• Multi LAN - one behind router, other not

    0 Votes
    23 Posts
    12k Views
    I found the solution. I contacted the VSAT technicians. So, we tried out the topology. MTU is the PROBLEM!!! So, we have to give the same MTU at the Cisco router and the pfSense, so they can communicate. Previous setting: MTU at pfSense 1500, and the Cisco router 512. So, I set the MTU at pfSense to 576, and the Cisco router to 576. The technicians said it's strange, because in the Cisco router it's already been set up that the Cisco router will negotiate the MTU if it's below it or above it. But when trying to communicate with pfSense, the policy seems not to be working. But, well… it's already been solved now. It's not the NAT problem, policy problem, or anything else. It's the MTU setting. Thanks for all. If anyone can tell me how we can negotiate the MTU and communicate with Cisco smoothly, please don't hesitate.
  • (S/D)NAT routed IPs possible?

    0 Votes
    15 Posts
    8k Views
    O.K. I solved this. Didn't have to split my C/24 after all! I route it thru, but for certain IPs I redirect the traffic with S/DNAT rules to SERV and LAN. This can be achieved with a combination of different netmasks for VIPs. So the answer to my top post is YES. :-) Thank you all for your help. :-)
  • Cannot load webconfigurator after editing port forward

    0 Votes
    3 Posts
    2k Views
    Thanks, I did it last night, it works again, problem's solved! 8)
  • PPTP and NAT

    0 Votes
    3 Posts
    2k Views
    Fixed. I was using a different range in the NAT rules than what the PPTP clients were being assigned. Oops!
  • 1:1 NAT on CARP VIP - Inbound works great, problems with outbound

    0 Votes
    7 Posts
    5k Views
    Do you have anything in the firewall log? As an addition to this, place a rule above with the server's IP as source and tick log. Diagnostics -> Packet Capture can also be helpful. Did you try wget to another server?
  • How does PFsense rewrite nat IP's (or port/forwarding/1to1 nat problem)

    0 Votes
    2 Posts
    4k Views
    GruensFroeschliG
    This is how NAT works. What you want is source NAT. This came up once and I suggested enabling Advanced outbound NAT, and NAT from the WAN to the LAN. However, I never got feedback if that worked. (It was just an idea, I never actually tried that.)
  • Port forward Not doing anything.

    0 Votes
    8 Posts
    3k Views
    Have tried HTTP(S), triple-checked the gateway and it is correct; host gateway is going to the firewall.
  • Outbound Nat always using wan ip not assigned vip's

    0 Votes
    3 Posts
    2k Views
    Thanks for the input. I tried it, even tried leaving the destination port blank so that all traffic outbound from that server would be directed out via its public address. Still doesn't work; as a matter of fact, no internet connections work at all, not even inbound. But when I change outbound back to automatic, internet connections work again, but I am back to square one with all outbound traffic going out via the WAN interface IP and not the server-specific public IPs (virtual IPs) I assigned, and active sync of course doesn't work then. I am not using 1:1 NAT, just some virtual IPs on the WAN interface for my public IP addresses and some port forwarding. Very simple configuration that has me stumped, lol. If I have overlooked something, please feel free to correct me; my ego is not a concern at this point in time, LMAO. Thanks again, Seumas
  • Reflection with multi-port alias forwarding problem (bug?)

    0 Votes
    3 Posts
    2k Views
    jahonixJ
    @cmb: …as NAT reflection in general sucks ... Maybe a dumb question: What would you prefer to use in such a scenario?
  • [solved] NAT: WAN->LAN OK, WAN->OPT broken

    0 Votes
    2 Posts
    3k Views
    It won't work, if you do not disable captive portal on OPT1. If you do, so does NAT.
  • 0 Votes
    2 Posts
    2k Views
    GruensFroeschliG
    http://forum.pfsense.org/index.php/topic,7001.0.html Enable NAT reflection
  • LAN/DMZ NAT

    0 Votes
    6 Posts
    9k Views
    Well, I made progress, but I believe that I do need ICMP to be routable from both the Internal and External interfaces to the DMZ server. I simply don't see a way to do this with port forwarding, while 1:1 NAT creates issues with SIP and the source address of the DMZ server when communicating with Internal network devices. I'm just going to use a different router until I can figure this out. It's a shame that testing on this particular deployment requires as much preparation and down time as it does. It may be that I can do this by editing IPtables directly, but I'm not sure when I will be able to spend more time testing. Thank you for the advice.
  • Re: New to pfsense need help on port forwarding

    0 Votes
    20 Posts
    9k Views
    jahonixJ
    I seem to remember that there were PPPoE problems in an early 1.2 version. Update to 1.2-release or one of the 1.2.1RCs and see if your problem goes away is my best bet.
  • Port forwarding with multi-wan not working

    0 Votes
    10 Posts
    4k Views
    dotdashD
    You are going to have to give a bit more detail on this if you want someone to help. Do all port-forwards from all secondary WANs initially work, but stop working? What do you see in the logs when the port-forwards stop working? What do the state tables look like? What you are saying doesn't make any sense logically. BTW, you should not use registered ports for external port shifts. (tcp/udp 2000 is Cisco SCCP.)
  • Redirect to squid almost working, but stuck when add the rules to pfsense

    0 Votes
    2 Posts
    5k Views
    I'm having the same problem. When I entered the proxy manually (3128), it can be done. But when I use the redirect rules NAT for LAN interfaces from 80 to 3128, seems to be unresolved web. hiks… can anyone help me?
  • Public VIPs and access to them from LAN

    0 Votes
    2 Posts
    2k Views
    Ok. Problem solved (in part at least). I've disabled NAT reflection, created some DNS forwarder and Port forward entries and it works as expected. Well, the only drawback is not being able to ping the server from LAN, but it should be enough. BTW, I've encountered a strange thing (bug) in Firewall Aliases. As all of us, I'm lazy, so I tried to create an alias for all ports my server should provide and then create just one Port Forward entry using the alias created earlier. But it didn't work, I couldn't connect to the server. So I've removed the alias and created 5 separate entries in Port Forward (one for each port) and it works! Is this a bug or just my misunderstanding of what the purpose of port aliases is? BTW2, I've encountered another problem with strange HTTPS lags, which I am describing here: http://forum.pfsense.org/index.php/topic,12343.0.html Best Regards, motzel
  • NAT destination port of connection

    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 1-1 NAT with firewalling

    0 Votes
    2 Posts
    4k Views
    GruensFroeschliG
    http://forum.pfsense.org/index.php/topic,7001.0.html
    NAT and firewall are separate rulesets. So yes, if you delete the "allow all" rule you block everything. Although I don't think 1:1 NAT is easier.
    1:1 NAT approach:
    1: set the 1:1 mapping.
    2: create an alias containing all the needed ports.
    3: create a firewall rule allowing the alias for the server in question
    Normal port-forward approach:
    1: create an alias containing all the needed ports.
    2: forward the alias to your server ports. The corresponding firewall rule gets autocreated.
    3: enable AoN and set the outbound mapping.
    You just do "about" the same thing at different places. IMO the second is "better" because it works with NAT reflection (see link above). Also, you don't forward everything per default, leaving the option to use a single IP for multiple servers.
  • Subversion behind pfsense?

    0 Votes
    8 Posts
    6k Views
    @GruensFroeschli: If you can access it via a browser, the portforward itself is working. –> Not a problem on the pfSense side. Doublecheck if your client is correctly configured. I did that yesterday (rebuilt the client) and it didn't make a difference. I tried AGAIN today, and guess what, it started working again. I am not sure if a patch was applied to the client overnight to fix something. The fact that the repository was accessible by the browser and not via a client made me think that the client used a different set of HTTP methods to get to the repository. In any event, thank you everyone for your help, I appreciate everyone's input.
  • Port forwarding

    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG
    Firewall -> NAT