They don't differ. They're doing exactly the same thing, and what you're describing different between the two can't happen.

Thanks for the reply. I believe that I need both interfaces, as the gateway for each IP range is different.  I'm unsure of how a virtual IP would work when I need those IP's routed to a different subnet, even if it's on the same interface. I got the 1:1 NAT's working last night by playing with the firewall rules a little more.  I now have a setup where I have some 1:1 NATs and also have Advanced Outbound NAT set up.

ASCII Art WAN1–\              /---DMZ             \          /             PFSENSE----LAN             /          WAN2--/              ---WIFI

I had the same problem. I solved in another (very unclean and unsecure) way. Just now I were looking around for some suggestion :-( Anyway, this is my solution: You keep in your LAN a PC with the fixed IP address and choose netmask and gateway (eg 10.1.1.1/30 gw 10.1.1.2). Assign the gw IP as the first address of the firewall LAN interface. Assign to the same interface a second IP address for others LAN client, and configure firewall and nat rule accordingly (looking around you can find a step by step document about). Create the tunnel as usual, then you can connect (only) from the PC to the remote LAN. Ugly but working. If someone have a better idea….

Use aliases in your rules. Like this you only have to change the alias.

LAN Rules [image: fwrlgd0.png] WAN Rules [image: fwrwen1.png] I added the "Allow everything from everywhere" rule on WAN for testing. You said: @GruensFroeschli: NOT if you try to access a different remote IP. Mailserver and Computer1…ComputerX are on the same interface, maybe I don't understand you question.

I found that my PPTP vpn connections were doing this also, I went into the System Advanced settings and checked the box for: Disable Firewall Scrub

Are you logging the rules?  Does your firewall show a green light passing the traffic?  Maybe try breaking the ports apart to test.  What if you remove the untangle and go direct to the pfsense?

Nevermind, I figured it out…  I thought that the alias's option was only for hosts!

Have a look here.

Thanks for that, this was driving me nuts. There was one machine which intermittently allowed inbound connections. I could see no difference in the rules applied to it vs other machines. Turned out it was allowed through the captive portal by MAC address whereas the others were being let through via IP. Added an IP rule and everything's fine.

works for me too, thanks  ;D ;D ;D ;D

Yes. But you "could" write your rules yourself. In this case you cannot use 1:1 NAT. These post might interrest you: http://forum.pfsense.org/index.php/topic,13494.msg72294.html#msg72294 http://forum.pfsense.org/index.php/topic,13494.msg72552.html#msg72552