• PFsense and Fetchmail

    2
    0 Votes
    2 Posts
    1k Views
    T
    OK, additional information after looking into logs from old behavior (previous firewall) and new behavior (PFsense). It appears what is happening is that we are seeing timeouts (port closings) for approx 3 minutes in between account checks for our email. Email config is Outside = Google. Internal = Linux server. So fetchmail starts up, accesses Gmail for account 1, username/pword passes, email is pulled, and then we see time out for ~3 minutes. I think this is when the system closes the initial connection for Account 1 and prepares to move to account 2. When it requests the port open for account 2 I believe there is some sort of default behavior that pfsense is doing that closes the port for X amount of minutes before allowing another connection to be made. Which in the end equals 70ish accounts averaging 1-2 min per account to pull email + 3~ min time out between each account + 16.6 minutes (1000 seconds) for the default time to run fetchmail at the end of all accounts being pulled = a whole long time to pull email. If someone can shed some light I would appreciate this. I have found looking around under System>advanced>firewall a couple time out options. But I didn't know if they are related to having a time out on the ports, also there is a NAT reflection mode timeout. I don't believe that is related to what I need or not. After a meeting this afternoon we are in the process of purchasing the VK-T40E firewall/Router on the hardware page, but I will need these configurations set up for that one as well.
  • 0 Votes
    2 Posts
    2k Views
    B
    I've helped myself. Obviously I had to restore outbound NAT rules. I don't know if I deleted NAT rules while playing or the NAT rules couldn't be built if the LAN interface is disabled. Resolution: I reinstalled pfSense with 2 interfaces. I've set up everything including OpenVPN. Then I switched outbound NAT rules from "Automatic outbound NAT rule generation" to "Manual Outbound NAT rule generation" and then changed Source addresses from LAN subnet to the subnet where the WAN interface resides. Also NAT Address has to have value "WAN address". The final step was to disable LAN interface. Now if I create OpenVPN tunnel I am able to access servers which are in the same LAN as the WAN interface. ![Firewall_ NAT_ Outbound.png](/public/imported_attachments/1/Firewall_ NAT_ Outbound.png)
  • Deleting individual UPnP forwards

    2
    0 Votes
    2 Posts
    717 Views
    F
    So I've read that pfctl doesn't support adding or deleting a rule like iptables does. Is that still the case? Is there a way I can dump the rules, modify them, and then reload them?
  • RouterModem + pfsense Router

    2
    0 Votes
    2 Posts
    942 Views
    V
    You should switch the router to bridge mode if this is possible and configure your public IP on pfSense's WAN interface. In your setup you do double-NAT and there are issues if you want to reach a host behind it from the internet. You may also switch your pfSense to bridge mode, but when you do so you cannot use services on pfSense like captive portal or VPN server.
  • 0 Votes
    2 Posts
    726 Views
    V
    Why don't you kick the router away and let pfSense do the whole work? If you want to use DHCP and captive portal on pfSense it would be inevitable to have different subnets configured at its interfaces, so it will have to do NAT also.
  • NAT not working after update from 2.x.x to 2.1.4

    2
    0 Votes
    2 Posts
    719 Views
    V
    This can occur if the overall table entries exceed the configured maximum table entries. pfBlocker uses some huge tables, so it will be required to increase this value. You can do this in System: Advanced: Firewall and NAT.
  • /29 ip pool internet is not working

    1
    0 Votes
    1 Posts
    668 Views
    No one has replied
  • Yes Another Port Forwarding Issue.

    6
    0 Votes
    6 Posts
    2k Views
    V
    Glad to hear that I was of some help :)
  • 1:1 NAT and NAT Reflection Advice

    4
    0 Votes
    4 Posts
    1k Views
    D
    I went through something very similar recently. It was regular NAT, not 1:1 NAT, but the same principle. My internal users couldn't access our email server or web server using the public server names.  I too ended up using Split DNS just as KOM describes it. While I would like to know why NAT Reflection didn't work for me, I am very happy I went with the Split DNS setup. In fact, it took less time to convert to Split DNS using BIND than I spent on messing around with NAT Reflection.
  • Problems with NAT

    2
    0 Votes
    2 Posts
    731 Views
    KOMK
    What do you have in your port forward list?
  • Multi LAN Subnets

    7
    0 Votes
    7 Posts
    2k Views
    DerelictD
    http://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.networking.doc%2FGUID-A9287D46-FDE0-4D64-9348-3905FEAC7FAE.html
  • Voip one way audio on incoming calls and drops after 30 seconds

    7
    0 Votes
    7 Posts
    10k Views
    A
    Hi, mattb253, you've mentioned you're quite good in asterisk. I'm new to asterisk and have an issue, I wonder whether I can run it by you and see whether you can help. Regards, Aldulaimi
  • Massive headache!

    2
    0 Votes
    2 Posts
    801 Views
    KOMK
    In general, you need to enable NAT reflection to access internal servers through the firewall's external interface, or run split DNS (you run an internal DNS server that resolves everything to local LAN addresses). As for Minecraft, if you can't seem to figure out what's going on, then do a packet capture when trying to connect and see what gets blocked. I also run a Minecraft server but I do it via Linode.
  • Outbound NAT At My Limit

    17
    0 Votes
    17 Posts
    3k Views
    S
    Workstation on LAN accesses Webserver on VLAN by way of domain.com, dns call goes out to determine IP of domain.com = 24.111.111.111. Server should think request is from IP 24.111.111.110 (pub IP of LAN). Perhaps this should be accomplished with a static route?
  • vpn only one direction, but I need both directions: makes me mad!

    2
    0 Votes
    2 Posts
    806 Views
    C
    nobody?  :-[
  • VOIP with NAT

    16
    0 Votes
    16 Posts
    6k Views
    R
    I am finally able to call in both directions, :), the final problem was the STUN which is needed in my case; without STUN the phone registers with its private IP. Unfortunately the forward is not working as yet. I'm not sure if I should open a new thread for that or not. Here is the description: Cisco phone is configured to forward all calls to a cell phone. Calling the Cisco phone redirects to the cell phone, but it's either - not ringing, instead I get the "switched off behaviour", which is voice-mail in this case - ringing once, then goes to voice-mail. If voice-mail is not activated, the message is the "The phone.. is currently switched off". My ISP says the call gets redirected correctly to the cell number.
  • Nat is not working.

    1
    0 Votes
    1 Posts
    787 Views
    No one has replied
  • Port forwarding problems

    15
    0 Votes
    15 Posts
    4k Views
    J
    You also need a firewall rule on your WAN port allowing that traffic to traverse from outside in. Do you have that? If you do have the rule, turn logging on for that rule, then check the firewall logs to see if the connection shows there.
  • VLAN's and NAT

    1
    0 Votes
    1 Posts
    644 Views
    No one has replied
  • [Solved] Port forward problem - in but not out

    4
    0 Votes
    4 Posts
    1k Views
    V
    Sometimes topic owners edit the subject (or a moderator does it), and add [Solved] to the beginning, but I don't think it's a written rule that says you must do so.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.