~~Create two rules:
1: allow, source 123.123.123.123:any, destination 10.10.10.10:80
2: allow, source 111.111.111.111:any, destination 10.10.10.10:80

Of course you have to delete the autocreated firewall rules. Otherwise anyone will be allowed.
For the source you could also create an alias containing all the sources you want to allow and then use this alias as source.~~

edit: i see now what you mean.
I dont think this is possible with the gui.
But why would you want something like that?

You could stop using 1:1 NAT.
Simply forward normally the ports you need and create your own advanced outbound rules for your server.

Basically, it really is as easy as "Option 1", in the top sticky.

Set up the "helper" on the WAN interface.

Forward FTP using NAT rules, to 192.168.0.200.

Done.

If that doesn't work, what do you see, from the FTP client perspective, your FTP server, and in the pfSense logs.

Cheers.

i already got it.. now it is working the problem is i didn't enable the NAT Reflection under Advance setting.. hahaha! really simple thing, but i learned something.

If you had another network interface, you could connect the server to this other interface and use your port forward rule and it would not apply to the server's outbound connections.

Hmm, thinking about it, there are multiple things that aren't available for port forwards but are available elsewhere that could be useful.  Options like source address or schedules could be potential solutions in this scenario if they could be used on port forwards.  It seems like the available options may have been decided mainly based on how it would be used on the WAN interface, though.  It probably is very uncommon to be forwarding to a different internal address based on the source address from the internet.  As far as schedules, the firewall rule can block connections that would go to the port forward on WAN during the scheduled period, so it probably wasn't considered that people might want to have schedules for the port forward rules themselves.

Yes, I do have one FW at home, the other one wt work and both pfsens' 1.2.3 RC1
At work, Aterisk is behind pfsense. Port 5060 is nated and FW rules are set as shown on pictures.

Asterisk has SIP_NAT.CONF configured correctly to show external IP on outside.

Phone is Astra 57i and uses port 5060 as the extension on Asterisk - 5060. Why that line can't register with Asterisk.

Aastra 57i –----pfsense-----WAN-----pfsense------ASterisk

SIP can be max twice nated so it is. It should work..... it should..... but it does not. If you can provide one working example that I can compare and check WHY and WHAT is wrong with mine configuration would be great.

MST

pfhome_fw_rules.JPG
pfhome_fw_rules.JPG_thumb
pfhome_nat_in.JPG
pfhome_nat_in.JPG_thumb
pfhome_nat_outbound.JPG
pfhome_nat_outbound.JPG_thumb
pfwork_fw_rules.JPG
pfwork_fw_rules.JPG_thumb
pfwork_nat_in.JPG
pfwork_nat_in.JPG_thumb
pfwork_nat_outbound.JPG
pfwork_nat_outbound.JPG_thumb

Firewall > Rules > LAN > add new rule
Set the action to Pass
Set the Protocol to TCP/UDP

Click Advanced Options
Set the Simultaneous client connection limit to 100 and click save.

Then create a new firewall rule after that one to block all of the traffic. This is because once the connections are maxed out for that rule, the traffic continues through the firewall rules.

I got this working by adding an extra line of localnet in sip_nat.conf

Mine now looks like this:

nat=yes
exnternip=xx.xx.xx.xx#(my static ip)#
localnet=10.0.0.0/255.255.255.0#(subnet of asterisk server)#
localnet=10.10.10.0/255.255.255.0#(subnet of lan where sip phones are)#

Hi Jimp,

Thanks again, after verifying that the gateway being used was indeed the firewall and then deleting and creating carp ips, everything works now for suree. The only problem now is that we use to have a mail server that would receive and send mail back out, however it does not work, however I think thats a topic for a different trend, so once again thanks much

siproxd does not work either.  I am beginning to think it may have something to do with TFTP, after taking a closer look at the phone config.

What baffles me most is that these phones work with out of the box installs of m0n0wall, and any consumer router I have tried from Belkin, Linksys, Netgear….

What is the fundamental difference?

Is anyone using pfense with Spirit Telecom's products?
http://www.spirittelecom.com/voice_sipflex.php

With NAT off, you are not doing NAT and thus dont need the "static ports" option.
Without NAT the pfSense is not rewriting the ports.
Did you make sure you have appropriate firewall rules in place?

try rebooting.  i know it isn't windows, but still…

Thanks for your help!

The problem seems to be solved after I have applied the hint from Perry. The SDSL line is a SIS NIC, but than the internal net to the webservers is a Realtek 1GE NIC and it seems it has exactly the checksum problems. After disabling Checksum Offloading is seems to work fine.
I suppose there is a incompatibility between CISCO routers and Realtek NIC's, because I have figured out there are CISCO routers at the endpoint from the customers.

Thanks a lot!

@danswartz
I saw a lot of the rules.

pass in quick on sis0 reply-to (sis0 141.16.150.XX) inet proto tcp from any to 192.168.10.250 port = http flags S/SA keep state (source-track rule, max-src-states 10000, max-src-nodes 100) label "USER_RULE: NAT http Website"

Yes the ADSL is the default gateway. I think today I will switch it to the SDSL line, because I have another problem binding openVPN to the SDSL interface. (I'll start another thread soon :-))

well what to say they where for eastern Europe  ;D

So that means that i fucked up using 100.0.0.0/8 ???
then please accept my apologize

point was to use address pool that no one uses ….

But, im playing little bit now with no name/some cheap routers with 4port lan switch and one wan interface (pppoe routers), and with NAT turned off they can route 100.0.0.0/8 :bag:

I dont have to say that im on PFS from 1.0 version, and so far i can only say that PFS can get only 5+ from me !

btw, it is off topic, but what is minimum hardware req for 6x PCI NIC 1GBPS ?
i found this
http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

3ghz+?
i think i didnt get it right...

And, Gruens, Sir, thanks!

got it..
might try to play with it, but will probably have to update all my rules and be on location in case something goes wrong

Please use the search function. This has been covered many, many times.

OK, so far i manage to ping from LAN to DMZ and to WAN.
Apparently, when I assign 3 VIP to the DMZ interface, ifconfig only shows the last VIP, not 4 (it should be the original DMZ IP and 3 VIP). Reassigning DMZ IP work (but only 1 VIP)
I still can't ping DMZ and Inet from other network connected through LAN network.

Do you have a NAT network behind your pfSense? Is your surf computer in a translated network? Can you draw a little network diagram?

so you want xbox to use 3rd connection for Internet  but still access other videos on other lan(s)?

the easiest would be to have it on its own network (due to the 2 wans load balancing), let it access only the wan3 and the lan. this only works if you can add another inf to pf. theres another way but its harder.