• Feature Request: outbound NATting port range

    8
    0 Votes
    8 Posts
    2k Views
    @jimp: It's been there a long time… mmh, seems I must put my glasses off. Yesterday and last time I haven't seen it when opening this page…  :-[ Thanks ;)
  • NAT before IPsec

    1
    0 Votes
    1 Posts
    662 Views
    No one has replied
  • Passive FPT /\ Dynamic Ports /\ Firewall Rules

    9
    0 Votes
    9 Posts
    5k Views
    @johnpoz: there is really only a handful of protocols that use a specific source port..  Off the top of my head, ntp comes to mind.. quite often this can be clientip:123 -- serverIP:123, you sometimes see zone transfers in dns be set up so source port is also 53.  But I don't think that is default or standard. Really the only one off the top of my head where you see sameport -- sameport is ntp.  While normally with ntpdate command you will have client be a randomport to 123. In a ftp active connection, yes the server will come from a source of 20, but the client will tell it what port to connect to - normally something random above 1024, since users should not have the rights on the client box to listen on ports lower than 1024 since those are privileged ports. So you're working now? Yes!
  • 1:1 NAT Issues

    6
    0 Votes
    6 Posts
    2k Views
    I have two sets of IPs, the first one is just a one pack of static and the second is a 5 pack of static. So I set up using only my one pack, my WAN IP as X.X.32.58 / 30 with gateway of X.X.32.57. Works fine. I went to VIP, set up IP Alias X.X.222.226 /29, now when I set up NAT 1:1 everything works fine. I can set up IP ranges from 226-230… Now going back to my original problem. For the single IP, the X.X.32.58. I changed the WAN to X.X.222.226 /29 with a gateway of X.X.222.225, works fine, I delete the VIP. I got to 1:1 NAT, set up X.X.225.228, works fine, X.X.225.229 works fine, X.X.225.230 works fine. But still when I do X.X.225.227, my computer loses access to the internet. Local works. This is the problem I am having. Why am I losing one static IP? More info. Changed the WAN IP to X.X.222.230 /29 with a gateway of X.X.222.225, now when I set up 1:1 NAT X.X.225.226, X.X.225.227, X.X.225.229, everything works fine... Does anyone think this is a bug? When I set up WAN to be the first IP of the pack, 226, I lose 227, but 228, 229, 230 work. If I set up WAN to be 230, I can use 226, 227, 228, 229. Basically everything.
  • Problem with port Forwarding

    10
    0 Votes
    10 Posts
    3k Views
    @johnpoz: Where did you come up with anti syn flood??  From the nonsense you tried to apply to the lo interface, I have a hard time believing you even know what a syn is to be honest ;) Do you have a link to this gameserver software that is in English?  That I could take a look at?  Like I stated I can not seem to find anything about XJSJ Now do you have a chat messenger? For example Skype or Yahoo. So I can contact you for help
  • Port forwarding solution for ARMA3 - need to enable "static port" option.

    2
    0 Votes
    2 Posts
    9k Views
    AWE CRAP!  Just noticed there is a whole forum on here devoted to this  :'( Well… that was a day I will never get back... but on the bright side... I did learn a lot! Perhaps there is still some value in updating the NAT doco though, as others may also not immediately assume there is a game forum on here which holds the solution.
  • External squid3 server, Correct NAT Rules?

    2
    0 Votes
    2 Posts
    2k Views
    I have the same question, I can't figure out how to edit the firewall rules for using an external separate transparent Squid machine :) In the old fashion, there is a need for a prerouting, a postrouting and a forward rule. I have tried the same scenario as ndboost mentioned above, seems not to work. P.S. I've tried this on pfsense 2.1 L.E. As I discovered on http://lukasz.cepowski.com/devlog/10,setup-squid-as-a-transparent-cache-proxy-for-lan, it seems that there is a bug with forwarding one port into another in the same lan subnet. And indeed I've checked the squid access log, and it was empty all the time (meaning it received no connections at all). Following the guide on that page, I cannot follow it because port 80 is already used by another process, so I must find a new workaround (or set up a new computer … more energy consumed haha)
  • Port Forwarding Bug?

    5
    0 Votes
    5 Posts
    1k Views
    I used an IP Alias.  I think that might be where the confusion came from in the terminology.
  • Connectivity lost, comes back only after NAT change

    3
    0 Votes
    3 Posts
    1k Views
    Not sure. Problem was definitely there already before we switched devices. Also, switching devices somehow helped. Seems that broken connectivity (either upstream device or pfSense down) caused 1:1 NAT to stop working. But why?
  • Adding a VoIP device to a DMZ

    1
    0 Votes
    1 Posts
    852 Views
    No one has replied
  • Pfsense's version of hairpin NAT ?

    2
    0 Votes
    2 Posts
    2k Views
    dotdash
    Try advanced, nat, enable reflection for 1:1 nat.
  • Port Forwarding Refuses to Cooperate

    2
    0 Votes
    2 Posts
    1k Views
    johnpoz
    And have you read and used https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
  • Outside to Inside dynamic redirection - reverse proxy?

    2
    0 Votes
    2 Posts
    1k Views
    johnpoz
    Look on the packages listing. Squid3 can do reverse proxy, there is modsecurity package for reverse proxy.  I believe HAProxy can do it as well.  Varnish maybe, etc.
  • Bring IPs from LAN to WAN. NAT relevant?

    7
    0 Votes
    7 Posts
    2k Views
    You're right, but until now I only thought about the scenario with NAT, because I didn't know better and did not take the possibility to do it without NATting into account. Perhaps I will rethink the whole thing, but as for now that everything works great I don't have to bother about it. But thanks again for the hint!  :D Greets Gunnar
  • Another 1:1 NAT issue…

    2
    0 Votes
    2 Posts
    1k Views
    jimp
    From the looks of your update on Twitter this is working and it was an upstream ARP cache issue. The bug you noted that I entered would only break access from a LAN 1:1 IP to another system in the WAN subnet, general access to the Internet is fine in that case. The customer who noted that bug had a server outside the firewall in the WAN subnet and he couldn't communicate with just that one server.
  • 0 Votes
    2 Posts
    1k Views
    jimp
    Sure that works fine. In that case it's best to bind OpenVPN to Localhost or your LAN IP, and setup port forwards for udp/1194 and udp/53 both on WAN to point to the actual IP where OpenVPN is listening (e.g. 127.0.0.1 for localhost, or your actual LAN IP) The newer versions of the OpenVPN Client Export package have a choice for automatically building a config that includes all port forwards targeting a VPN server, so it could create a client configuration for you to use that would try both ports.
  • Multi-WAN external IP issues

    1
    0 Votes
    1 Posts
    809 Views
    No one has replied
  • Going to our domain take us to the router!

    10
    0 Votes
    10 Posts
    2k Views
    johnpoz
    Well when you actually provide some details to work with, happy to help you solve your issue.
  • Port forwarding

    6
    0 Votes
    6 Posts
    2k Views
    johnpoz
    And is your wan IP address even public? Details dude - I can not help you without details..    Is your firewall on 192.168.1.4 allowing for rdp from OUTside its own network segment.. Are you seeing traffic on the wan of pfsense – these things to verify and check, that take all of a couple of minutes to do..  For all I know your 192.168.1.4 is not even listening for remote desktop. Or you're behind a double nat and pfsense has a 192.168.2.14 address on its wan, etc..  Maybe you have lan rules that are blocking traffic outbound on 3389. You need to go through the troubleshooting info and figure out what you're doing wrong.  If you can not figure it out from that, if you PM me I would be happy to team viewer into one of your boxes that has admin rights to the pfsense and take a look see.  tmrw is turkey day so that is out - but rest of the weekend is open for me.. Happy to take a look if you want.
  • Connect pfsense to 3segments on vmware

    1
    0 Votes
    1 Posts
    811 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.