4.5 edit manual outbound nat rules setting both LAN3 rules to "NAT Address" of ippublic2.

I also have some more questions that I'm hoping someone can help with (in particular i'm interested in UDP behaviour, but if you know of TCP based behaviour and any differences with UDP, that would be much appreciated!): 1. What is the behaviour of the NAT timer resets? (i.e. are timers reset only by outbound packets using a specific NAT binding or, only by inbound packets, or packets in either direction?) 2. Would I be correct in saying that by default, pfSense implements Symmetric NAT? 3. If yes to question 2, can it be changed to a restricted, port restricted or full cone variant of NAT? 4. If not, does it use a port restricted NAT? (From it's behaviour, I'm guessing it does not implement restricted or full cone NAT) 5. Does the NAT used in pfSense attempt to preserve the local host port during the binding process, if so, how rigorously? (i.e. does only the most recent request from of two local hosts on the same port bound, or does it produce separate bindings for each host?) 6. Is the NAT behaviour the same for all bindings (i.e. primary, secondary and tertiary bindings)?

ok its a certificate issue, i had to spoof the old wan's mac address onto the new wan interface card

Hate to talk to myself, but I just realized this could be potentially moved to the gaming forum. It also sounds like they have the solution over there.  Apparently the default pfSense behavior of "dynamic port" outbound NAT causes the problem.  UPnP still needs to be enabled, but it isn't the magic bullet that it was with the 360; the static port NAT option has to be turned on for the XBone. https://doc.pfsense.org/index.php/Static_Port Why the XBox One has problems with this and the XB360 does not, I have no idea (or maybe the 360 does, but the NAT tests it performs are just less thorough). I'm probably going to enable it for all of my Xboxen just to be thorough.  :)

I cannot for the life get it to route on OPT interface via manual outbound NAT to VIP on WAN parent interface…. Nothing works. Inbound is fine and routing as it should. Outbound is only via WAN. In the same second you switch outbound nat to VIP IP then it hangs outbound. Inbound still works...even routing on the VIP's.

here's an update. pfSense work if the website is in static html pages but if you place a wordpress cms behind pfsense then NAT starts to fail. This is what i have encountered.  For some reason there should be a specific port that need to be enabled for wordpress be available to the public. Right after wordpress  setup connects to mysql - boom - page turns white. I did a curl -a www.mywebsite.com and it return nothing. Just to add to the mix. I also setup a drupal behind pfsense and it is rock solid. No glitches after set up (connecting back to the database) Anyone who has experience in fixing this?

Greate!!!!!  It's working perfectly with solution 1 Thank you very much!

Doh, after a bit of googling it appears I've answered my own question. I had to enable the TFTP helper to get it to work. This setting is located at System > Advanced > Firewall/NAT and selected the "TFTP Proxy" for the LAN interface (from the perspective of where my VoIP phones are at my home office).

The CARP configuration is correct and works as designed. The issue is the private WAN link between the internet router and the CARP pair. The secondary needs to source it's address as part of one of the public VLANS which are owned by the Master CARP box. This is causing some kind of forwarding/NAT problem.

@cmb: Nothing in your post to suggest anything. Go through the troubleshooting steps. https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting If your 25444 forward is the same as your 25565 forward with the exception of being a different port, it's most likely #2 or #4 on the common problems list. for some reason accessing CMS through NAT does not work (period)!!!!

What do you mean when you say it's interfering?  Practically everyone in the world is behind a NAT'd connection these days.

I was afraid of that. I highly doubt Charter will even give me a /30, so a preferable /29 is probably out of the question. With the proxy server, wouldn't I still run into the same problem since I only have 1 public IP? Any domain I assign to my public IP would just show up as my IP with no other identifier?

no idea, but some how if i access the same server 1 from the 10.170.2.X's address its green. so i am guessing its filtering my traffic somehow

It's not currently possible. You may only have one enabled at a time.