you may  do  run NAT off in bridged / transparent mode. I think I should be able to achieve

i ran a tcpdump on the wan interface to make sure the isp is not blocking the ports and they are open the wan interface are getting the connections its puzzling that pf sense is not matching the rules and forwards it.

Yeah - He knows that, but for unfathomable reason he doesn't want to do that.  Its strange but true.  He is well aware he could use the private IPs.  He just doesn't want to… Yeah - I know...  right?

To solve this more clean i would configure split DNS. Consider taking a look at this page: http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F The third option is about solving this in an experimental way when 1:1 NAT is in use.

@kejianshi: The only time I've seen pfsense drop connections willy-nilly is when packages were running to filter packets and cause them to drop.  Also seen connectivity killed when some equipment was running jumbo frames and other pieces were not compatible.  Bad connectors or cables?  Your configuration seems too simple to have big problems. Well, I was talking more about rogue packets (intercepted by pfSense instead of ASA) than lost ones. I do have 6-7 VLANs on my switch though, but if it the problem selvresolved after sometime so not it's difficult for me to track down the source of the problem.

Thanks, it works fine!

Yeah - ISPs… Those crazy guys - Just tuning our ports on and off at a whim.  It gets tiring. If its not blatant blocking its shaping that denies bandwidth thats bought and paid for. You should bill them $50 per hour you spent chasing your tail because of them.

Games usually use fixed ephemeral ports. That's why static NAT is required for some games. Thats also why it's sufficient to simply specify either just the source port or a known server and destination port in a rule and enable static NAT. Either one will match the game and will not randomise the ephemeral port.

Unfortunately due to some poor design decisions made before I arrived, certain servers need to go out via certain virtual IPs, so manual outbound NAT is a requirement in my case. @phil.davis: As well as having NAT rules to apply NAT on the way out to the public internet for packets with private IPs, you need firewall rules with the gateway specified to direct particular stuff to particular WANs. That completely answered my question, thank you very much for the help!

Not possible yet. May be in the future. See http://redmine.pfsense.org/issues/2118

Bump^

You have probably inadvertantly broken something on the LAN firewall or NAT that you haven't broken on OPT1.  Glad its working.

Yes First go to the Siproxd page "Services/Siproxd-Registered Phones". Look at the "Registered Phones" tab.  Your ATA's should show up there. Next look at "Status/System Logs".  Your phone calls will register there. siproxd[41072]: plugin_logcall.c:120 INFO:ACK Call: 36xxxxxx16@sipxxxxx.voipxxxxxxx.com -> 2xxxxxxxx6@sipxxxxxx.voipxxxxxxx.com

@jimp: make sure you have no rules in the list, then switch from auto to manual, without applying, and then switch back. What you will get in the screen after the auto->manual switch is the full list. Otherwise you can poke around in /tmp/rules.debug and read them there but it's not quite so obvious as when they're shown in the GUI Awesome! Thanks, Jimp.

Thanks for the info I did block some sites and services on the firewall so i add the IP of the Server Running Jungle disk to the exception list. Its now working fine. Thanks again

http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

Oh - Yeah. That for sure qualifies as a firewall rule that will block FTP that comes before an allow rule… Why was that rule ever on anything other than a WAN?  Anyway... Glad its working.

Hi, i have pfsense 2.0.3 and i have the same issue: after 1 or 2 days SIP connection won't go and i must do a reset states to permit sip to connect as well. I have a manual nat (i've tried also a autoamtic nat, but same issue) with this configuration : Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description WAN  172.16.30.0/24 * * 500 * * YES Auto created rule for ISAKMP - DMZ to WAN  WAN  172.16.30.0/24 * * * * * NO Auto created rule for DMZ to WAN  WAN  127.0.0.0/8 * * * * 1024:65535 NO Auto created rule for localhost to WAN  WAN  192.168.132.0/24 * * 500 * * YES Auto created rule for ISAKMP - LAN to WAN  WAN  192.168.132.0/24 * * * * * NO Auto created rule for LAN to WAN My WAN IP's cannot change because i'm using a line with a fixed IP. Waiting for your reply, Regards.