Well after several hours with tcpdump I finally got it running.  The issue was my DSL modem.  It's a D-Link DSL-502T, I don't recommend it.

I tried using PPPoE on pfSense to authenticate as it seems some people have had success authenticating against an actual PPPoA authentication.

I had to set the modem to "half-bridge" mode as pfSense can't auth directly due to PPPoA.  In this mode the modem authenticates to our ISP and puts the public IP on the ethernet port in the modem instead of setting up a LAN.  For some reason, it was blocking responses, and there was no firewall our routing enabled on the modem.  As a workaround, I set the Ethernet to a static IP on the modem, then put the WAN port of pfSense as the DMZ until I get a new modem.  Once I did this, everything works as expected with responses routing correctly back to our ISP.

We have a significant performance boost in our routing and NAT even with Snort running.  The box we turned into our Firewall is an old P4 2 GHZ with 1 GB of ram.  Thanks to everyone for all the hard work put into pfSense.  It's the best firewall distro I've used.

Many thanks dotdash.

It works, i already had tried a setup like the one you written, but the rule was below the auto-created.

Many thanks and best wishes from Poland.

@eyepodder:

I tried creating a 1:1 nat and I keep getting this error when trying to create it.

The following input errors were detected:

* The WAN IP address may not be used in a 1:1 rule.

I deleted the port forwarding and outbound nat and well as the virtual IP. I get the same error with our without the virtual IP.

Maybe it's a bit cryptic, but that error message means you can't use the WAN IP address in a 1:1 rule.
The 1:1 must be between a VIP and and internal host.

Ah, forgot to respond on this one… three things:

1)  I had messed around a bunch with the same firewall pair before starting to do performance testing and I suspect things were a little dirty under the hood.  I ended up nuking the firewalls back to the base state and things looked better, but not perfect.

2)  My apache settings were a little weak.  I ended up making sure that I was logging to /dev/null and bumped the apache threads (I was using the worker model) up to a higher number and made sure to check vmstat on the system.  It was surprisingly easy to overload the system I was using.

3)  ab never really panned out for me.  I ended up having a hard time getting it to really scale well.  I ended up using curl-loader http://curl-loader.sourceforge.net/ from multiple machines, and running multiple apaches behind pfSense.  The documentation was a bit sparse, but the results were more consistent and I could crush the servers behind pf.  Ironically, I wasn't able to max out pf, as I needed a few more servers behind it to max it out.  I think I was doing about 20,000 connection attempts per sec when I had to stop.  The requests were pulling a tiny "Hello World" html file, so this was opening and closing sockets with very little data in between.  I think my firewalls were at about 55-60% CPU.  I also did a bandwidth test where I pulled a 50K file over and over again and was able to max the gig link without pfsense breaking a sweat, but that's really more of a test of the NIC then the software, anyway.

It's a VIP… Not sure where you got a second WAN from.  I've got a second firewall, if that's what you mean, but the idea is to have that IP still be active on failover, so it really needs to be a CARP VIP.  I'm not trying to load-balance or anything, just trying to dictate what IP ends up being the source IP when viewed externally.  For other protocols, I can just NAT traffic to a specific IP, but for FTP, that doesn't work.

@http://www.iana.org/assignments/protocol-numbers/:

50      ESP              Encap Security Payload                  [RFC4303]

You can select ESP on NAT and Rules.

If I misunderstood you, add a picture
Could you be running a older version (/me thinking out loud)

Okay, bit the bullet and upgraded our production firewalls to 1.2.2.
  But it didn't help.  :(
  Anybody else run into this?
  Surely we're not the first to want NAT reflection in v1.2.x …?!?

For that matter, does anybody have it actually working? 
  If so please send me your config.xml, (offline and passwords and such redacted of course), so we can do a stare-and-compare to find the problem.  :/

Does something like this attached picture not work?:

pf-nat-config.PNG
pf-nat-config.PNG_thumb

I was wanting to do something like that but I can't recall why I didn't… But in the meantime I managed to successfully put a pfSense box between Cisco and LAN. Once again pfSense saves the day to make everything simpler.

With all of this working? I get some trouble…
PF hangs when reloading Firewall rules (when I add some rules like NAT/FIREWALL/etc.)
without VIP all works Fine...

Need some advice!!!

Also I need portforward on my VIP. It's not working! ((

Usualy it is something stupid. The firewall on local web server blocked traffic.

Everything works like a charm.
I fwded SSH and HTTP without any problem.
Thanks.

Please use the search function.
This has been asked numerous times.

–> http://forum.pfsense.org/index.php/topic,5727.msg34562.html#msg34562

Thanks GruensFroeschli,

I'll try with that in mind, but I think I'll make a virtual machine for this, don't want to mess with the coders again.

If you remember anything more or find a guide or something please post it, it would be nice to fix this before we're going online with this

Kind regards
Quandion

I don't use bridged mode very often, but I generally plug a laptop directly into a bridged modem if I need to access it. There are numerous threads asking the same question you did. This might be a good place to start http://forum.pfsense.org/index.php/topic,5727.msg34562.html#msg34562

firewall –> rules --> WAN
Modify the autogenerated firewall rule for your portforward.
Probably the easiest is, if you create an alias containing all your sources you want to allow, and use this alias as "from".

push

:-)

Hi,
does anyone has a suggestion on this one ?

I do not get a clue.

Thx :-)