• 0 Votes
    2 Posts
    2k Views
    marcellocM

    If you have two hosts sharing web services on the same port with only one valid IP address, you will need a proxy package like varnish to do this.

    Take a look at doc.pfsense.org

    there are many docs to help

    http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F

  • NAT not always working

    Locked
    14
    0 Votes
    14 Posts
    4k Views
    C

    @pk-oso:

    Hi all.. What do you mean with "I screwed my routing"? Thank You

    There are lots of ways to screw routing. If yours is screwed, it's likely screwed in different ways than this one. :) Start a new thread to describe your issue.

    In this case, it came down to:
    @cmb:

    Note there is no traffic going from 192.168.200.16 back to any outside IP on that LAN capture. Which probably means that host's default gateway is set to something else, which isn't going to work correctly.

  • AT&T Microcell

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    N

    After many months I've just fixed this and realized the issue was not pfsense at all. With the correct ports set up in pfsense, my solution was to…

    log on to ATT website
    Deactivate my Microcell
    Wait 5 mins for it to deactivate properly (you know when it has as the web site no longer shows it as active)
    Reactivate Microcell on web site
    Plug in Microcell
    60 mins later I got an email saying activation complete and both our phones now have MCELL connection

    Jon

  • Can't create port forward for my Cctv

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    johnpozJ

    Yeah, some details of what port(s) and what IP you're trying to send it to and it's easy to walk you through it.. To be honest you should only have to create the NAT, firewall rule should be created for you automatically.

    So unless you're behind a double NAT, or ports are blocked before they get to your pfSense - creating the forward should take all of a few seconds.

    Unless you're on some weird setup, multiple WAN, double NATs, etc., it should be pretty freaking straightforward. But without some details to work with it's hard to help you.

  • How to NAT before VPN: IPsec

    Locked
    5
    0 Votes
    5 Posts
    9k Views
    D

    AFAIK pfsense can't do NAT before IPSEC on the same box.

    Check http://redmine.pfsense.org/issues/1855

  • 2.0.1 1-1 NAT presenting external interface rather than real IP

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    C

    Personally I removed the packages mentioned and that fixed the problem.

    I can only assume it was something to do with squid and a failed package upgrade (even though this said it was fine) as this is the only package which could do this reverse proxying.

    To confirm this was with all ports not just smtp (25) our webserver also showed connections as coming from the external interface.

  • 0 Votes
    5 Posts
    5k Views
    M

    Good news.  Was able to resolve this issue by ensuring that:

    ADVANCED > FIREWALL/NAT

    "Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from." is CHECKED.

    Once CHECKED, I was able to access https://mypc.server.com (example address) from behind the firewall and I could access the site as if I too was on the internet.

  • Not able to access url from LAN network but can be accessed from outside

    Locked
    12
    0 Votes
    12 Posts
    5k Views
    marcellocM

    Change the pfSense webGUI port to some port other than the service port you want to NAT.

  • 5 Public IPs and 1 WAN interface

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    R

    Thanks for all the replies,

    Finally they set up my router correctly today and now 1 of my 5 public / external IPs is my WAN address. NAT also needed to be disabled on the router.
    Then I set up the remaining 4 public / external IPs as VIP (Proxy ARP) and just did normal NAT port forward and it works like a charm  ;D
    No NAT 1:1 needed ;D

    Thanks everyone !

  • Cannot Static MAP when the Captive Portal is enabled

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    W

    Oh my, I don't know why this simple stuff did not click in my mind. Worked like a charm, thanks

  • Evaluating PFSense / in-bound server load balance / vpn

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    marcellocM

    @nihar15:

    Mikrotik fulfills all our requirements except inbound server load balancing that's the reason why I am looking.

    inbound server load balancing for pfsense:

    built in tool in services -> load balance

    haproxy package for http,https and tcp balance

    varnish for http balance and cache for speed up server responses

    apache + mod_security for balance and http security

  • NAT and My Webserver

    Locked
    16
    0 Votes
    16 Posts
    7k Views
    marcellocM

    balance or nat will not work on same interface, you will need a reverse proxy package or an outbound nat to change source ip going to web servers.

    visual example:
    192.168.1.20 - client
    192.168.1.200 - firewall
    192.168.1.10 - web server

    192.168.1.20 asks 192.168.1.200 for a page

    192.168.1.20  forwards to 192.168.1.10

    192.168.1.10 sees that client (192.168.1.20) is on same network

    192.168.1.10 returns page directly to 192.168.1.20

    192.168.1.20 rejects this communication as he asked 192.168.1.200 for a page and response came from 192.168.1.10

    To workaround this without any package or nat, you need to edit internal dns to answer website name to its server ip.

  • Accessing domains from internal network

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    A

    Added the rules again with the switch I mentioned, and renamed my router (to router.mydomain.com).  This caused the dns lookup of server.mydomain.com to find the public IP of the machine, instead of the local IP of the router(192.168.1.1). From that point the NAT rules worked fine, redirecting my HTTPS port to the proper machine.

  • Internet sharing to multiple subnets (with NAT)

    Locked
    9
    0 Votes
    9 Posts
    7k Views
    P

    Okay, so all the *.254 are in the commercial firewall?
    The pfSense boxes are only for the wireless?

    If it is a true metro-e … it is just one big switch (or patch cable) ... you could even have it in VLAN1 if you like ... I like to keep locations separate, but that is just me. Interesting thing is that if you are trying to get from subnet 5 to subnet 4, you have to go out then in the metro-e (if I gather your network setup correctly). Perhaps you could clarify a bit more with what devices hold what addresses.
    Think of this as an exercise in getting to know your network. Like this perhaps:

    internet
      |
      | |VLANX:50.x.x.1            | VLANX:50.x.x.2
    ProxyA                  Comercial FW
    |VLAN1:10.0.1.1/24        | VLAN1:10.0.1.254/24 (Default GW)

    |VLAN1:10.0.1.253/24
      Core Router
          |VLAN2:10.0.2.254/24
          |VLAN3:10.0.3.254/24
          |VLAN4:10.0.4.254/24

    VLAN5:10.0.5.254/24 \ VLAN3:10.0.3.1/24 (GW 10.0.3.254) Cisco Router                          pfsense <-or-> VLAN4                                ======== Wifi Net VLAN5 Metro-E

    / VLAN4              \ VLAN5
    Cisco Router        pfsense WiFi
    |                            |VLAN100
    Network                  Wireless Network
    .
    .
    .

    And so on.

    Then you could provide details per device on what network IPs and subnets there are. You might not have a core router and the VLANs are in the commercial FW. Just have to adjust based on your setup. Visio is your friend here. Change the values to what is correct for each node in your system. Before we can make recommendations or you make some changes, you are going to have to know how traffic flows in your network setup.

  • OpenVPN and IPSEC Passthrough Breaks access to local resources

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ

    It could either be routing/policy routing or firewall rules. But it's hard to say for sure with the info you gave.

    In the case you're talking about, is the VPN connection being handled by pfSense or by client software on the PC?

    What do your LAN rules look like? (screenshot would be sufficient, feel free to blur/block any IPs)

    What do your interface configurations look like? Do you have gateways selected from the drop-down on the interface config only for WAN-type interfaces?

  • Manual Outbound NAT in 2.0

    Locked
    6
    0 Votes
    6 Posts
    8k Views
    P

    The ISAKMP may not be necessary if you are not running a VPN. The 127.0.0.1/8 NATs the local firewall traffic for things like package downloads, DNS lookup, and other firewall services that go to the internet. You might want to leave that one. I am not sure about the PPTP stuff. I have never used it.

  • Logging NAT?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimpJ

    Netflow would be great, though it does not give you the actual translation, it does give you enough to track it down.

    There are some patches floating around to add something like this in to tcpdump to read pfsync, but there isn't anything stock that does it, and nothing for pfSense. Even with that patch though it doesn't log the destination, just the internal and external IPs and the ports involved.

  • Can't forward any port

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    D

    Hehe, thanks, I saw the troubleshooting and I saw that I forgot to set up the default gateway on the client machines. Thnx again, that helped :)

  • Help me with NAT OUT don't work

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    M

    With NAT the computer's IP address changes, like
    192.168.0.1 -> pfsense -> 200.223.1.25 (sorry if I got someone's IP address)

    Without NAT pfsense can work like router, so you can connect between different (v)lan's
    192.168.0.1 -> pfsense -> still 192.168.0.1, but connected device is on 10.10.10.0 /23 subnet

    With firewall rules you determine what traffic is allowed to pass through

  • Port Forwarding issue

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    L

    Sorry all.. worked out the issue

    Static settings in the XP box had different gateway.. all good now.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.