  • NAT not working for http

    0 Votes
    9 Posts
    2k Views
    Thanks guys for your help. I finally found the solution and it wasn't in the pfSense config. Since these servers are VM clones from the prod environment, the gateway of the webserver was still configured for the prod switch (which didn't exist in the preprod environment). So changing the GW to the pfSense firewall made it! And for the "locking out" thing, I didn't say I was a network guru, but I know enough to tell that it's not a normal behavior ;) Thanks to phil.david and johnpoz for taking the time to understand the problem =) Have a good day sirs. PMiND
  • How to configure NAT (and/or routing) to another network on LAN interface

    0 Votes
    1 Post
    743 Views
    No one has replied
  • Port forwarding and keeping source IP

    0 Votes
    6 Posts
    2k Views
    johnpoz
    Where you could have a problem is if the box sends traffic to the public IP. But if you don't get the pfSense LAN IP, and the original IP, the server would just send back traffic via the local network and not back out through pfSense, and clients don't normally like responses from IPs they didn't send to, etc. So unless your client is on a different local network than the server you run into an asynchronous path/routing issue. There should be no reason why your client cannot just resolve these boxes to their internal IP, and now you don't have to worry about reflection. I just really don't see a need for NAT reflection in a network correctly using name resolution.
  • Squid transparent proxy breaks 1:1 NAT + NAT reflection again

    0 Votes
    10 Posts
    5k Views
    I have exactly the same problem! pfSense 2.1 (latest stable) + squid package 2.7.9 (latest stable). If I disable transparent proxy it works. If I use port forwarding, "telnet www.site.com 80" is working. If I use NAT 1:1, "telnet www.site.com 80" is NOT working. If I disable transparent proxy, then NAT 1:1 "telnet www.site.com 80" is working. My only solution is (1) disable transparent proxy or (2) use port forwards instead of NAT 1:1. Does someone have other solutions? Has someone tried whether package squid 3.x.x (beta) has the same problem? I cannot, since my pfSense is in production. In any case thanks for posting! After 3 days of work you helped me find the cause of my problem!
  • Delete me

    0 Votes
    5 Posts
    1k Views
    johnpoz
    Security reason for what?? It's outbound traffic. Are your clients hostile? Why would you not let them create connections to what they might need to connect to? In a company, sure, you limit what they can do. But if you're wanting to game off this connection I doubt it's work or business, etc. ;) But it seems like you've got every security feature under the sun turned on :) ClamAV, Snort, pfBlocker, etc. etc. Yeah, you're going to have issues trying to game in such a setup. I would remove all that stuff. Use a default pfSense setup. Create your forwards if you think you need them, but to be honest most of those ports are prob listed as required outbound. I would suggest you fire up the game and use a tool on the PC to see what ports the exe tries to talk on. Then once you have that in place you can start locking down your rules if you want. Default pfSense blocks all unsolicited inbound traffic and allows all outbound traffic. This would be a default home setup and secure enough for a home. Snort is going to be a pain if not really gone over and configured for what you want it to look for. Blocking huge chunks of IP addresses from a list outbound is also sometimes painful. I use pfBlocker myself, but I only use it to block inbound to my forwards for 22, and what I answer ping to, etc. As to your specific forward problem: you did not have a firewall rule for the gamingtcp alias, so that would never work. Let me know how I can help if you have more questions, but from what I see, fix the firewall WAN rule, and then remove all that Snort and pfBlocker stuff to troubleshoot game play and forwards. Then once you know it works you can turn those types of systems back on and troubleshoot what in them might be causing you problems, if any, etc.
  • A few ideas of NAT/IPv6

    0 Votes
    2 Posts
    843 Views
    jimp
    In the older case with public IP addresses inside the LAN, they were not all allocated by the ISP. The upstream routes a block to you, and you route it internally however you like. Your addresses work fine locally even if the ISP is down; the traffic is still local. The only difference between a "public"/"routable"/"global" address and a "private"/"local" address is that your ISP will only route traffic for the former and not the latter. They don't care what you do with the addresses inside your network. I don't think I've ever seen anyone running ULA+GUA at the same time on the same network. It's link-local+GUA or link-local+ULA+NPt in most of the cases that I've seen. Link-local on IPv4 is used now and then but not usually both at once. You might recognize IPv4 link-local as the IPs that Windows auto-assigns when it cannot locate a DHCP server, 169.254.x.x.
  • Log nat xlate

    0 Votes
    2 Posts
    857 Views
    jimp
    Not yet, but it's on our to-do list. https://redmine.pfsense.org/issues/2118
  • General Questions

    0 Votes
    1 Post
    624 Views
    No one has replied
  • Troubleshooting phones connecting to hosted VOIP on WAN

    0 Votes
    1 Post
    783 Views
    No one has replied
  • Question from a noob

    0 Votes
    4 Posts
    884 Views
    The VPN server is at work, right? Not at home? If the server is not running from home, I don't think the router makes a difference. If you are running a Windows shop, I might suggest you look into DirectAccess.
  • Pfsense simple port forward

    0 Votes
    19 Posts
    4k Views
    OK, now that everything is working, I am curious about trying to set up something else with this, but I am unaware as to how this would work. 1 ADSL connection w/ 5 usable IP addresses: intended for customers to log in through our order entry and place orders; other website functionality lies on those IP addresses (Cisco 800 series router from ISP, multiple home routers connected to it). 1 VDSL connection w/ 1 IP address: office traffic and main servers etc…, ISP modem which is also set up as the router for WiFi (one machine and a few handsets). Currently all machines run through the 10.0.0.x network (internal/VDSL) while some servers are multi-homed and also have 192-based IPs (ADSL connection) in order for customers to connect to us to use the same servers. My boss set everything up with home routers. Hopefully all that makes sense and I didn't forget any information. I want to eliminate the multi-homed situation with these home routers and make everything run better off 1 internal private network. How would I go about such a setup? How many NICs would I need for this, or am I looking at a special setup for this? Do I need a managed switch on the other end of the router with a VLAN to handle the traffic? Much help appreciated.
  • Not translating outbound port 25 communication

    0 Votes
    5 Posts
    1k Views
    Hi guys, thank you for your help. I followed the advice and created a set of two rules on the LAN side of the FW to block all port 25 traffic other than my mail server. I also use aliases for everything. That saves time when you change the IP of a particular service: you do not have to track all rules for changes but just adjust the alias IP. Cheers
  • Manual Outbound NAT for CARP IPs and Squid

    0 Votes
    3 Posts
    1k Views
    jimp
    What you're after won't work. The connections go through squid, not NAT, so no amount of NAT will help that. The proxy processes on the two nodes are separate. AFAIK squid doesn't have any kind of multi-node sync for the connection/cache, only settings. Unless somehow the squid proxy processes could share data about ongoing connections in a clustered fashion, that isn't going to work no matter what you have set in pfSense.
  • NATing blocking firewall

    0 Votes
    2 Posts
    743 Views
    johnpoz
    What rules?
  • HTTPS port forward

    0 Votes
    1 Post
    911 Views
    No one has replied
  • Nat for P2P / torrent

    0 Votes
    1 Post
    970 Views
    No one has replied
  • Port forwards work… except DNS

    0 Votes
    6 Posts
    1k Views
    KOM
    Yes, that was definitely the problem. Thanks again!
  • Another NAT Redirection/Port Forwarding not working thread :(

    0 Votes
    7 Posts
    5k Views
    "Disable webConfigurator redirect rule" needs to be checked, not unchecked. "Check this box to disable this automatically added redirect rule."
  • Bad domain names forward to web server

    0 Votes
    3 Posts
    1k Views
    jimp
    That can happen if a couple of factors are in play: 1. You have your firewall's domain set to your dynamic DNS domain. 2. The domain the firewall is using is set for wildcard DNS. Under those circumstances, any short name query will return the IP of the WAN since that's what it's told to do with wildcard DNS active. The short name expands to <short name>.<your domain> since the domain is assumed in those cases, and then that query gets a proper reply since wildcard is active. To fix it, either deactivate wildcard DNS or change the domain name in use by the firewall to one that doesn't have wildcard DNS active.
  • Nat 1:1 not able with DHCP addresses on LAN?

    0 Votes
    1 Post
    679 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.