I can imagine load balancing with VoIP would be unsatisfactory. I would create a failover gateway group and policy route the VoIP traffic to that instead of the load balance group. Both can coexist and you can have different outbound connections use different gateway groups.

I solved this. For anybody coming across this issue: I had to add two LAN Firewall Rules. See the rules in the screenshot attached.  Note that I had to select the non-default gateway that corresponded to the interface that I was trying to force the traffic out on. I have no idea where I would have found this in the documentation or even if I'm actually doing this correctly, but it seems to work for me. [image: Capture.JPG] [image: Capture.JPG_thumb]

You need a static route for the inner network pointing to pfSese on your workstation. If you use a DHCP you may set the DHCP server to push the route to all clients.

It was pinging. The problem is solved. I had to set the DNS resolver to all the interfaces.

Thank u marjohn56, I made mistake WAN address previously, now it is working thank you very much

Unlikely, and there is probably a better way to implement what you're after that doesn't require using port 80, such as using HAProxy and ACLs to determine how to route the requests.

Marjohn you smashed the nail on the head! set bridged network from router, config WAN interface for ppp0e and boom we're live  8). Thanks both, much appreciated. Regards, Ryan

Ok, I had configured totally wrong setup. :( I can configure each ISP router to use different lan address& network& DMZ - but cannot get public IP  - all had to use DMZ, no possibility to setup bridge mode :( I need load balancing for LAN computers, and that my servers can be accessible from all of my 4 public IP. All internal IP configuration can be changed. All my internal servers can be reconfigured (Debian). My pfSense box has 5 ethernet card, so there are many possibilities :) I don't need any additional security for now. Howto do You suggest then? for testing, simplest solution will be best.

You can use an alias there. Source: Network: Type an alias name It is admittedly not as clear as it could be.

OK, that's taken care of the remote login! Thank you. That was a remarkably useful guide. Now, as for the other issue, I seem to have "solved" it by creating two instances of my security cameras, one for "inside" my LAN and one for "outside" my LAN. Seems to work for now, but I'd still like to know what's going on.

Ok, I'm pretty sure I understand why the 1:1 NAT rule doesn't work: both IPSec tunnels run on the same virtual network interface, so the packets never go through the firewall.

Never mind, I just found my solution. I did do the 1:1 NAT but previously made some additional rules that were interfering. Deactivating them solved the problem.

@Derelict: NAT reflection is not testing connectivity from the outside, as you stated you want to test. If you want to test that you need to test from the outside. NAT reflection tests NAT reflection. It allows the convenience of inside hosts being able to connect to the outside IP address from the inside, but it does nothing to actually test connectivity from the outside. And it works. If it is not working you have it configured incorrectly. I believe I understand what you are saying; but I think there is some confusion around this situation. I only want to test that connections coming from inside destined for my WAN IP are able to make it to their destination without using split DNS which would resolve the WAN IP to an internal private IP because the source is coming from internal address. Does that make sense or is NAT reflection doing the same type of conversion? Also, I agree it must be misconfigured since it is failing; but I followed the guide exactly without success. This is why I am confused.

That drawing is horrific!!! So your clients are behind pfsense on a 10.0.0/24 network?? So pfsense wan is 125.x.x.x.. So you have a client trying to hit your webserver via your public IP..  For that to work you have to have setup NAT reflection.  But if your client on 10.0.0.5 wants to talk to client 10.0.0.10 why you not just resolve abc.com to 10.0.0.10 on pfsense via a host override!!

anybody?

Check if the WAN interface network mask is set correctly on both boxes.

"I have to define 6 WAN interfaces. Any other way?" Huh???  You would normally just put the vips on the interface actually connected.  I don't even think pfsense will let you bring up another interface in the same network??  So at a complete lost to what you have done. If you have been given say 1.2.3.0/29 where gateway is 1.2.3.1 and you can use .2 -.6  You would say give pfsense the .2, then create VIPs on this interface for your .3, .4, etc.  You would then forward your traffic that hits your different vips.. Ie if dest is 1.2.3.6 port 80 forward to 192.168.1.100:80, if hit .5 then 192.168.1.99:80, etc. You can name optX anything you want.  If you gave it a gateway on the interface then it would auto think its a "wan" interface and allow for natting to this interface, etc.  This is how you bring up different wan connections when you have different ISPs etc. But again I am like 99.99% sure pfsense will not let you create another interface and put an IP on it that overlaps another interfaces network..  So what you have done I have no idea.