• 0 Votes
    3 Posts
    2k Views
    C
    There's no other option, have to have manual outbound for that.
  • IP masquerading question

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M
    I actually just Forrest Gumped it and got it working. Dunno what the actual problem was, but I (yet again) removed all NATs and rules and toggled the auto/manual creation on the outbound rule page. Thanks for your time!
  • External IP NAT

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    P
    If I understand you correctly, they want to use live IPs on the LAN. Nothing you can really do about NAT in that situation, but you can set up pfSense as a transparent firewall. This utilizes the bridging feature in pfSense.
  • NAT to remote private network (across VPN)

    Locked
    7
    0 Votes
    7 Posts
    6k Views
    W
    Ok I got it working now. Here are all the parts (I include the firewall rules too for the full task):

    NAT Port Forward:

    | If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports | Description |
    |----|-------|-----------|------------|------------|-------------|--------|-----------|-------------|
    | WAN | TCP | public_remote_client | * | WAN Address (or a virtual IP, in my case I DID) | 80 | remote_server | 80 | NAT 80 to remote server across VPN |

    Outbound NAT (this first rule has Do Not NAT checked):

    | If | Source | Src. ports | Dest. addr | Dest. ports | NAT Addr | NAT Port | Description |
    |----|--------|------------|------------|-------------|----------|----------|-------------|
    | OpenVPN | remote network subnet across VPN | * | * | * | * | * | Do Not NAT for remote subnet across VPN |
    | OpenVPN | any | * | remote_server across VPN | 80 | * | * | NAT for remote_server on remote subnet across VPN |

    Firewall rule for public facing interface (ie: WAN) for public_remote_client to pass to remote_server across VPN:

    | ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
    |----|-------|--------|------|-------------|------|---------|-------|----------|-------------|
    |  | TCP | public_remote_client | * | remote_server across VPN | 80 | * | none |  | Pass traffic to remote_server |

    And the final part for my saga… On the remote router across the VPN (siteB), I firewall the LAN interface there. I needed to allow the "remote_server across VPN" to be able to talk to the VPN subnet. I used a /30 netmask for 4 hosts, 2 usable since it's just a site-to-site, IE: 10.8.8.0/30. So a firewall rule for that would look like this:

    | ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
    |----|-------|--------|------|-------------|------|---------|-------|----------|-------------|
    |  | TCP | remote_server across VPN | * | OpenVPN subnet | * | * | none |  | Allow remote_server across VPN Reply back to OpenVPN subnet. |

    Hope this helps someone, it sucked for a couple days. Thanks cmb and Jimp! The post doesn't look very good without a decent size LCD as it gets smashed on more lines and goes out of whack, fyi.
  • Reload firewall rules via SSH

    Locked
    3
    0 Votes
    3 Posts
    12k Views
    K
    That seems the only part that was missing.  Thanks a lot!
  • FreePBX & state table any progress?

    Locked
    22
    0 Votes
    22 Posts
    8k Views
    luckman212
    Thanks, it isn't quite clear to me the difference between pfctl -i em4 -Fs and pfctl -i em0 -Fs -G gwip. Can you just elaborate a tiny bit more?
  • 1:1 NAT to VLANs

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    P
    What you are looking for is not 1:1 NAT imo. What you want to do would be better suited to Advanced outbound NAT. What you would do is go to AON and enable manual. It should create a rule for each of your VLAN networks. Just adjust each one according to the IP you want it to use. One other problem I see is that IP Alias and CARP must carry the same CIDR as the WAN interface. So instead of 227/32 it should be 227/28.
  • NAT applied before Firewall ruleset?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimp
    It's specific to pf, the packet filter we use, which comes from FreeBSD which brings it in from OpenBSD. m0n0wall uses ipfilter, which is different. Others might use ipfw, ipchains/iptables, etc. They can all act differently, you need to check the docs for each one to find out the expected order of operations.
  • Virtual ip's can't access internal network

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    C
    You have to have both a port forward and a rule.
  • FTP server not accessible through PFsense

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    T
    You have to see if you need to forward the passive port range of FTP. In the FileZilla server you can set the passive port range from xxxx-xxxx. Then forward this on pfSense. My FTP access works great btw.
  • External NAT to PFSense

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    P
    To add in here, I did try to use a bridged connection on Windows and that didn't even allow the packets from the NAT to be sent out. There is no function of connection between the Windows host and my PFS box. Somewhere on the NAT I originally had there must be something set up incorrectly… Still, if anyone has any input, I would gladly take it, otherwise I think I'm breaking a boundary here that could be added to the list of stuff not done with PFS yet..... IDK But let me know if you think I could try something!
  • More than one windows pptp client same host

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    D
    There is no pptp-proxy, so it's not supported, at least "officially".
  • MOVED: I can't open the ports for access to the DVR and pfSense

    Locked
    1
    0 Votes
    1 Posts
    807 Views
    No one has replied
  • FTP drops

    Locked
    5
    0 Votes
    5 Posts
    1k Views
    marcelloc
    for example: tcpdump -ni wan_interface_name_eg_em0 host external_ip_address
  • NAT - How

    Locked
    9
    0 Votes
    9 Posts
    5k Views
    E
    Hi, I'm using a standard STUN Client-Server, http://sourceforge.net/projects/stun/. I'm not sure if the info from the STUN client is correct. Thanks
  • Portforward using "Other" does not seem to work

    Locked
    8
    0 Votes
    8 Posts
    2k Views
    E
    I've now figured out why I was unable to connect using my 2222 NAT, and the reason is blocked ports at work (suddenly they only allow <= 1024) and thus makes it quite hard to verify my NAT rules at home. I'm ashamed to have believed that it depended on pfsense.
  • Google voice

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How PFsense NAT's a packet from a WAN interface to a LAN interface

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    johnpoz
    "My question is why is it NATing, and is there a way to keep it from NATing that packet?" Why is it natting? Because by default pfsense is set to NAT. If you just want to use it as a router, then http://doc.pfsense.org/index.php/How_can_I_completely_disable_NAT%3F#Disable_NAT
  • Allow users to control (add and edit) only NAT pages.

    Locked
    1
    0 Votes
    1 Posts
    842 Views
    No one has replied
  • Forwarding with two WAN interfaces

    Locked
    11
    0 Votes
    11 Posts
    3k Views
    L
    @dimkyson: http://securite-ti.com/pfSense_Web_Proxy_with_multi-WAN_links.pdf I hope this will help you. Thank you man.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.