Just to give you an update….

I did one last clean install with the latest version of pfsense... Recreated all my rules and settings, and this time it worked... I have absolutely NO idea what is going on, but it's working now, so i wont fix what's not broken...

Thanks for your time man, much appreciated

Have anybody completed running bridge and nat on same pfsense?

here is a quick post of my states
PFsense box = 192.168.11.1
my phone = 192.168.11.224
69.25.47.134 = aptella ip (they have a /24 so this ip varries)

udp  127.0.0.1:5060 <- 69.25.47.134:5060 <- 192.168.11.224:5070  NO_TRAFFIC:SINGLE 
udp 192.168.11.1:5060 -> 192.168.11.224:5070 MULTIPLE:MULTIPLE

I have enabled static ports, installed sipproxd and set the firewall mode to conservative.

after looking over the sipproxd config (see below) the sip ports that aptella uses are from 5060 - 5080 in my case, is there a way to setup sipproxd to handle a range, or should i even be using sipproxd?

releviant config info:
<optimization>conservative</optimization>

advancedoutbound>
<rule><source>
<network>192.168.11.0/24</network>

<sourceport><descr>Auto created rule for LAN</descr>
<target><interface>wan</interface>
<staticnatport><destination><any></any></destination>
<natport></natport></staticnatport></target></sourceport></rule>
<enable><siproxdsettings><config><if_inbound>lan</if_inbound>
<if_outbound>wan</if_outbound>
<port>5060</port>
<rtpenable>1</rtpenable>
<rtplower>10000</rtplower>
<rtpupper>10899</rtpupper>
<rtptimeout><defaulttimeout><authentication><outboundproxyhost><outboundproxyport><expeditedforwarding>on</expeditedforwarding></outboundproxyport></outboundproxyhost></authentication></defaulttimeout></rtptimeout></config></siproxdsettings></enable>

Yes, look under Firewall: NAT: 1:1.

It's best to do NAT on pfSense, and not your modem.

pfSense is ideally at the "edge" of your internal network, with the WAN side of pfSense having a public IP and when used that way has the greatest flexibility.

Time for a diagram or picture showing how everything is connected and which devices work and which don't.

So, you need:

Default block/deny rules on all interfaces

Forward 3389/TCP from the WAN interface of the external firewall to the WAN interface of the internal firewall (if it's doing NAT) and then from the WAN interface of the internal firewall to 192.168.1.101

It may be related to that second WAN that you said was just shut off, or some other cause. Somehow it's trying to reflect any external address instead of a specific one.

NAT Reflection is evil  :)

KPA - everything is up and working now, thanks for the help.

efonne - we are using the firewall rules to only allow the necessary ports in.

Is there any possibility to solve this issue? Is there any association w/ ftp helper?

Solved!!!

I disable ftp helpder on LAN and WAN on both pfsense box that we have.

We're using vicidial.

i'll try to check with their forum. Thanks man!

When I used to run version 1.2.3, I never tried/used nat reflection, instead I used split dns and it worked fine with port forwards and captive portal.

method 2
http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

I had the 2nd outbound NAT Rule, but didn't have the first "No NAT" rule.

Aaargh! You're completely right! I was inside the network…

So I'm glad that it works! Thaks a lot!

My requirement is to provide connectivity to one of my clients for VPN connection between his office and remote branch office.

The primary connectivity is through fibre with backup through a Vsat connection.
We want the backup to be seamless such that the vpn tunnel should be able to connect through the vsat.

There are 2 WAN connections on the Pfsense and am thinking of using VIP's of each connection(fibre and Vsat) and map it to one of the LAN IP's.

Hi all,

first: thanks for all answers!

We solved the problem with Split DNS.
@KPA: thanks!!

Why do we need this:
RedDot / OpenText need it for the Backend
Typo3 needs it for search Content and produce some new out of it
IMAP-Client RoundCube needs it for Identification

Once again: thanks for all ideas!!

dark.fibre

This is most likely fine.  Exactly what I do.

Thank you cmb,
I read the document and tried your guess also. I solved the problem in two steps.

1. First i tested with the Interface address and disabled the firewall in client.
It worked.

2. Then i tried with the virtual ip for additional public ip. No success.
Then i unchecked FTP helper in wan interface and it worked.

Actually i am trying this for last 1 week without success. But your 2 hints solved the problem within 10 minutes.

Thank you once again.

Cool, I hadn't noticed that one :)