For anyone searching later on, I wanted to give an update on this thread.  I finally got the configuration working, and the problem wasn't because of the pfSense box.  The problem resulted because the proxy server is dual-homed to two networks that had routes between them.  Since the proxy server and the pfsense box had 2 networks in common, things were getting screwed up. The relevant lines from my config (manually configured) are: For the load balancer: <type>gateway</type> <behaviour>balance</behaviour> <monitorip>192.168.75.1</monitorip> <name>Proxy_Server</name> <desc><port><servers>192.168.75.1|192.168.75.1</servers> <monitor>For the fw rules: <rule><type>pass</type> <interface>lan</interface> <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype> <os><protocol>tcp</protocol> <source> <address>192.168.75.1</address> <not><destination><any><port>80</port></any></destination> <descr>Allow HTTP</descr> <gateway>Proxy_Server</gateway></not></os></statetimeout></max-src-states></max-src-nodes></rule> In my configuration, I have a NAT router (pfsense) that has a LAN, WAN, and OPT1 interfaces.  LAN is set up internally, WAN goes to the Internet, and OPT1 is cross-cabled into the proxy.  The proxy server is a Solaris 2.8 Squid 3.0 box configured for transparent connections.  It has 3 interfaces, bge0, bge1, and bge2.  Bge0 goes to the internet, BGE1 goes to the same network as the LAN on the NAT, and bge2 is cross cabled into the pfsense box.  It may sound confusing, but we did it this way so the proxy has it's own public IP, and doesn't have to have traffic flow through the NAT if a client configures their browser to go directly to it (which almost all do). The proxy server has the following ipnat rule applied: rdr bge2 0.0.0.0/0 port 80 -> 192.168.75.1 port 3128 What I saw happening was confusing for a while, but I was able to figure it out.  When traffic from a client who was using the transparent proxy would go through the pfsense box, it would be routed correctly to the proxy server.  The proxy server would see it, and respond back but it would go through the wrong interface (bge1 rather than bge2).  This resulted in the client receiving the packets, but from the wrong source.  If I created a route to force the traffic back through the pfsense box on the proxy, it would work, but then all traffic from the proxy would go through pfsense, which is unnecessary. Finally, from reading TONS of online material, I figured out that ipfilter would solve this problem with source based routing.  I know have the following line in ipf.conf: pass out quick on bge1 to bge2:192.168.75.254 from 192.168.75.1 to any This tells all traffic seen on the bge1 (LAN) interface that came from from the proxy subnet (bge2) to go back the way it came (bge2) to the ip of the OPT1.  This means that all traffic originated from the LAN goes back through LAN, and all traffic based from the Proxy-Pfsense highway goes back that way. I know nobody may need to read about this, but I wanted to put my experience here just in case there was someone else with the same problem later on down the road.  It certainly cost me a lot of time. I appreciate all the work others did to get me to this point.</monitor></port></desc>

your new IPs should be added as Virtual IPs, in the Firewall menu. you can then use them for NAT. your diagram  seems to imply that you might have 2 wires coming out of the modem. this is not correct. you just use the existing wire, no problems.

Ok, now it works! Thanks a lot

@Perry: http://forum.pfsense.org/index.php/topic,9301.0.html Thank you. Turns out it was my MTU size. I guess pfSense was using an MTU of 1500 and my router was using 1492. I set both of them to 1490 and the problem is solved.

If you want to access a local Server via the WAN IP enable NAT reflection. sticky: http://forum.pfsense.org/index.php/topic,7001.0.html

Sorry reboot has sorted this.

It's described here: http://www.openbsd.org/faq/pf/pools.html though sticky connections appear to have issues in FreeBSD for at least some people, with outbound/gateway load balancing. If you see some traffic just disappearing, that's probably why.

The running ruleset should be in /tmp/rules.debug You can copy that file, edit it, and use pfctl -f to load it. Of course, that will be nuked if you make any changes in the gui…

Can't say if you did it the right way. But did you save and apply, you might also need to clear states. http://diskatel.narod.ru/sgquick.htm

Hi Perry Wow, fast answer  :D Ok, so you say I've made two errors. First of, correct the monitor IP, ok did that (and it helped). Secondly, you say I should delete the WAN2 subnet firewall rule??? Oh, and the interface for setting up pools is NOT logical, I didn't see the connection between adding the port, and selecting a monitor IP until you mentioned my error. As the Secondary line is down at the moment (no cable in it ;) ), I'm going to test that the primary cable works. Thankyou for your insights.

http://forum.pfsense.org/index.php/topic,9931.0.html

@GruensFroeschli: Your ping result seems strange. How exactly do you test "from the internet"? By "from the Internet" I mean pinging My router from other network (outside My network). I figured it out… On Load Balancer pools I have gateways defined as WAN_only and WAN2_only. All rules on WAN2 were going in/out by WAN2_only as gateway. I changed it to * and everyting works just fine - ping, SSH and webGUI. Thanks for adivces. :)

@cmb: The route comes from ICMP redirect. To enable sending of ICMP redirects: Go to Diagnostics -> Edit File Load /etc/sysctl.conf Find the net.inet.ip.redirect=0 line and change the 0 to 1, so the line reads: net.inet.ip.redirect=1 Save the file and reboot. I'm not sure if this is the right place for this, but could you post some more information about ICMP redirects, and where you would or would not want to use them? It seems really interesting to me. I never knew this was possible. There was a time a while ago where I wanted to do exactly this but now I can't remember why. Thanks!

[image: ftphack.png] ok this is what i did, ill test it now and see if its working Helper is ENABLED on the LAN interface and DISABLED on all 3 WANs

Xionicfire i don't think you should mix your problems as describe in http://forum.pfsense.org/index.php/topic,9891.0.html into this topic. One problem at a time :).

@cmb: I haven't heard of a system not applying addresses, want to make sure that's not a bug. I also assumed the interfaces were enabled.  :)  From the config chubby emailed me, that was the issue. If you don't enable OPT interfaces they don't get addresses assigned (for obvious reasons).

pfsense can route from pfsense connect it to DSLAM.Digital Subscriber Line Access Multiplexer (DSLAM).

see anything on the console?

@Yvan: I'm setup with multiwan and Sticky connections has disappeared from the page. It has the Load Balancing header and a submit button and nothing in between! I'm on 1.2RC3 I believe If your WAN connection is a PPPoE connection, the setting is not displayed and always disabled. Not sure why (I'm just going from the source code).

Well i already posted the solution in my first reply :) http://forum.pfsense.org/index.php/topic,5727.msg34562.html#msg34562