• PFSense 2.1 Release - NAT Reflection not working

    52
    0 Votes
    52 Posts
    26k Views
    Hello everybody, Thanks a lot for this post, it finally worked great for me too!!!  8) Never would have guessed it could deal with LAN gateway… Very good job! Does anybody know where this behavior comes from? What's the link between LAN GW and NAT Reflection?  :o Thank you for your answer... and the fix! Pierre
  • Nintendo Wii U

    5
    0 Votes
    5 Posts
    5k Views
    It depends on what the application expects from the NAT. pfSense by default allocates a new source port at the WAN interface for each new outgoing (LAN to internet) UDP connection. This apparently breaks some applications that expect that each client IP-source port pair on a LAN host would retain the same port number on the WAN interface for all outgoing traffic that comes from the same client IP-source port pair, in addition to solving collisions automatically between clients that use the same source UDP port (I believe this is what is called "cone NAT"). The solution on pfSense is to use static-port on outbound NAT, but it has limitations: you can't then have two hosts on the LAN use the same source UDP port for outgoing connections because they would collide on the WAN interface.
  • Acesso externo - DNS NAT

    1
    0 Votes
    1 Posts
    829 Views
    No one has replied
  • Rsync Mirroring through pfSense fails

    5
    0 Votes
    5 Posts
    2k Views
    Apologies, All. I'll need more time to test. I don't think I'll be able to get back to this and/or provide logs until this weekend. I'll reconfigure my local pfSense so that there is a spinning disk device to which it can log. I'll then look at what's going on. I do have a very large pfSense built out of a Dell 1850 Series 2 at work. It is an egress router for our 100Mb/s service in front of 6 TMG Gateways. It does have 2 of its 5 NICs configured for NAT, however nothing is currently attached - they are for testing. I'll attach a simple Linux device [likely CentOS 6.5x64] to it tomorrow and see if I have trouble rsync'ing there. I was going to complain and say that rsync works through the Dell 1850-pfSense [and subsequent TMG firewalls], however its configuration, through which I'm rsyncing at work, is only routing, and not NAT. I need to test rsync through NAT. Again my apologies. I'll have some relevant testing for you guys to look at either tomorrow night, or this weekend. Thanks for your patience. Ryan
  • NAT rule for Squid is not working

    3
    0 Votes
    3 Posts
    978 Views
    Yes finally got it working. Thanks a lot.
  • How can create: tcptunnel(through website) through natting?

    1
    0 Votes
    1 Posts
    517 Views
    No one has replied
  • 1:1 NAT / Port Forward Over Site-Site VPN

    2
    0 Votes
    2 Posts
    751 Views
    jimp
    That isn't possible with IPsec, unless on the Phase 2, the site A side is defined as 0.0.0.0/0 to send all traffic back over IPsec (at least from a source of 10.10.20.55) It's possible with OpenVPN and has been described several times around the forum and mailing list. It requires assigning the OpenVPN interface and moving some rules around but it works fine.
  • Forward IP to IP port

    2
    0 Votes
    2 Posts
    1k Views
    Hi there, I'm a little confused by your question: is 192.168.3.x your LAN network, WAN network, something else? What's wrong with typing 192.168.3.50:8000 in your browser? If you can give us a better description of your network (post a simple diagram), maybe we can help.
  • SIP Registration Failed

    6
    0 Votes
    6 Posts
    4k Views
    Hi chpalmer, point your devices to the siproxd or to the provider's SIP server? Can you please provide some screenshots of your firewall rules and NAT settings? That would be great!  :P Matthias
  • IP Cam and Router settings

    2
    0 Votes
    2 Posts
    1k Views
    Unless you mistyped it in here, your gateway is not in the same subnet as your network. Because of that, it won't route. The gateway should probably be 192.168.1.1 or the LAN/OPT IP address of pfSense.
  • MULTIPLE IPS - WAN SETUP TO DIFFERENT LAN SEGMENTS

    2
    0 Votes
    2 Posts
    1k Views
    With IP Aliases you can assign each IP you got from your ISP to your WAN interface. However, this isn't necessary for your goal, since you have assigned the whole net segment (/28) to WAN if, but it's an advantage in clarity for handling the IPs in pfSense, I think. And it's recommended. With 1:1 NAT and port forwarding you can handle incoming traffic (into pfSense), but you want to impact outbound traffic here. So you will need to configure outbound NAT for your requirements. On the outbound tab in firewall > NAT select "Manual Outbound NAT rule generation" and click save. Then you should see a list of automatically generated rules for all your assigned subnets under mappings. Edit these rules or generate them manually if they don't exist. Under source, choose the subnet you want to handle, leave protocol, source port and destination to any, and at Translation address you can select the IP Alias you have defined before; if you don't, select Other Subnet and enter IP and mask below. Leave the translation port to any.
  • 0 Votes
    4 Posts
    1k Views
    @dotdash: Go to NAT, Outbound. (If you are not using advanced outbound NAT, change and save.) Make a rule on the WAN with the IP of the mail server/32 as the source and the NAT and the NAT address the public IP you want it to use. Move this rule before the auto-created LAN-WAN rule. Thanks… I forgot to mention that I was already using 1:1 and IP aliases. My problem was that the incoming IP was on one WAN and the server was assigned the other WAN as its outgoing gateway and therefore was using an improper IP. I added an alias to the server on the other WAN and now it is using the proper reverse. @chpalmer: You're showing your paygrade!  ;D ;D That's because your reverse DNS does not match your server's "Banner" or welcome message. We bounce people for that as well. Use mxtoolbox.com and do an SMTP test on your server. If you're behind a dynamic address then you will continue to have problems. Otherwise you can: 1. attempt to get your ISP to change your reverse DNS to match your server's banner or 2. change your server's banner to match your reverse DNS. This is not a pfSense problem. If you are determined to run your own email server I'd recommend you either hire an outside firm to help you get it set up properly or take a crash course in email.  :)    There are many aspects of running an email server that can cause you to pull your hair out that are not readily apparent. One misconfiguration and you're an open relay. Just wait when you try and come back from that! As for this… I won't get into an argument about mail server setup and which rules and guidelines who follows. You hacked around and got to me after I put my temporary fix into place. I handle the reverse and forward DNS for my domains and IPs. I handle the email server as well. mxtoolbox is reporting no errors or warnings for my mail domain and the one provider who was rejecting mail is now processing. Thanks all!
  • Enabling manual outbound NAT broke firewall

    1
    0 Votes
    1 Posts
    655 Views
    No one has replied
  • Accessing modem from inside firewall pfsense 2.1 and 2.1.1 not work

    21
    0 Votes
    21 Posts
    4k Views
    Speedtouch PPPoA-to-PPTP Bridge wow I have not seen or written those words in a long time. The default IP of the modem is actually 10.10.10.138 or see the manual for "ping of life"  procedure but don't use the 11.11.11.138 address! I think you can put them all in the same subnet. Once you have the correct subnet you will have to uncheck "block private networks" under the modem's interface.
  • NAT external IP to internal one + port

    1
    0 Votes
    1 Posts
    684 Views
    No one has replied
  • Advanced double NAT VPN question

    1
    0 Votes
    1 Posts
    740 Views
    No one has replied
  • Issue with SIP client behind the pfsense

    3
    0 Votes
    3 Posts
    994 Views
    chpalmer
    4. use the siproxd package.
  • BINAT OK over IPsec on 2.1?

    2
    0 Votes
    2 Posts
    947 Views
    jimp
    Yes, NAT+IPsec works fine on 2.1 and later. It's close to what you said: Select Type=LAN Subnet, and then in the NAT options directly under that choice, pick Network and then enter 192.168.70.0/24. Firewall rules would still refer to 192.168.1.x (rules after NAT, as always)
  • Regenerate outbound NAT rules

    2
    0 Votes
    2 Posts
    1k Views
    The rules are always generated automatically. If you want to adjust them select "Manual Outbound NAT rule generation" and click Save. After that the rules are displayed.
  • NAT before IPSec

    23
    0 Votes
    23 Posts
    7k Views
    I used with network address only. Eg. 192.168.10.0/24 to 192.168.5.0/24.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.