• Nat for P2P / torrent

    1
    0 Votes
    1 Posts
    970 Views
    No one has replied
  • Port forwards work… except DNS

    6
    0 Votes
    6 Posts
    1k Views
    KOM
    Yes, that was definitely the problem.  Thanks again!
  • Another NAT Redirection/Port Forwarding not working thread :(

    7
    0 Votes
    7 Posts
    5k Views
    T
    "Disable webConfigurator redirect rule" needs to be checked, not unchecked. "Check this box to disable this automatically added redirect rule."
  • Bad domain names forward to web server

    3
    0 Votes
    3 Posts
    1k Views
    jimp
    That can happen if a couple factors are in play: 1. You have your firewall's domain set to your dynamic DNS domain 2. The domain the firewall is using is set for Wildcard DNS. Under those circumstances, any short name query will return the IP of the WAN since that's what it's told to do with wildcard DNS active. The short name expands to <short name>.<your domain> since the domain is assumed in those cases, and then that query gets a proper reply since wildcard is active. To fix it, either deactivate wildcard DNS or change the domain name in use by the firewall to one that doesn't have wildcard DNS active.
  • Nat 1:1 not able with DHCP addresses on LAN?

    1
    0 Votes
    1 Posts
    687 Views
    No one has replied
  • PfSense in front of two VLANs, one public, one private

    2
    0 Votes
    2 Posts
    922 Views
    Derelict
    Can the datacenter provider assign a /30 for your WAN interface and route the /27 to it?  That'd be a lot cleaner. Otherwise: from the pfSense book (I hope it's okay to cut and paste small excerpts): Single IP subnet With a single public IP subnet, one of the public IPs will be on the upstream router, commonly belonging to your ISP, with one of the IPs assigned as the WAN IP on pfSense. The remaining IPs can be used with either NAT, bridging or a combination of the two. To use them with NAT, add Proxy ARP, IP alias or CARP Virtual IPs. To assign public IPs directly to hosts behind your firewall, you will need a dedicated interface for those hosts that is bridged to WAN. When used with bridging, the hosts with the public IPs directly assigned must use the same default gateway as the WAN of the firewall, the upstream ISP router. This will create difficulties if the hosts with public IPs need to initiate connections to hosts behind other interfaces of your firewall, since the ISP gateway will not route traffic for your internal subnets back to your firewall.
  • Proper NAT/Firewall configuration for running Asterisk module on PFsense

    1
    0 Votes
    1 Posts
    633 Views
    No one has replied
  • DMZ: different Servers / different external IPs

    5
    0 Votes
    5 Posts
    1k Views
    L
    thanks for the answers. i'll choose the outbound NAT because i think the firewall's work should be done by the firewall ;) question: i made aliases for my static WAN IPs. do i need to tell pfSense somewhere that they belong to the WAN interface ??? the WAN interface has IP like x.y.z.98, the rest are 99-102 (97 is my gateway which is in the WAN interface configuration)
  • Manual (AON) back to Automatic

    9
    0 Votes
    9 Posts
    2k Views
    C
    Yes, and it works at least for company machines name resolution for the road warriors. Best Kostas
  • Lan 1 to Lan 2 Connection Fail

    45
    0 Votes
    45 Posts
    14k Views
    johnpoz
    I know what tcpdump is ;) and how to run it.. And again you're saying it's not there.. So let's clear up where you're running it.. you have client -- pfsense -- server where you're telnetting from client to server.. So which interface are you running tcpdump on?  the client side or the server side? You need to run it on the server side.. If you're running on server side and you see packets go out to server.  And wireshark/tcpdump running on server shows it sending replies to that traffic but you don't see those reply packets on pfsense then 110% sure pfsense has NOTHING to do with your issue. All I can say is this takes all of 3 minutes to set up.. There is NO nat between local networks..  And it's simple firewall rules to allow whatever traffic you want.  As I showed you when I changed my dmz segment to 172.15 I assure you that pfsense supports this setup so you're doing something wrong in the config. Or you have something else wrong on your network. I would be happy to teamviewer in and take a look if you want. Back to the tcpdump -- if you run it on the server side and see the return traffic.  But don't see it on the client side of pfsense then yeah something is wrong with pfsense.  So which exact interface are you running the tcpdump on pfsense client or server labnet or homenet.. Where if can keep your networks straight homenet is the client side and your telnet server is on the labnet side.
  • [Solved] Port forward to a different port number

    5
    0 Votes
    5 Posts
    1k Views
    I
    Thanks, Phil, that was it. The rule was added to the bottom and an earlier rule blocked the traffic. Easy. Thanks for your help.
  • IPSec VPN - NAT to DMZ host

    2
    0 Votes
    2 Posts
    2k Views
    M
    You may need to add a second phase 2 entry for your ipsec tunnel that enables routing to that subnet. Screenshots of your IPSEC configuration from the pfsense side?
  • Cisco vlan switch port forward for access from internet

    6
    0 Votes
    6 Posts
    2k Views
    X
    solved it, by setting a default gateway in cisco switch to the pfsense box, thanks johnpoz for the help
  • [Resolved] Port forwarding from secondary IP Address

    2
    0 Votes
    2 Posts
    897 Views
    E
    Never mind. I found out how to do it with this video on YouTube using Virtual IP Alias' https://www.youtube.com/watch?v=zrBr0N0WrTY
  • [HELP] Reverse Proxy Not Working

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Need Reflection/Rule for IP Camera/ffmpeg - pfSense 2.1

    6
    0 Votes
    6 Posts
    3k Views
    johnpoz
    Ok so what ports are you trying to use for http and this media port.. On the website they show using 8080 for the http and 888 for the media port. This would be the port I assume the rstp:// uses..  Have you forwarded this port as well for tcp and enabled nat reflection? What is not working do you not get the web page of the camera to login?  What is not working exactly.. And can you post up your nat rules and firewall rules.
  • Xbox one strict nat

    5
    0 Votes
    5 Posts
    2k Views
    J
    I am wanting to open my nat on my xbox one, and I only have the one gaming console. I was looking through the forum and found how people have done this. I have tried port forwarding with no luck! I am now looking at the upnp as this is what seems to work for xbox one. One of the stages of this method was to change to outbound nat. Previously my xbox360 had an open nat with automatic nat but I was under the assumption the xbone was different. cheers
  • Outbound NAT with Virtual IP

    2
    0 Votes
    2 Posts
    2k Views
    A
    Update: I found that if I change the IP address of the Virtual IP (IP Alias), one (and only one) machine in the appropriate access list will go out over that connection, but it is NATted to the IP address of the first Virtual IP. I also configured the two CableMODEMs exactly the same (with the exception of the IP addresses) and can get to both of them now.
  • Port forward smtp with multiple sources

    2
    0 Votes
    2 Posts
    2k Views
    jimp
    Firewall > Aliases, add the IP addresses/networks of the provider. Then in the WAN rules: pass TCP from (that alias) to (your mail server) port 25.
  • Bridge LAN interfaces -> WAN NAT fails for one interface

    5
    0 Votes
    5 Posts
    2k Views
    P
    Since you are seeing packets leaving the WAN interface still with private LAN IPs, the firewall rules must be passing the traffic OK. Look in /tmp/rules.debug and see the rules that mention NAT. If you can't make sense of them yourself, then post them, along with a bit of detail on what IP address(es) are set on which interfaces.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.