Double check that you are allowing the traffic in the firewall rules from any address and any source port. Run shields up on the ports you have forwarded and look at the firewall logs to see if anything is blocked.

Let's make this simpler.  I've read - I don't understand.  I've searched, but not for said topic of splitting the dns.  I searched for the modem model and also for port forwarding, and turned up nothing that helped.  If you like I can PM you and have you connect to my machine via RD or some other method and you can attempt to fix it yourself.  That would make life a lot easier.  In any case, I'll read the second thread you linked and see if it helps.  Waiting on your reply, and thanks.

I use XenServer not VM-Ware but ran into a similiar situation.  What was happening was the NAT to firewall rul was not being built correctly.  Shortly after that a new release hit and I have never had any other trouble. Check your rules to make sure that they are being built correctly RC

So you just want to have internally a different port than is open externally on the pfSense? Yes pfSense can do that. Did you try to set such a NAT-rule and it didnt work? (Acutally did you even look at the NAT-config page?)

It randomizes the source-port, so there would be no problem with overlapping connections. If you needed static-port, then you would probably have trouble with multiple connections to the same server. I'm not a big gamer- you might want to check out the gaming section. There's a sticky about static ports.

Do you have rules on both interfaces allowing traffic to the other LAN?  Are the clients on each LAN able to reac the Internet? Do you really have 10.1.1.x/24 on both the WAN and the LAN interfaces of the pfSense host?

You click on "Firewall –> NAT" and create a rule. Done. (for gods sake. please try it out and stop asking questions before you even tired)

If I can find another machine hanging around to try that with, I will.  I can't really take this one offline and do internet stuff.  But, 2.0 is alpha…  I'm a little unsure about alpha software. But, I have a feeling that it's actually a problem with frox re-making the connection to the client.  That's why I was looking for a source nat rule so that it could rewrite where the client thought the data was coming from.  Or, maybe even having pftpx handle that part for me.  But, can't find a way to do that either.  Any ideas would be helpful. Thanks for the help so far!

Can you show a screenshot of your advanced outbound rules?

@kpa: What I mean the order of the firewall rules, not outbound nat rules. Policy routing is done with firewall rules in pfSense. The outbound nat rules are used after the routing decision has been made, not before. Gotcha, I see where I was making a mistake as well. Thanks!!! Andy

I've deleted all previous FTP configurations including NAT, Virtual IP and firewall rules, did a number of combo configuration before finally got it going. The following configuration did it for me: 1. Created Virtual IP based on CARP 2. Enabled FTP proxy helper on WAN interface 3. Created a 1:1 NAT (tried port forwarding, it works too) 4. Reconfigure /etc/vsftp/vsftpd.conf and enabled passive mode, defined the min and max ports and enabled port range (50000 and 51000) 5. Created a firewall rule GruensFroeschli, sorry for the typo, too much thinking I guess  ;D , what I meant was I've created a rule to allow port 20 and 21 to be access from outside (not port forwarded). Cheers!

Well, thanks. That works about as well as doing NAT 1:1 as far as number of connectible games (and still firewalls my the rest of my traffic)… However, now my firewall logs are filled with exactly the reverse (lots of random incoming ports targeting 6112 on my machine that are getting firewalled). This is acceptable, since being able to access 3/4 of the games is far superior to 1/4, but I just don't understand why they have so many issues with their routing in the game.

Did you reset states or reboot? I had similar issues until I rebooted.

That would only take care of port 80. HTTPS runs on 443, in which case each client would have to be configured to your ISP's Proxy unless they do not filter port 443.