• Dual WAN, but WAN2(OPT1) relies on WAN, very strange!!!…
    Locked · 2 Posts · 2k Views
    akoei, your WAN connection using DSL wouldn't happen to be a PPPoE connection, would it? The reason I ask is because I have one site where their setup is like yours and the symptoms are exactly the same as you describe. My setup uses a PPPoE DSL line for the WAN and a static IP cable modem for my OPT1 link. I haven't had a chance yet, but if there is no fix for this, I am tempted to swap my WAN and OPT1 connections and just put a cheap Linksys router in front of my DSL line, have it do the PPPoE connection so I can use the static setup for the OPT1 link (as we cannot set up an OPT1 link to use PPPoE in pfSense). Let me know if you see any other items with this… Thanks!
• Changing hardware… issue with NAT 1:1?
    Locked · 5 Posts · 3k Views
    Wow, sorry about the late update! You guys were absolutely right: had a higher-tier tech clear the ARP cache before moving over to the new hardware, and sure enough it worked like a charm. Thanks for the help! - Adam
• Port forwarding to multiple destination machines
    Locked · 3 Posts · 2k Views
    Cry Havok: If both need to interact with the sender (i.e., TCP) then you're going to have to write a proxy/forwarder to perform the initial receipt and then forward on multiple copies.
• NAT/PAT Question
    Locked · 7 Posts · 3k Views
    GruensFroeschli: What rules are you talking about now? Firewall rules or NAT rules? As bern said: post your non-functional config. Screenshots of the firewall rules and NAT rules would probably be enough.
• Forward WAN range to single LAN port?
    Locked · 4 Posts · 3k Views
    Cry Havok: Depends. If you're talking about having a server listening on a range of ports (such as with VNC) then it's not that unusual, but that's usually because once something has connected to the first port then it becomes unavailable. What you're talking about is rather different, where the clients connect to (randomly selected?) one (or more?) port from a range of ports, but the server only needs to listen on one.
• 1:1 NAT with WAN interface IP
    Locked · 3 Posts · 3k Views
    Hello, thank you for your reply… Actually I'm using this configuration because all the traffic will come in on another firewall on which I manage the right port forwardings (if I add to pfSense only the port forwardings that I need, I will need to configure this also when I need a new rule)... If you are thinking that this is useless you're right, but I'm using this configuration because I need the two WAN connections and actually I'm not ready to change the other firewall (because it is a mail gateway also, with antispam and antivirus).. I know the spamd package but as I read on the forum there are some problems with it (and actually I manage 200 mailboxes in 5/6 domains).. I think that a better solution will be to use bridged mode between the firewall and pfSense.. but I've no idea how I can make this with the two LAN connections... and I don't know if in bridged mode I'll be able to load balance the two WAN connections... My actual IP configuration is:
    PublicIP 1 --> DSL ROUTER (192.168.2.1) --> WAN PFSENSE (192.168.2.2) --> LAN PFSENSE (192.168.3.1) --> My old Firewall (192.168.3.2)
    PublicIP 2 --> DSL ROUTER (192.168.0.105) --> OPT PFSENSE (192.168.0.2) ------------^
    NOTE: FOR THIS CONNECTION (PUBLIC IP2) I CAN'T ACCESS/MANAGE THE ROUTER THAT IS PROVIDED BY THE ISP... they've configured a 1:1 NAT on 192.168.0.2 for the incoming IP. Thank you for your time...
• Redirect rule for pop3 proxy
    Locked · 3 Posts · 4k Views
    Hey, thanks for the input. And, I tried it with the same result. But, it looks like the problem might be a known bug in the FreeBSD port of p3scan. I'm looking into trying to fix it. Looks like the problem is that p3scan doesn't determine the original address correctly after it's been redirected using pf. The 3.0 version of p3scan also appears to be broken for FreeBSD, as it doesn't compile correctly. Anyone know of something other than p3scan that can scan a POP connection?
• N00b help with NAT
    Locked · 11 Posts · 8k Views
    Well, after several hours with tcpdump I finally got it running. The issue was my DSL modem. It's a D-Link DSL-502T; I don't recommend it. I tried using PPPoE on pfSense to authenticate, as it seems some people have had success authenticating against an actual PPPoA authentication. I had to set the modem to "half-bridge" mode as pfSense can't auth directly due to PPPoA. In this mode the modem authenticates to our ISP and puts the public IP on the Ethernet port in the modem instead of setting up a LAN. For some reason, it was blocking responses, and there was no firewall or routing enabled on the modem. As a workaround, I set the Ethernet to a static IP on the modem, then put the WAN port of pfSense as the DMZ until I get a new modem. Once I did this, everything works as expected with responses routing correctly back to our ISP. We have a significant performance boost in our routing and NAT even with Snort running. The box we turned into our firewall is an old P4 2 GHz with 1 GB of RAM. Thanks to everyone for all the hard work put into pfSense. It's the best firewall distro I've used.
• NAT Issue with Cisco Clean Access Agent (NAC)
    Locked · 1 Post · 2k Views
    No one has replied
• Multiple WAN IPs
    Locked · 4 Posts · 2k Views
    Many thanks dotdash. It works; I had already tried a setup like the one you wrote, but the rule was below the auto-created one. Many thanks and best wishes from Poland.
• Assigning more than 1 public IP to the WAN Interface.
    Locked · 10 Posts · 5k Views
    dotdash: @eyepodder: "I tried creating a 1:1 NAT and I keep getting this error when trying to create it. The following input errors were detected: * The WAN IP address may not be used in a 1:1 rule. I deleted the port forwarding and outbound NAT as well as the virtual IP. I get the same error with or without the virtual IP."
    Maybe it's a bit cryptic, but that error message means you can't use the WAN IP address in a 1:1 rule. The 1:1 must be between a VIP and an internal host.
• Performance drop through NAT Proxy IP
    Locked · 5 Posts · 4k Views
    Ah, forgot to respond on this one… three things:
    1) I had messed around a bunch with the same firewall pair before starting to do performance testing and I suspect things were a little dirty under the hood. I ended up nuking the firewalls back to the base state and things looked better, but not perfect.
    2) My Apache settings were a little weak. I ended up making sure that I was logging to /dev/null and bumped the Apache threads (I was using the worker model) up to a higher number and made sure to check vmstat on the system. It was surprisingly easy to overload the system I was using.
    3) ab never really panned out for me. I ended up having a hard time getting it to really scale well. I ended up using curl-loader http://curl-loader.sourceforge.net/ from multiple machines, and running multiple Apaches behind pfSense. The documentation was a bit sparse, but the results were more consistent and I could crush the servers behind pf. Ironically, I wasn't able to max out pf, as I needed a few more servers behind it to max it out. I think I was doing about 20,000 connection attempts per sec when I had to stop. The requests were pulling a tiny "Hello World" HTML file, so this was opening and closing sockets with very little data in between. I think my firewalls were at about 55-60% CPU. I also did a bandwidth test where I pulled a 50K file over and over again and was able to max the gig link without pfSense breaking a sweat, but that's really more of a test of the NIC than the software, anyway.
• Making outbound NAT use a specific IP with Outbound FTP
    Locked · 9 Posts · 4k Views
    It's a VIP… Not sure where you got a second WAN from. I've got a second firewall, if that's what you mean, but the idea is to have that IP still be active on failover, so it really needs to be a CARP VIP. I'm not trying to load-balance or anything, just trying to dictate what IP ends up being the source IP when viewed externally. For other protocols, I can just NAT traffic to a specific IP, but for FTP, that doesn't work.
• NAT "any" grabs all interfaces?
    Locked · 1 Post · 1k Views
    No one has replied
• IP Protocol
    Locked · 3 Posts · 2k Views
    @http://www.iana.org/assignments/protocol-numbers/:
    50  ESP  Encap Security Payload  [RFC4303]
    You can select ESP on NAT and Rules. If I misunderstood you, add a picture. Could you be running an older version? (/me thinking out loud)
• NAT reflection broken in 1.2.1?
    Locked · 2 Posts · 1k Views
    Okay, bit the bullet and upgraded our production firewalls to 1.2.2. But it didn't help. :( Anybody else run into this? Surely we're not the first to want NAT reflection in v1.2.x …?!? For that matter, does anybody have it actually working? If so please send me your config.xml (offline, and passwords and such redacted of course), so we can do a stare-and-compare to find the problem. :/
• No idea how to create a NAT policy in the GUI..
    Locked · 2 Posts · 2k Views
    Does something like this attached picture not work?: [image: pf-nat-config.PNG]
• Replace Cisco Router Advice
    Locked · 3 Posts · 2k Views
    I was wanting to do something like that but I can't recall why I didn't… But in the meantime I managed to successfully put a pfSense box between Cisco and LAN. Once again pfSense saves the day to make everything simpler.
• MOVED: Need some help, 2 box of pfsense
    Locked · 1 Post · 1k Views
    No one has replied
• HOW to add specific NAT rule??
    Locked · 12 Posts · 7k Views
    With all of this working? I get some trouble… PF hangs when reloading firewall rules (when I add some rules like NAT/FIREWALL/etc.); without a VIP all works fine... Need some advice!!! Also I need port forwarding on my VIP. It's not working! ((
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.