• Single WAN simple NAT problem

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    maxxerM

    If I do the same on another host on the LAN it works.

    The only difference is that the non-working one is the KVM host where pfSense runs as a guest.

  • MOVED: PF does not resolve a query from an internal server

    Locked
    1
    0 Votes
    1 Posts
    767 Views
    No one has replied
  • NAT not working

    Locked
    1
    0 Votes
    1 Posts
    979 Views
    No one has replied
  • NAT Rule: OPT1 (OpenVPN) => LAN

    Locked
    3
    0 Votes
    3 Posts
    7k Views
    S

    @jimp

    Thanks for your answer! Although it wasn't the solution, I could rule out that it was not a bug or limitation of the current release, as I've installed version 2.1-BETA1 x86 in parallel and set it up in the same way.

    The advanced option you've mentioned is available in the current 2.0.2 Release x86, too. But as I've already mentioned it didn't help.

    There were 2 problems in my setup.

    One problem was with the OPT1 interface because the flag "Block private networks" was set and once it's set all the firewall rules that are created on a private IP (OpenVPN 10.x.x.x) are simply getting ignored by pfSense. That's a little bit confusing because I'd expect a different behaviour or at least a warning.

    The second problem was easier as there was a personal firewall (silly, I know ;) ) that was forbidding the connection from a non-LAN IP to local services.

    Now after many hours of headache it's working like a charm and I like pfSense again  8)

    So in general with pfSense and my setup you have to be careful to not activate the "Block private networks" flag on the OPT1 interface and to switch the outbound NAT Mode to manual and create NAT rules on interface OPT1. The easiest way to do this is to simply copy / modify the existing LAN interface rules.

    In addition you need to copy/create the LAN -> OPT1 "allow LAN to any" rule. That's all.

    And as a hint it's better not to get confused by other guides on the internet where people say that you need to create OpenVPN and WAN rules, e.g. because that's simply not needed if you're using an optional interface (OPT1) - at least that was my experience.

    I've added some screenshots of the required rules:

    OPT1 IF:

    Outbound NAT:

    Firewall LAN Rule:

    Firewall OPT1 Rule:

    Firewall NAT (Port) Forward Rule that belongs to the OPT1 FW rule:

  • NAT HTTP proxy transparent client problem

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • When try to access through https WAN it returns me intranet address.

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    G

    Thank you :)

  • MOVED: Problem with Squid

    Locked
    1
    0 Votes
    1 Posts
    786 Views
    No one has replied
  • 0 Votes
    3 Posts
    2k Views
    V

    The alias contains the hostname, then the alias is used to forward a port.  Just in case the IP of the hostname changes.

  • VLANs with Netgear Prosafe switch…

    Locked
    5
    0 Votes
    5 Posts
    7k Views
    S

    I initially had difficulty setting up VLANs on Netgear Prosafe switches. Never an issue on others like 3COM, HP, Cisco, etc. My issue had to do with PVIDs. Could be yours as well.

    Lee
    StormForge Technologies

  • Manual Outbound NAT with 2 WANs using failover

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C

    You never change outbound NAT. You have to have two outbound NAT rules, one for each WAN, if using manual outbound NAT.

  • NAT for DMZ not working

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    P

    Did you set up an allow rule in the OPT1 firewall settings? By default no rule is added, and it will thus block all connections.

  • MOVED: PFSense + 2PS3's + Black Ops II = No connection

    Locked
    1
    0 Votes
    1 Posts
    906 Views
    No one has replied
  • Bridge probably misconfigured

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • SSH NAT doesn't work

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    P

    I am afraid we are going to need more information. How have you currently set up NAT? What ports are you setting where and what IPs where?
    Please send along some details.

  • NAT rules

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M

    I just copy/paste from old file.

    But thanks, now I know a bit more.

  • Help Connecting to CCTV DVR behind pfSense - PORT FORWARD TO CCTV DVR

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    H

    @Metu69salemi:

    Your ruleset is ok. If you don't want to give more than one port forward rule per device, then you could use port aliases. You can add up all the ports that the device needs.

    Thanks much!
    I'm actually using Aliases with the Firewall Rules, I'll give some thought to Port Aliases.

    Thanks again

  • How to set up pfSense to work with active FTP connection

    Locked
    7
    0 Votes
    7 Posts
    9k Views
    P

    Thx!

    Hope you can find something  ;)

  • Advanced Outbound NAT for SMTP

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    A

    OK,

    I found my issue.

    I searched all over the pfSense forum most of the night trying to find the solution, and right after I posted this I found the answer here:
    http://forum.pfsense.org/index.php/topic,56328.0.html

    I must be getting dumber as I get older, I did not even think of this.

    NAT works on a first-match basis so my email server is hitting that first LAN NAT rule and sending the traffic out your default NAT. When I list that email server NAT rule first, my email server will use it instead.

    Sorry!

    Thank you for making such a great product!

  • DHCP WAN, SIP, states not cleared

    Locked
    10
    0 Votes
    10 Posts
    5k Views
    C

    @dhatz:

    @fos4X:

    No, that did not work. However, this seems to be an issue that is very hard to fix. Even a pfSense restart sometimes (indeterministic as far as I can tell) will not bring asterisk back to a register-able state.
    Even resetting both (pfsense and freepbx/asterisk) sometimes doesn't help. We will next try to stop the asterisk service, reset pfsense and re-enable asterisk.

    Does anyone have any idea how we can deliver a debug/trace that would help the developers see what is going on? We would very much like to fix this long-standing issue in pfSense because we are otherwise very happy with its quality and features.

    If resetting all your gear doesn't help, I'm not so sure it's a pfsense issue …

    In the past, SIP issues with pfsense were mostly due to its use of symmetric NAT and rewriting of both SIP and RTP ports, however most relatively current software (<3 yr old) employing ICE can deal with that, if not then you'd need to use static-port NAT.

    But if you need to troubleshoot VoIP issues beyond the basics, checking SIP software and firewalls & NAT gateways, there can be a huge number of combinations of configuration parameters and intricacies of the various software / firmware involved (e.g. NAT type, UDP timeouts, WAN failover, SIP keepalives, ITSP config etc). Each version of asterisk had its own issues.

    Getting VoIP right is much more difficult than let's say running a webserver.

    Believe me, pfSense does not clear SIP states when WAN IP changes. I have tested a lot of configurations and this issue does not occur with OpenWrt or Tomato routers.

  • 1 External to 2 internal IP

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    P

    if you haven't solved this
    try
    24.123.23.100:80 ---> 192.168.10.10:80
    24.123.23.100:443 ---> 192.168.10.11:443
    need to create 2 port forwards
    so  http (port 80) goes to server 192.168.10.10:80
    and the 2nd one  forwards (https) port 443 192.168.10.11:443

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.