Thanks, but it didnt help. But the problem is solved. I connect throu my LAN IP and my friends throu the WAN.

Sry was afk the last 2 days. Thx a lot it worked perfectly. ;D ;D

It just occured to me my last post wasn't clear. I need to forward RDP (3389) from different external IP's to different internal IP's. I tried setting up multiple rules after creating a single NAT rule, with different source IP's but it only hit on the first rule even if the source IP was not the same.

Are you using the FTP-helper? If yes: Disable the helper. You need to set up your FTP server to use a fixed passive port range and then forward this range additionally. What exactly do you mean that this is not port 21 specific? Do you see the exact same thing with logs on your webserver or whatever you're running on this machine? Are you source-NATing?

Ok - so I have a very similar problem to this but after applying your fix I still have no joy. My VoIP system is Microsoft OCS R2 and I can't get audio between an external client on the Internet and an internal client. PFSense should now be completely transparent but still I get no audio.

Thanks Drees, I put this system in production yesterday, and it seems like what you are saying is exactly correct.  I was just making sure there were going to be no surprises down the road, and since 1:1 and outbound are in different tabs, there was no way to "order" the rules to act like I wanted.

Problem solved in my ignorance I did not give the AP's a passthrough on the captive portal

Probably you just need to add outgoing NAT INTERFACE=WAN, SRC=10.1.1.0/24, SRC PORT=, DESTINATION PORT=, NAT ADDRESS=207.X.X.51, NAT PORT=*, STATIC PORT=NO

Well, port forwarding and websurfing seems ok now…except that the FTP forwarding causes problems. May the use of a load balancer affect the transfer stability ? My opinion is that DNS don't always resolve the same IP...

@GruensFroeschli: I dont think it's related, but: Are your VLANs all on the same switch? I see that you mix tagged and untagged traffic on the same interface. This "could" be a problem. Yes, they are. The interfaces on the pfsense box are in a vlan which is native on the trunk port on the switch. I dont think you can do with the current setup what you describe. Traffic would have to leave via one interface ( the /28), get NATed, reenter on the same interface and get routed to the WAN. Well, can I get "around" this by using another physical interface on the pfsense box for the PublicInternet, instead of using a vlan interface, and "moving" the rules to that interface ? If that would work, I'd (not really happily) do it. How does you ISP handle traffic on his side? Will traffic from your IPs be routed to your main WAN IP no matter where it comes from? My ISP routes all traffic to the /28 subnet via my public wan interface IP.  I assume that in their upstream router they have something like this: ip route A.B.C.192/28 0.0.0.15 D.E.F.21 and are exporting this route to BGP/OSPF/MPLS or whatever they speak upstream You could scrap the /28 VLAN and add the additional public IPs on the WAN directly with PARP type VIPs (CARP wont work since it's a different subnet). You then can use these VIPs in outbound NAT rules. I NEED the /28 VLAN; this is essentially where I can do "internet" testing directly, without having to make ruleset changes on the firewall. There's at least a half dozen boxes on that subnet now, and I do not really want to to make VIPS and manage  a constantly changing ruleset for each one of those boxes, some of which might be "foreign" machines with DHCP assigned addresses. If I can make this work by using a separate physical interface for the PublicInternet, I'd be happy, but have to forgo using CARP which I was "saving" the last interface for (its an ALIX)….

@GruensFroeschli: Can you show screenshots of your firewall and NAT rules? Did you enable advanced outbound nat? I have not touched the outbound NAT settings; it's still set to the default of Automatic Advanced. Here are the pictures (I have tried it with and without the aliases) [image: pfsensenat.jpg] [image: pfsensefirewall.jpg]

Thanks! That makes sense. Jens

http://faq.pfsense.com –> http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F :)

I'm sorry. I should have specified that I tried using port forwarding from both the WAN port and the virtual IP I created for my web server. No luck. I also tried a packet capture to see if the packets were being rejected by the firewall for some reason. After trying the website multiple times, I stopped the capture only to find no packets were captured. I think it has to do with my ISP.  I have a call in to them, but they don't work on weekends. Go figure. Essentially, I followed all the setup guides and then a guide I found at: http://www.digitalphotomac.com/PFsense/VirtualIP/, which seemed to explain exactly what to do.  But it still didn't work. The only difference was I am using a Cable ISP and he is using a DSL provider.  Seems that is the problem. I may have to purchase a different ISP to make this work, but that would be a last resort. Thanks for your help.

Here is the openvpn config File I'm using. So unless it is in some other file, I'd say no.  ;) client dev tun remote xxx.xxx.xxx 1149 proto udp tun-mtu 1500 fragment 1300 mssfix float reneg-sec 86400 resolv-retry infinite nobind persist-key persist-tun route-method exe route-delay 2 ca xxx.crt cert xxx.crt key xxx.key tls-auth xxx.key 1 cipher AES-256-CBC comp-lzo verb 4 ns-cert-type server auth-user-pass inactive 604800 ping 5 ping-restart 60

Ok i think it works :)

Hi GruensFroeschli! It looks like that PC has hardware problems (I'm hoping it's the hard drive) and that I'll need to reinstall… The web interface stopped responding for no reason and many of my logs seem to contain binary data which I'm pretty sure is probably not normal... I'll test 1:1 NAT as soon as everything is back to normal... Thank you! Nick

The picture did not show the entire network.  pfSense shares a LAN with a SonicWall that we are trying to replace and the SonicWall has more VPNs to more networks.  Trust me, I wouldn't just add static routes for the fun of it.