• Help with Steam

    0 Votes
    5 Posts
    3k Views
    @bardelot: You could try UPnP instead of static port forwards. Hey bardelot, thanks for your response... I don't believe UPnP will fix this issue, as I think the problem is outbound only... however I will try and get back to you.
  • No x-forwarded-for with port forward NAT

    0 Votes
    6 Posts
    4k Views
    Port forwarding by NAT gateways doesn't touch packet content. The X-forwarded… you're referring to is only used by L7 HTTP reverse-proxies (load-balancers etc).
  • How to NAT in a fully routed configuration?

    0 Votes
    7 Posts
    3k Views
    Well, I haven't confirmed that wasn't changed for any 2.0.x version, I only checked the latest development version. EDIT: Same for 2.0.x.  I don't really know what is going on; in firewall_nat_out_edit.php it should not be able to know the difference between "interface address" and "any" for the translation address, because in the current state of the code the HTML will always have those two fields set to the same value.  I've even tested it and the configuration comes out the same. If you select "any" for translation address and save the rule, is it still selected if you edit it?  If so, either you must have a modified version or we aren't talking about the same page.
  • Port forward to internal Webserver blocked.

    0 Votes
    8 Posts
    5k Views
    You are not going to forward directly to 192.168.0.22 from the Cisco. You have double NAT, so you are going to have to make sure you adjust for that. So, create a VIP on WAN and set it to 10.0.0.22. In the port forward rule, source and source port is any. Destination IP is going to be the VIP (10.0.0.22). DPORT will be 8800. Then you set the NAT IP to 192.168.0.22 on port 8800. I am not sure how you have a gateway with a port. LAN does not usually have a gateway set at all in pfSense. But for your LAN PCs, 192.168.0.2 is a good gateway so long as the PC at that address has a default gateway of 192.168.0.1. Since that just looks like a proxy, and not even a transparent one, I would set the gateway of all the machines except pfSense (which will only have a gateway on WAN address) to 192.168.0.1 and use browser configs to set the proper proxy address.
  • 0 Votes
    6 Posts
    2k Views
    I had to use AON too for SIP successful registering. Best, Kostas
  • Port forward for owncloud help

    0 Votes
    2 Posts
    10k Views
    After days of working on this I found a guide I understood: http://www.packtpub.com/article/pfsense-configuring-nat-firewall-rules They have a sample webserver setup using pfSense and exactly what I was trying to do. Hope it helps someone. I had a LAN address in the destination box, when it should have been "WAN address". Works perfectly now. ** Solved **
  • Configuring Transparent SIP Proxy

    0 Votes
    7 Posts
    7k Views
    Hi Brian, My apologies for resurrecting an old thread, but if you're still around I'm curious as to what you wound up using for a Session Border Controller. Thanks, Phil
  • NAT rules applied but not working only after a reboot

    0 Votes
    3 Posts
    1k Views
    It's not helping. I tried to kill all active states then apply NAT rules but I have the same problem. The truth is my box is not a fresh install: first I had the 2.0 version, then I started to upgrade to 2.1 beta versions, but then I rolled back to the 2.0.1 stable. Probably this is what causes this issue. I don't know.
  • New to pfSense - Port Forwarding Issue - Any help would be great

    0 Votes
    6 Posts
    2k Views
    johnpoz
    No problem dude - what I'm here for. Common issue really, I would suggest you look to moving to bridge mode on the device from your ISP, or get a new device that can be set as just a true modem. Double NAT is not an ideal setup, sure it can work - but it clearly is not ideal to be sure. Have fun with pfSense - you're going to love it!
  • VLAN routing question… VLAN traffic drops

    0 Votes
    2 Posts
    2k Views
    Looks like you have multiple issues. One, you have several IP conflicts there from the "ARP moved" logs, switching between Ubiquiti and Apple MACs, between Ubiquiti and HTC MACs, and others. The increased CPU usage is just a symptom of some other problem, is my guess. What do your traffic graphs look like at those times? Rebooting can temporarily clear up so many problems internal to your network that it's not necessarily indicative of a firewall problem. An IP conflict on your gateway IP would be cleared up by a reboot temporarily, amongst other possible issues. What a packet capture on the parent interface of the VLANs shows when it isn't working would be telling.
  • Virtual IP strangeness

    0 Votes
    2 Posts
    2k Views
    Upstream ARP cache. The IP won't move back until it's cleared or times out, which takes several hours by default on every router. 4 hours on Cisco, similar on others.
  • Multiple WAN subnets

    0 Votes
    4 Posts
    2k Views
    There is no gateway IP from the ISP with a routed subnet, your provider routes it to one of your existing IPs, so you don't waste IPs with an entirely unnecessary gateway IP, and you have more flexibility in how you can use the additional subnet.
  • Delegate bandwidth

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Massive 1 ip address NAT, high CPU usage

    0 Votes
    3 Posts
    2k Views
    Check Diagnostics>States for a better picture (or pfctl -ss). That's almost certainly a host infected with some kind of DDoS bot. Anything you allow to open massive numbers of new connections is going to have an impact on your firewall regardless of what it is. Limiting states per host, and as tight as possible of egress filtering, helps keep such things in check when they happen.
  • NAT 1:1

    0 Votes
    19 Posts
    6k Views
    Do a search in these forums and find several good write-ups on setting up bridges. I made it as short as I could … you could do the first subnet as a /30 but you would still need the second to be a /25 ... not that you could not make quite a few networks out of 159.1 - 128 (the first /25 broken into multiple subnets and used for different things).
  • Ping responds to public 1:1 NAT'd IP but packet never gets to server

    0 Votes
    2 Posts
    1k Views
    Well, this is because NAT reflection is off. Personally, I would use split DNS so that server 1 would get the internal address instead of the external and having to rely on the reflection. You want to make sure you are testing from outside to make sure any rules are working from WAN to LAN.
  • Setting NAT Straight insideout outsidein and dreambox

    0 Votes
    2 Posts
    2k Views
    johnpoz
    By default all ports would be open outbound, you prob need to set up a port forward. What ports does your dreambox use? I believe this can be changed. So you have 2 dreamboxes? Why are you listing 2 different IPs? Once you're sure what port you need to forward - then follow http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F
  • NAT exemption with Cisco ASA 5510

    0 Votes
    8 Posts
    9k Views
    Yes please start a new thread and be sure to include details.
  • FTP Server behind Pfsense 2.0.1 release amd64 and Dual Wan

    0 Votes
    2 Posts
    2k Views
    I'd say set up your FTP server to go out only on one WAN (outbound rule), that should fix the problem. @hunters: Another thing is that I read a lot around about an FTP Helper to be enabled/disabled on the interfaces but I didn't find anything on pfSense 2.0.1 about it. Maybe it has been removed or something like this. Can you give me any help about the issue? I think this is now here: System: Advanced: System Tunables : debug.pfftpproxy
  • Pfsense 2.0 NAT ration

    0 Votes
    2 Posts
    1k Views
    Can you elaborate on your question? I am not sure what information you are looking for.