There are anchors in the config so you can use those dynamically from the shell, but if you knew how to control pf(4) you already would know about it, right?! So do not mess with it till you are confortable enough.

Thanks for the help, it is still not working but I think I know what I have to do! Cheers, Leon

Hey everyone, I searched the whole network yesterday one device after anther connected to the patch panel and didn't find any mysterious devices on IP 192.168.1.1. I don't know…. well it works now so no big problem. Bye and thanks for the help.

Problem fixed when I used outbound NAT.

Good idea :) use same aliases for firewall and nat, thanks. In this case is better use portforward. No more secure, but same as PortForward i think. Both is protected over firewall,. Only if fail firewall then can by more security issue use 1:1.

@blak111: Is there a way to catch all DNS traffic and redirect it to other servers such as the OpenDNS set? I have had several problems with guests having static DNS servers set so they never make it to the captive portal because of the DNS queries timing out. Hi Kevin, I'm not familiar with pfSense, but since it looks like m0n0wall fork and using PF, then the answer should be yes.  You have two issues.  One is redirecting the traffic, and the other is making sure your DNS server (or in this case, ours at OpenDNS) will recognize that it's meant for us, and that we know where to send it back.  For the first part, you should be able to use the rdr rules and for the second part you should be able to use the NAT rules. So just thinking outloud, something like this should work: First intercept the traffic from your internal interface: rdr on $int_interface inet proto udp from any to any port 53 -> $opendns_ip (note: you might only be able to do this to one of our IPs, not both, but that's okay, really) Rewrite the outgoing packets to actually have a destination of 208.67.222.222 nat on $int_interface proto udp from $int_interface:network to any port 53 -> $opendns_ip This is all just a total guess, but something like this should be possible. :-)  Let us know if you figure out the magic commands.

Thanks.. it worked :D

Ah… When I put on a unic VHID Group on every carp IP everythig was ok... :-)

Becouse i want to disable NAT on router, maybe all port forwarding to pfsense wan interface wont make sense. If helps: [image: pfwanint.jpg] [image: pfrouter.jpg_thumb] [image: pfnatfor.jpg_thumb] [image: pfnatfor.jpg] [image: pfnatout.jpg_thumb] [image: pfnatout.jpg] [image: pflanint.jpg_thumb] [image: pflanint.jpg] [image: pfwanint.jpg_thumb] [image: pfrouter.jpg]

thanks for reply. i wait 1.3 release with impatient.

when Server A (192.168.4.250) tries to connect somewhere its "public" ip shows up as 200.200.200.250 However when someone tries to connect to 200.200.200.250 the port forward should route any packets on ONLY port 80 to Server B (192.168.4.240). technically if i were to 1:1 nat when someone connected back to 200.200.200.250 it would get sent to 192.168.4.250 and not to 192.168.4.240 and thats the problem :/ If i understand you correctly you want the VIP 200.200.200.250 to point to LAN IP 192.168.4.240 and the only thing you haven't done so fare is setting up NAT -> Outbound -> Manual Outbound NAT WAN  192.168.4.240/32  *  *  *  200.200.200.250  *  NO

Well to be honest i find it a bit strange that you have a subnet of 10.0.0.0/8 on your LAN, and at the same time traffic destined for 10.0.0.0/8 should be sent to a gateway. To me this seems a bit conflicting. I mean if something is in the same subnet than the interface itself this means you shouldnt have to send it to a gateway because it's directly reachable.

Do you know some possible things to look for that would interfere with this working? We have dual wan. We have multiple FTP servers tied to different virtual ips.

I'm not sure i really understand what you are trying. But you cannot NAT traffic into a IPSEC tunnel.

Just wanted to let everyone know it wasn't a Pfsense problem, but a Barracuda Webfilter that was causing the problem, still not sure how, but it was the problem.

I only have the backend code which has to be applied to the firewall at every reboot. I dont write interface gui code. But I can walk a coder to what needs to be done in the gui to make it work with the backend. Until someone is willing to do ti its not worth my time and effort to do so.

Well you could do it like this: Internal net: 10.1.1.128/25 External Net: 192.168.1.128/25 translates to 10.1.1.192/26  to  192.168.1.192/26 10.1.1.160/27  to  192.168.1.160/27 10.1.1.144/28  to  192.168.1.144/28 10.1.1.136/29  to  192.168.1.136/29 10.1.1.132/30  to  192.168.1.132/30 10.1.1.130/31  to  192.168.1.130/31 10.1.1.129/32  to  192.168.1.129/32 like this you dont have to create 125 rules but only 7