• RDP Port

    Locked
    0 Votes
    7 Posts
    5k Views
    It is just as simple to change the port for RDP and add the rule. I have done this for several customers for security purposes. It works fine. If you are using it internally, we just create a custom desktop icon and push that out to all your internal users.
  • NAT issue with PFsense

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Simple 1:1 NAT HowTo

    Locked
    0 Votes
    1 Posts
    46k Views
    No one has replied
  • NAT

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Back to back 1:1 NAT

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • NAT and MAC change (Intel NIC Teaming)

    Locked
    0 Votes
    3 Posts
    4k Views
    @unguzov: I have a problem with NAT and port forwarding. One of my servers is using Intel NICs with the TEAM function (two LAN cards are used as a team and provide load balancing and failover). The problem is that I cannot create a stable connection with port forwarding (for example remote desktop or HTTPS mail), because the MAC address constantly changes. I see these messages in the log:
    Nov 22 20:32:03 kernel: arp: 192.168.190.6 moved from XXXXXX:4c to XXXXXX:4d on fxp0
    Nov 22 20:31:45 kernel: arp: 192.168.190.6 moved from XXXXXX:4d to XXXXXX:4c on fxp0
    Nov 22 20:31:45 kernel: arp: 192.168.190.6 moved from XXXXXX:4c to XXXXXX:4d on fxp0
    Nov 22 20:28:56 kernel: arp: 192.168.190.6 moved from XXXXXX:4d to XXXXXX:4c on fxp0
    ….
    What can I do now? Remove the Team function or adjust firewall settings?

    It sounds like you don't have switch support for aggregation, or don't have it configured properly. Pure failover mode is all that will work properly without switch support.

    I am having a related issue where I need pfSense to update its ARP table more frequently due to MAC address changes. Any idea how to do this?

    I think FreeBSD should be updating the ARP table any time it receives a packet that doesn't match its current cache, as should any other TCP/IP stack. Are you saying you want it to flush the cache sooner and make a new ARP request? This is controlled by the sysctl tunable 'net.link.ether.inet.max_age'; it seems to default to 20 minutes.
  • Static /29 subnet WAN -> Multi-LAN NAT Config howto?

    Locked
    0 Votes
    2 Posts
    4k Views
    GruensFroeschli: First create Virtual IPs for all the additional IPs you have on the WAN. You should probably use CARP VIPs here. Enable advanced outbound NAT (Firewall -> NAT -> Outbound). Now you can create a rule for each subnet and select the VIP as the NAT address.
  • My Working FTP Setup for FTP and SFTP and FTPES

    Locked
    0 Votes
    2 Posts
    9k Views
    1. pfSense and FTP: Passive ftp using these suggestions you mentioned with NAT and rules
    2. Change the settings of your ftp server to actually use the PASSIVE setting (consult your ftp server vendor's manual - in my case G6ftp)
    Thanks to bits and pieces everywhere on these forums, PASSIVE is now working.
    NOTE: From a security standpoint, PASSIVE FTP is more secure (thus better) because you do not have to open up Outbound ports to ALL!
  • Virtual domains in DMZ

    Locked
    0 Votes
    2 Posts
    2k Views
    Wow! User error strikes again, and I feel like a jackass for posting now. :) I changed my IP scheme w/ this migration and forgot to change it for the virtual hosts inside httpd.conf. …stupid. Thanks for all the great work on this project.
  • NAT

    Locked
    0 Votes
    2 Posts
    1k Views
    Have you UNCHECKED the "Disable NAT reflection" option? http://hightechsorcery.com/2008/11/nat-reflection-pfsense-firewall Cheers, Bern
  • Specifying Source in NAT rule

    Locked
    0 Votes
    10 Posts
    3k Views
    dotdash: I think one problem is that giving users more options gives them more opportunities to screw things up. I can see specifying the source for NAT being useful, but it would be a rarely-used option that only a handful of people would ever need. I would love to see an 'expert' box hidden under several warnings that would allow you to input raw syntax for a rule. It wouldn't have to attempt to display it, just add it to the ruleset. I have had a couple of times when I wanted to do something unsupported by the GUI, like outbound NAT vs an address pool, pointing a fw rule to a custom table, etc.
  • Port forward does not work

    Locked
    0 Votes
    5 Posts
    3k Views
    I use https, so 443.
  • Simulating rv042 behaviour

    Locked
    0 Votes
    4 Posts
    3k Views
    Ah, so you only have the one public IP address?
  • Port Forward-Basic Setup

    Locked
    0 Votes
    3 Posts
    2k Views
    Destination port range: from: (other) 58585 to: (other) 58585
    and External port range: from: (other) 6112 to: (other) 6112
    Maybe V
    Destination port range: from: (other) 6112 to: (other) 6112
  • Changing state time outs..

    Locked
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli: Advanced -> Firewall Optimization Options -> aggressive
  • External Squid

    Locked
    0 Votes
    2 Posts
    2k Views
    Create a new NAT Rule on the LAN Interface, ext. address any, ext. port 80, nat ip [your squid server], local port: [squid server's port] and you're done. greetz
  • 0 Votes
    4 Posts
    3k Views
    Show the output of the routing table on pfSense and give the PPPoE server configuration and an output of the ifconfig command.
  • FTP setup and I don't know what to do?

    Locked
    0 Votes
    7 Posts
    3k Views
    With an alias you essentially create a group of hosts and bind them to an easy to remember name, say for example: "FTP friends", and then add all the IP addresses you want to have access to your FTP. Then when you create your NAT to your ftp, you specify the source as your newly created "FTP friends" alias. So in the future if one of those IP addresses changes, you just have to modify the alias and not the NAT rules, saving a little time.
  • Strange behaviour with NAT, reflection and protocols like ESP

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How to enable port forwarding?

    Locked
    0 Votes
    3 Posts
    2k Views
    Thanks for the reply. I did try moving the listening port to something other than 22 and I also tried ssh -p portnumber user@pfsence.box. With both of these the session just hangs until it times out. Logging is enabled and, eventually, I did see some errors from the correct inbound address:
    Dec 9 17:04:38 WAN xxx.xx.xxx.xxx:4045 xx.xx.xxx.xx:135 TCP
    Dec 9 17:04:05 WAN xxx.xx.xxx.xx:22 xx.xx.xxx.xx:64909
    The rule that triggered this action is: @61 block drop in log quick all label "Default block all just to be sure."
    If I can get my rule above this one, I might be in with a chance, but I can't see it in my list. I am a bit lost. I am not sure if the issue is the ssh command, the pfSense config or a routing issue. What I do know is that the sshd on the internal host is not being contacted. :-\
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.