Thanks a lot for your interest anyways…  ;)

If you only serve incoming requests the state will handle the returning traffic as well, so you don't need outbound nat. Try VIPs type proxyARP or CARP if you need layer2 traffic for these IPs. If you ISP is routing these IPs to you anyway type other will work too.

no.
but you can create an alias.

long waited?  It's been answered many times.

pfSense does not have NAT-T support.

I changed the setting in the firewall.  It looks like IIS7.0 on my Vista workstation needs to be reloaded.  It looks like I killed it.  I will give you a update after I reload IIS.
RC

I finally found the answer… I had to setup CARP interfaces for each of the virtual IP's and then the NAT port forwarding worked just fine.

BTW... I also found that I had to specify the same subnet mask for each CARP interface or it wouldn't work. For example:

My main interface is XXX.XXX.XXX.98/27

My CARP interfaces had to be:
XXX.XXX.XXX.99/27 to XXX.XXX.XXX.104/27

Great to hear so far.  I'm about to install this on a permanent box, and I'm hoping for the best.

I have a range of about 13 IP's or so that I can dedicate to the students, so I may NAT their entire subnet to that range of IP's.

I'm glad to hear that I'm not crazy and that others have had problems with FreeBSD freezing under heavy IPFilter loads as well.  I thought it was something I was doing wrong.

@cardinalweb:

Hopefully someone can clarify, from what I can tell from the forum and other responses is it true that NAT Reflection will NOT work on Virtual IP Addresses that have been assigned through NAT 1:1, BUT it will work on any addresses you setup within NAT port Forwarding?

that's correct.

I'm locking this thread though, since it discusses issues about a year and a half ago it's largely no longer relevant to any currently supported versions. If you have further questions please start a new thread.

Not sure if you've figured it out (as title now says solved), but it occurred to me that you might have meant Proxy-ARP and not CARP by PARP. While CARP addresses should have the correct mask, Proxy-ARPs added as you show should have be added as 'single address' /32.

Maybe you don't even need VIPs. If you really just want to make one machine available to the public add a portforward with appropriate firewallrule (let it be autogenerated). I think you are overcomplicating things here.

@GruensFroeschli:

do you want to 1:1 NAT or just normal NAT?

normal NAT or if possible 1:1 NAT, i could try both and see which one will work better, thanks.

why do people post the same thing in two different threads?

attached you can see an example of NAT and FireWall rule (which is autocreated when you create the NAT entry)

the server that should be accessible has the IP 172.22.30.200 and runs on port 81.
if you want to run your server on port 80 you need to change the webgui of pfsense to a different port.

if you dont want to do that you can create a Virtual IP in your subnet on WAN and 1:1 NAT this VIP to your server.
the server is then accessible via this VIP

freenas_webgui_nat.JPG
freenas_webgui_nat.JPG_thumb
freenas_webgui_fw.JPG
freenas_webgui_fw.JPG_thumb

Can someone put a screen capture of the NAT/rules and NAT/port_forwad  so I can reach my server inside the lan when I am outside.

My router ip = 10.0.0.1/8
Pfsense Wan ip = 10.0.0.254/8
Pfsense Lan ip = 192.168.1.1/16

My web_server ip = 192.168.1.101/16
The PC from which I want to reach the web_server is = 10.0.0.7/8

Thanks …

Sounds like a pretty standard port forward setup - look at the NAT menu.

There is a pfSense package available for NTOP (system, packages). Have you verified DNS resolution from the firewall? Do you have the ftp helper enabled on the LAN interface?

Thank Everyone , solve it , like dotdash said it all automatically nat only me do some careless mistake.
shreckbull thank for the info

i think the gui only checks when you have 2 rules of tcp or 2 of udp or 2 of tcp/udp but not a mix

but its not a problem the first rule wins the other is never seen

Everything except DNS is TCP, not TCP/UDP, so I would change your rules for SMTP/POP, etc to use only TCP. Then it should work with NAT refection on. I would think a better solution would be to use Internal DNS servers with the private numbers, or do split DNS.

As long as the client is configured properly for the custom port as well, shouldn't be a problem (doing the same thing on my setup).  Are you sure you have the correct ports forwarded for passive mode as well?  Is the ftp helper enabled?

@SecureMe:

…via a manually entered "Static Route" in pfSense...

So Chris - have I made it more confusing?

Oh boy, I was busy recently. Didn't realize that I was that far off the track…
Of course, a static route in pfSense makes perfectly sense and is the missing brick I was looking for.

Thanks Jason for your rather long explanation! Even I got it now.

I shut up now and and have some sleep...  :-X