• NAT for a not-directly connected subnet

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    E
    I have proceeded with more tests, and one new issue is that, from the client 192.42.14.198 (LAN2), I can't traceroute the pfSense gateway, and from the pfSense gateway, I can't traceroute the client on LAN2. The traceroute stops at my LAN1/LAN2 gateway, but the ping works!! Can it come from my LAN1/LAN2 gateway? Here is its configuration:

        qw-14:/home/jerome# ifconfig
        eth0      Lien encap:Ethernet  HWaddr 00:50:04:1D:B0:7C
                  inet adr:192.168.1.214  Bcast:192.168.1.255  Masque:255.255.255.0
                  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                  RX packets:2140 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:766 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 lg file transmission:1000
                  RX bytes:179096 (174.8 KiB)  TX bytes:89501 (87.4 KiB)
                  Interruption:11 Adresse de base:0xa000
        eth1      Lien encap:Ethernet  HWaddr 00:01:03:03:9F:AF
                  inet adr:192.42.14.254  Bcast:192.42.255.255  Masque:255.255.0.0
                  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                  RX packets:501 errors:0 dropped:0 overruns:47 frame:0
                  TX packets:117 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 lg file transmission:1000
                  RX bytes:69929 (68.2 KiB)  TX bytes:10950 (10.6 KiB)
                  Interruption:5 Adresse de base:0x2400
        qw-14:/home/jerome# route
        Table de routage IP du noyau
        Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
        192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
        192.42.0.0      *               255.255.0.0     U     0      0        0 eth1
        default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
        qw-14:/home/jerome# cat /proc/sys/net/ipv4/conf/all/forwarding
        1
  • MultiWAN + 1:1 NAT…

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Dmz mailserver

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG
    http://forum.pfsense.org/index.php/topic,7001.0.html
  • Migrating from ios

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • STRANGE CASE?! SYN_SENT:CLOSED Dual-WAN/NAT

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    S
    Please make a screenshot of the firewall rules and any related nat rules.
  • 0 Votes
    6 Posts
    3k Views
    M
    alright; I unchecked the NAT reflection box, and that did the trick. ugh, that was driving me nuts, so I thank you guys a lot.
  • Bonded T1 = 2 IP Range on WAN Port

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Port forwarding, with a bridge from the LAN to OPT1(wireless)

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    M
    well, I think I got things figured out; I waited a bit after I made the port forwards; and everything works; I guess it's just not instant, is all.
  • How to properly do a 1:1 - public to private?

    Locked
    6
    0 Votes
    6 Posts
    9k Views
    dotdashD
    The order is correct. Setting up a Virtual IP is basically telling the firewall to accept the traffic coming in on that IP. For example, if the firewall's WAN address was 1.1.1.6 and you had a server behind the firewall that you wanted to get traffic sent to 1.1.1.1, you would have to tell the firewall that it is also using that IP address. Otherwise, the traffic comes in from your ISP's router and the firewall ignores it. See http://en.wikipedia.org/wiki/Address_Resolution_Protocol and http://en.wikipedia.org/wiki/Proxy_ARP
  • Cannot forward HTTP/Port 80

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    R
    Fixed. Thanks..
  • Basic NAT / 1:1 Setup Question

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    D
    OK - that was fun figuring out….  It's a squid issue.  I reinstalled everything and started from scratch w/out any packages installed.  I got everything working great and then when I installed squid all 1:1 NAT reverted back to the router IP. So, now that I have that figured out, is it possible to run 1:1 NAT with squid, meaning, can I 1:1 NAT public IPs to private network IPs and proxy port 80 requests through squid (and still retain the public IPs)?  I hope that question makes sense... thx
  • How to redirect some website to pfsense local squid proxy?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    M
    You should post your question in packages.  To redirect only certain traffic to squid proxy you'll need to edit squid.inc by hand and create an alias that will build your table.  Take a look at this post: http://forum.pfsense.org/index.php/topic,6439.0.html (note that squid package was updated since above post so inc file might look a little different now)
  • Port not open? Only filtered?

    Locked
    20
    0 Votes
    20 Posts
    11k Views
    M
    UPDATE: I've managed a double NAT in active ftp in some way.. I've set the "ForcePassiveIP" parameter in pure-ftpd to the external address outside the network the server is on (192.168.1.1) in order to get passive on m0n0wall working. I've now tried to set up the pfsense too, and it seems to have paid off! :) Passive FTP is working through the pfSense box now, I'm going to troubleshoot the passive connection in the meantime.. I've tested through SSH on an external server

        server <------------> pfsense/m0n0wall <-------------------------> routermodem (PPPoE)
        10.0.0.4              10.0.0.138/192.168.1.1                       85.167.x.x

    Like I said, this is with double NAT. I have no idea why the bridge on the modem, and the PPPoE on the pfSense didn't work. Neither how the ForcePassiveIP parameter affected the active FTP-connection with the server.. Though, it does not work through the simple external FTP-tester I've been using a lot, including the SSH of course. http://www.g6ftpserver.com/en/ftptest

    To others experiencing the same issue: Configure passive connection on your FTP-server and force the passive IP to the external IP from the network you're in. (above) Though again. This configuration may be trouble for my CStrike connection. I will need to test out that too..
  • Port forward on dual WAN

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Second LAN not being port-forwarded

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG
    enable NAT-reflection
  • Best Practice? 1 WAN in 2 Interfaces out, Bridge 1 or 2? NAT 1?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    P
    Ok, well I'll ask this then.. How can I get DHCP on my WAN address to pass thru a filtered bridge onto both the OPT1 and OPT2 internal adapters?
  • Traffic from 1:1 NAT dies after going through one router hop

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    S
    Thanks for the replies. I got it working but I am not sure how. I was sniffing with wireshark and in the midst of my troubleshooting it started working. Did not change anything in the firewall config. The router was working correctly as well. It was sending out ICMP packets that were getting a response and the ones that were not getting a response exactly the same way. One key thing that I forgot to mention in my original post is that this is a cable connection. Since the time the problem mysteriously fixed itself I have torn down the whole setup a couple of times and rebuilt it. And I have been able to reproduce the problem but not with consistency. One thing I found that fixes the problem every time is rebooting the cable modem after I am done creating all the VIPs. Any VIP that did not exist when the cable modem was powered up has a random chance of working. But if I reboot the cable modem after creating the IP then it would work every time. I did not sniff the wire to see if the modem was somehow ping sweeping my CIDR block to see which IP is live and which is not. It wouldn't make sense for it to do that. In any case, I'll post back if I find anything concrete. Right now my troubleshooting is not conclusive but at least I know how to get it working. What a great product BTW. Very impressed.
  • Nat reflection issues (timeout) in both 1.2-RC2 and 1.2-RC3

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    F
    Try this: http://forum.pfsense.org/index.php/topic,1528.0.html
  • 1:1 NAT not allowing incoming connections

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    C
    You know what, I am stupid. I just remembered I did not tell the specific rule itself to log, I just had logs in general on… Dohh... Anyway I am in the process of rebuilding it now due to crashing for some odd reason after the 11/6 snapshot was put on. When I am done I will remake the rules and what not from scratch and maybe it will work now, I don't know... :) If not I will post back with my findings as I only have one more day to get this thing working. :( If anyone else can think of anything please let me know, But am I correct in assuming that making the rules like I did it should just pass all traffic going to the 5 public IPs to the 5 local on the DMZ and it will be up to the hosts/devices to firewall? That is what I am after. I know I can do individual ports but I just want EVERYTHING allowed on these 5... UPDATE Guess I am dead right now... The 11/6 snapshot is broke it seems or at least for me... Posted my problem in install/upgrades... I keep getting random reboots. So can't finish playing with this until that system stays up. :)
  • Advanced Outbound NAT : Static Port

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    C
    I am new to all this myself but my understanding, someone correct me if I am wrong, is that when it is unchecked the box makes random ports for the outgoing connections. This is more secure because say if someone was following your traffic they would get lost in it because it changes the port number. If you check that, it will force it to use the same port number. Some things don't like the port changing like that but a lot of home routers do it even… Hope that helps, maybe someone will chime in if I am off..