did you find any problem with the 30 second refresh on the wan?
I am running in ppp half bridge and am seeing the same thing.

I am having performance issues so was thinking this is the problem.

Do I understand that you did not have any performance issue?

This will only work if squid is on a different interface. At least many months ago I couldn't get it to work with a redirect rule with squid on the same interface. Mostly due to not being able to add a rule thats like below

rdr on {iface} inet proto tcp from !{squid ip} to any port = 80 -> {squid ip} port 3128

Three options:

Place squid box on different interface on the pfSense box and make the redirectrule. Set squid box up with a bridge and redirect traffic going through the bridge to squid. Change the pfsense dhcp lease default gateway to squid box and set the squid box gateway pointing to the pfsense box with traffic being redirected to squid.

This is not possible with the 1.0 series. The next major version will have support for this kind of aliasing. It's already in head.

That is sourcebased natting which is not supported atm.

Yeah, apparently. Actually if some sort of plain text explanation could be added to that option that would be awesome.

oky, the reason is that

on the linux machine i have not jet configured the proper gateway!

solution:

delete all nat and ftp rules (ftp related)

reboot

add one first ftp nat, save auto created rules and apply

reboot

add one second ftp nat, save auto created rules and apply

don't reboot

different 2 ext. and 2 int. fpt server accessed.

Thanks for your advice, but I think it will redirect whole IP address not just one port. I think somethink similar what is implemented in e.g. ZyXEL ZyAIR G-2000 plus router (firewall with WAN-to-WAN rules). I do not know if it is possible to do in pfSense firewall.

Ufff!! :)

i´ve found the problem :)

if i have the captive portal active … the nat rules and upnp dont work ... What do i have to do ?

Sorry guys .. and thank you :)

Guess something like that would be needed: http://www.openbsd.org/cgi-bin/man.cgi?query=tftp-proxy&sektion=8&manpath=OpenBSD+4.0

Rules are always applied incoming at an interface, so if your smttp/pop3 clients sit at lan this rule has to go to firewall>rules, lan tab at the top of the list.

Your question has already been answered.  Search the archives.

You can create custom NAT mappings at firewall>nat, outbound tab. Just enable advanced outbound nat and create only the needed NATs. Everything not specified as outbound NAT rule will then simply be routed.

I just setup Filezilla ftp server here on Win XP and it worked fine with any ftp client I threw at it. However the exact same (I think!) config on a remote site just got me a login, but no data connection. I could even make directories, but no LIST. Filezilla client did the same.

I then tried leap FTP client to connect to the remote Filezilla server and it works fine. ftp://ftp2.leapware.com/pub/lftp276.exe

I have no idea why Leap works and the others fail.

:-(

Moral of the story: its probably your ftp server config thats the problem, not the firewall.

resolved 1.0.1 update. thanks.

Sorry I didn't notice the reply until now, I had to set aside pfSense and temporarly use something else to get a IIS site up.

First, I'll try to keep in mind the 'order of operations'.

Second, I'm glad I was able to help find a bug.  I hope the fix made it to 1.0 stable.

I plan on testing 1.0 in the near future.

Thanks to all who replied.

It's (unfortunately) a bug. You won't have to reboot with version 1.0.1. This bug doesn't appear always and with all configurations which made it a bit hard to find but it's already fixed.

natreflection doesn't work for 1:1 nats. If this is only a mailserver and you only need few ports (25,110,…) turn off the 1:1 nat and use a combination of protforward and advanced outbound nat for this and enable nat reflection at system>advanced ( at the very bottom of the page). Other option is to set up split DNS like you suggested.