At present, from what you say, INCOMING traffic on Port 80 is basically being forwarded by your modem/router to Pfsense. So all you should need to do is simply add a port forwarding rule for port 80 to the IP of your server. so in Firewall menu select NAT, then create a new rule under the Port Forwarding tab Set these settings: interface -> WAN Protocol -> TCP Destination -> WAN Address Destination Port Range -> HTTP (port 80) Redirect Target IP -> 192.168.1.100 Filter Rule Association -> Create Associated Filter rule other stuff can I think be left as default. And that should be it…. It's just a simple port forward operation really, unless I'm misreading something.

Port forward does not change source ip But outbound nat does. Change outbound nat to manual and create outbound nat just for traffic outgoing wan(if you need this)

Aha - figured out why the conflict in case of /8  ;D I had it the wrong way around i.e. /8 = 2^8 = 256 addresses and /24 = 2^24 = 16M. I'm more used to the 255.0.0.0 format, which makes sense intuitively. But in fact: /8 = 2^(32-8) = 16M and /24 = 2^(32-24) = 256. I'll change all the netmasks /24 - and now I agree, it'll probably solve the problem. FreeBSD forums all say that the above error usually indicate a physical network error or conflict. So this makes perfect sense then. Thanks again.

Thanks. I went ahead and threw a VM on the wan subnet and tested hitting IP aliases that belonged to another /27 and it worked without issue.

1.) Create a Gateway Group with WAN1 = Tier 1 and WAN2 = Tier 2 2.) Set this Gateway-Group in firewall rules as your Gateway 3.) Ready! @Nachtfalke: Thank you so much, that worked like a charm i never knew it was so easy :) @ptt: Thanks for the link to the Documentation, i'm gonna have a read on the load balancing next Thanks Ya'll, problem solved!

Not possible because the firewall has no concept of what IP the client is routing to, it's impossible to tell. It's not routing to an IP, it's routing to a MAC address, which is the same either way. Even if it weren't, there isn't a way to differentiate by destination MAC. If you're making people go to the trouble of changing their gateway IP, might as well make them change their system's IP instead, have one that goes out one WAN and one out another.

Things that go to a gateway group switch back when the other WAN comes back online, that's not what I was referring to. The default gateway switching functionality is separate from that.

That's if you want to route public IPs, you don't have to. If you don't have a need to isolate publicly-reachable hosts on a separate NIC or VLAN with the public IP subnet, just add the additional subnet's IPs as Other VIPs and use them with NAT as needed. Or don't need VIPs at all if you're strictly using 1:1 NAT, just setup the 1:1 and you're done.

Explanation. Pfsense is router LAN is 192.168.1.0/24 route to 192.168.0.0/24 Lan ip is 192.168.1.1  wan ip is 192.168.0.114 all traffic to deferents subnets pass i disabled packer filtering  on pfsense and configure and static route to principal firewall to reach secondary network Pfsense1 is firewall  wan is a public ip and LAN is local ip on inet network 192.168.1.2 When i try to upload a file via ftp traffic stop from network 192.168.1.0/24 to 192.168.0.0/24 if you want to test i can upload all virtual environment to one server. Regards Nicanor

Hi, Sorry for my poor english ! Thanks ! it's working now, i manage to set linksys router like my pfsense (to enter from outside, i mean exterior ip), now i can enter in router settings as  client of my pfsense machine/server (wan ip assigned by pfsense dhcp server to router). Regards.

Check the docs: http://doc.pfsense.org/index.php/Multi-WAN_2.0

http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29#iroutes

now it's ok ! but how can i make this proxy server secure ? i mean where i'm using this proxy to be less traceable my ip/eterior ? how to set up instead of http , to work with https ? packages to be less traceable and traffic also (traffic from exterior ip-that is add in unrestricted ip in squid / and my ip) ? i mean instead (adding proxy in lan proxy settings at http ) http to be add at secure ? also i can enter in pfsense from exterior ip how can i disable that , but proxy server also working and connect to it from outside on port 21? Thanks for your help !!!

Ok, thanks for the info. MLPPP isn't an option as the links are different speeds and I'm not sure I pay the ISP enough to warrant a BGP setup ;) I'll stick with the failover script for now.

Sure, just add the second IP as a Virtual IP under Firewall > Virtual IPs. For that role, IP Alias, CARP, or Proxy ARP should work fine.

@Floh: Hi, thank you for your replies. Ok, I'll think about setup a rule for this issue. cu Floh You often get logged out on sites using HTTPS. To solve this problem you can, as stated above, create a rule for HTTPS to only use for example WAN1 instead of the multiWAN-gateway. You can also create a new pool of(a seperate aside from you regular pool/loadbalance), for example, WAN1 and WAN2 but with failover instead of loadbalance, and configure the rule for HTTPS traffic to that gateway. Like this you will keep redundancy.

You can do with or without nat, just create the balance(system -> routing) and then apply it to rules.