• NAT rules vs firewall rules

    2 posts, 665 views. Last post by johnpoz:
    When you create a port forward, the default setting is to auto-create the firewall rule on WAN for you to allow it. If you have rules ahead of it that specifically block, other than the default deny, then that could fail, and you would have to move the WAN allow for your NAT to be above any explicit blocks of the ports you're wanting to forward inbound.
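As an added example (not from the post, and not the exact ruleset pfSense generates), the ordering problem described above in pf.conf syntax. The WAN interface name `em0`, the LAN host `192.168.1.10` and the forwarded port 443 are assumptions for the illustration; pfSense's auto-created "associated filter rule" is the `pass` line here.

```pf
ext_if  = "em0"           # WAN interface (assumed name)
web_srv = "192.168.1.10"  # LAN host receiving the forward (assumed address)

# rdr translation is applied before filtering, so the filter rule has to
# match the translated destination (the LAN host), not the WAN address.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> $web_srv port 443

# pfSense adds "quick" to user rules, so the first matching rule wins.
# Working order: the pass for the forwarded port sits above any explicit
# block that also matches it; only the default deny comes after.
pass in quick on $ext_if inet proto tcp from any to $web_srv port 443 flags S/SA keep state
block in quick on $ext_if inet proto tcp from any to any port 443

# Failing order (kept commented out): with the block listed first, every
# SYN to port 443 hits the block and is logged there; the pass is never reached.
# block in quick on $ext_if inet proto tcp from any to any port 443
# pass in quick on $ext_if inet proto tcp from any to $web_srv port 443 flags S/SA keep state
```

A quick check on the box: `pfctl -sr` prints the loaded filter rules in evaluation order, and a block entry in the firewall log whose rule number is lower than the port forward's pass rule is the symptom described in the post.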
  • Problem with NAT port web server. Please help me!!!

    6 posts, 725 views. Last post:
    Thank you. Everything was OK when I switched to NAT + Proxy mode. Originally I had chosen Pure NAT mode. Thanks so much.
  • Nat from LAN to LAN

    2 posts, 3k views. Last post:
    Forwarding is no solution here. That translates the destination address to another one; however, your crap device won't work with that, since the source address is from another subnet. What you need here is to translate the source address into one from the subnet of the concerned device, one which is assigned to the pfSense interface, so that responses are sent back to pfSense. That can be achieved by outbound NAT in pfSense: Firewall > NAT > Outbound. If the outbound NAT is still working in automatic mode, select the hybrid mode and save that setting first. Then add a new rule. According to your example, select the VLAN30 interface (the interface facing the problematic device), at destination enter 10.10.30.200, and at translation address select "interface address", which is the default value. Save it. Accessing the device should work now.
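The rule described above, written out in pf.conf syntax as an added example (not the post's own text and not the rule pfSense itself renders). The destination 10.10.30.200 comes from the post; the interface name `vlan30` and the restriction to TCP are assumptions.

```pf
vlan_if = "vlan30"        # pfSense interface facing the device (assumed name)
device  = "10.10.30.200"  # device that cannot route replies to other subnets (from the post)

# Source-translate everything sent to the device so its replies go to the
# address pfSense holds on the same subnet. In pfSense hybrid mode this
# manual rule is evaluated before the automatically generated ones.
nat on $vlan_if inet proto tcp from any to $device -> ($vlan_if)
```

Caveat worth keeping in mind: once this rule is in place the device only ever sees pfSense's interface address, so any access logging or address-based restriction on the device no longer distinguishes clients. Scope the rule to the protocols and source networks that genuinely need it rather than `from any`, and enforce the client restrictions on the pfSense interface rules instead.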
  • DNS load balancing

    2 posts, 641 views. Last post by jimp:
    The DNS load balancing feature doesn't see much testing; it's possible there is an issue there, or it may just be a limit of relayd. Last time I tried it, it worked, but I also wasn't trying to have it hit a different internal port. How are you testing it to see if it works? Have you tried other monitoring types than ICMP? One major thing to be aware of: when relayd does DNS balancing it acts like a proxy, so your DNS servers will only see the address of the firewall itself and not the clients. Depending on your DNS server config that may make a difference in how it handles the queries.
  • VALID NAT POOL

    4 posts, 741 views. Last post:
    Thanks for the responses! Will be trying out the following as suggested by jimp: "The above on WAN, plus y.y.y.0/30 routed to x.x.x.2, then set y.y.y.0/30 as an outbound NAT subnet"
  • [SOLVED] Unable to ping from LAN network to other subnet

    4 posts, 587 views. Last post:
    :D I'm Austrian. The 35C3 is too far for me to go to.
  • Pass original SMTP source IP to mail filter inside LAN

    15 posts, 1k views. Last post:
    It is working now. The Windows box at that IP had its subnet mask set to 255.0.0.0 instead of 255.255.255.0. Not sure why. I changed it to 255.255.255.0 and I can access that machine through the VPN with that outbound NAT rule disabled. Thanks for your help on this.
  • Multiple Connections on one PORT

    2 posts, 441 views. Last post by johnpoz:
    Huh? Please post up logs of what you're seeing and why you believe you shouldn't be seeing it. When you say you're seeing blocks to a port that is supposed to be open, I would guess that what you're seeing is out-of-state traffic. Do you see flags on the block like A or FA, or RA, PA, etc.? Or do they show S for SYN?
  • Not seeing rule description in logs

    5 posts, 603 views. Last post:
    @johnpoz: "Why would a rule that is not set to be logged need a description ;) If something is not supposed to be in the log, why would the log need to show its description… So I would say it's expected behavior to be honest.." Because it was set to be logged and is still in the log, at least until the log rolls over. Sure, if the rule had been deleted, no description would be available. However, the rule IS still there, with its description (and pf label), so why have the display of the description depend on whether logging for the rule is currently disabled or not? Perhaps it is by design, but I'd never noticed it before, so I thought I'd ask. Day to day it's no big deal.
  • Multiple exceptions for outgoing NAT

    3 posts, 566 views. Last post:
    @viragomann: "Just put all your subnets into an alias (Firewall > Aliases). Add an outbound NAT rule for the corresponding interface, check "Do not NAT", at destination select Network and enter the alias name. Put this NAT rule at the top of the rule set. Now outbound NAT is disabled for the subnets contained in the alias. That's the trick…" Thank you very much. Works great.
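The "Do not NAT" exception with an alias, as an added example in pf.conf syntax (not the post's own text and not the ruleset pfSense renders). The interface name `em0`, the LAN network `192.168.1.0/24` and the three destination networks in the table are assumptions standing in for the alias contents.

```pf
ext_if = "em0"  # interface the outbound NAT applies to (assumed name)

# A pfSense alias becomes a pf table; these member networks are assumed.
table <nonat_dests> { 10.20.0.0/16, 172.16.5.0/24, 192.168.50.0/24 }

# "Do not NAT" rule. "no nat" only excludes traffic from nat rules that come
# after it, which is why the post says to put it at the top of the rule set.
no nat on $ext_if inet from any to <nonat_dests>

# Ordinary outbound NAT for everything else leaving the interface.
nat on $ext_if inet from 192.168.1.0/24 to any -> ($ext_if)
```

Two checks after applying it: `pfctl -sn` shows the NAT rules in order, so confirm the `no nat` line is listed first; and because traffic to the alias networks now leaves with its original source address, the far side (typically the other end of a VPN or a routed transit link) must have a return route for your LAN networks, otherwise those connections fail silently.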
  • NAT Between Public Static WAN IP and LAN IP

    7 posts, 2k views. Last post by JKnott:
    "I had set up my pfSense interface on a particular LAN subnet that was different from the modem/router's default interface." Yep, that would do it. You can't have the same subnet on both sides of a router.
  • Why are ping accepted, but not HTTP traffic?

    8 posts, 841 views. Last post by johnpoz:
    Draw your network… if you do not have a transit network I can almost promise you have asymmetrical routing. If you have this, it's asymmetrical! Unless you host route on each device in the 192.168.1 network. 2nd pic is non-symmetrical. [image: asym.png] [image: nonasym.png]
  • Port forwarding to a wireless bridge network.

    2 posts, 399 views. Last post by ScottyDM:
    I'm not sure what you're trying to do. Both mentioned networks are private. pfSense works on the assumption that at least one interface is "WAN" (has a gateway address to the rest of the world) and at least one is "LAN" (no gateway address). I assume your router connects to the rest of the world, and from your description it's doing NAT to translate the public IP to your first private network. Do you have more than one public IP address, and is it static or dynamic? Why are you connecting your first network to the pfSense box via wireless? What do you mean by remote network? With port forwarding, where are you coming from, and what are you trying to forward to?

    You really should have only one DHCP server per network. And these days just about everything that has some sort of smart networking function (routers, modems, firewalls) includes a DHCP server, and it's on by default. Check everything and turn off the extras.

    The way DHCP is set up is that there's a pool of addresses. The default is to assume an 8-bit subnet (last octet is 0 through 255, and a mask of 255.255.255.0). In any subnet you can't use the first address (0) because it's the network address. And you can't use the last address (255) because it's the broadcast address. Also the device itself is typically using 1. Therefore the default setup for a DHCP pool is 2 through 254. You should be able to set that down smaller, for example 128 through 254 (half your addresses in your pool). Then you have 2 through 127 (the other half of your addresses) available to assign as local static addresses, for example one of them to your pfSense box, another to your LAN server, etc. Best of luck.
  • Port forwarding for Exchange server

    4 posts, 1k views. Last post by KOM:
    How would disabling the resolver accomplish that??
  • Pure NAT vs NAT+proxy

    7 posts, 5k views. Last post:
    That's normal behaviour with a proxy server. On the destination device you only see the IP of the proxy, and that is the interface IP of pfSense which is facing the destination device. What else? Seeing the WAN IP makes no sense at all. The WAN IP may be the original destination IP but never the source IP.
  • [SOLVED] Accessing Webserver in DMZ with Domain from inside the LAN

    9 posts, 2k views. Last post:
    Thank you very much! It works now!
  • [SOLVED] Could not get DNS intercept work with NAT

    8 posts, 2k views. Last post:
    @viragomann: "Have you configured the DNS resolver to listen on localhost or all interfaces as suggested in the doc?" No, I missed that. Thanks for pointing it out. That solves the issue.
  • NAT issue

    2 posts, 410 views. Last post by Derelict:
    pfSense 2.2? Upgrade. See Also: https://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense
  • 1:1 NAT doesn't reflect

    9 posts, 962 views. Last post:
    @ScottyDM: "Perhaps they've gotten better, but in the past cheap routers couldn't reflect at all. With 2 ISPs perhaps you should run your servers on one ISP and connect the rest of your LAN on the other. A bit extreme, but it'll work. Or look into getting a block of static IP addresses. It'll cost, but much cheaper than running a 2nd ISP. Generally, with a block of IP addresses the ISP knows and expects you to run servers. So no terms violation. Which ISP has the best uplink speed? And for a game server, which has the lowest latency?"

    The only reason I got 2 ISPs is because someone in our household wants to watch specific TV channels and they only offer that as a whole package with cable internet included. We never or barely use it; besides, its downtime is ridiculous, it's only available 73% of the time, upload is terrible, download is a little less than decent, and the latency spikes are all over the place. Anyhow, I've only hooked it up to my pfSense machine because I could and in case our primary ISP (which is fiber) ever goes down, which is never.
  • Mail server could not receive !

    2 posts, 487 views. Last post by johnpoz:
    You probably need to charge your flux capacitor, it's most likely low.. Come on guy, there is zero info to even guess at what your problem is. "other versions have this error." What error??? Sounds like your mail server crashed. I would suggest you contact the maker of said mail software, or their support forums.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.