OK thanks, that's answered my question.

I have to assume that you have a WAN rules to poke the necessary port openings as holes in the firewall? Those rules are pointing to .150 on the LAN. Are you monitoring tcpdump on the firewall to make sure they are getting to the firewall? That would be where I start.

If your hosting websites in IIS. Do some research on IIS Host headers. You will then only need to open up port 80 to your IIS box and the DNS does the rest. You wont need to keep doing xxx:85 or 86 etc etc. Much more clean and professional.

Oh my bad.  Read rdr as rdp.  :-[

But create yourself internal domain with a-host to that internal ip. host that dns sameplace as your ics.local other than that i can't help you. try even on host file on your computer to use that projects.icsanalytics.com to internal host.

if I do the same on another host on the lan it works. the only difference is that the not working one is the KVM host where pfSense runs as guest.

@jimp Thanks for your answer! Although it wasn't the solution but I could rule out that it was not a bug or limitation of the current release as I've installed version 2.1-BETA1 x86 in parallel and set it up in the same way. The advanced option you've mentioned is available in the current 2.0.2 Release x86, too. But as I've already mentioned it didn't help. There were 2 problems in my setup. One problem was with the OPT1 interface because the flag "Block private networks" was set and once it's set all the firewall rules that are created on a private IP (OpenVPN 10.x.x.x) are simply getting ignored by pfSense. That's a little bit confusing because I'd expect a different behaviour or at least a warning. The second problem was easier as there was a personal firewall (silly, I know ;) ) that was forbidding the connection from a non-LAN IP to local services. Now after many hours of headache it's working like a charm and I like pfSense again  8) So in general with pfSense and my setup you have to be careful to not activate the "Block private networks" flag on the OPT1 interface and to switch the outbound NAT Mode to manual and create NAT rules on interface OPT1. The easiest way to do this is to simply copy / modify the existing LAN interface rules. In addition you need to copy/create the LAN -> OPT1 "allow LAN to any" rule. That's all. And as a hint it's better not to get confused by other guides on the internet where people say that you need to create OpenVPN and WAN rules, e.g. because that's simply not needed if you're using an optional interface (OPT1) - at least that was my experience. I've added some screenshots of the required rules: OPT1 IF: [image: bd9ae.jpg] Outbound NAT: [image: 8ks1h.jpg] Firewall LAN Rule: [image: kli9i.jpg] Firewall OPT1 Rule: [image: gi78m.jpg] Firewall NAT (Port) Forward Rule that belongs to the OPT1 FW rule: [image: lu2xw.jpg]

Thank you :)

The alias contains the hostname, then the alias is used to forward a port.  Just in case the IP of the hostname changes.

I initially had difficultly setuping up VLANs on Netgear Prosafe switches. Never an issue on others like 3COM, HP, Cisco, etc. My issue had to do with PVIDs. Could be yours as well. Lee StormForge Technologies

You never change outbound NAT. You have to have two outbound NAT rules, one for each WAN, if using manual outbound NAT.

Did you setup an allow rule in the OPT1 firewall settings? By default no rule is added and will thus block all connections.

I am afraid we are going to need more information. How have you currently setup NAT? What ports are you setting where and what IPs where? Please send along some details.