On the subject of NAT before IPsec VPN (not supported in pfsense 2.0), you can also read http://redmine.pfsense.org/issues/1855

I created the ip as a virtual ip and not in 1:1 and then created NAT rules, and set the outbound nat accrdong to the need I had. It did work AFTER i rebooted the ISP modem in this fashion. I suspect it will also work in 1:1 as well. I feel like there should be a big fat sticky note somewhere on 1:1 and modems and arp (as in sticky or note in the pfsense gui)…

marcelloc> very interesting, I'll dig into that! Now everything is ok, calls in all directions…fine tuning on: voicemail,codecs order, redirection,call transfert, pickup call...

create proxy arp or virtual ip for every single ip you have. 1:1 transfer any trafic but only one client/server(unless using server loadbalancing) with portforward you can decide what trafic you want to server have and can use multiple servers(ex. port 80 -> server1, port 25 -> server2 etc.)

You know I tried this quite some time ago, and was not working on vmware 2.0 server - forwards would not work to devices that were using a bridged interface on the HOST machine.  But to other physical devices in the network it would work. I gave up, since fowarding to other virtual machines is a requirement for me. Now I have moved away from vmware 2.0 server, hardware is not capable of running esxi – and I know virtual box has recently enabled promiscuous option.  So I might have to re attempt this.. Here was my old thread http://forum.pfsense.org/index.php/topic,27599.0.html

hi ! i tried your configuration. here is the result: Red:192.168.10.250/24 –--  WAN:192.168.10.254/24:| PFSense |LAN:192.168.2.254/24 --- Green:192.168.2.100/24         NO Gateway !                                                                                                                      GW: 192.168.2.254 ARP-Proxy on WAN: 192.168.10.100 (single address) 1:1 NAT on WAN: External 192.168.10.0                           Internal 192.168.2.0/24 Http request is successfull ! thanks for your support. –--------------------  packets on WAN side:---------------------------------                        ---------------  packets on LAN side:---------------------------------  SYN :      Destination IP = 192.168.10.100 , Source IP = 192.168.10.250  >>>  (pfsense) >>>  Destination IP = 192.168.2.100, Source IP = 192.168.10.250 SYN,ACK: Destination IP = 192.168.10.250 , Source IP = 192.168.10.100  <<< (pfsense) <<< Destination IP = 192.168.10.250, Source IP = 192.168.2.100 ACK:        Destination IP = 192.168.10.100 , Source IP = 192.168.10.250  >>>  (pfsense) >>>  Destination IP = 192.168.2.100, Source IP = 192.168.10.250 from 192.168.10.100 perspective, the webserver is in the same subnet as the client. the client can connect to the server without using a default gateway. Next step should be, that client and server are connected with a vpn-tunnel.... ::) :'(

You would use Virtual IPs and NAT. Please search docs.pfsense.com on how to set them up.

to complete this threat: by adding a virtual ip range (10.1.0.0/24) also on green port, and changing the 1:1 nat rule (Internal IP = 10.1.0.0/24)  the following is possible: red-PC–-------------------192.168.10.254| pfSense |192.168.2.254------------------------green-PC2---------green-PC       192.168.10.250                                              ----------                                                      10.1.0.111        192.168.2.100 ping 192.168.12.111 S: 192.168.10.250          >>>>>>>>>>>>>>request >>>>>>>>>>>>>>>>> >>>>>  S: 192.168.10.250       D: 192.168.12.111    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>    D: 10.1.0.111 S: 192.168.12.111        <<<<<<<<<<<<<<<<<reply<<<<<<<<<<<<<<<<<<<<  s:="" 10.1.0.111<br="">      D: 192.168.10.250            <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<  D: 192.168.10.250 ping 192.168.2.100 S: 192.168.10.250  >>>>>>>>>>>>>>request >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>  S: 192.168.10.250       D: 192.168.2.100 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>    D: 192.168.2.100 S: 192.168.2.100  <<<<<<<<<<<<<<<<<<<<<<<<<<<<reply<<<<<<<<<<<<<<<<<<<<<<<<<<<   ="" s:="" 192.168.2.100<br="">      D: 192.168.10.250  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<  D: 192.168.10.250 ping 192.168.12.100 will not work</reply<<<<<<<<<<<<<<<<<<<<<<<<<<< ></reply<<<<<<<<<<<<<<<<<<<< >

http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

Hi m8 Make sure that the pfsense router is in the DMZ zone. Next go to the web interface of pfSense and go to the tab interfaces ==> WAN. After that make sure that you look for the title "Private networks" and DISABLE "Block private networks" and "Block bogon networks"!!! I had the same problem as you today and I've almost thrown the pc into pieces out of frustation thanks to those checkboxes. I hope it solves your problem as well. Grtz

GruensFroeschli, Thanks a lot. That worked perfectly ! I've been trying for hours to get that working. Regards, Andrew

Nevermind. Thanks to anyone that spent any thought on this before I figured it out myself. Virtual IP at 10.1.4.2, changed to manual outbound NAT, set an outbound NAT rule: Interface "LAN2", Source any, destination 10.1.4.98, NAT address of the Virtual IP

You can't NAT by domain name, since NAT works at the IP layer. You could however install a reverse proxy (such as HA Proxy) and have it handle that, since that is one of the things it is designed to do.

@Metu69salemi: i have no glue why there is those localhost rules, but it don't do any harm to have 'em. but showing your public ip's is never good idea. Thanks for pointing that out Metu…  I usuall "****" or <blank>them out.  Had given it a quick look but forgot I had added them on the right side as translation addresses there.</blank>

Got it working… Since all my LAN subnets need to go out the same VIP - I simply created an NETWORK TYPE ALIAS from the "FIREWALL" tab and then added all 4 of my subnets to that. Then adjusted the AON outbound rules to use that alias.  Adjusted the firewall rules to use that Alias. It's now working! Many thanks to all who helped!

There's nothing fancy about it - nothing different to any other networking. The default gateway is the directly connected IP address of the router, in your case 192.168.1.1. The netmask will be 255.255.255.0. Alternatively, just configure them for DHCP and let pfSense handle it.

Yes, i know that… but my boss dreams with angels and i have to suffer.  :-[ By now the problem is solved, tks all. He preferred to change all the clients manually, so i´ll suffer again in another way. Again, tks all that tried to help me. Danilo

yes.