• Painful question to ask

    Locked
    2 Posts
    2k Views

    pfSense does NAT by default on any interface that has a gateway specified, e.g. WAN or any OPT-Interface that has a gateway (and thus can be used as an additional WAN). If you want to shut down this behaviour, you can do so by enabling advanced outbound NAT at Firewall > NAT, Outbound tab, and specifying custom mappings.

  • Asterisk Server behind pfSense doesn't work. -*Solved*-

    Locked
    8 Posts
    15k Views

    There are some posts with screenshots around in this forum. Please search.

  • 1:1 NAT selective translation

    Locked
    2 Posts
    2k Views

    Try to add some advanced outbound "no nat" rules. Not sure if this will work though or if they get "beaten" by the 1:1 NATs.

  • Private WAN-address and public LAN-address Nat-problems

    Locked
    12 Posts
    9k Views

    @Jakk:

    No, they do not NAT the traffic, it is only within the operator's own network cloud where they use 172.x.y.z addresses as link addresses between different IP-routers.

    Just wondering, but is your ISP Covad by any chance? I have dealt with several Covad DSL setups where the WAN range from their side is a 172.x.x.x network, and the LAN range is your normally used public range.

    Thanks…

  • Stupid question - how do you delete a NAT rule from the 1.0.1 GUI?

    Locked
    3 Posts
    2k Views

    AHHHH DUH obviously I would first have to check the desired rule(s) then click the x "delete" icon at the very bottom of the list. Too bad it is not set up like firewall rules.

    Thanks

  • Apache on port 80 NAT

    Locked
    2 Posts
    2k Views

    Did you manually create the firewall rule or was it autocreated when adding the NAT entry? In case you created it by hand, let us see the rule please. Make sure the host behind the client has no firewall of its own and uses the correct gateway. You also have to test this from the outside (in case you try this from the inside it won't work without NAT reflection turned on, but this might cause issues with your webgui if it still listens at port 80).

  • Is a default block rule for Lan necessary? (newbie question)

    Locked
    8 Posts
    3k Views

    @Rockyboa:

    Again, like I mentioned in the Firewall thread, the outgoing FTP is not blocked even with this invisible block all rule.

    Martin

    Block incoming on LAN to 127.0.0.1.  That will kill it.

  • SSH disconnect

    Locked
    2 Posts
    2k Views

    Check your ssh-client for a keepalive setting. Another option is to raise the default state timeout for this connection by editing the advanced option for this firewall rule.

  • Port forwarding to print server loopback issue

    Locked
    5 Posts
    3k Views

    That didn't help either.  Regardless of what I do, I can loopback into the SSH box, but the printing only works from external sources.

    Would any sort of diagnostic output help?  Like I said earlier, I'm very new to pfSense and really don't know how to diagnose these problems.

  • 32 Posts
    13k Views

    My homebox has 2x intel fxp onboard (ibm eserver). I don't see any issues with it. Not a zero in/out error. Same at the nexcom at our office or 2 other nexcoms that I have out with intel nics. However these drivers have support for several intel chipsets, so the problems might only arise with really new chipsets like in your hardware.

  • 5 Posts
    2k Views

    Well, the problem was the protos I configured in the mappings were tcp/udp… I modified it to tcp now and now it's fully working.

  • Forwarding a external IP to another external IP

    Locked
    1 Posts
    2k Views
    No one has replied
  • Redirect traffic to a single external host:port from internal client

    Locked
    4 Posts
    2k Views

    What I would like to do is similar, but, just a single host IP:port (the pfsense LAN interface address actually) to an internal LAN host:port (port being the same for both).

    What I am trying to do is have LAN:25 (and ONLY LAN:25) being redirected to the internal:25.  All other WAN destinations:25 would be unimpeded.

    I have tried a LAN NAT rule with the "external" source the LAN interface IP and any port to the internal IP port 25. But, as you might guess, it only works when you are on the pfsense shell such that you are coming from LAN interface IP. I am sure there is some way to do this. Maybe it takes more than one NAT rule to do. Not sure.

  • DMZ NAT issues - can't disable nat

    Locked
    2 Posts
    2k Views

    I have answered my own question

    It was in fact working; however, FTP was still showing up as the firewall's interface IP. Ticking "disable ftp helper" on all the interfaces fixed this. I had to do it on all interfaces.

    WAN -> DMZ shows clients ip
    DMZ -> WAN shows dmz servers ip
    LAN -> DMZ shows lan clients ip
    LAN -> WAN shows firewalls wan ip

  • Dual LAN, opt1 not port forwarding

    Locked
    3 Posts
    2k Views

    It was the default gateway :) Thanks!

  • Connections to DMZ kicking me out

    Locked
    4 Posts
    3k Views

    I tried re-installing (I took the snapshot this time) and it didn't work. A few more details about my network:

    As seen in the picture: server IP 192.168.2.2, laptop IP 192.168.1.2. All traffic from DMZ (192.168.2.1/24) to LAN (192.168.1.1/24) is blocked!

    Now if I try SSH or Telnet to any service to example.org (by domain name, so my laptop will get it as 2.0.0.2), the connection will be closed after 3/4 seconds of inactivity! However, if I use SSH/Telnet but this time to 192.168.2.2 (by IP), then the connection will stay open…

    Any solution?

    Thx

  • How to get HighID in eMule

    Locked
    9 Posts
    7k Views

    Does it work if I have the traffic shaper on, and it manages p2p traffic by QoS?

  • Xbox 360 configuration NAT: strict

    Locked
    10 Posts
    9k Views

    To help you (I hope ^^) :

    I've got a 360 connected to LAN. And the only thing I had to do to make XboxLive! work is to set up a NAT on the following ports:

    3074 TCP -> 3074 TCP
    3074 UDP -> 3074 UDP (and not 2074 like you said ;) )
    88 UDP -> 88 UDP
    (From WAN, TO the 360)

    Sometimes when I'm running the Live! test on my Xbox, it tells me that it's Strict, but often it tells me that it's OPEN.
    So I suppose that it's OPEN in all cases and it's just a bad detection from the 360 :)

    And don't forget to make the rules to allow this traffic in your firewall ;)

  • Active nat loopback

    Locked
    4 Posts
    18k Views

    @sdale:

    You need to also change the webgui port to use a different http port, ex 8080, or change to https. Https is better anyhow ;)

    Only if you try to access the webgui on the external IP. If you come from LAN and try to access it by its internal IP it will still work.

  • NAT and Dynamic DNS

    Locked
    4 Posts
    2k Views

    @Piplfox:

    If    Proto     Ext. port range   NAT IP         Int. port range   Description
    WAN   TCP/UDP   5800              192.168.2.3    5800
                                      (ext.: any)

    Try setting the External address to 'Interface Address', instead of 'any'.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.