worked great. thank you very much for the help :D

You're in luck. Somebody already wrote the load balancing and failover instructions out for you:

http://doc.pfsense.org/index.php/Multi-WAN_2.0

Be sure to post back if there's any part of it that you're having trouble with.

It's not clear from your post everything you are trying to do.

@yayo78:

1)I need to ping all the machine in LAN side (ex: 10.0.1.6, 10.0.1.5, ecc)

If you want every host on the LAN to be pingable from the WAN then you probably want to turn off NAT, see here:

http://doc.pfsense.org/index.php/How_can_I_completely_disable_NAT%3F

and create some pass rules on the WAN interface to allow it (or disable pf altogether if that's what you want).

2)I need to allow machine in WAN to navigate to internet (at this time i can't ping 8.8.8.8 "google dns")

In a typical setup a host on pfsense's WAN would not be accessing the internet through pfsense, however it is possible. In any case, the host must have a default route through a valid gateway.

Can some one help me with a step-by-step guide to configure firewall, nat ecc…

That is exactly the purpose of the excellent documentation found here:

http://doc.pfsense.org/index.php/Main_Page

For us to be able to help you it is best if you would search the docs for the ones that apply to what it is that you are trying to do, and then if you are stuck on some particular point, ask in the appropriate forum about the detail that is giving you trouble. The best place to start is probably here:

http://www.catb.org/~esr/faqs/smart-questions.html

Hi,

create two VLANs on your switch:

VLAN 10: Data
VLAN 20: Voice

The port which connects the CISCO and pfSense must be tagged for VLAN 20.
Create a VLAN with ID 20 on pfsense, assign this interface an IP address and plug in the network connection.
All clients on VLAN 20 need to use pfsense as its gateway - setup the DHCP server to do that if you like on pfsense for this interface.
Setup a firewall rules for VLAN 20 interface on pfsense to allow traffic.

you set them as monitor ips for your gateway groups ?

This is what I did:

1. At PFsense, create Static route to the VLAN subnet. (eg: 172.16.19.0/24)

2. Create a VLAN interface on the LAN interface. For example if your LAN is eth0, create a VLAN on eth0; but ensure that the VLAN ID is the same as the VLAN ID in your coreswitch.

3. Reset your pfsense machine and you are good to go!

you might need to add NAT Outbound for the VLAN subnet

Try it and update us…!

Regards,

@urbangear:

i have the same setup (multi WAN/single LAN), assigning two of my public IPs to two different hosts in my LAN, after adding VIPs and assigning those to my internal hosts i then created a rule in WAN with a default gateway as both public Ips belong to WAN interface

and it worked… be sure to use another ISP to check if it's accessible from the outside

But in your case there is no loadbalancing (at least you didn't mention it), so a rule in WAN in just fine. What if your WAN is Tier 1 in a failover gateway group? Still creating the rule in WAN and selecting the failover gateway group would grant access to your VIPs from WAN (Tier 1) and WAN2 (Tier 2) also? Or a floating rule would be more appropriate in this case?

There is the checked option in the System -> Advanced menu:

SYSTEM -> ADVANCED -> Firewall/NAT
Disable NAT Reflection for port forwards
Disable NAT Reflection for 1:1 NAT

SYSTEM -> ADVANCED -> Networking
Hardware TCP Segmentation Offloading
Hardware Large Receive Offloading

System: Advanced: Miscellaneous
Load Balancing ->  Use sticky connections
Security Associations -> Prefer older IPsec SAs
Schedule -> States
Gateway Monitoring  -> States

If you are NAT'ing out to your developer network then you would have to have a Static NAT for every service or for every server to get in to the server network from the developer network.
So add a static and test it. Then add all the other statics, or don't NAT just route. If you remove NAT'ing then everything should work.
Have the developers got a gateway? If so, and it isn't this box then you would need a route on the gateway for the server network.
Make sure that the Block Private Networks is not checked for the WAN interface.

Don't the developers have Internet access?

using untagged you "waste" physical interfaces on your pfsense, other then that that could work

That is correct. Everything on my LAN, except my Pfsense is gigabit. I'm assuming traffic from device A on my LAN to device B on my LAN is not routed through the Pfsense interface. Is that correct?

That is correct!

create a route for 172.16.0.1/24 –> PFB on PFA
and a route for 10.1.14.1/24 -->PFA on PFB

should do the trick

I get that, but as in your other static addressed IP's delivered by DHCP, they must not be within the range that you have set.

Look at your LAN tab the left hand Range box will have an IP if 10.0.0.x, where x is something greater than 52, probably 100.
The DHCP range is a subset of the full range and does not cover the statics that you have added the bottom.

You have selected the full range at the top of the page, 10.101.0.1 - 10.101.0.254, so you can't add ANY static's to that network. Reduce the range at the top of the page so there is space for the static address 10.101.0.2.
Change the left hand range box to '10.101.0.x' where 'x' is anything greater than '2' i.e. 3,4,5 etc. you can leave the top end if you wish at 10.101.0.254.

Then there will be room for 10.101.0.2.

I think one of us is having a bad day, eh?

Thanks, any time. Have fun with CP.

Want to play games, via pfsense at home?

see: http://www.cqrite.com/2012/pfsense-2-0-1-and-gaming/

You misread my statement. I said it's not there in a way a beginner with pfSense can understand what to do. I did not understand what exactly was meant by those instructions (and had thus gotten it wrong) until I read the guide I linked to where the writer detailed Exactly How to create the Firewall Rules…

That step is just confusing in the 2.0 docs. (edit: likely because I'm not engrossed in large corporate network configuration daily ;) I tend to work with smaller companies with 3-10 employees, but this one had outgrown a single dsl line)