• DNS Capture with an Exception

    0 Votes
    6 Posts
    603 Views
    N
    @viragomann: The source port has to be "any", only dest port is "DNS". This. Applications' source ports are usually random ports. And are in the case of DNS. Sorry I didn't mention that.
  • 1:1 NAT is not working Internal from LAN

    0 Votes
    5 Posts
    641 Views
    ScottyDMS
    For me NAT reflection works on port forwarding, but not on 1:1 NAT, just as it doesn't work for pfs_ch. Like pfs_ch I too have a block of static IPs, and I've chosen to use 1:1 NAT (another option for me might be bridging). Besides wanting to use all my public IP addresses, I have at least one protocol that cannot work with port forwarding. And another that does not work with split DNS. I got my setup to work by adding a cheap consumer-grade router between LAN and WAN, with a static route to push DMZ-bound traffic from the LAN through pfSense rather than through the cheap router. I should not have to do this. pfSense should reflect packets when told to do so, but either I'm telling it wrong or there's a bug in the code. The attached screenshot shows my settings for: System / Advanced / Firewall & NAT / Network Address Translation. How do we (including pfs_ch here) make this work? This is my version information: 2.3.5-RELEASE-p1 (amd64); built on Tue Dec 12 13:31:23 CST 2017; FreeBSD 10.3-RELEASE-p26 2.4.3-RELEASE (amd64); built on Mon Mar 26 18:02:04 CDT 2018; FreeBSD 11.1-RELEASE-p7  And it's still not working. Thanks a million. [image: System_Advanced_Firewall&Nat_NetAddTrans.png]
  • RDP over Openvpn server

    0 Votes
    2 Posts
    545 Views
    Grimson
    Update pfSense to a current version first.
  • Port forwarding and dual stack issues

    0 Votes
    4 Posts
    594 Views
    R
    I think the easiest solution is to just force IPv4 with the client (ssh -4).  This avoids the long delay.
  • MOVED: PORT FORWARDING (NAT FORWARD)

    Locked
    0 Votes
    1 Posts
    346 Views
    No one has replied
  • NAT with VLAN

    0 Votes
    4 Posts
    819 Views
    johnpoz
    How is it that your downstream clients would have internet via pfsense if your downstream switch didn't have default route pointing to pfsense? Let's say client sent ping to 8.8.8.8 to its gateway on the switch at say 10.50.50.1, if switch didn't have default route how would it have sent that traffic to pfsense for those clients to have internet?  So when you say your client and server had internet - how was that working without switch having route?  Were they set to use a proxy on pfsense at 172.20.2.20?  So the switch knew how to get there?
  • 1 WAN to 2 LAN - Port Routing Problem

    0 Votes
    4 Posts
    742 Views
    B
    Hello friends, We solved the problem. Thank you very much for your help with Derelict  :). The gateways of NVRs are located at 192.168.3.1. I have updated 192.168.3.254. Goodbye.
  • Outbound nat/port forwarding between two routers

    0 Votes
    5 Posts
    668 Views
    johnpoz
    "another 10k plus nodes." So they have 10k some nodes all on the same layer 2 /16??  Wow just Wow!!! From what I can make out.. You're not doing any real routing here, you're just port forwarding.. And all the networks on the right side are just downstream from pfsense on the left. It should work even if a bit odd ball - but to me you are bypassing all kinds of "security" that I would assume could cause a huge stink!!!
  • Source NAT rewrite but through OpenVPN connection

    0 Votes
    4 Posts
    575 Views
    Derelict
    As for a /16 LAN at home.  hehe.  So there's a couple reasons for that.  I run a business from home and often connect via VPN to my clients which are usually on a 192.168.x, but sometimes on a 10.x, and so I want to make sure I have no subnet conflicts (I realize I could do 192.168.178.x or something obscure). Yeah, large swaths to 10. addresses are usually what you avoid if you are trying to eliminate subnet conflicts over VPNs but if that works for you…
  • 0 Votes
    3 Posts
    566 Views
    E
    Hi neilh23, Thank you for your response  :) We may put our 'extern firewalls' in separate VLAN, but I do not see how it will help. For now we just add NAT in our extern firewalls. It works, but the drawback is that services in our DMZ do not see real source IP of incoming traffic anymore. Regards, Damien
  • RDP over VPN

    0 Votes
    1 Posts
    450 Views
    No one has replied
  • [solved] VLAN Through a TL-SG108

    0 Votes
    14 Posts
    12k Views
    B
    The DGS-1100-08 arrived about a month ago. It sat in the US for a while, then eventually got grouped with other things and sent over. So it's a late Christmas present. I'm already ordering parts for my next project that I won't see until July. (not router related though.) I started setting it up today and after messing with NAT and Firewall Rules the VLANS are beginning to take shape. I can finally isolate printers that ping Japan all day, a security camera system that pings China, and a VOIP box from the rest of the network. Thanks johnpoz and Grimson for your help. Reviewing your notes on NAT was a big help.
  • [solved] NAT Reflection, SSL, and Calibre

    0 Votes
    6 Posts
    812 Views
    N
    Just to follow up. It turns out that the eBook app I was using with Calibre doesn't support SSL! I tried an alternative and it is working great with the split DNS configuration. The fix was to use the FQDN from my cert for the split DNS entry. Thanks for the help, guys!
  • NAT works incorrectly with several OpenVPN clients

    0 Votes
    3 Posts
    526 Views
    D
    If NAT is not working, then who replaced source address from 192.168.10.56 to something else?
  • 1:1 NAT with IPSec configuration question

    0 Votes
    1 Posts
    373 Views
    No one has replied
  • NAT stops working in Multi WAN when Primary WAN goes down

    0 Votes
    14 Posts
    1k Views
    S
    The issue has been resolved, I went ahead and enabled the setting "Default gateway switching", based on my last observation. Now in spite of the WAN interface going offline the NAT works.
  • NAT and WAN Load Balancing?

    0 Votes
    1 Posts
    346 Views
    No one has replied
  • [solved] Outbound NAT with WAN DHCP IP Address

    0 Votes
    18 Posts
    2k Views
    johnpoz
    The ftp package is for clients behind pfsense to go to active ftp servers on the internet.. It doesn't work with active servers behind pfsense, especially ones that would have no way to get to the client's IP anyway since it has no gateway. What that package does is look in the control channel and see the port the client is telling the server to connect to, and then forwarding that port to the client.
  • NAT'ing

    0 Votes
    31 Posts
    3k Views
    johnpoz
    what??? Dude you have yet to show something wrong… Sorry but that is FACT!!!  A firewall will block out of state traffic... All the blocks you were showing were out of state.. They were not SYN blocks.. Calling it anything other than PEBKAC is what would be out of line here... Sorry been here 10 years...  If I had a nickel for every time someone said is this a bug... And bought cryptocoin with it I would be on my island with the yacht with its helicopter in the bay sipping a cold drink with my toes in the water and my ass in the sand. Vs still here listening to people ask what is wrong, but can not provide any details to show the problem.. When you want to show us an actual problem that can not be explained by simple PEBKAC.. Then happy to help..  But sorry someone that would put a rule on interface that could never happen... Like you had shows clearly you do not understand how any of this actually works.. For future readers..  What exactly was not working here?  Other than you seeing some out of state blocks in your log?  Nat reflection?? Where is the state showing pfsense sent traffic to IP address 123 via 1:1 nat and then blocked the SA back??
  • NAT IP rewrite

    0 Votes
    3 Posts
    546 Views
    M
    Thank You! I know this document, and I had correctly configured passive FTP ports. I changed my firewall for pfsense and my FTP server stopped working. After reinstalling FileZilla now everything works fine - the problem was with FTP config not with pfsense. Sorry and thanks again. Martin
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.