But every day the PBX loses connection to the SIP server or STUN servers, and the customer cannot make any phone calls, nor can anyone call the customer.
Every 24h, German Telekom will cut the Internet connection to its customers, including the business customers!
Could this be the problem?
The SIP server is at your ISP's side and the STUN server is normally placed freely in the Internet, like a server at a hoster.
The other way is the following: put a PBX appliance inside the DMZ of the pfSense.
"Is there some way to make the pfSense automatically choose a port at the WAN level that will map to 40102 for each of the machines?"
Yeah, UPnP would be one solution. You're wanting to forward publicIP:X to ipA:40102 and publicIP:Y to ipB:40102, correct? And you want pfSense to auto-pick X and Y based upon ports that are open.
Your problem, if you ask me, is not understanding the basic principles of FTP when used with NAT, passive and active. And then an over-complex setup from the get-go. You clearly have a multiple-NAT setup where you're NATting your public IP to your pfSense WAN, and then NATting again on pfSense to networks behind pfSense?
I would simplify that setup. Why do you not just replace your Cisco with a pfSense box? And then run segments off that pfSense? If you're set on using Cisco at the front, why not just use 1 pfSense behind it? If you're set on using 2 of them, are they in different locations? Why NAT RFC1918 space again? Why not just route those networks? I would use transit networks from your Cisco to your pfSense boxes in that case, etc.
If you want it to be 1024:65535, leave the box blank and that's what it will do. They should update those instructions to omit the ports.
That said, that should work. Similar issue to #4300 for a different field.
https://redmine.pfsense.org/issues/5156
Fixed.
If the NAT rule is not present, the filter rule cannot be matched (the destination of the rule would not match) so it isn't typically necessary.
Someone could add the code to toggle them both, but it's not been a priority since it's generally not necessary. You can toggle one or the other and receive the same net effect.
Yep, right. Not a pfSense question.
In short, do what KOM suggests (reverse DNS, SPF, SSL, etc). Then set your MX record to point to the external server and pick up your email from there. Job done.
Just a small update: I found someone who had a walkthrough, and apparently it is a port forwarding issue on PIA's side. So I am in the process of figuring that part out as we speak. I have it set up on pfSense, but now I need to convert a script for Synology to work in Ubuntu.
Thank you for the help; it made me look outside what I was already thinking.
"d) Is there any downside to putting everything through static port?"
Yeah.. You have multiple devices behind pfSense, do you not.. So client 1 goes to pfsense.org:80 from his random source port of say 42103… So say 192.168.1.100:42103
pfSense using NAPT creates the connection from publicIP:port to pfsense.org:80
So if it always used static and pfSense used the same source port as your client, so you had publicIP:42103, what if client 2 or 3 or 14 wants to talk to say facebook.com:80 and it just happens to use that same source port 42103 -- how does pfSense maintain both connections? 192.168.1.122:42103 It can't!!!
Now if you had only 1 client behind your NAT it wouldn't be an issue, because well, a client is not going to use the same source port to connect to different places. But the more clients you have behind pfSense, the more likely it is that you would run into issues with clients using the same source port in a conversation to the public.. So you're going to break shit if you try and force all ports to static.
And since machines, when started, start at the beginning of the range and not some random part of their ephemeral port range -- while different versions of an OS have altered what range they use, etc.. if you had a bunch of Windows 7 machines that all use the same range and you rebooted them, say in the morning everyone turned on their machines -- you would have a shit storm of why does the internet work and then not work and then work, why is it SLOW, etc. etc. etc.. And connections were attempted with the same ports and pfSense set to use static couldn't make those connections.
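To make the port-collision argument in the post above concrete, here is a small simulation of a NAPT translation table. It is an added example, not code from the thread or from pfSense, and all hosts, addresses and ports in it are constructed sample values. It assumes, as the post does, that one public port can front only one LAN endpoint at a time, and it models the pfSense outbound NAT "static port" option as a per-source-host setting, so you can compare enabling it for every host against enabling it only for the one host (a PBX) that actually needs its source port preserved.

```python
"""Toy NAPT table: why blanket "static port" outbound NAT breaks with many
LAN clients, and why it is normally enabled for just one host (e.g. a PBX).

Added example, not from the forum thread or pfSense. All IPs, ports and
hosts are constructed sample values (TEST-NET ranges for the public side).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Napt:
    public_ip: str
    # LAN hosts whose outbound NAT rule has "static port" enabled (assumption:
    # modelled per source host, like a per-rule checkbox).
    static_for: FrozenSet[str] = frozenset()
    # Assumption: the translator keys its state on the public (ip, port) pair,
    # so one public port can front only one LAN endpoint at a time.
    by_public: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    flows: Dict[Tuple[Endpoint, Endpoint], Endpoint] = field(default_factory=dict)
    next_port: int = 1024  # default NAT port range 1024:65535 starts here

    def translate(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Return the public (ip, port) used for the flow src->dst,
        or None when no translation can be built (port conflict/exhaustion)."""
        flow = (src, dst)
        if flow in self.flows:               # existing state is reused
            return self.flows[flow]
        if src[0] in self.static_for:
            pub = (self.public_ip, src[1])   # keep the client's own source port
            owner = self.by_public.get(pub)
            if owner is not None and owner != src:
                return None                  # another LAN host already holds it
        else:
            fresh = self._fresh_port()
            if fresh is None:
                return None                  # port range exhausted
            pub = fresh
        self.by_public[pub] = src
        self.flows[flow] = pub
        return pub

    def _fresh_port(self) -> Optional[Endpoint]:
        """Pick the next unused public port (simple sequential allocator)."""
        while self.next_port <= 65535:
            pub = (self.public_ip, self.next_port)
            self.next_port += 1
            if pub not in self.by_public:
                return pub
        return None


# Constructed LAN hosts: two workstations that happen to share a source port,
# plus a PBX that registers to a SIP server from UDP 5060.
ALL_HOSTS = frozenset({"192.168.1.100", "192.168.1.122", "192.168.1.50"})
PBX_ONLY = frozenset({"192.168.1.50"})


def run_scenario(static_for: FrozenSet[str]) -> Dict[str, Optional[Endpoint]]:
    """Translate three outbound flows through one public IP and report the
    public endpoint each got (None means the flow could not be translated)."""
    nat = Napt("203.0.113.10", static_for)  # constructed public IP
    flows = {
        "client1": (("192.168.1.100", 42103), ("198.51.100.5", 80)),   # web server A
        "client2": (("192.168.1.122", 42103), ("198.51.100.9", 80)),   # web server B, same src port
        "pbx":     (("192.168.1.50", 5060),   ("198.51.100.20", 5060)), # SIP registrar
    }
    return {name: nat.translate(src, dst) for name, (src, dst) in flows.items()}


if __name__ == "__main__":
    print("static port on every host:  ", run_scenario(ALL_HOSTS))
    print("static port for the PBX only:", run_scenario(PBX_ONLY))
```

With static port forced for every host, the second workstation's flow cannot be translated because public port 42103 is already held by the first one; with static port limited to the PBX, the workstations are rewritten to fresh ports and the PBX still keeps 5060, which is the usual way this option is used.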
Without access to the ISP router you're at a big disadvantage for troubleshooting to solve this.
Maybe start with a pfSense WAN packet capture to see if the request is going out and coming back reflected by the ISP router.
So I decided to remove everything and start from scratch. I believe I have removed everything, but when I go to remove the alias I get "Cannot delete Alias. Currently in use by"
In use by what?
silly me ;D
I fixed it by moving the NAT rule for the FTP below the SIP one, lolz…
[image: Clipboarder.2015.09.03-015.png]
So I guess I am stuck with a VPN to go through it.
But I can simplify the VPN with user-based authentication via an AD or RADIUS server on the back side.
Thoughts?
Thanks