What you are looking is not 1:1 NAT imo. What you want to do would be better suited to Advanced outbound NAT. What you would do is go to AON and enable manual.
It should create a rule for each of your VLAN networks. Just adjust each one according to the IP you want it to use.
One other problem I see is that IP Alias and CARP must carry the same CIDR as the WAN interface. So instead of 227/32 it should be 227/28.

It's specific to pf, the packet filter we use, which comes from FreeBSD which brings it in from OpenBSD.

m0n0wall uses ipfilter, which is different.

Others might use ipfw, ipchains/iptables, etc. They can all act differently, you need to check the docs for each one to find out the expected order of operations.

you have to have port forward and rule both

You have to see if you need to forward the passive port range of FTP.
In the FileZilla server you can set the passive port range from xxxx-xxxx. Then nforward this on pfSense.

My FTP access works great btw.

To add in here, I did try to use a bridged connection on windows and that didn't even allow the packets from the NAT to be sent out.  There is no function of connection between the windows host and my PFS box.

Somewhere on the NAT I originally had there must be something set up incorrectly…

Still, if anyone has any input, I would gladly take it, otherwise I think I'm breaking a boundry here that could be added to the list of stuff not done with PFS yet.....

IDK

But let me know if you think I could try something!

There is no pptp-proxy, so it's not supported, at least "officially".

for example:

tcpdump -ni wan_interface_name_eg_em0 host external_ip_address

Hi,

I'm using a standard STUN Client-Server ,http://sourceforge.net/projects/stun/.
I'm not sure if the info from the Stun client is correct.

Thanks

I've now figured out why I was unable to connect using my 2222 NAT, and the reason is blocked ports at work (suddenly they only allow <= 1024) and thus makes it quite hard to verify my NAT rules at home.

I'm ashamed to have believed that it depended on pfsense.

"My question is why is it NATing, and is there a way to keep it from NATing that packet?"

Why is it natting?  Because be default pfsense is set to NAT.. If you just want to use it as a router, then

http://doc.pfsense.org/index.php/How_can_I_completely_disable_NAT%3F#Disable_NAT

@dimkyson:

http://securite-ti.com/pfSense_Web_Proxy_with_multi-WAN_links.pdf I hope this will help you.

Thank you man .

I tracked down the real issue.  What happened was some device on a different LAN port after being power cycled grabbed the firewall IP address.  After removing the switch from comcast gateway the firewall was able to reclaim its IP and comcast gateway resumed sending data to pfsense.  It looks like what likely happened is when pfsense got its IP back the ARP on comcast gateway did not update with the data that the VIP's also needed their information updated and all data was sent to the no longer existing MAC address.  Power cycling the gateway for 1 minute cleared its tables and allowed data to the VIP's to continue.

Disabling NAT reflection prevents users inside the firewall from accessing ports on the WAN interface.

Count the number of forwards you're doing, especially including port ranges.

Make sure the total is less than 500.

That was my problem (RTP port range for Jabber = 10,000 forwards, all set for "System Default" reflection). It's rock-solid now.

Here is one HUGE, guaranteed cause of random NAT reflection failures:

Add RTP NAT forwarding for Jabber while the System Default is set to use reflection. That will do it.

(For those not familiar, RTP uses UDP ports in a vast range e.g., 10000-20000 – far too many for pfSense to manage reflection)

Perhaps it's a bad idea to have system-wide reflection? I'm not a novice (I'd like to think). I know that reflection can't be used for more than around 500 ports, and still I made this mistake. I may be an idiot, but I'm not new at it.

I just fixed my random reflection failure by disabling reflection for my RTP forwards.

Thanks for your suggested solution but it is not an option for this case because I need to figure it out for similar scenarios from customers.