• Will changing router IP change all ips in firewall rules?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschli

    Use aliases in your rules.
    Like this you only have to change the alias.

  • Problems with port forwarding to mail server inside LAN

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    A

    LAN Rules

    WAN Rules

    I added the "Allow everything from everywhere" rule on WAN for testing.

    You said:

    @GruensFroeschli:

    NOT if you try to access a different remote IP.

    Mailserver and Computer1…ComputerX are on the same interface, maybe I don't understand your question.

  • How to NAT not supported IP "Protocol"

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Possibly a NAT issue?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    G

    I found that my PPTP VPN connections were doing this also. I went into the System Advanced settings and checked the box for:
    Disable Firewall Scrub

  • NAT and Firewall to Mail Server Problem

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    K

    Are you logging the rules?  Does your firewall show a green light passing the traffic?  Maybe try breaking the ports apart to test.  What if you remove the untangle and go direct to the pfsense?

  • NAT VPN VOIP result no audio or one way audio

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Firewall Rules - anyway get around creating a bunch for the same box?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    G

    Never mind, I figured it out… I thought that the aliases option was only for hosts!

  • Stun for SIP (VoIP)

    Locked
    2
    0 Votes
    2 Posts
    6k Views
    Cry Havok

    Have a look here.

  • MOVED: to access pfsense

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • NAT fails when Captive Portal is enabled

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    R

    Thanks for that, this was driving me nuts. There was one machine which intermittently allowed inbound connections. I could see no difference in the rules applied to it vs other machines. Turned out it was allowed through the captive portal by MAC address whereas the others were being let through via IP. Added an IP rule and everything's fine.

  • FTP on 1-1 NAT (again?)

    Locked
    9
    0 Votes
    9 Posts
    8k Views
    R

    works for me too, thanks  ;D ;D ;D ;D

  • NAT / Port forward on second iprange

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • NAT and VIPs

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschli

    Yes.

    But you "could" write your rules yourself.
    In this case you cannot use 1:1 NAT.
    These posts might interest you:
    http://forum.pfsense.org/index.php/topic,13494.msg72294.html#msg72294
    http://forum.pfsense.org/index.php/topic,13494.msg72552.html#msg72552

  • RDP Port

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    F

    It is just as simple to change the port for RDP and add the rule. I have done this for several customers for security purposes. It works fine. If you are using it internally we just create a custom desktop icon and push that out to all your internal users.
    RC

  • NAT issue with PFsense

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Simple 1:1 NAT HowTo

    Locked
    1
    0 Votes
    1 Posts
    45k Views
    No one has replied
  • NAT

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Back to back 1:1 NAT

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • NAT and MAC change (Intel NIC Teaming)

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    K

    @unguzov:

    I have problem with NAT and port forwarding.
    One of my servers is using Intel nics with TEAM function (two lan cards are used as a team and provides load balancing and failover).

    The problem is that I cannot create stable connection with port forwarding (for example remote desktop or HTTPS mail), because MAC address constantly changes. I see these messages in log:

    Nov 22 20:32:03 kernel: arp: 192.168.190.6 moved from XXXXXX:4c to XXXXXX:4d on fxp0
    Nov 22 20:31:45 kernel: arp: 192.168.190.6 moved from XXXXXX:4d to XXXXXX:4c on fxp0
    Nov 22 20:31:45 kernel: arp: 192.168.190.6 moved from XXXXXX:4c to XXXXXX:4d on fxp0
    Nov 22 20:28:56 kernel: arp: 192.168.190.6 moved from XXXXXX:4d to XXXXXX:4c on fxp0
    ….

    What can I do now? Remove Team function or adjust firewall settings?

    It sounds like you don't have switch support for aggregation, or don't have it configured properly. Pure failover mode is all that will work properly without switch support.

    I am having a related issue where I need pfsense to update its ARP table more frequently due to MAC address changes. Any idea how to do this?

    I think FreeBSD should be updating the ARP table any time it receives a packet that doesn't match its current cache, as should any other TCP/IP stack. Are you saying you want it to flush the cache sooner and make a new ARP request? This is controlled by the sysctl tuneable 'net.link.ether.inet.max_age'; it seems to default to 20 minutes.

  • Static /29 subnet WAN --> Multi-LAN NAT Config howto?

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    GruensFroeschli

    First create Virtual IPs for all the additional IPs you have on the WAN.
    You should probably use CARP VIPs here.

    Enable advanced outbound NAT
    firewall --> NAT --> outbound

    Now you can create a rule for each subnet and select as NAT-address the VIP.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.