search "ping VIP" –> http://forum.pfsense.org/index.php/topic,4499.0.html Afaik you cant ping PARP VIP's. Use CARP VIP's instead (even if you dont use CARP-functions)

I found what problem. but need help 1. if i have this cheme. all NAT working workstation (ip 10.0.0.30) –--->pfSense/bridge(10.0.0.3)----->cisco1700(10.0.0.1) gw 10.0.0.3 <=- 2. but on this scheme Nat not worked workstation (ip 10.0.0.30) ----->pfSense/bridge(10.0.0.3)----->cisco1700(10.0.0.1) gw 10.0.0.1 <=- What i can do in 2 scheme for working NAT?

Thank you dotdash, I had an error in my thinking… I did have the private natted LAN set to use the FW lan ip as the GW. I will go back and double check everything now and reset the default LAN allow rule.

ok thanks for the help

I Alread Try to put the 78.10.1.97/28 addres in the Lan and conect other computer to a OPT1 and make a rule to pass all trafic from that OPT1 to the Banck Address Thru the lan  but the VPN not Estabilish. The vpn only work when that especific address is in My network

I didnt notice before but dotdash is right. With PARP you need to specify the correct IP with /32 If you want to map only one IP. With CARP you need to specify the actual CIDR subnet of the IP in your case /29. PARP should work in your case too but if you want to run services on the pfSense on this VIP you should use CARP.

You can do this with a properly configured apache. But not with pfSense directly.

that fixed it, thanks man :)

Hello I have tried that but doesnt seem to be working see my picture for how its setup in the port forward page [image: portforward.jpg] [image: portforward.jpg_thumb]

Thanks to cmb and mrzaz for the response. Now that I have checked from an outside host, I seem to be able to browse the web server – which I couldn't from inside, which means redirection is working. Also, I didn't know that they could be handled in such a different way in PF -- apparently a lack of experience with that. But that solves the trouble for the time being. Thanks for the links to pf doc, I'm reading it at the moment. Thanks again. Regards

The port forward needs to be on WAN, not OPT1.

Ok.  I added a rule to forward port 80 and that works great!  Thanks! But I don't know all of the ports that need to be forwarded.  Ideally everything.  I see that reflection is limited to <501 ports. Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports. Can you recommend a better approach to solving this? Thx

firewall, rules, lan: tcp,lan net,,,443-https,wan-gateway Make sure this rule is before the default that point to the load balancer. Better solution is to make a balancer pool and a failover pool. point to the failover for https, point default to balancer.

Update - since what I have been reading pointed to the issue being resolved with AON I decided to try it.  I kept the default wan rule and added a copy of it pointed at opt1 (wan2).  After resetting the states and waiting a short period of time I tested the remote phone and it is working perfectly now. Thank you for a great product!!!

First off, let me change my subject line for this post to "NAT port forwarding stupidity from no common sense BOOB". Cry Havok patiently asked me what the default gateway was for 192.168.XX.10. The answer?  THE WRONG ONE.  It was set for 192.168.XX.1!!!  Upon changing it to 192.168.XX.2 (the LAN for my pfsense box), everything worked just like it's supposed to. I should be embarrassed (and I am).  ::) Thanks to all who replied, especially Cry Havok, who helped me trip over the obvious!  It's always the little things…

sorry i forgot to add those details i am using 1.0.1 built on Sun Oct 29 01:07:16 UTC 2006 and it runs on a dedicated x86 pc with 3.2ghz and 1gb ram.

It worked, thanks :)

We did, but it wasn't the transparent change we'd hoped for. It broke IPsec, so it was pulled. It's too late in the release cycle to mess with it. 1.2 will not support NAT-T, though it may be added as a package maybe by the end of the year. 1.3 will support it.