• Performance drop through NAT Proxy IP

    Locked
    0 Votes
    5 Posts
    4k Views
    Ah, forgot to respond on this one… three things: 1) I had messed around a bunch with the same firewall pair before starting to do performance testing and I suspect things were a little dirty under the hood. I ended up nuking the firewalls back to the base state and things looked better, but not perfect. 2) My apache settings were a little weak. I ended up making sure that I was logging to /dev/null and bumped the apache threads (I was using the worker model) up to a higher number and made sure to check vmstat on the system. It was surprisingly easy to overload the system I was using. 3) ab never really panned out for me. I ended up having a hard time getting it to really scale well. I ended up using curl-loader http://curl-loader.sourceforge.net/ from multiple machines, and running multiple apaches behind pfSense. The documentation was a bit sparse, but the results were more consistent and I could crush the servers behind pf. Ironically, I wasn't able to max out pf, as I needed a few more servers behind it to max it out. I think I was doing about 20,000 connection attempts per sec when I had to stop. The requests were pulling a tiny "Hello World" html file, so this was opening and closing sockets with very little data in between. I think my firewalls were at about 55-60% CPU. I also did a bandwidth test where I pulled a 50K file over and over again and was able to max the gig link without pfsense breaking a sweat, but that's really more of a test of the NIC than the software, anyway.
  • Making outbound NAT use a specific IP with Outbound FTP

    Locked
    0 Votes
    9 Posts
    4k Views
    It's a VIP… Not sure where you got a second WAN from.  I've got a second firewall, if that's what you mean, but the idea is to have that IP still be active on failover, so it really needs to be a CARP VIP.  I'm not trying to load-balance or anything, just trying to dictate what IP ends up being the source IP when viewed externally.  For other protocols, I can just NAT traffic to a specific IP, but for FTP, that doesn't work.
  • NAT "any" grabs all interfaces?

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IP Protocol

    Locked
    0 Votes
    3 Posts
    2k Views
    @http://www.iana.org/assignments/protocol-numbers/: 50 ESP Encap Security Payload [RFC4303] You can select ESP on NAT and Rules. If I misunderstood you, add a picture. Could you be running an older version? (/me thinking out loud)
  • NAT reflection broken in 1.2.1?

    Locked
    0 Votes
    2 Posts
    2k Views
    Okay, bit the bullet and upgraded our production firewalls to 1.2.2. But it didn't help. :( Anybody else run into this? Surely we're not the first to want NAT reflection in v1.2.x …?!? For that matter, does anybody have it actually working? If so please send me your config.xml (offline and passwords and such redacted of course), so we can do a stare-and-compare to find the problem. :/
  • No idea how to create nat policy in GUI..

    Locked
    0 Votes
    2 Posts
    2k Views
    Does something like this attached picture not work?: [image: pf-nat-config.PNG]
  • Replace Cisco Router Advice

    Locked
    0 Votes
    3 Posts
    2k Views
    I was wanting to do something like that but I can't recall why I didn't… But in the meantime I managed to successfully put a pfSense box between Cisco and LAN. Once again pfSense saves the day to make everything simpler.
  • MOVED: Need some help, 2 box of pfsense

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • HOW to add specific NAT rule??

    Locked
    0 Votes
    12 Posts
    8k Views
    With all of this working? I get some trouble… PF hangs when reloading firewall rules (when I add some rules like NAT/FIREWALL/etc.). Without VIP all works fine... Need some advice!!! Also I need port forwarding on my VIP. It's not working! ((
  • Advice about 1:1 NAT

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Web server behind virtual IP on WAN

    Locked
    0 Votes
    13 Posts
    5k Views
    Usually it is something stupid. The firewall on local web server blocked traffic. Everything works like a charm. I fwded SSH and HTTP without any problem. Thanks.
  • ADSL modem config page on the WAN interface

    Locked
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli
    Please use the search function. This has been asked numerous times. --> http://forum.pfsense.org/index.php/topic,5727.msg34562.html#msg34562
  • Processing of aliases

    Locked
    0 Votes
    7 Posts
    3k Views
    Thanks GruensFroeschli, I'll try with that in mind, but I think I'll make a virtual machine for this, don't want to mess with the coders again. If you remember anything more or find a guide or something please post it, it would be nice to fix this before we're going online with this. Kind regards, Quandion
  • Port Forwarding not happening :-(

    Locked
    0 Votes
    6 Posts
    4k Views
    dotdash
    I don't use bridged mode very often, but I generally plug a laptop directly into a bridged modem if I need to access it. There are numerous threads asking the same question you did. This might be a good place to start http://forum.pfsense.org/index.php/topic,5727.msg34562.html#msg34562
  • How can I limit access to a port forwarding rule to certain IPs

    Locked
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli
    firewall --> rules --> WAN. Modify the autogenerated firewall rule for your portforward. Probably the easiest is, if you create an alias containing all your sources you want to allow, and use this alias as "from".
  • External Transparent Proxy

    Locked
    0 Votes
    5 Posts
    7k Views
    push :-) Hi, does anyone have a suggestion on this one? I do not get a clue. Thx :-)
  • Timeouts and Poor performance with 1 to 1 NAT?

    Locked
    0 Votes
    2 Posts
    2k Views
    FYI, I found the issue. There were actually a few different problems. First, the webserver was referencing both private and public ip addresses that correspond to the private ip. Second, the firewall does not support NAT reflection unless you utilize port forwarding. The fix was easy. I set up all services to use port forwarding and enabled nat reflection under advanced options and also modified the lan rule source to * (any) to fix the problem. What gave it away was that the webserver (with ipcop in front of it) could access webpages via the public ip, and with pfsense it could not. PFsense does some actual sessioning versus ipcop providing only basic nat. PFsense was not the issue!!
  • WAN_IP_address:port route to extrenal_ip:port routing help needed

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Failover functionality when using split-dns? & LAN Loadbalancing

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    3 Posts
    20k Views
    jimp
    For future reference, I added some information on this to the FAQ section of the Doc Wiki http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.