anyone? please?  ???

Yes of course not.
On the WAN are already things running like the webGUI.
1:1 NAT is to be used with additional IPs.
If you want to forward ports from the primary WAN you need to use normal port forwards. (Here the same: you cannot forward already used ports).
Why do you need 1:1 NAT anyways?
Usually you can do it more elegantly with the use of aliases.

ok,
OCS 2007 could use NAT, DNAT and SNAT. With R2 those requirements changed. R2 will work with SNAT. Configure it with 1-to-1 and give it a try. Enable NAT reflection if you have problems.

Try it and let us know. If we get it working, we will document it.

You hit it.

That's what i originally thought when i was faced to this problem. As if the NAT thing would know about "public" ip ranges.

I will try to test this once more.

@blak111:

Use manual outbound NAT. Remove the rule that is translating traffic from OPT1 to the internet. Your ISP will have to be pointing to your WAN address with a route for xxx.yyy.zzz.0/28.

Thank you. Initially I used http://doc.m0n0.ch/handbook/nat-outbound.html to set up pfSense. Looks like it was some crazy NAT setting upstream. They never told me what happened but all of a sudden the problem was gone.

@GruensFroeschli:

Yes its not possible to NAT To different servers based on the source.
But this is something else than originally described in this thread.

Why would you need this?
Why cant you forward externally on a different port to the correct internal port?

Oh I can, it would just be nice (less options on the rsync command line and so on)

Sorry for the thread jacking!

I did setups like this (although only temporary as a workaround).
Yes you can enable AoN and create a rule to NAT traffic from the WAN to an OPT.

More importantly: Why do you need that, and what is your goal?

In my setup i had to access a manageable switch, but it wasn't possible to set a default gateway on this switch.
With this workaround (it's sometimes called "source NAT") it was possible to access the switch, since the visible source was the pfSense –> in the same subnet --> directly reachable without a default gateway.

i use ISPconfig for all other web pages, i dont know if i should do anything to that server as is operates with vhosting, and im not that good with vhosting. heh.
that said, how would you fix a problem like this? with a standalone reverse web proxy?

Its not Filezilla. Do a search on FTP how-to or look in the pfsense documentation. Pfsense is a little differnet that common firewalls are.

My main concern for this move is not security,

I have been using untangle as a spam filter, and it has been working great until recently (Worked great for about 18 months, last 3 weeks it has started to give problems). I've had to reboot it a few times. Because it sits between my router and my switch (bridged) when untnagle is being rebooted everyone looses web access.

I would like to move the location of untangle so that it is only filtering public / inbound traffic to exchange. I can not place it between exchange and the switch directly. I have many apps that send mail via exchange, and untangle will mark or deny those messages.

Understandable. Another option is to use overrides in the DNS forwarder to return the inside address when clients lookup those DNS names inside the network.

http://forum.pfsense.org/index.php/topic,17728.0.html

would this work?

Problem solved… i make the forwarding via firewall==> rule

Thanks for the link and info….but I've already tried that (as noted in my original post). I'm somewhat convinced that the problem is something with the BIND configuration that needs to be modified for it to work properly through a firewall but I've already bound it to the correct IP and port...still no luck.

What are you trying to accomplish with 1:1 NAT?

I agree with cal_j here.

There is much more to it than just deleting a few rules. Since you're not too familiar with Cisco, I'd see if your ISP can provide a modem for you. If you have connectivity issues with the DSL line down the road, it will be easier for them to troubleshoot as well. ISP's love to point the finger at someone else's hardware… especially with DSL lines. Otherwise, I'm sure you can find a new modem for not too much money... of course there is always ebay as well. If you go this route, find out which modem your ISP likes best. Some devices play together better than others.