• CORRECTED: Odd NAT Timeout issue

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    W

    OK… I'm a moron...

    I looked a little closer and realized that the servers that I was attempting to connect to using a NAT defined on PFSense1 had PFSense2 defined as the gateway (both have IPs on the same subnet).  (that may cause some arp issues).  Given the fact that the inbound and outbound traffic is taking different paths and ending up on different interfaces on the PFSense box providing NATing services, I'm surprised that the SYN/ACK was ever received and that the session established.

    I additionally corrected the Static Routes to NOT include any locally attached subnets.

    After taking these two steps, the NATs work as expected.

    Brian

  • Port Forwarding + rewriting source ip

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG

    I never actually tested this.
    I "think" if you create an "advanced outbound NAT" rule that NATs from the WAN to your LAN it should rewrite the source.

  • Load balancing on bridging firewall (without NAT)?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    G

    @GruensFroeschli:

    Are you talking about a bridging firewall or about a router without NAT?

    first case: no
    second case: yes

    I was thinking about bridging but you've convinced me to do it by routing! :-)

    Thanks a lot,
    GFK's

  • Pfsense: Port forwarding behaves differently than a D-link router

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschliG

    I'm not sure I understand correctly what the problem is.

    If you forward traffic then this traffic gets forwarded.
    There is no
    "However it does not send URL with the port forwarding request so my ISA2006 does not like the request and apply the default behaviour of dropping/ignoring the request."
    part.
    Either it forwards the traffic or not.

    Also I'm not sure how exactly you did use your additional /30 subnet.

    If it gets routed to your public IP, you can add the first usable IP in the /30 subnet to an interface on pfSense and the second usable IP to a server.

    If you created VIPs on the WAN then you should be able to make use of the first and the second IP.
    Just NAT forward from the VIP's to your servers in your private address-space.

  • NAT port forwarding - 100% stumped.

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschliG

    And you're trying to access the WebGUI of the AP?
    Can you ping the AP from the ping tool in the pfSense webGUI?
    Did you set the correct subnet on the LAN interface? (it can happen)
    Did you set the correct default gateway on the AP? (I've had one where you couldn't set a default gateway…..)

  • MOVED: Port forwarding seems to work a bit odd

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • NAT 22 SYN_SENT:CLOSED

    Locked
    4
    0 Votes
    4 Posts
    18k Views
    N

    Hi,

    Ooops, I didn't see it…so why is VIP configured? I mean, it is completely normal that WAN/LAN addresses are in different
    network ranges. I'm not using VIP so I may be wrong, but first back up the current config, then can you delete the VIP config and set all the
    rules back to default, then add port forwarding only to see the packets are flowing between pfSense and your Linux box (172.22.41.2?).

    Turn your box back to factory default, check one by one, one at a time. That's all I can say for now.

    cheers,

  • PFTPX troubleshooting help

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    C

    pfSense developers confirmed that the behavior I am seeing is a known bug in pfSense 1.2-release.  The bug stems from the way that the ftp helper applications are started with CARP-type virtual IP addresses.  This is fixed in pfSense 1.2.1

    Cubert

  • Help me connect to Router ADSL through Pfsense!!!

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschliG

    Read the link above again.
    You have to create a rule above your loadbalancing rule with as destination the IPs of your ADSL-routers and as gateway *

  • New to pfsense need help on port forwarding

    Locked
    12
    0 Votes
    12 Posts
    13k Views
    AhnHELA

    You can try.

    System/Advanced

    At bottom of page under Network Address Translation

    Disable NAT Reflection

    Uncheck box

  • ADSL ROUTER TRAFFIC

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschliG

    Then you have to configure your ADSL modem correctly or set it into bridging mode so pfSense can handle the additional IP's.

  • How-to setup 2 WANs + 2pfsense + 1 DMZ + 3 LANs

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    S

    Can I help to find the right way???
    1. You have 2 pfSense machines?
    2. Every pfSense has NICs (number them all, and list all IPs here)
    3. There is a difference between NIC configuration on pfSense and stations configuration (subnet behind "pfSense1")

    Configuration with 1 router ("pfSense0") works fine…No additional tasks required!
    Now the "pfSense0" must know what subnet they must pass to "pfSense1" (so you must write static route on "pfSense0" for each subnet working behind "pfSense1" like). On "pfSense1" you must use only 1 "default Gateway" on NIC, that looks to "pfSense0"(it will be the WAN for this router). No additional  steps required.

    I think you must understand the principles of routing...
    Now, the sample configuration:
    "pfSense0" NICs: pfSense0WAN0, pfSense0WAN1, pfSense0DMZ, pfSense0LAN
    "pfSense1" NICs: pfSense1WAN0, pfSense1LAN0, pfSense1LAN1, pfSense1LAN2

    pfSense0WAN0 :Static IP: 70.169.215.103 Subnet: 255.255.255.24x Default Gateway: 70.169.215.102
    pfSense0WAN1 :Static IP: 34.69.200.89 Subnet: 255.255.255.24x Default Gateway: 34.69.200.90
    pfSense0LAN    :Static IP: 192.168.0.1 Subnet: 255.255.255.0
    pfSense0DMZ  :Static IP: 192.168.1.1 Subnet: 255.255.255.0

    pfSense1WAN0 :Static IP: 192.168.0.2 Subnet: 255.255.255.0 Default Gateway: 192.168.0.1
    pfSense1LAN0  :Static IP: 192.168.2.1 Subnet: 255.255.255.0
    pfSense1LAN1  :Static IP: 192.168.3.1 Subnet: 255.255.255.0
    pfSense1LAN2  :Static IP: 192.168.4.1 Subnet: 255.255.255.0

    now we have IP's, but have no routes. Add static routes on "pfSense0":
    1. Destination network : 192.168.2.0/24 Gateway: 192.168.0.2
    2. Destination network : 192.168.3.0/24 Gateway: 192.168.0.2
    3. Destination network : 192.168.4.0/24 Gateway: 192.168.0.2

    now, we have configured  both routers...
    now, we'll configure the STATIONS in subnets, not routers!
    in subnet DMZ you must use 192.168.1.1 as default gateway,
    in subnet LAN0 you must use 192.168.2.1 as default gateway,
    in subnet LAN1 you must use 192.168.3.1 as default gateway,
    in subnet LAN2 you must use 192.168.4.1 as default gateway.

    now disable DNS Forwarding on "pfSense1" and in all subnets use 192.168.0.1 as DNS

    Don't forget about Firewall rules!!!

    Any questions?

  • Forward PPTP(tcp1723, GRE[proto 47]) to Two Servers from Virtual IP's

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • NAT port 80

    Locked
    9
    0 Votes
    9 Posts
    4k Views
    GruensFroeschliG

    You should start by finding out what you're trying to do:

    Try to read up what NAT is and how it works.
    Google and wikipedia can help you there.

    You should also read the tutorials and howtos in the links you can find here:
    http://forum.pfsense.org/index.php/topic,7001.0.html

    After that draw a diagram of what you want, which IP you have where and what should have access to what.

    If you have that:
    Set up VIP's where required (your additional IP's) and create port forwards or 1:1 NAT entries depending on your needs.

  • Redirect outbound traffic on port range to internal IP.

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    D

    Well the IP I am connecting to is the internal IP, yet due to the way the server software works (it is an incredibly alpha piece of software that really doesn't function exactly as it should) it does cause some weird router loopback issues, even though I am connecting to the internal IP. So I'm not sure whether it is the client machine that has the loopback issue or the server.

    Either way I shall try NAT Reflection asap as this sounds exactly what I am after. Thanks for the tip.

  • Mixed NAT and routing

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    A

    Thanks for the help :)

  • Why do I have to reboot pfsense to access server on the lan?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    J

    Would it be better to set this up with a vip like this?

    Public IP
                                |
              Router DMZ to 192.168.1.10/24
                                |
                  WAN 192.168.1.10/24
    pfSense1, dell2400, DHCP  LAN 10.0.0.100-10.0.0.200 Freeradius, Captive Portal
                      LAN 10.0.0.1/24
                                |
                                |
                                |--wired Switch (Local Network at my house)
                                |
                                |
                      WAN 10.0.0.3/24
    pfSense2, bridged ap, Wrap With Omni On Roof
                      LAN 10.0.0.2/24
                                |
                                |
                                |wireless
                                |
                                |
                      WAN 10.0.0.132/24
    pfSense3 client, DHCP 192.168.2.100-192.168.2.200, Radius Client, Captive Portal, Omni Directional On Roof
                      LAN 192.168.2.1/24
                                |
                                |
                                |Switch--------wireless linksys 54 G (Access Point for client computers)
                                |
                                |
                      10.0.0.10/24 VIP
      Win XP DVR Server (http Camera Server)

  • Access to internal sftp

    Locked
    9
    0 Votes
    9 Posts
    8k Views
    K

    The source port is a random port chosen by the operating system in range 1024-65536 unless specified by the client.

  • Barrier Reef Setup and NAT

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    N

    Hope this helps: http://forum.pfsense.org/index.php/topic,7001.0.html

    And there are several posts asking the same in this NAT forum.

  • 1:1 Just not working

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    K

    Try rebooting the external router after you have added the proxy arp vip. Some routers have a nasty habit of keeping an arp cache that won't clear without a reboot (or waiting couple of hours) and will prevent the vips from working.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.