I have fixed this problem by setting all the networks to a /24, and adding the destination network to the pfsense1 rules. All is working well now. My Wireless setup is located here http://forum.pfsense.org/index.php/topic,10077.0.html

yes but on port 441 Thanks for your response cconk01

I think there are a few threads about the long wait for CARP interfaces during bootup. As far as i know the problem is solved for the next version. Hmmm. I've never experienced that i had to reboot to get CARP IP's working. Are you sure you've waited long enough? A reload can, depending on your setup, take quite a while.

There is a note at the bottom of the screen when you add a VIP. Note: ProxyARP type IP addresses DO NOT work with the FTP Helper and addon packages such as squid. Use a CARP type address in this case.

hi, im testing Current version: 1.2.1-TESTING-SNAPSHOT. problem still persists. i will stay tuned …. ozett

Having trouble visualizing what the firewalls should look like to allow the server to be dmz out the wan. I have taken your advise an changed the /8 to be a /24 like the rest of the network. (See last diagram) I am very excited about this GruensFroeschli  you rock.

just need to access my home desktop http web and https for my wireless access point.

Anything not explicitly allowed is denied, so you shouldn't worry too much. DNS should show closed from the WAN. The DNS forwarder will show DNS open from the LAN side- I don't think it should show open from the WAN, but I'm not 100% sure- I generally point DNS to an internal server instead of running the forwarder…

Ok, so here's my follow up to the issue. Here is the setup: –------------------------- (Internal Nodes)-----|48port switch|--------<---------------------- Pfsense box----------------------->--------------|48port switch|-----|External Public IP's---------> (192.168.2-7)-------|SWITCH|--------------LAN(em2)192.168.1.1--|----------|-82.46.115.82(em0)WAN-------------|SWITCH|-----------(82.46.115.1-255) I was able to setup the internal interface em2 as 192.168.1.1 and the external interface em0 as 82.46.115.82. All the private IPs  need to have ssh,http, and https enabled. Which would be a better approach: NAT–->1:1---> ProxyARP with -->outbound NAT and all the proper rules that will forward traffic from external to internal interface. or NAT-->Portforward using single WAN interface address but different ports.   a) Can all the internal clients have ssh,http, and https access from a single interface? Hopefully this helps, let me know if there is anything i can add.

Outbound traffic works. I tried the same configuration (same IP, etc) with a Netgear WGT624 router and everything including port forwarding worked. I also called my ISP and asked them to check that everything was properly configured on their side. It's really strange this won't work.

http://forum.pfsense.org/index.php/topic,7001.0.html

You cannot do this with pfSense. I think if you search on the forum there is a thread about this exact same issue. Someone provided a solution but i dont remember what it was ^^"

There are anchors in the config so you can use those dynamically from the shell, but if you knew how to control pf(4) you already would know about it, right?! So do not mess with it till you are confortable enough.

Thanks for the help, it is still not working but I think I know what I have to do! Cheers, Leon

Hey everyone, I searched the whole network yesterday one device after anther connected to the patch panel and didn't find any mysterious devices on IP 192.168.1.1. I don't know…. well it works now so no big problem. Bye and thanks for the help.

Problem fixed when I used outbound NAT.

Good idea :) use same aliases for firewall and nat, thanks. In this case is better use portforward. No more secure, but same as PortForward i think. Both is protected over firewall,. Only if fail firewall then can by more security issue use 1:1.

@blak111: Is there a way to catch all DNS traffic and redirect it to other servers such as the OpenDNS set? I have had several problems with guests having static DNS servers set so they never make it to the captive portal because of the DNS queries timing out. Hi Kevin, I'm not familiar with pfSense, but since it looks like m0n0wall fork and using PF, then the answer should be yes.  You have two issues.  One is redirecting the traffic, and the other is making sure your DNS server (or in this case, ours at OpenDNS) will recognize that it's meant for us, and that we know where to send it back.  For the first part, you should be able to use the rdr rules and for the second part you should be able to use the NAT rules. So just thinking outloud, something like this should work: First intercept the traffic from your internal interface: rdr on $int_interface inet proto udp from any to any port 53 -> $opendns_ip (note: you might only be able to do this to one of our IPs, not both, but that's okay, really) Rewrite the outgoing packets to actually have a destination of 208.67.222.222 nat on $int_interface proto udp from $int_interface:network to any port 53 -> $opendns_ip This is all just a total guess, but something like this should be possible. :-)  Let us know if you figure out the magic commands.