I'll focus on the second case for now, since it's easier to explain.
It's definitely some issue on the pfSense box, whether it be a bug or config problem. I'll try to clarify a bit:

Basically, I have a machine (A) on the LAN making a request to another machine (B) on the LAN using an external IP that has NAT reflection enabled. When the UDP packet goes out on A, it hits the router (R), which from what I can tell, copies the packet and sends to machine B with R as the source. Machine B then correctly replies to the packet back to R, but then it seems to be dropped and never gets forwarded back to A.

The packet capture from before shows exactly that. I've confirmed the same results using Wireshark on both machines (essentially tcpdump on Windows).

Edit: I should also add that I can't use the split DNS option. Since this uses the steam service, they refer to all servers by IP afaik.

@timb:

I am currently testing pfSense and ran into an issue with a simple http port forwarding rule. I followed the Port Forwarding Troubleshooting guide and found that the problem was related to common issue 3 - "Client machine is not using pfSense as its default gateway".

I was wondering if someone could explain this limitation. Also, is there a workaround?

It's basic networking - if the reply traffic isn't going to go back to the firewall, as it won't in such a scenario, it can't send it back to the Internet. ISA is a reverse proxy in that scenario, the traffic is sourced from ISA, not the remote public IP.

Efonne's work around would suffice but is ugly, better not to NAT like that where you can avoid it. A better deployment with ISA in most cases is to not use it as the default gateway but just as a proxy/reverse proxy.

Thanks Efonne!  That's the great thing about open source projects, the product can get continuously improved based off of community feedback.

isn't the issue that the web server is looking at the host address in the html header not the IP transmission info?

In reality, the request could appear to be destined for any IP address but the destination address typed in the browser must be http://98.169.xxx.xxx
In the same way you use host header info to host multiple websites on one server.

If the web server were configured to look for a host name rather than an IP address you could use Split DNS. If the webserver cannot be configured to do this you must either use NAT reflection or possibly some sort of HTML proxy to rewrite the HTML header?

cool.

Hi michaelahess and to all pfsense users who are encountering problems with polycom V500 and their equipment in general with NAT.

After researching in the internet for the solutions to the problem with my device above, I stumbled upon a posting for proxy arp. This solved it generally, but I also had the following settings:

1. created a virtual ip with proxy arp for the WAN IP of the NAT router
2. created the port forward rules for the V500 TCP and UDP ports and the TCP port from 17xx something to the internal polycom v500 machine IP

I do hope this will help others who have this problem. I've been trying to fix this problem for the past 2 years and now I finally nailed it. I have promised myself also to give back to the community what I have learned as a pfsense user/admin with 3+ years experience in using pfsense as a router with various services enabled for our campus network.

If you can make the client machine to use a fixed source port for outgoing connections you can then write an advanced outbound NAT rule for that client machine that matches the client ip and source port with static port option turned on. If the source port can not be controlled then I don't think pf can do "cone" NAT as described.

Couldn't hurt.

Double check the window firewall.  Try turnning off the window firewall to make sure.

Then, Reboot the firewall state.

Hi, sorry I didn't get back to you sooner, I was not able to reproduce the error to run a packet capture - I'll make sure to run capture it if it ever happens again.

Thank you again for all your help!

even if I turn off pptp server, I still cant get it to connect. Its going in and out

Hmm ok all i did was enable NAT reflection in advanced setting and it seems to be working now :)

However no new rules have appeared in the "Outbound NAT" section, or anywhere for that matter - is this normal?

Like this:
http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

fixed it myself, maybe.
standard 1:1 natting worked, EXCEPT for VOIP.

tcpdump shows packets going out the right ip, static and all, but the PACKETS (SIP info) contained the wrong 'reply-address' (contained the public ip for the WAN)

I deleted the 1:1 natting for the voip, and entered a manual inbound (portmap) and outbound rule,set them for 'static' and moved the outbound rule above the default manual natting rule.

don't know who or what was messing with the sip packets, but the packets themselves were being rewritten.

(that and I might have gotten it right, but was missing a firewall rule. :-(

Great product, lots of features, but NATTING could use its own book.

It works now…. its not 1.2.3

Do this on the server and client and you should be fine... it just took some time to take effect
and I forgot todo it on the client computer also
http://support.microsoft.com/kb/926179

You can't do 1:1 NAT if you only have one WAN IP. It doesn't work that way.

You just need to forward the appropriate ports to the unit, and perhaps set a manual outbound NAT rule to match its IP outgoing and select 'static port' on that NAT rule.

Just disabled the whole Outbound NAT.

You are right.  A simple Firewall State Reset was all it is needed.

thanks.

puzzled here.  if you did a default pfsense install, then anything going to the school network should be NAT'ed to their network and should work.  reading between the lines, it sounds like you disabled NAT or something (not sure what else would 'disable protection of the internal LAN.)  if this is the case, likely the issue is that their hosts don't know how to reach your 192.168.1.0/24 subnet.  you either need to have them route that subnet to you (in which case you want a static WAN IP), or just use DHCP&NAT.  am i missing something here?  is there a specific reason random hosts on the school network need to be able to connect to your private LAN?