0 Votes
    1 Posts
    523 Views
    No one has replied
  • MOVED: Windows Server 2012 PPTP Server

    Locked
    1
    0 Votes
    1 Posts
    617 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.