• At&t MicroCell & NAT can't connect.

    Locked | 0 Votes | 1 Posts | 2k Views
    No one has replied
  • Mail server with different gateway

    Locked | 0 Votes | 5 Posts | 2k Views
    jimp

    It may work (if the other router is their default gateway) but you would lose all client information. All e-mail would appear to be connecting from the firewall, which may break any kind of trusted network or spam filtering setup that relies on having that information be accurate.

  • Limit port 25 to network range how?

    Locked | 0 Votes | 3 Posts | 2k Views
    jimp

    Sounds like maybe you're wanting the reverse of what Cry Havok was explaining but the idea is the same.

    If you only want to accept mail for your local server from Postini, then you need just one rule on the WAN tab for SMTP:

    Pass TCP from 207.126.144.0/20 to (your mail server IP) port 25.

    If you have any other SMTP rules allowing port 25 to your mail server, they should be removed or changed so the Postini rule is the only one referencing port 25 to the mail server.

  • API to remotely add NAT rule

    Locked | 0 Votes | 3 Posts | 3k Views
    E

    I think that I'll be able to make such a script myself without much difficulty. I just wanted to know whether there was an existing solution to this problem or if there was a recommended approach. But I think I'll go "my way" then.

    Thanks.

  • VPN / NAT question

    Locked | 0 Votes | 6 Posts | 3k Views
    jimp

    On 2.0, if you let pfSense handle the VPN it shows up as a dynamic gateway, so you can use the normal policy-based routing tricks to do what you want.

    You'd just have the rules on WAN for the port forwards set as usual, and the rule on LAN to let your local systems out would have the gateway set as the VPN.

  • Viewing Automatic Outbound Nat rules

    Locked | 0 Votes | 3 Posts | 2k Views
    E

    At the moment I am not using CARP. Perhaps using OpenVPN for the site-to-site connection would be wise, since I am not using filtering on VPN traffic at this moment.

  • Mail Server Behind PFSense

    Locked | 0 Votes | 5 Posts | 8k Views
    M

    Super Jimp!

    You just made my day - it worked! BRAVO…

    Once I added the IP of the local mail server "TO" and "FROM" all my mails start to drop.......

    Thx again

  • New guy trying to get NAT/port forwarding to work

    Locked | 0 Votes | 3 Posts | 2k Views
    J

    OK. That was dumb. The ping to any 20.20.20.x address was actually not responded to. Just all that info telling me about it.

    Jim

  • Interfaces, two Static IPs, and NAT

    Locked | 0 Votes | 2 Posts | 2k Views
    jimp

    If you hardcode your IPs as static, you could add a CARP type VIP on WAN, that will have a unique MAC address that your cable provider could use.

    Though if you need two IPs both obtained via DHCP, that is a bit trickier and you may end up having to do as you say and plug two interfaces into a switch. Not ideal, but IIRC that has worked for others.

  • Pfsense+Apache+Virtual hosts

    Locked | 0 Votes | 8 Posts | 14k Views
    P

    I haven't solved it with pfSense yet.
    For all my external IPs I use pfSense, but for my web server (Apache) I use good old iptables with DROP as the default rule until I find out what is happening.

  • Can I delete Firewall:NAT:Port Forward rules when I use Aliases instead?

    Locked | 0 Votes | 4 Posts | 3k Views
    jimp

    Should being operative keyword there, but yes. I don't recall how well the automatic rule works with aliases (if it does) or if you'd have problems with using port aliases on NAT rules in 1.2.x.

    It may be that it worked fine on its own but broke with NAT reflection, I don't recall exactly.

  • MOVED: Basic NAT Firewall First Step with Belkin Router: F5D7231-4

    Locked | 0 Votes | 1 Posts | 1k Views
    No one has replied
  • Multiple Webservers on LAN

    Locked | 0 Votes | 3 Posts | 2k Views
    jimp

    No, IPsec doesn't load balance/fail over with multi-wan. You'd have to have a tunnel nailed up on each wan in transport mode, and then have some other method (gre+ospf or similar) to route the traffic over the proper wan. It isn't quite as simple as just sending the IPsec traffic over the other WAN…

    Just use additional CARP type VIPs on each WAN, then you can do port forwards to the internal addresses from these CARP VIPs.

  • Still fail to forward VNC port 5900 after following the tutorial.

    Locked | 0 Votes | 5 Posts | 5k Views
    F

    Thanks all for the help, I will do it right away.

    Update soon.

  • Port Forward with NAT disabled

    Locked | 0 Votes | 3 Posts | 2k Views
    jimp

    No, if you disable pf, you also disable the ability to do any NAT, including port forwards.

  • Port forwarding problem

    Locked | 0 Votes | 7 Posts | 4k Views
    C

    This looks like a VIP problem to me. You may get better help posting in the CARP/VIP section.

  • Packet Proxy

    Locked | 0 Votes | 1 Posts | 1k Views
    No one has replied
  • Netgear DG834 & pfSense

    Locked | 0 Votes | 1 Posts | 2k Views
    No one has replied
  • Connecting two lans (pfsense) with static routing (RESOLVED)

    Locked | 0 Votes | 4 Posts | 11k Views
    T

    No, not at all. I have a server account with SoftLayer and am running 2 ESX 4.0 servers. All my IP addresses are portable, and I have a public /27 portable and a private /27 portable VLAN, and I have no access to the router on the private LAN. I could have ordered one from them, but they took 2 weeks to get my portables connected right, and for me to connect the 2 server LANs together it was the only thing I could think of. It is working fine right now, as I have 2 DNS servers, one on each server, and they update each other. Just a big learning curve, but I am getting there, just having some other issues like having the 2 pfSense talk to each other; it keeps saying error reading data or something.

  • Use Opt1 as main internet connection

    Locked | 0 Votes | 5 Posts | 2k Views
    D

    Well, never mind! Think I figured it out. The LAN rule is set to the default gateway. That * does not mean "Any".

    I'll update if this doesn't fix the issue. Thanks, Efonne!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.