that fixed it, thanks man :)

Hello I have tried that but doesnt seem to be working see my picture for how its setup in the port forward page [image: portforward.jpg] [image: portforward.jpg_thumb]

Thanks to cmb and mrzaz for the response. Now that I have checked from an outside host, I seem to be able to browse the web server – which I couldn't from inside, which means redirection is working. Also, I didn't know that they could be handled in such a different way in PF -- apparently a lack of experience with that. But that solves the trouble for the time being. Thanks for the links to pf doc, I'm reading it at the moment. Thanks again. Regards

The port forward needs to be on WAN, not OPT1.

Ok.  I added a rule to forward port 80 and that works great!  Thanks! But I don't know all of the ports that need to be forwarded.  Ideally everything.  I see that reflection is limited to <501 ports. Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports. Can you recommend a better approach to solving this? Thx

firewall, rules, lan: tcp,lan net,,,443-https,wan-gateway Make sure this rule is before the default that point to the load balancer. Better solution is to make a balancer pool and a failover pool. point to the failover for https, point default to balancer.

Update - since what I have been reading pointed to the issue being resolved with AON I decided to try it.  I kept the default wan rule and added a copy of it pointed at opt1 (wan2).  After resetting the states and waiting a short period of time I tested the remote phone and it is working perfectly now. Thank you for a great product!!!

First off, let me change my subject line for this post to "NAT port forwarding stupidity from no common sense BOOB". Cry Havok patiently asked me what the default gateway was for 192.168.XX.10. The answer?  THE WRONG ONE.  It was set for 192.168.XX.1!!!  Upon changing it to 192.168.XX.2 (the LAN for my pfsense box), everything worked just like it's supposed to. I should be embarrassed (and I am).  ::) Thanks to all who replied, especially Cry Havok, who helped me trip over the obvious!  It's always the little things…

sorry i forgot to add those details i am using 1.0.1 built on Sun Oct 29 01:07:16 UTC 2006 and it runs on a dedicated x86 pc with 3.2ghz and 1gb ram.

It worked, thanks :)

We did, but it wasn't the transparent change we'd hoped for. It broke IPsec, so it was pulled. It's too late in the release cycle to mess with it. 1.2 will not support NAT-T, though it may be added as a package maybe by the end of the year. 1.3 will support it.

Getting from the inside. No luck :/ :/ why redirect goes to 127.. ?? tcp 127.0.0.1:19004 <- 87.205.173.90:3000 <- 10.0.209.55:1797 FIN_WAIT_2:FIN_WAIT_2 tcp 127.0.0.1:19004 <- 87.205.173.90:3000 <- 10.0.209.55:1800 FIN_WAIT_2:FIN_WAIT_2 Getting from the outside (everything OK - ShieldsUP test) Redirection OK. tcp 10.0.209.5:3000 <- 87.205.173.90:3000 <- 4.79.142.206:40384 SYN_SENT:ESTABLISHED I have Nat Reflection Unchecked. Does not work with checked either :( Before updating to 1.2rc2 It worked without unchecking that option.

I set it up that i only have the ports unscrambled that i need unscrambled. For that let the default scrambling rule be and create above the default rule a rule for your single port you want to have unscrambled. rules are processed from top to down and if one rule catches the rest is no longer considered. Do you mean it does not scramble them when you NAT them to be accessed from the outside? This is a different matter. This is about OUTBOUND NAT. All ports on outgoing connections get scrambled (even Bittorrent, look at the state tables while you are downloading). But some Programms get their destination to send the reply to, from the source port out of the header of the packets they recieve (with the correct scrambled port) and thus work.

You dont have an AON rule for your global scope. I dont think that you can route out the WAN without NAT.

Thanks :) It's works here too :p Thanks tlsail for your screenshots :)

OK, I think I got it!  Through setting my outbound advanced NAT mappings for each interface with a rule of source any, * * *, etc.. and enabling the filtering bridge in the advanced setup, it all worked!  Granted, traffic seems to be flowing through my LAN interface rather than WAN, but I can sort that out later (this is on a test network with a software router on my mac so… ;) ).  So thanks!!! NickZ P.S. I've attached a screen-shot of my routes-table here. [image: routes.png] [image: routes.png_thumb]

Well I took your advice and verified that I was told to use the wrong IP for my gateway.  I'm still trying to wrap my head around the fact that my Linksys running dd-wrt worked regardless of the improper settings.