You know I tried this quite some time ago, and was not working on vmware 2.0 server - forwards would not work to devices that were using a bridged interface on the HOST machine.  But to other physical devices in the network it would work.

I gave up, since fowarding to other virtual machines is a requirement for me.

Now I have moved away from vmware 2.0 server, hardware is not capable of running esxi – and I know virtual box has recently enabled promiscuous option.  So I might have to re attempt this..

Here was my old thread
http://forum.pfsense.org/index.php/topic,27599.0.html

hi !

i tried your configuration. here is the result:

Red:192.168.10.250/24 –--  WAN:192.168.10.254/24:| PFSense |LAN:192.168.2.254/24 --- Green:192.168.2.100/24
        NO Gateway !                                                                                                                      GW: 192.168.2.254

ARP-Proxy on WAN: 192.168.10.100 (single address)
1:1 NAT on WAN: External 192.168.10.0
                          Internal 192.168.2.0/24

Http request is successfull ! thanks for your support.

–--------------------  packets on WAN side:---------------------------------                        ---------------  packets on LAN side:--------------------------------- 
SYN :      Destination IP = 192.168.10.100 , Source IP = 192.168.10.250  >>>  (pfsense) >>>  Destination IP = 192.168.2.100, Source IP = 192.168.10.250
SYN,ACK: Destination IP = 192.168.10.250 , Source IP = 192.168.10.100  <<< (pfsense) <<< Destination IP = 192.168.10.250, Source IP = 192.168.2.100
ACK:        Destination IP = 192.168.10.100 , Source IP = 192.168.10.250  >>>  (pfsense) >>>  Destination IP = 192.168.2.100, Source IP = 192.168.10.250

from 192.168.10.100 perspective, the webserver is in the same subnet as the client. the client can connect to the server without using a default gateway.

Next step should be, that client and server are connected with a vpn-tunnel.... ::) :'(

You would use Virtual IPs and NAT. Please search docs.pfsense.com on how to set them up.

to complete this threat:
by adding a virtual ip range (10.1.0.0/24) also on green port, and changing the 1:1 nat rule (Internal IP = 10.1.0.0/24)  the following is possible:

red-PC–-------------------192.168.10.254| pfSense |192.168.2.254------------------------green-PC2---------green-PC
      192.168.10.250                                              ----------                                                      10.1.0.111        192.168.2.100

ping 192.168.12.111

S: 192.168.10.250          >>>>>>>>>>>>>>request >>>>>>>>>>>>>>>>> >>>>>  S: 192.168.10.250
      D: 192.168.12.111    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>    D: 10.1.0.111

S: 192.168.12.111        <<<<<<<<<<<<<<<<<reply<<<<<<<<<<<<<<<<<<<<  s:="" 10.1.0.111<br="">      D: 192.168.10.250            <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<  D: 192.168.10.250

ping 192.168.2.100

S: 192.168.10.250  >>>>>>>>>>>>>>request >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>  S: 192.168.10.250
      D: 192.168.2.100 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>    D: 192.168.2.100

S: 192.168.2.100  <<<<<<<<<<<<<<<<<<<<<<<<<<<<reply<<<<<<<<<<<<<<<<<<<<<<<<<<<   ="" s:="" 192.168.2.100<br="">      D: 192.168.10.250  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<  D: 192.168.10.250

ping 192.168.12.100 will not work</reply<<<<<<<<<<<<<<<<<<<<<<<<<<< ></reply<<<<<<<<<<<<<<<<<<<< >

http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

Hi m8

Make sure that the pfsense router is in the DMZ zone. Next go to the web interface of pfSense and go to the tab interfaces ==> WAN. After that make sure that you look for the title "Private networks" and DISABLE "Block private networks" and "Block bogon networks"!!!

I had the same problem as you today and I've almost thrown the pc into pieces out of frustation thanks to those checkboxes.

I hope it solves your problem as well.

Grtz

GruensFroeschli,

Thanks a lot. That worked perfectly !

I've been trying for hours to get that working.

Regards,
Andrew

Nevermind. Thanks to anyone that spent any thought on this before I figured it out myself.

Virtual IP at 10.1.4.2, changed to manual outbound NAT, set an outbound NAT rule: Interface "LAN2", Source any, destination 10.1.4.98, NAT address of the Virtual IP

You can't NAT by domain name, since NAT works at the IP layer. You could however install a reverse proxy (such as HA Proxy) and have it handle that, since that is one of the things it is designed to do.

@Metu69salemi:

i have no glue why there is those localhost rules, but it don't do any harm to have 'em.
but showing your public ip's is never good idea.

Thanks for pointing that out Metu…  I usuall "****" or <blank>them out.  Had given it a quick look but forgot I had added them on the right side as translation addresses there.</blank>

Got it working… Since all my LAN subnets need to go out the same VIP - I simply created an NETWORK TYPE ALIAS from the "FIREWALL" tab and then added all 4 of my subnets to that.

Then adjusted the AON outbound rules to use that alias.  Adjusted the firewall rules to use that Alias.

It's now working!

Many thanks to all who helped!

There's nothing fancy about it - nothing different to any other networking. The default gateway is the directly connected IP address of the router, in your case 192.168.1.1. The netmask will be 255.255.255.0. Alternatively, just configure them for DHCP and let pfSense handle it.

Yes, i know that… but my boss dreams with angels and i have to suffer.  :-[
By now the problem is solved, tks all. He preferred to change all the clients manually, so i´ll suffer again in another way.

Again, tks all that tried to help me.

Danilo

yes.

You can assign interfaces of that pptp connection. but that could be problematic if you have lot of clients enabled

@GruensFroeschli:

No round robin included ;)

It does forward the ports correctly.

However what doesn't work is if you want to forward ports with aliases if the internal port differs from the external port
(eg. you want to forward port "25, 93 and 110" to "10025, 10093 and 10110")

Great, that just saved me having to create 7 different rules, instead of just 1 (I forgot to also add 80 and 443 for the webmail component).  Thanks again!

Let us know how it went.
going to spend some offline time(it's midnight over here)

@jswright61:

So the cable goes from OPT1 to Wan (Internet) port on the AEBS? The OPT1 interface gets a private IP? Any firewall rules needed. I apologize for lack of knowledge here. I am hoping for step by step instructions.

thanks

Scott

I'm not familiar with the AEBS, so I can't give you instructions for it.  And now that I think about it, you might have to use the WAN port and deal with double NAT, as I'm not sure how it handles the guest network part.