• 1:1 NAT

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    R
    Not sure what changed.  I just ran through the Setup Wizard, entering all the same stuff that was already there.  And then it started working.  Maybe it just needed a reboot?
  • Another Port Forwarding Post

    Locked
    22
    0 Votes
    22 Posts
    8k Views
    johnpozJ
    "Accessing the site from a private 192.168.1.x network behind PF to a 192.168.1.x address." then pfsense has nothing to do with that traffic.  You only talk to pfsense if you're wanting OFF the 192.168.1.x network. If you don't have SSL cert, then no your webserver can not serve up SSL.  If you want to access SSL from outside pfsense, then you would need to forward 443. But again if you're just talking between 2 clients on your same 192.168.1.x network - then pfsense is not involved in that conversation.  Unless you were bridging to interfaces on pfsense, and one machine was connected to 1 and other connected to other interfaces on the pfsense bridge.  Other than that sort of setup - no pfsense is not involved in local network traffic.
  • 'No NAT' Outbound

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    T
    Yes, it was firewall, not NAT! cheers!
  • How to draw a hole in Pfsense

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    johnpozJ
    No your IP address would not be changing if you were using squid on your pfsense..  You only have the 1 IP address don't you!  Now your source port would change as you created new sessions. Now they might not have liked the whole proxy thing in the first place - and blocked you since you were using a proxy.  Many people might be trying to circumvent/hide using a proxy. The only way your IP could have changed would have been if you had your squid chained so it was using a different proxy upstream from you and sending your traffic there.  Then you would have had your IP, and then that IP.
  • Can't for the life of me get port forwarding to work.

    Locked
    15
    0 Votes
    15 Posts
    9k Views
    F
    @Tweeteh: I'm trying to open 3 ports for my cod4 server. They are 20800, 20810, 28960. When I go to check if the ports are open on canyouseeme.org, it always says connection timed out. Try: Firewall > NAT > Outbound Source: 10.0.0.34/32 Destination: ANY Reset pfsense Let us know.
  • General NAT question as per sticky (Port Forward Troubleshooting)

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    F
    Thanks for your help. Wikus
  • Can't port forward

    Locked
    44
    0 Votes
    44 Posts
    17k Views
    johnpozJ
    The only problem with the segmentation would be the browse list would not work.. you would only ever see boxes on your own network with a browse list. But that browse list has NOTHING to do with sharing of files - nothing! Glad you got it working.
  • Domain not accessible from Internal Network

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    johnpozJ
    Well if you're not doing NAT, How do you expect it to work in how I understand your configuration. Does firewall 1 have a route to 10.10.10.x ? So let's say box on the 10.10.10 gets ip 10.10.10.47 and his gateway is firewall 2 at 10.10.10.254.  This fw2 says ok I don't have any interfaces on where you're trying to go public IP..  So let me send it to my gateway (fw1) at 10.10.1.254.  BTW I assume you have a /24 or something these networks to distinguish these 10.10.10 and 10.10.1 networks? Now does fw1 lan rule allow traffic on its lan from that network?  Even if it does and says OK, let's send on that traffic to the public IP.  When the response comes back - where is fw1 supposed to send it..  Even if he has state in his nat table that his public relates to 10.10.10.47 He doesn't have any interfaces in that network - so why would he know to send it back to 10.10.1.26 ? Let's say you're trying to access host in 10.10.1.x at .56 – so fw2 sends on that traffic and the host at 10.10.1.56 gets it.  But he is going to say well 10.10.10.47 is not on my network - so he sends his response to his gateway fw1 -- fw1 says, I don't have any network or route for 10.10.10 - so he would just send on that traffic to his gateway (internet) So you can either do NAT at your fw2 so any traffic behind it just looks like traffic from the 10.10.1 network - or you need to configure the routing for that network on fw1 or hosts in 10.10.1 to know how to get to 10.10.10 If you're using masks so that both 10.10.1 and 10.10.10 look to be on the same network, say a /8 or /16 then you have other issues where it's not going to work either.  Because traffic at fw1 from 10.10.10 is going to look like it's local to fw1 interface and again it would never send responses to fw2 interface in zone 1
  • External ip redirect to another external ip

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    S
    very true, unfortunately, other providers will set what they feel suits them best, and often costs them less resources / money. i will say though, i have had pretty good luck myself, and i am located in Costa Rica, but we have an ISP linked direct into Miami.
  • VOIP - Basic configuration of pfSense

    Locked
    4
    0 Votes
    4 Posts
    7k Views
    J
    You must create the proper NAT rule for the 2nd IP, set static port NAT and create firewall rules to ensure the traffic is routed through the correct gateway. Then forward inbound the port 35300 as requested by the installer. You should not have to forward the UDP port range inbound, unless either the PBX or carrier is not properly handling the NAT, but normally ensure there's no firewall rule that will block/reject the traffic. In the case you believe you need to forward the ports, ensure you have set Log packets blocked by the default rule under Status > System Log > Settings and then watch Status > System Log > Firewall while placing test calls.
  • Large scale NATing for ISP (50k subscribers and 2millions+ sessions)

    Locked
    8
    0 Votes
    8 Posts
    2k Views
    S
    i would think with that many sessions you would be looking into some high end equipment from cisco or someone…. vs open source and a self bought server.. or are you planning to use some proper "server" grade hardware
  • Dual NAT requirement - suggestions on implementation

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    S
    @peterpf: am not sure if i clearly understand your config - but - host only Network on Vmware means "host only" - like an internal network - no packets out. bridge your vms network cards out to the wire, let the pfsense do dhcp or give the vms itself the address you want. If you bring no packet out of the vms that is nothing happen to pfsense. This is the easiest way to do it, and almost the proper way to do it really.
  • Simple 2-LAN, 1-WAN config? mainly subnetting questions

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    S
    VLANs ?
  • Outbound Traffic to IP redirect to another IP?

    Locked
    6
    0 Votes
    6 Posts
    20k Views
    S
    Firewall - NAT - outbound NAT manual mode you assign the internal LAN ip to go out over the Virtual IP's / WAN IP's you have assigned in the system.
  • Multiple Webserver, one public IP

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    S
    Reverse Proxy. the reverse proxy hands all incoming connections and based on HTTP headers would direct to the LAN server you set it to.
  • 0 Votes
    5 Posts
    2k Views
    S
    basically what both packages do is create a "reverse" proxy to which you then can use "headers" to determine what traffic goes to what web site. (i believe) If you have the "same" site on all 3 servers, then you need to set up your web servers with 1 single "virtual IP" which then tries each web server and responds on the first one. This all depends, are your web servers on linux or windows IIS ?
  • PFSENSE PORT PROB

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    johnpozJ
    Well for starters you're behind a NAT on your wan, so you can forward all day long on pfsense its never going to see that traffic unless you forward to the Pfsense wan IP 192.168.1.103 on the device that is giving pfsense that IP. And then the next thing I see wrong with that setup is your WAN IP is actually inside your LAN ip scope.. You put a /16 on your lan, which makes your WAN a subnet of your lan address space - not something you would want to do.
  • NAT site-to-site VPN

    Locked
    14
    0 Votes
    14 Posts
    5k Views
    R
    The main reason I don't want to change my IP range at home is because I am a geek.  I have about a dozen or two devices (depending on what you count.)  About half of them are dhcp, while the other half are servers.  I have two windows AD domains, a virtualization infrastructure, redundant dns servers and dhcp servers, I serve an openvpn mobile vpn server for when I'm on the road and want to VPN into my house.  I have site-vpn's with other companies, where I would need to reconfigure both my pfsense, and also other companies' firewalls in order to accommodate the IP change, etc blah, etc blah. I estimate renumbering my home to be around 1 day of work.  I am, in and of myself, a small company. In any event, I think this thread is done.  The conclusions are: At present in 2.0.5, pfsense can't do NAT before IPSec vpn, but it can for ovpn, and it might be able to do NAT before ipsec when 2.1 gets released If I need to do the NAT before VPN at present, I can daisy chain two pfsense firewalls.  Let one handle the VPN, let the other handle NAT I was actually able to workaround, by adding a NIC to pfsense.  Assign an IP on a subnet that doesn't overlap my internal LAN, and put both subnets onto the same wire.  (would have been even better, if I had a separate LAN or vlan).  So I don't VPN directly from the LAN to the remote side - Any internal machines at my end that need the VPN shall have a second IP address in the second subnet, and a static route to reach the VPN via this second subnet.  I'm currently using this solution, it works. Thanks everyone for your help and suggestions and ideas.
  • VPN Passthrough

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    johnpozJ
    you mention lan client, just so we are clear - you're trying to run your PPTP server on this 2008 box that sits behind your pfsense and you want to allow clients from the internet to get to it. Or are you saying you're wanting a client behind pfsense to get to a remote PPTP server? pfsense can act as the PPTP server, and be your endpoint - this might be a better setup than an endpoint inside your network.
  • Port forwarding is not working

    Locked
    23
    0 Votes
    23 Posts
    7k Views
    R
    A donation has been sent. [Clink of beer glasses] Cheers! Thank you very much for your help. Randy
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.