Thanks Hoba, I enabled "NAT Reflection" then added the Port forwarding as you said and it just works!!! Then I think I don't need my old firewall box again. Thanks again to all psSense team.  Let me know if there's anything you think I can help. Tony.

TCP/UDP shouldn't cause a problem in your example as both should be open and be forwarded. Just note, that once you have autgenerated the firewallrule by adding the portforward the both rules (nat and firewall) are not linked together anymore. If you change one you have to change the other as well. Maybe this is/was the problem as you changed rules manually later?

If you want to have these changes backed up in your config run them by using hidden config.xml commands (see http://faq.pfsense.org/index.php?action=artikel&cat=10&id=38&artlang=en ).

That is correct behaviour. You can shift ports with it but not redirect a range of ports to the same port.

With the current implementation of loadbalancing probably not but I might be wrong. Who knows  ;)

aaa ok thank you that was simple. I was in the wrong area. Again you came trhough with some good info.

That solved the problem. Thank you! Regards, Krzysztof

Can you give us some details about your WAN setup and all WAN public IPs that you have (real interface IP and virtual IPs, type of WAN conection)? For the different virual IP types: CARP Can be used by the firewall itself to run services or be forwarded Generates Layer2 traffic for the VIP Can be used fo clustering (master firewall and standby failover firewall) The VIP has to be in the same subnet like the real interfaces IP ProxyARP Can not be used by the firewal itself but can be forwarded Generates Layer2 traffic for the VIP The VIP can be in a different subnet than the real interfaces IP Other Can be used if the Provider routes your VIP to you anyway without needing Layer2 messages Can not be used by the firewall itself but can be forwarded The VIP can be in a different subnet than the real interfaces IP Hope that helps a bit. Other

Search the forum for "static port". You have to add an outbound nat rule for this and enable advanced outbound nat at firewall>nat, outbound.

http://www.firewall.cx/vlans-links.php for some vlan info as hoba said. I've just placed a ordered for a http://www.hp.com/rnd/products/switches/ProCurve_Switch_1800_Series/overview.htm or if all the pc are located in the same room go with more lan nic's to save some money. a diagram would be useful –-wan-----pfsense or use http://www.gliffy.com

thanks.  congrats! after 1.0.1-SNAPSHOT-03-08-2007 snapshot update problem resolved. (but, i think nat reflection problem exist, may be) previous connection setup: lan to dmz connections used nat real ip (real wan ip) currently internal ip (opt ip) example: previous setup:  (my ordinary setup) nat reflection enabled nat: 212.x.y.93 -> 10.6.1.93 = port: 21 (used auto created rules) lan clients connection 212.x.y.93 success, but 10.6.1.93 not succes (wan to ftp server connection success) current setup: nat reflection enabled nat: exactly lan clients connection 10.6.1.93 success, but 212.x.y.93 not success (wan to ftp server connection success) if true, this is my new ordinary setup..

PF (the filter used by pfSense) scrambles ports for advanced security by default. Some VOIP-Providers don't like that. Have a look at the following links how to shut down this behaviour for your VOIP-Phone: http://forum.pfsense.org/index.php/topic,104.msg5876.html#msg5876 http://forum.pfsense.org/index.php/topic,1047.msg12752.html#msg12752 There are other threads covering this too. Search for "static port" if you still have questions.

Glad you got it working finally  :)

Try unchecking "block private IPs" at interfaces>wan.

You only create the portforward at wan so lan will be untouched. However if you want to make the webgui available at wan later you probably should use another port for it (and of course use https for it).

Scrambling ports is done as an extra security mechanism.