use the cnet adsl router as a bridge ? .. I got a do not know, and its so hidden so i cant be cba to check it, but its set as bridge, so the pfsense get the wan adress directly. :) 82.xxx.xxx.68                  82.xxx.xxx.68                192.168.1.0/24 Adsl modem/router –--->  Pfsense  -------> Smc DT1024Ez------------> Wlan router as bridge                                           |                          24 Port switch-------> all other interfaces/comps/eq such as printers,computers, etc.                                           |---------------|                                         DMZ                  |                                       192.168.0.0/24      |--------Restricted User lan 192.168.1.0/24 with stronger rules than my normal lan                                       Cisco 800S                        Dlink managed 16 Port                                       4Port                                |                                       |                                    |                                       Windows server 2003--------- Okey, i know u wont have to have so damn advanced, but here can ya see some bridging rules, im gonna change the 192.168.1.0/24 restricted user lan adress and rules though. Well, use bridging, its kinda fun ;D instead of having vlan and such damn annoying extra things that can cause extra issues with applications or port forwarding..

Then your provider either uses a proxy to fix it at their end or uses IAX which is NATfriendly.

I experience the same issue with 1:1 NAT, regardless of whatever I try under pfsense 1.01.  Any ideas how I might go about troubleshooting this issue?

Thanks for favourable reply

Dropping the PIX setup is not an option. The PIX are already in a dual failover configuration, the support is paid up for this year, and migration and verification of the thousands of rules on the PIX to pfSense would take more time than I am willing to commit at this point. Is what I am trying to do with pfSense doable with the current version? If it works, it would be a great intermediate step. Thanks, Sean Harbour sharbour@nwresd.k12.or.us

That's right but it wouldn't help in this example as he changed protocols ;)

pfSense does NAT by default on any interface that has a gateway specified e.g. WAN or any OPT-Interface that has a gateway (and thus can be used as additional WAN). If you want to shut down this behaviour you can do so by enabling advanced outbound nat at firewall>nat, outbound tab and specify custom mappings.

There are some posts with screenshots around in this forum. Please search.

Try to add some advanced outbound "no nat" rules. Not ruse if this will work though or if they get "beaten" by the 1:1 nat's.

@Jakk: No, they do not NAT the traffic, it is only within the operators own network cloud where they use 172.x.y.z addresses as link addresses between different IP-routers. Just wondering, but it is your ISP Covad by any chance?  I have dealt with several Covad DSL setups where the WAN range from their side is a 172.x.x.x network, and the LAN range is your normally used public range. Thanks…

AHHHH DUH obviously I would first have to ckeck the desired rule(s) then click the x "delete" icon at the very bottom of the list.  Too bad it is not set up like firewall rules. Thanks

Did you manually create the firewallrule or was it autocreated when adding the nat entry? In case you created it by hand let us see the rule please. Make sure the host behind the client has no own forewall and uses the correct gateway. You also have to test this from the outside  (in case you try this from the inside it won't work without natreflection turned on but this might cause issues with your webgui if it still listens at port 80).

@Rockyboa: Again, like I mentionned in the Firewall thread, the outgoing FTP is not block even with this invisible block all rule. Martin Block incoming on LAN to 127.0.0.1.  That will kill it.

Check your ssh-client for a keepalive setting. Other option is to raise the default statetimeout for this connection by editing the advanced option for this firewallrule.

That didn't help either.  Regardless of what I do, I can loopback into the SSH box, but the printing only works from external sources. Would any sort of diagnostic output help?  Like I said earlier, I'm very new to pfSense and really don't know how to diagnose these problems.

My homebox has 2x intel fxp onboard (ibm eserver). I don't see any issues with it. Not a zero in/out error. Same at the nexcom at our office or 2 other nexcoms that I have out with intel nics. However these drivers have support for several intel chipsets, so the problems might only arise with really new chipsets like in your hardware.

well, the problem was the protos i configured in the mappings were tcp/udp… i modified it to tcp now and now its fully working

What I would like to do is similar, but, just a single host IP:port (the pfsense LAN interface address actually) to an internal LAN host:port (port being the same for both). What I am trying to do is have LAN:25 (and ONLY LAN:25) being redirected to the internal:25.  All other WAN destinations:25 would be unimpeded. I have tried a LAN NAT rules with the "external" source the LAN interface IP and any port to the internal IP port 25.  But, as you might guess, it only works when you are on the pfsense shell such that you are coming from LAN interface IP.  I am sure there is some way to do this.  Maybe it takes more than one NAT rule to do.  Not sure.