• 0 Votes
    5 Posts
    3k Views
    Hey thanks for taking the time. I forgot to update. Issue solved, problem was ISP modem got reset, or ISP came in and reset it. So the firewall was turned back "ON" after logging back into the modem and changing it back to OFF, then everything worked, as predicted when playing with the pfsense in a test environment. Long story short, to avoid further unexpected ISP management intrusion, I disabled all the factory and ISP default accounts, changed Admin passwords, created a new account for myself, and …. to really avoid further modem woes.... Set the modem in bridge mode, and now I'm using pfsense for PPPoE as I was planning to do from the beginning, that being said, now I need to build probably a few more pfsense boxes to go behind this box, for the network management stuff, since I was planning to do Fail Over, load balance 2 WAN using pfsense in 2 physical boxes, so if one physical machine dies, the other one keeps going. I was contemplating running 2 VM but unsure if the lag in VMware might cause network delay or not. I've seen such delay elsewhere before with other Network Apps that are VMmachine sensitive. Anyway, that's topic for another thread.
  • No access to virtual IPs from LAN

    0 Votes
    4 Posts
    1k Views
    @cmb: https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks Thank you very much. That worked for me well.
  • Double NAT Not working

    0 Votes
    7 Posts
    4k Views
    Hi guys, sorry I forgot to update this thread. Everything is working fine since I installed a new NIC PCI-E. This topic can be closed.
  • I have this error

    0 Votes
    2 Posts
    818 Views
    You created a rule with protocol IPv6 and put IPv4 IPs in it. That's not valid. Fix or delete that rule. I fixed the input validation last week so it's not possible to create such rules. https://redmine.pfsense.org/issues/6211
  • Tor Anonymizing Middlebox with pfSense

    0 Votes
    2 Posts
    1k Views
    I found that on: https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#BSDPF

    Use the PF ruleset below as an example for FreeBSD and OpenBSD prior to 4.7.

        # your internal interface
        int_if = "fxp0"

        # Tor's TransPort
        trans_port = "9040"

        set skip on lo
        scrub in
        rdr pass on $int_if inet proto tcp to !($int_if) -> 127.0.0.1 port $trans_port
        rdr pass on $int_if inet proto udp to port domain -> 127.0.0.1 port domain

    Use the PF ruleset below as an example for OpenBSD 4.7 and later.

        # your internal interface
        int_if = "fxp0"

        # Tor's TransPort
        trans_port = "9040"

        set skip on lo
        match in all scrub (no-df random-id)
        pass in quick on $int_if inet proto tcp to !($int_if) rdr-to 127.0.0.1 port $trans_port
        pass in quick on $int_if inet proto udp to port domain rdr-to 127.0.0.1 port domain

    My question is, first, which ruleset do I need? Prior to 4.7 or later than 4.7? And how can I add this rule to pfSense? Thanks
  • IPSEC L2L - how to publish remote WebServer

    0 Votes
    2 Posts
    960 Views
    Hello, have you found a solution, because I need to do the same thing? Thanks for the help
  • NAT + OpenVPN Client as Gateway Provider on Separate Secure LAN

    0 Votes
    1 Posts
    602 Views
    No one has replied
  • Disabling NAT outbound on DMZ only

    0 Votes
    9 Posts
    2k Views
    You could bridge OPT1 to WAN and that would give you a non-NATed network with public IPs (assuming the WAN network is using routable public IPs) and you would still be able to filter the traffic with firewall rules.
  • Multicast settings

    0 Votes
    13 Posts
    5k Views
    I'm already accessing other cams that are not multicast compatible that way. Thanks :)
  • [SOLVED] NAT reflection not working for LAN clients

    0 Votes
    13 Posts
    5k Views
    Okay, I believe I've resolved my problem but would like to hear feedback to see if this is an "acceptable" solution. I created a Virtual IP on the LAN interface and have all my internal app aliases (app1.mydomain.com, app2.mydomain.com, etc) resolve to this VIP. Then I'm setting the same NAT rule on that VIP as I have on the WAN which forwards 443 onto POUND (Reverse Proxy). ;D
  • [SOLVED] NAT Reflection Troubles

    Locked
    0 Votes
    14 Posts
    25k Views
    pfSense WebGUI issues a one year Strict-Transport-Security header.  So if being directed to https://my_domain.com/ when trying to use http://my_domain.com/ that is a possible cause. Strict Transport Security (HSTS) https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
  • NAT back through WAN

    0 Votes
    3 Posts
    960 Views
    Derelict
    I don't think this will work. You need to do this port forward in your ISP router. A specific port forward should take precedence over the "DMZ" host setting. This is generally how it works. So put a port forward in your ISP router for WAN:443 to 192.168.1.100:443 and everything else should go to the "DMZ." If your ISP router is no good, put it in bridge mode and let pfSense get the public IP address.
  • Do a lot of Port Forwarding Rules impact traffic speed?

    0 Votes
    5 Posts
    1k Views
    Isn't this what 1:1 NAT is for?
  • *solved* Update to 2.3 from 2.2.6 1:1 NAT not working

    0 Votes
    3 Posts
    2k Views
    Yeah, you are right, IP aliases on CARP - I set the CARP IP as parent and all is working as expected. Thanks
  • 2 Users Black ops 3 Same network cannot connect at same time

    0 Votes
    4 Posts
    1k Views
    You need to open port 3074 for the first user, 3075 for the second, etc. https://www.reddit.com/r/blackops3/comments/3rsw61/open_port_3075_for_open_nat_type/
  • Port forwarding issue?

    0 Votes
    6 Posts
    1k Views
    OK, so I finally had some time to dig into this.
    @johnpoz: According to your state table pfsense sent the syn, but your machine didn't answer.. Sure that machine is actually listening on 3070?? Great you opened the firewall, but if nothing listening never going to work.
    Oh man, that was it. These port checker websites of course assume there is already some application listening on the specified port. I tried PFPortChecker from Portforward.com (nice little tool btw.) and everything turned out to be working just fine :) Thanks for your help!
  • Multi-WAN OutBound NAT Not Work

    0 Votes
    1 Posts
    862 Views
    No one has replied
  • Nat Rule with An exception

    0 Votes
    6 Posts
    1k Views
    I'm not sure about that, seems to be what you need. I was just explaining how to make a rule to bypass your Nat rule. If you only want the proxy to be natted on port 80 then you can make that change in the outbound Nat section. By default PfSense will Nat the whole subnet.
  • Translate source and destination

    0 Votes
    3 Posts
    1k Views
    Thanks Viragomann! That was easy - confused myself because we have two WAN interfaces so I just added 4 rules. I assume I don't need to worry about Default NAT rules in Sonicwall (only Custom) like default rule below when nothing is translated.
        Orig Source: Any
        Trans Source: Original
        Orig Dest: LAN Interface IP
        Trans Dest: Original
        Orig Srv: Ping
        Trans Srv: Original
    Thanks!
  • Switching from /24 to /23 LAN

    0 Votes
    6 Posts
    2k Views
    johnpoz
    Your automatic mappings have an overlap 192.168.50/23 overlaps with 192.168.51/24 why are both listed there?  I would switch to manual completely and then switch back to automatic did that clear the issue..  You shouldn't be seeing both those networks in there.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.