See reply to other post. http://forum.pfsense.org/index.php/topic,19664.0.html

Thanks for the reply. Since I am knew I thought I had to use NAT. Can you explain how I can your PASS rules?

I will try that when I get home, thanks.  I am not sure how that will work though, since the tivo needs to get to the outside world and does have a private IP, so won't "no nat" keep that from working?

No, I am sorry, but it seems that UPnP is not working for me. Anyone else maybe can help me ? Come on, guys, there must be some way of doing this.. Please don't let me down :)

@capsmet: PS: I considered trying sipproxy, however because I'm running on an embedded system I can not run packages. Update to a 1.2.3-RC3 snapshot, then you will be using NanoBSD and can install packages, including the SIP proxy.

By default, pfSense will not NAT between internal subnets. You can customize this behavior by using manual outbound NAT rules.

fixed. not sure how, just glad it is! i've made so many changes in the last 2 days over so many reinstalls i can't be sure what fixed it but nevermind

Oh sorry i forgot to mention that i am using pfsense 1.2.2 Thu Jan 8 22:30:24.

Replying a bit to my own post, but could this be done by simply externally rewriting the xml backup file and then restoring it? Presumably that would require a service restart? Thinking aloud, if that was done as part of a cluster would the new restored file then overwrite the configs on all FWs? That would possibly mean that the service as a whole stayed up all through the process? If that is all true then it would be possible to write an offline rule editor that could build the config from a DB produce the XML and then restore/export it to the firewalls? Any thoughts about that?

If I'm reading your question right, go into the NAT rules and enable advanced outbound NAT.  At that point, use the internal range of IP addresses for the 15 users (for example 192.168.0.16/28) and NAT them to one of your static addresses (using Virtual IP's set up in firewall menu), and then put a rule at the end for "catchall" using the final IP. For example, if your network was 192.168.0.0/24 and you had public range x.x.x.1-x.x.x.5 x.x.x.1 is the WAN address of your firewall x.x.x.2-4 are the 1:1 NATed ip's to maybe 192.168.0.10, 11, and 12 to give 3 users Static IPs (if using DHCP, make sure to map those MACs to 10,11,12) x.x.x.5 would have an advanced outbound NAT set up as 192.168.0.16/28 for source (use DHCP leases to give to those clients in that range from 17-30) Make your last NAT rule the one that NATs 192.168.0.0/24 to "WAN Interface IP" and you should be fine. Let me know if you need more specifics.

Two logs fro the same timeframe would be perfect: one tcpdumpfrom pfSense another one from remote CP. On pfSense: tcpdump -ni <wan_interface_name>host</wan_interface_name>

Then go ahead! do dumps and post them here.

Upgrade in 1.2.3 RC3…. now it is ok... finally : not all ok...

You have the addresses swapped.  LAN addresses should be internal (private (10/8, 192.168./16 and 172./12)) and WAN addresses are either DHCP or what your ISP defined for you.

Issue was resolved by performing a clean re-install. Did not tyr to restore previous configuration file on new install.