Post a description of exactly what you're trying to do (example, I'm trying to forward port 1234/tcp and ports 4000-6000/udp to server at LAN address 10.x.y.z blah blah blah) and include screenshots of your port forwards and WAN firewall rules. My initial guess would be either you're missing some ports in your NAT definitions, or ts requires static ports outbound.  I don't have the time now to look into that.

i had this issue with my unraid plex server , i had to change privilege on - off and off - on , also bridge to host or host to bridge till it works

You only need outbound NAT if you care what IP addresses are used by those servers for connections they INITIATE outbound.

There are several.  For me, the quickest is to go to Diagnostics - States and filter based on the IP of the NAS. In general, I recommend against placing these types of services so that the public can access them.  Configure OpenVPN and then connect to your LAN via VPN, then hop over to the NAS.

The sticky is right at the top of this board, use your eyes and brain: https://forum.pfsense.org/index.php?topic=15811.0

Most residential ISP's do not allow port 25 or 80. Especially if those services are dynamically assigned IP's. But it's worth a call to them to check it out. Maybe they can offer an upgrade.

PfSense be default doesn't know what the upstream end of the tunnel is doing with regards to routing. There is no routing protocol in existence (well at least with VPN solutions) that would tell pfSense that the upstream is actually forwarding traffic for your LAN network back over the VPN link to have two-way routing between the ends of the VPN tunnel. Such routing scenarios are always set up explicitly in coordination with both parties.

No idea what OPNsense does for DNS. But it sounds like you have that and pfSense configured completely differently.

You do undestand fin_wait 2 is normal after fin.. Normally this is a faulty application.. And you sure your not looking at old states.. Why exactly do you even need nat reflection - just access the http directly.. Does your port forward work from outside… Then your down.. There is zero reason for nat reflection.. just use a host override to access the local IP be whatever name is you want that you use on the outside.

I ended up abandoning this, changing the IP scheme at one site and then set up a site to site VPN.

Yeah, the workaround is quite easy but it wasn't the first thing I thought of. I wish it had been mentioned somewhere, not sure where though… Anyway, thanks for your help :)

@new2pfSense2017: I have confirmed that my pfSense router is connecting properly to VPN A.  I am unable to get the VPN B-enabled DD-WRT router to tunnel through the pfSense router. The connection delivers the requested web pages using VPN A's exit point, but does not persist to VPN B's exit point. I would note the following for future reference: https://doc.pfsense.org/index.php/Connectivity_Troubleshooting I use a VPN exit location (Germany, let's say) on pfsense. I use a separate VPN exit location (Paris) on a client on the LAN of the pfsense router. The client still shows DNS exiting from the client VPN location (Paris), not the pfsense router location (Germany). This is accomplished without the use of opening ports or "VPN pass-through." I would run through the connectivity troubleshooting with a client connected directly to the pfSense, leaving the second ddWRT router of the diagnostic test and note your findings. Also check your NAT settings on the pfsense router. Take a screen grab of your Outbound NAT settings and post them here.

I'm still stuck on this. Is there anyone who can please give me some direction on how to setup pfSense for Join.me or possibly help me debug what is going on? Andy

@dotdash: You didn't mention you were running a double NAT and had multiple interfaces with the same gateway. If you had a wan with a public IP and multiple IPs on the subnet, the instructions I gave would work fine. I doubt if anyone is going to be able help you running a strange config like that. What is the purpose of having multiple interfaces going to the same gateway? AFAIK, you still can't run multiple routing tables in pfSense. Sorry, IP-adresses were just an example, not using double NAT. Anyways, I got this figured out now. I got side-tracked with proxyarp, which is not necessary in this case. How I solved it? Just added more WAN IP's as Virtual IP's with Type Alias (as they can be on the same subnet as the physical WAN). Added these Virtual IP's and also the physical WAN IP as an alias group ("ALL_WAN_IPs"). Added PAT-rule using the "ALL_WAN_IPs" alias. With Round Robin with Sticky Address. It seems to be pseudo-sticky though. Clients uses different WAN IP's on different connections. My understanding of Sticky Address was that it uses the same WAN IP for the all connections based on the source (client) IP. One thing that I still don't understand is that the clients never seems use the physical IP-address from the WAN interface, even though it's included in the Host Alias "group".

Well to be honest nat reflection in itself is an abomination that should be avoided… Its a work around for bad design.. Have yet to hear a valid reason for its use.. You have either hard coded an IP, or don't correctly use dns.. Users misunderstand the rules all the time.. There are loads of threads where can access the web gui from the wan..  When in fact what they are doing is accessing the wan IP from the lan..

For future folks that make the same mistake I found the problem: When trying manual outbound NAT I had setup a virtual IP of 10.10.1.200 but had the interface set to LAN instead of localhost. Once I changed the VIP interface to localhost it worked fine. Hope this helps someone in the future.

Nat is processed before the firewall firewall rule is allowing in what NAT is doing.. Its always best to actually post a screenshot of your question. So everyone is 100% of what your seeing and what your question is about.