No problem - Glad it was an easy fix for you.

Philander, glad you have it working. I doubt the 8700-8766 & 5000-5084 rules are doing anything. I ended up using a different brand firewall which works with my setup, not ideal but my old firewall was failing.

Post images of your current firewall and NAT rules.  Don't change anything.

i see. that simplifies it. thanks for the reply and help

Solved its create correct My fault

True…. :P Now ping working, but openvpn no... i change setting of ovpn client to connect to the public IP. But the client not see it. here my config for openvpn: dev tun persist-tun persist-key cipher AES-128-CBC auth SHA1 tls-client client resolv-retry infinite remote 196.XXX.110.105 1194 udp lport 0 verify-x509-name "XXXXXX" name auth-user-pass pkcs12 pfsense-udp-1194-aziz.p12 tls-auth pfsense-udp-1194-aziz-tls.key 1 ns-cert-type serv [image: FWrules2.jpg] [image: FWrules2.jpg_thumb]

So in the destination IP (where I would normally enter the LAN IP address), I should enter the remote SSH server's IP? I assume that if I need to connect to multiple SSH servers, I would just create an alias with the lists of IPs?

You need to configure the NAT proxy. You'll find it in the "Advanced" section. System >> Advanced >> Networking The last section ( bottom section ) has a drop down menu with the settings you need. If you do not was to proxy all traffic you can set it as per the rule. The settings are at the bottom of your NAT rule.

Ok.  Thanks. I foolishly did not include the APs IP in the "allowed IPs" which bypass the captive portal.  I did allow a whole range of IPs to bypass, which included the APs, but altered the range recently, excluding the AP in error. For the proxy, I have now excluded private address spaces from being cached. Now working, and now disabled, now I know it works  :P It's always so obvious! Thanks for the help!

You need to enable NAT Reflection to access external port-forwarded resources from LAN like that.

It was impossible for me to get this working . I ended up just going with SSTP , I was trying to avoid buying a certificate . I port forwarded all the correct ports and IP protocols and it just didn't work. The only firewall I have used the does this correctly is Astaro…but is sucks compared to pfSense.

Hi, did you manage to resolve this issue? I have the same problem but mine says "Internet connection is not available". I have Upnp enabled and even manually set the ports. The DDNS doesn't update my ip adress to the domain name… edit It seems that it was a different issue, hyper-v was enabled and therefore the dns settings where not correct. Now it is running!

Thank you for your message. I will test that when I have enough time and give feedback.

Thanks for answers, but a solution was very simple :) I use addresses (as you can see) from RFC1918 and the pfSense default blocked this IP-s on a WAN interfaces. I disabled this block feature in menu Interfaces\WAN, then my forward rule is work perfectly. P3R: the source port of course: any Best regards Cofee

Thanks for the reply kejianshi.  I have not done any thing related to rules or NAT definitions for ISAKMP or port 500. I was just reporting early on that I saw that traffic in the traces.  I found out that my problem was not on the firewall but on the server I was trying to RDP to.  It has an Internet-facing interface and internal interface. The DG was defined on the Internet-facing interface.  When I removed that and configured the DG on the internal interface all was well.

Update:  Just reversed this whole configuration and tried using a CARP-IP on my primary WANs scope and still no luck, same results.

@johnpoz: so you only have 1 device on this opt interface - can it ping pfsense IP on that interface? When you switch from auto to manual – all the automatic nats should be listed.  But yours looked to be all manually configured.  There should be stuff for the local to wan, and there should be statics for the 500, etc.  So lets verify you didn't typo a mask or something or have something overlap? Auto really should just be left on unless you have some really oddball stuff to do, etc. So what does this device do when you do a trace.  What do you see on a sniff of the interface, etc.  Does the device mask match? etc.. Okay I got it fixed. I deleted all of the NAT rules that I had, and then re-enabled aon and I saw all of the rules you mentioned. I tried with it set on aon and I tried automatic still didn't work. Reboots in between each setting change, nothing. I found a backup from before I followed this guide. http://www.retropixels.org/blog/use-pfsense-to-selectively-route-through-a-vpn and now everything works when set to automatic. I believe that the order in which I added rules manually was why the automatic rules weren't displayed. Thanks for you help. Not sure if this is a bug or not? It was like the rules didn't really reset or something when switching back to automatic.

Could this post have anything to do with it? https://forum.pfsense.org/index.php?topic=80872.0 As soon as I have more than one active gateway pfsense seems to ignore the default and send traffic via the VPN. I'm wondering if this is why it is getting lost…