Ok, with that last bit of information I got to digging deeper, and discovered it was a secondary issue. pfSense can deal with my situation perfectly, however, I use namecheap and was updating a @ record. Based on http://forum.pfsense.org/index.php?topic=67013.0 it seems that handling of those type of records has changed. I removed @.example.net and just used example.net, and it worked perfectly.

because there are multiple malicious accesses.. Ok thank you, i'll try pfblocker

My bad - those were edits and must of missed them ;) about using squid – well its sorted so all water under the bridge now ;)

Yes… alias, i didn't think of that.. the IP i want to allow is not necessarily in sequence, they're like 10.0.1.5, 10.0.1.59, 10.0.1.151 and so on... So alias it is ... Thank you very much !

Yup vlans would be the solution here.. Do your switch(es) support vlans? Or why not just renumber or even just change the mask from 192.168.1.0/23 would mean you could use 192.168.0.1 to 192.168.1.254, you would not have to renumber anything just change their masks.  If they are dhcp this would auto happen. Or if you changed mask to /21 you could use 192.168.0.1 to 192.168.7.254 Do you have a lot of static IPs?  If your network is dhcp all that is required for a renumber is simple release and renew of the lease - or just simple reboot of everything.

Did you bother to read the text of the entry?

Horribly slow/aint worning from outside the pfsense… From inside/behind router... works perfect...

@javerleo: I will capture SSL traffic on OPT interface to be sure that data packets are allowed through pfsense into next router. And that there is answer back ;)

" But i have got additionally external static ip and will do 1:1 NAT for this purpose" How does 1:1 Nat solve your problem?  Other than just sending ALL unsolicited traffic to your ftp server - sounds like a REALLY bad idea to me ;)  This works for passive - but how would it work with active if your ftps client is sending private IPs because he is behind a NAT? If you want passive to work, no helper it is very simple.  You need your ftp server to hand out its public IP address..  See below example of this setting.  Along with using a specific port range that you forward to the ftp server. For active you just make sure that source port of 20 is allowed outbound to any port it wants. As to running both normal ftp and ftps – most ftp servers allow this, they are different ports and sure the server should be able to listen on both at the same time. [image: passiveftp.png] [image: passiveftp.png_thumb]

Thanks for your reply.  I forgot to mention that I have another interface on pfsense that has the IP of the gateway, but as you point out, it will never try to talk to it.  Even adding a static route on 172.16.c.d won't help if it still thinks it's local to that subnet. Is there anyway to do this then?  I really want to avoid re-addressing.

Does not matter where the port forwarded is added, its the route the box your forwarded too takes in answer.

No you can not forward to 2 different IPs from 1 public IP to the same port.

@gderf OMG thank you so much, I've been struggling with this for weeks trying to get this to work correctly !

I am a volunteer working with INF in Nepal - buy a Christmas gift for someone from our catalog at http://secure.inf.org/gifts/usd/  :)

There you go. Ping uses icmp and dns uses udp. Glad you found it. Steve

You could try assigning an actual interface to the OpenVPN client - then it will become OPTn. Then you can put the manual outbound NAT rule/s specifically on this OPTn interface and it should then apply only to the OpenVPN client link, and not be mixed up with the Road Warrior server.