• Port Forwarding - Allow only certain IP ranges.

    0 Votes
    5 Posts
    3k Views
    johnpoz

    Yeah, my bad in not pointing out the built-in way ;) I had pfblocker on my mind from some other thread.. hehehe

    Derelict is pointing to the better way to do that; no offense to bcan, but the pfblocker package has gotten a bit bloated ;)

    I need to fire up pfblocker again though.. Do some playing with the latest version.. One thing that is curious is pfblocker can use HUGE sets for aliases… But the built-in alias says to use small sets..

    Use only with small sets of IP addresses (less than 3000).

    The US listing from IPdeny has almost 50,000 rows of CIDR blocks..
    http://www.ipdeny.com/ipblocks/data/countries/us.zone

    Can that be used with the built-in aliases, or will that cause a problem? Pretty sure pfblocker is another interface into the aliases.. So either he is breaking the suggestions from pfSense for the size of these aliases, or the text should probably be updated to the actual value that can be used..

    There is the table IPs URL alias type, and this allows for 30K listings, but you can only use one URL?

  • Use NAT to Bypass Work VPN for Network Printer

    0 Votes
    2 Posts
    626 Views

    So I ended up having a similar requirement with virtual KVM software that allowed me to answer my own question. The redirect to my printer did not work (I think) because I was trying to do all routing within the same subnet/interface. When I moved the printer to another interface, everything worked fine.

  • NAT and Stun Server

    0 Votes
    1 Post
    1k Views
    No one has replied
  • NAT Reflection for UPnP ports

    0 Votes
    1 Post
    818 Views
    No one has replied
  • 0 Votes
    1 Post
    380 Views
    No one has replied
  • 0 Votes
    3 Posts
    775 Views

    There's only one state table and every single packet that is possible to filter gets compared to entries in that table. There are no separate NAT or filter rule tables by interface either, they are all global and rule matching uses the interface information in addition to the IP header information.

  • pfSense behind a 1:1 NAT firewall, no in/outgoing traffic on WAN site

    0 Votes
    1 Post
    590 Views
    No one has replied
  • Please HELP me! I tried everything!!

    0 Votes
    7 Posts
    1k Views
    johnpoz

    ^ exactly!!!

    So now do the same test you did where you see the traffic on your WAN.. Do that same sniff on your LAN where pfSense is supposed to be sending the traffic.. Does it send it? Does pfSense even have an ARP entry for this IP you're supposed to be sending to? If you're behind a double NAT, then no, you will not see this ARP entry..

    Diagnostics, ARP Table.

  • WAN Access from LAN

    0 Votes
    4 Posts
    878 Views
    arrmo

    Hi,

    Actually, a bit of poking around - it seems that round-robin DNS may be just what I'm after. I think (but could be wrong!) that Unbound supports this … does anyone know for sure?

    Thanks!

  • MOVED: Issues With Port Forwarding

    Locked
    0 Votes
    1 Post
    486 Views
    No one has replied
  • Single Phone no RTP

    0 Votes
    6 Posts
    1k Views

    I solved it (sort of). On my phone server I put in my WAN IP for registration vs my DynDNS host (it's always worked in the past). The dyn host is resolving to the same WAN IP, but for some reason the phone system is deciding to pull my LAN IP when I am using DynDNS in the phone system… oh well, odd issue for another day.

    I did go out and rip out all of the specific rules as well, phone works like a champ.

    Next mission, set up my SIP trunks on my hobby Asterisk box (hopefully that won't break my work phone lol)

  • 1:1 NATted subnet conflicts with network distribution IPs

    0 Votes
    8 Posts
    1k Views
    Derelict

    All of your infrastructure should be on one or more VLANs with the customer bridges - the actual access network/SSID - being on others.

    Looks like Ubiquiti gear from what you have said. Should be no problem doing that. What's the issue there?

    1:1 NAT does not require that the last octet match. It just means that if you have a range of 64 addresses it has to translate to a range of 64 addresses. You can translate 64-127 to 128-191. You can make, say, a 192.168.2.0/23 and 1:1 NAT to 192.168.2.0 using 192.168.3.0 for infrastructure.

    Lots of ways to do it.

    Sounds like you really have a layer 2 problem, not a pfSense/layer 3 problem.

  • CCTV Issue

    0 Votes
    3 Posts
    1k Views

    Thank you for your reply. I just wanted to report back in case others in my situation have an issue similar to this. So I did look at that pfSense document KOM posted, but it turned out that pfSense was not even what I had to configure. Since I run a Server 2012 R2 domain in my house, my entire LAN has its DHCP & DNS services handled through my AD DC. The way my CCTV thing works is it has a program on it that does dynamic DNS. It gives me a URL that just maps to my public IP on a certain port, and the program keeps it updated in case my public IP changes. So what I needed to do to fix it was create another forward lookup zone in AD DNS for the public domain of that URL. Then I just created a host (A) record for the exact URL and pointed it to the IP of the DVR box inside my network. So when inside my network, my devices, when browsing to that URL, will just communicate through the LAN to the DVR box, and when outside my network it will come in through my firewall, for which I have port forwarding rules set up. Thanks again for the reply KOM.

  • Which type of Virtual IP should I use for 1:1 NAT

    0 Votes
    2 Posts
    581 Views

    IP Alias is the best to use for this.
    Check this for reference: https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

  • Using Virtual IP to forward traffic from IPSec to external LDAP

    0 Votes
    1 Post
    663 Views
    No one has replied
  • pfSense + wireless router (bridge mode)

    0 Votes
    13 Posts
    9k Views
    Derelict

    Looks like he needs a modem to bridge ADSL to Ethernet. So either another ADSL modem without all the built-in crud like the wifi, or the existing modem/router using only the modem feature.

  • No internet connection

    0 Votes
    7 Posts
    2k Views

    Although the scenario that you are showing is kind of messed up, just like people are mentioning above, for whatever reason let's say you have proper inter-VLAN communication within each interface of pfSense.
    I am considering here that you have a switch behind each interface that has the .1.1, .2.1 and .3.1 VLANs registered.
    Based on this, if you are having a problem in any of the VLANs communicating through the switch, then you must be having a routing problem (you should check the switch's configuration), OR there might be something else: your trunking configuration might be missing the 192.168.3.10 and 192.168.3.11 on the interface facing the gateway (pfSense).

  • BSD pf to pfSense

    0 Votes
    1 Post
    662 Views
    No one has replied
  • NAT to two different webservers?

    0 Votes
    2 Posts
    702 Views

    Use HAProxy/SNI.

    https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki

  • [SOLVED] Redirect outgoing traffic port to LAN port

    0 Votes
    6 Posts
    1k Views

    Again, thank you doktornotor!
    By enabling pure NAT, the LAN port forward works! ;D

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.