Are you actually testing this from outside your network and getting that result?

Resolved, your instructions were correct. It turned out to be that the server in question did not have the correct gateway assigned. Thanks for your help!

@fannet:

We are seeing crazy high latency (25-45MS) pinging from our PFSENSE gateway to any other host (and vice versa) on the same layer-2 domain (same switch). The machine has 16 cores (AMD) 32 GB ram and a dual 10gb NIC. The total traffic going through the NIC is less than 1 gigabit/s. We have NAT enabled and have about 1500 users going through the box. Between any other two hosts on the same switch the ping is < 0.9ms

Any suggestions?

Did your particular hardware configuration ever work well in the past ?

Thanks - yeah that looks to be using MLdonkey as a multi protocol sharing server, web/ftp, bittorrent, emule, etc.  The turnkey docs/tutorial for that appliance are a bit lacking from just a 2 second look.  And yeah they do say to forward that range - why I am not sure.  Clearly from the mldonkey site, and even from their example on the turnkey site they show the portcheck script used 6882 so why would they say forward that range?

http://mldonkey.sourceforge.net/WhatFirewallPortsToOpen#Incoming_connections
BitTorrent client_port = 6882 bittorrent.ini

I finally resolved this issue. It requires that nat reflection for port forwards check box be un-checked in the Advandaced settings on the Firewall tab. Then I had to delete the already made rules for 80 and 443. Then when creating the new rules I had to make sure that Nat Reflection was set to Enable for each Nat rule.

Just to update this.

Turned out to be an unstable STUN server that we were using. We just used a different from from VOIP info. The 3cx one is very unstable.

As well as just doing a rule from the three IPs from our sip provider helped a lot too.

@fellesnelle:

I’ve tried it several times without any succes. But know I did it again and it works. I’ve forgot to use ‘Host’ in my connection.
Thanks for your reply.

I have the same problem, can you explain me how did you fixed it???
Thanks!!

normal , I posted a wrong ip address for best security :)

ok I post screen if easiest :)

Even after resetting to factory default, I still can't make it work.

I determined that my company's MAC address filtering is to blame, anyway we have found a way around this.

Thanks!

Could be a residual ARP in the next hop )ISP Router( or the like. I would set it up how you like and restart everything you could. Past that, i would check logs and double check the config.

Honestly don't know … Might be possible with a WAN and then a LAN rule. I don't think that is going to work either as it is still going a different route with NAT transforms as well.

Both are transparent proxy configuration as it will forward http connections to squid.

That would not really be nat, other than the normal nat from your private to your public on your wan.

Are you setup for explicit proxy - ie your browser pointing to the proxy or just transparent.  Which intercepts http/https normally.

Normally if you just want to allow access to specific ports outbound, you would do that on the lan rules.  Be default the rules are setup to allow anything from lan segment to go to any port outbound.

You create specific rules to allow http, https, pop, smtp, etc.  And then create a block rule after those that blocks anything else.

1. Why are you using port forwards on your openvpn interface? That isn't something that I'd expect to work, honestly. If you have proper routing on the VPN there is no need for port forwards there.

2. http://redmine.pfsense.org/issues/1882

natively it cannot, but I hear packages like haproxy, varnish or perhaps squid3's reverse proxy can do that for you. i have not used those, but they are there for that sort of thing.

It needs to read:

interface: wan
protocal: tcp
source: any
sorce porte range: from: any / to: any
destination: wan address
destination port range: from: (3062) / to: other (3062)
redirect target ip: ip address lan
redirect port range: other (3062)
description: name
nat reflection: use system default
filter rule association: pass

thankyou for your assistance. i worked it out from your comments. I was adding the whole subnet to VIP as a proxy arp. I changed it to each individual IP address and I can now see each IP address in the drop list.

thanks for the assist