all done @kom KVM Setup OS: Linux 3.x Bus: SCSI 0 Storage: local Disk size GB 50 Format: qcow2 cache: no Cache CPU: socket 1 Cores:1 Type: qemu64 memory: fixed size 2048MB Network: NAT mode model: Intel E1000 call up Installer Accept default settings Quick/Easy Install Standard Kernel reboot ============= then it start asking about VLAN y/n and about WAN port and so one and i use: pfSense-LiveCD-2.2-RC-amd64-20141211-0341.iso

So I had a buddy do a sniff with his xbox - and seems the only inbound port is 3074, the 88 is outbound even..  Which makes sense since the xbox would be logging in [image: port88.png] [image: port88.png_thumb]

ISPLAN y.y.y.y/26 are real public IPs. So you just want pfSense to route those, and not do NAT. Firewall->NAT, Outbound - switch to Manual and delete the NAT rules for that y.y.y.y/26 interface. For initial setup and testing put: pass rule on WAN to allow source any, destination ISPLANnet pass rule on ISPLAN allow source ISPLANnet destination any Now put a test device in ISPLAN, you should be able to get out from it to the internet. The ISP should be routing anything for y.y.y.y/26 to your public WAN IP, so get on the real internet and try accessing that ISPLAN test device. It should be reachable. Once you know the routing is working fine, then put more restrictive rules on WAN and ISPLAN to allow only what you really want, and setup the real servers…

How are you validating your port forward?  From pfSense WAN side or from Cisco LAN side?  Does the Cisco know about the pfSense box and routes its Internet traffic through it?

IT IS FIXED! =D Silly me, I was using [pfsenseuser]@10.114.113.131 to get to the other machine whereas I should have used [clientuser]@10.114.113.131. When I changed the command to the correct one, I was able to login to the ssh server running on the client machine (10.1.1.20). I implemented a different port for that client so that I could access both the ssh connection on the pfsense and the client machine. Everything is working now. Thank you so much for all your help, good people! =D

Dude - remove all your forwards.  Enable UPnP - does it work now?  What parts are in use. Disable UPnP and put in the forwards manual.  Or just leave UPnP on.. You do not need both for it to work.. either UPnP will work, or you correctly forward the ports.  You do not need both.

In Outbound NAT you can add manual rules - I would think you can add rules with source IP = internal IP of the server destination IP = any translation address = the public IP you want At least that will translate the internal IPs to the desired external ones. But I suspect the traffic will still all go out the default interface. Your ISP may or may not accept that???

I wish I could help more but I've never configured a reverse proxy.

Or just check Diag>States.

Thanks Derelict!!!!! The Changes were: NAT Rules - Static configuration from my LAN 172.16.0.016 to my Public IP. Rules: . If I want to reach any IP from my LAN Network, the firewall must be return the traffic to the switch. And also I must be change the LAN from 172.16.9.0/24  to 172.16.0.0/16. After these change my network are function correctly!!!! Very thanks!!!!!!!!!!

Thanks. I'll give it a go. Told you….I'm new to networking and especially pfsense.

so you have some rule on your wan that would block specific networks?  Or your port forward..  Post up your wan rules and port forwards.  Is there some route on it that would have it going the wrong place for specific networks? Can not ping it even..  Do you have ping allowed on your wan rules?  Doesn't ping from other locations either.

Sure looks like double nat issue to me as well, pfsense has 192.168.2 address on its wan?  You don't specifically show that. As tjsummers points out, your best option is to remove the double nat, ie bridge your isp device so that pfsense has public on its wan.  Or stop using lame ass software that does not support dns ;)

Hi, installed the haproxy-package and changed all LB-Jobs to the haproxy. Now everything is working fine again!

i need that the user will type 'ssh root@10.0.1.200' … so that the proxy will be transparent

Here's some things to look at. A packet capture is a real help with SIP.  You'll see your internal IP address in the "From" field.  Unless your SIP device has the capability to add a "VIA" field with your external router address, the far end typically will look at the SIP "from" field and send it there.  Unfortunately, that is the internal private address. One of the things Sipproxd does is rewrites that field so the return traffic knows to go back to your router IP address. Set your device for options keepalive to say 30 seconds.  This will keep the state up and will allow the incoming traffic in.

I had to re-boot to make my bridge work correctly after I installed it.  YMMV. Make sure you make an outbound firewall rule allowing that device to all on its new interface. Good luck!  :)

And you don't need to change outbound NAT - what you did will not break anything, but it won't help either, and when you add more LANs you would have to remember to add the manual outbound NAT entries for them. As Derelict says, post some screen shots of the Port Forward and firewall rules.