;D Problem solved. Windows VPN behind NAT how to do it? Don't connect to public ip.

You need "NAT Reflection" turned on. Even then, I would not use it. I would instead use split or internal only DNS resolution. It is much faster and less prone to problems.

Phil, In a way, I have to say that this is excellent news, at least from the standpoint that it explains the situation. And honestly, my intention wasn't for NAT rules to be automatically generated. I really just wanted to understand why it automatically made the rules in manual mode and not in automatic mode. In the end, if the rules have to manually entered, then so be it. At least it would be consistent. So thank you again for your time and for starting a bug report. I'll keep an eye on the progress. Best regards, Mike

Thanks all.  I'm not sure what been going on, but going back to the old method of manually creating the rules after making the NAT seems to work. We're still seeing issues with the CARP and it's only occasionally. Mar 13 02:36:37    kernel: lan_vip4: link state changed to UP Mar 13 02:36:34    kernel: lan_vip4: link state changed to DOWN Mar 13 02:36:34    kernel: lan_vip4: MASTER -> BACKUP (more frequent advertisement received) Mar 13 01:23:17    kernel: lan_vip4: link state changed to UP Mar 13 01:23:14    kernel: lan_vip4: link state changed to DOWN Mar 13 01:23:14    kernel: lan_vip4: MASTER -> BACKUP (more frequent advertisement received) I'm starting a new topic relating to that.

Sounds as if you are having a port routing issue with the DVR / CCTV setup itself , these ports can be found by accessing the unit locally in the network settings. Many units have different port settings, so please check with your specific unit before adding any port forwards. Make sure though you have a static DHCP reservation to the DVR Insure proper ports are forwarded on the WAN to the static IP reservation There will be at least three ports - that will need forwarded Mobile - many times :15961 Server - many times :10000 HTTP - generally :80 By the looks of your screenshots, you should not be natting these ports to  :80 - they should simply be forwarded to the DVR on the same port the unit is setup to accept. Just forward the ports from WAN, to the DVR

Solved:  Turns out that sometimes if you go through the setup too fast you can end up setting the LAN interface as the default gateway …  Fix is deleting it from System: Gateways.

Thanks phil, I was not aware of that. I am thinking squid was not the problem anyway, as I had the reverse proxy turned off, and I don't think the web cache part of squid binds to an http port, but I could be wrong on that. My web services are still up, I don't have a clue what happened.

Could you post a traceroute screen shot from one to another? From another post where someone got it working, so I thought I would ask here. Is the Windows firewall disabled?

Check the source. You probably have a routing issue resulting from not NAtting the original connection. Just a guess though. I would perhaps try a 1:1 NAT instead. Then again, I have never tried something like that with pfSense.

Maybe a problem with your PASV mode settings?  Typically FTP over NAT needs PASV mode with additional ports set up.

@jswj: You welcome, Michael. Also, I play around a little bit with Packet Tracer to simulate your situation, I hope this is what you are looking for: [image: routing101_zpsa75feee7.jpg] Like I was mentioned before, you need to sort out routing on each device, specially on the Layer 3 switch inter vlan. The configuration above works ok, from the PC on each VLAN are able to connect up to the MODEM WAN interface. Do not mind the right side of the modem, as I only try to pretend that the WAN side is the internet. Dear Julius , Once again thank you for your time and your reply . The problem believe me in not the cisco devises ! I can configured them to do whatever you  want .  Routing with any protocol you want , swiching at any level  , pbr , sla , etc …. my problem is with the pfsense box ...  it doesnt make any sense at all ! i am able to configure an asa in 5 minutes , and i cannot configure the pfsense just not to do nating the whole week . xa xa xa xa it is ridiculous . Anyway once again thank you for your time .

DHCP in settings for host-only adapter is turned off, but it is on in pfSense, yes. I will try to play with that when I get some time (day or two) and see what comes up… Thanks for your help till now, I'll report results. edit: yes, you were right, two host-only interfaces were the problem...thanks again

Have you created firewall rules specific to the ports / IP's you need to access ? Did you create a virtual interface ? Aside this why could you not simply access the modem via IP Doing this seem futile unless you have more than one public IP then you'll need to create a 1:1 nat or otherwise.

Hi, I have the same problem, I searched the forum and there is some info but not a precise way to solve this issue. What I cannot understand is the reason why there isn't a way to add this feature " clear all states when WAN IP recover" officially However, if anyone has news on this it will be appreciated. The only topic I found that's interesting, but I have not tested the solution yet, is this: https://forum.pfsense.org/index.php?topic=65004.0 I don't know if this can help

after making any changes, there should be a button on the top saying "Apply Changes".

you need to set up forwarding the port number of ekiga to you ekiga server, which I believe its inside you LAN. as you already have the list of ports, go to the NAT page, on the port forwarding set as follow: rule 1: source: any port: any destination: WAN Address ports: 5000-5100 type: udp destination: ekiga LAN IP destination port: ekiga port 5000-5100 UDP rule 2: source: any port: any destination: WAN Address ports: 3478-3479 type: udp destination: ekiga LAN IP destination port: ekiga port 3478-3479, udp rule 3: source: any port: any destination: WAN Address ports: 1720 type: tcp destination: ekiga LAN IP destination port: ekiga port tcp 1720

Client DNS IP should point to the gateway address as well, this in turn pfsense will have dns forwarders to resolve the FQDN. Set auto outbound NAT and disable/remove all nat mappings, also remove static route entry. Make backups of the current config before trying. I have similar setups set on auto nat, no nat mappings, no static routes, only WAN has gateway. On each LAN interface firewall rules are to allow all traffic generating from the LAN subnet to any destination, tcp and udp, any port.

I have reconfigured the Asterisk server to include both "externip" and "fromdomain" values, this did not make a difference. I think the issue is with pfsense and how it's handling the 1:1 NAT. In the states table I see the following. SIPProviderIPAddress:5060 <- InternalIPAddress:5060 InternalIPAddress:5060 -> CARPIPAddress:5060 -> SIPProviderIPAddress:5060 I suspect that the CARP not being seen in the state for both directions of traffic is the issue here. Is there a way to force all traffic using the CARP IP to use that IP in both directions and have it shows in the states? The other item that may be an issue is the Single:Multple and Multple:Single under the "state" column. If I can sort out how pfsense is delivering a class C IP to the SIP provider and get it to send the CARP IP I want to use I believe this SIP / Asterisk setup will work without siproxyd.