I have no glue why it is not on the official documenting but atleast here in forums it is told several times.

I wonder if you're seeing the same issue that I am? (reported here: http://forum.pfsense.org/index.php/topic,42980.msg222115.html)

My workaround was to force outgoing FTP traffic across the default gateway.

This issue has a workaround:  http://forum.pfsense.org/index.php/topic,42971.0.html

It was due to a MAC address issue on the LAN interface. Click the link above for a workaround.

Note: Posted for historical reasons, in case someone has the same issue I did.

Hello all,
i m also facing port forwarding and nat problem
its not working.

my configuration is go to firewall - nat- port forward - interface wan - protocol -tcp - source- any, port range - any
destination - wan address- port 3389 , target ip 172.16.17.145 target port 3389 - save .
then i have to create a rule for lan from any to lan .

also its not working anybody can help me for this .

Thanks alot in advance.

A Mohan Rao
+91 98260 61122
mohanrao83@gmail.com

Thanks for the suggestion.  You were mostly right :). The problem was IP block list.  Evidently one of the lists doesn't like apple.

Sorry, I got interrupted just now.

Your new OPT1 interface is just like any other interface but you do have to create rules to allow VMs access out from the DMZ - to send emails for example.

You say you have port 80 forwarded to your mail server?  I assume you have port 25 as well or just made a mistake there.

If you only have one external IP address then you would only be able to forward any given port to one destination IP (VM or physical machine on your LAN).

I can't answer the PS3 problem but, by default, anything on your LAN should have unrestricted access to the WAN.

Hope that helps.

Just re-read your post and realized you might be asking about creating a physical DMZ - which I assume would be connected to your PS3.  Not too much difference between that and creating a virtual one - you just need to join a physical NIC to that vSwitch.   It would still be OPT1 to your pfSense VM.

@mhill:

It looks to me like the reason it was not working was the source port specified as 2222.  The source port should not be specified, just the destination, right?

Yes, source port is not usually known. It is normally any (1024 to 65535).

Yesterday, i tried to connect from Windows 7, the same result :'(
For example i installed ISA2006 and tried to connect and-WOW-connect is done!
I think, that my pfSense dont wanna to work whith me((((

Hello all,

Finally I solved this reinstalling the pfSense box. After configuring the NAT rules, the FTP works again, well, I had to disable the ftp proxy (in the previous installation it didn't exist, perhaps because it was a beta upgraded to final, buy i added the tunable debug.pfftpproxy and set it to 1, without luck).

Now it's working, but no idea why changing the LAN address broken that.

I've not restored a configuracion, only "just in case", and configured everything from scratch.

I think a screen shot of your rules for WAN and LAN would be more effective for most people or clean up that rule dump with new lines.

@marcelloc:

I would prefer to use same set of ports on alias and specif nat for different source and dest ports.

I think I understand: if you are port forwarding the same ports then you use an alias.  If the ports are different, you specify them one-by-one.

It seems that's the only way to do it.  I was just curious if the behavior I saw was a coincidence, or if it was operating as designed.

–jason

I created my NAT as 1:1 but I needed port forward for certain ports. Plus I used aliases for firewall rules for simplification of firewall rules (grouping ftp server, web servers and the like). So for the few that needed port forward, I didn't want it to create an associated firewall rule as the rule already existed as a part of a larger alias rule.

You would need a reverse proxy in order to do that. There are a couple packages for pfSense that may help (mod_security, for example) but nothing with NAT alone can do that.

Thank you. It has worked. :-)

I

I'm not sure about 1.2.3, but if you activate AON in 2.0 you will see all of the auto-created rules and NAT function won't change until you start editing those rules.