• Port forwarding - firewall log accepts packet, nothing in state table.

    Locked
    0 Votes
    2 Posts
    1k Views
    I realized that I did not have outbound NAT static mapping the UDP ports, and it appears all is well now that I enabled outbound manual NAT. I had to open all other ports to NAT as well (any to any) at the bottom of my NAT entries to get everything to work.
  • Strange packet blocking

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • A simple question

    Locked
    0 Votes
    5 Posts
    2k Views
    Thanks GruensFroeschli!!! This seems to be the problem (or not, because there is no problem ;) )!!! Thanks again.
  • Asterisk and PFSENSE

    Locked
    0 Votes
    3 Posts
    2k Views
    You need to forward ports 10000-20000, and check your sip_nat.conf file; there is some info you need to add there. Check the forums http://www.trixbox.org and http://www.pbxinaflash.com. They are both based on Asterisk.
  • Msn video block

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Firewall scheduling weirdness

    Locked
    0 Votes
    4 Posts
    2k Views
    jimp
    Yes, it should disconnect active sessions when the rule schedule is in effect (or stops taking effect, depending on if you did a pass/block), but IIRC there is a difference in reloading the rules and the rule going into/out of its scheduled time.
  • Allow IPv6 traffic through firewall

    Locked
    0 Votes
    2 Posts
    4k Views
    I've figured it out already! The correct firewall rule was: pass quick proto tcp from any to any. I guess this can be made more secure by narrowing it down, but for now I'm happy with a working IPv6 link! :D
  • List of outbound firewall ports to allow

    Locked
    0 Votes
    2 Posts
    1k Views
    Cry Havok
    First, start by defining what you need people to be able to do…
  • Mail with thunderbird and outlook

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Issue Accessing Microsoft Exchange Server

    Locked
    0 Votes
    2 Posts
    2k Views
    Can you ping the server from the clients? If yes, then it might be an issue with the port on the mail server. Either way, you should create a rule from LAN directly to the mail server IP for any port and try the app again, being sure to ipconfig /flushdns on the test client and routes on the pfs box too for good measure.
  • Issue with Window 2008 server ADS

    Locked
    0 Votes
    2 Posts
    1k Views
    jimp
    I'm not sure what might be causing the replication error, but before you go any deeper into troubleshooting, upgrade those firewalls to pfSense 1.2.3. 1.2.2 is rather old, and that is the only way to be sure that whatever bug you are encountering hasn't already been fixed somewhere along the line.
  • Newb curiosity, is this normal?

    Locked
    0 Votes
    7 Posts
    2k Views
    Thanks Jimp!
  • No connection from inside subnet

    Locked
    0 Votes
    6 Posts
    4k Views
    Grrrr, ok, problem solved. And of course for documentation reasons here is my solution: It does make a difference in which order the ports in your Alias appear. I do have a RewriteRule in Apache that rewrites everything from http to https and although this was not directly the problem it did mess in some way with pfSense. Now I set 443 as my first port in my alias and at least https works. Via http a correct rewrite still isn't done but at least it works in some way now. Via http I get: Bad Request Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Hint: https://myurl.com So either my Apache rewrite is incorrect (which I am pretty much sure it is not) or pfSense does not really handle Aliases in Port forwards correctly. It seems to me that the forward does not try to map external and internal to be the same but does map them in the order they appear in the aliases, which would be quite strange behavior.
  • Firewall IDrive configuration help!

    Locked
    0 Votes
    2 Posts
    6k Views
    jimp
    It's sort of vague what that is talking about. That may just be for configuring an outbound connection from your server, in which case that would be done on the firewall software there if there even are any outbound restrictions. If you don't have the default rule to allow all traffic outbound, you will need to add entries allowing traffic from your server to those IPs on those ports. (Most people have the default allow all outbound rule and thus would not need to do that step.) On the outside chance that they are talking about inbound connections coming from those IPs, you can do that too. First you'd have to set up a port forward for those two ports to your internal server, and check the box to automatically add the firewall rule. Next, go to your WAN firewall rules and edit the rules that were put there automatically and enter the IP addresses into the 'source address' box.
  • MOVED: pf firewall and snort not killing states

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Mac address filtering

    Locked
    0 Votes
    3 Posts
    6k Views
    The usage of MAC addresses belongs to the lower levels in the ISO OSI ("L2"). Your MAC is only used and seen on the local net/broadcast domain. When you pass a router the MAC is gone in the eyes of the receiver, sort of. (I see now that Efonne basically wrote the exact same thing :) ) See here for some more info: http://en.wikipedia.org/wiki/OSI_model http://en.wikipedia.org/wiki/Data_Link_Layer
  • Blocking rules with schedules again, to clarify

    Locked
    0 Votes
    5 Posts
    3k Views
    My bad, I thought of them as a different kind of rule in the set, in that aspect, but I'll have that in mind, not the problem here though. I again have seen one occurrence of this problem, I had one xbox on one of the internal networks that wasn't allowed to pass through after 2200 but it took a few minutes past 2300 before it was effectively blocked. There are no other rules blocking that IP so the rule blocking past 23 is the one that should've blocked at 22, schedule details in pic below. This is the same system that I have reported intermittent problems related to imspector and captive portal for earlier. Could my system be messed up somehow and if so how can I tell? (I don't want to make a re-install unless I feel it's needed.) How can one be sure all configs are in proper syntax etc., is there some kind of debugging/syntax checker/self test command that one could use? TIA ![Firewall- Schedules_1271163255185.png](/public/imported_attachments/1/Firewall- Schedules_1271163255185.png)
  • Allow fragmented packets (sipgate.de issue)

    Locked
    0 Votes
    3 Posts
    4k Views
    Thanks for your reply. I tested this, but it doesn't solve the problem. Actually I'm running on m0n0wall, as I'm in need of my PBX…
  • Block source ports vs destination ports

    Locked
    0 Votes
    2 Posts
    3k Views
    Approximately speaking, a connection to a web server will always have a destination port of 80 but the source port will be a random number in the range 1024 to 65535. If the source port were always 80 it would not be possible for TCP to distinguish between multiple http connections between the same pair of hosts.
  • Hidden rules and programming alias expansion

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.