• Packet loss of RDP connection routing via different gateway

    3
    0 Votes
    3 Posts
    939 Views
    S
Thank you very much for your quick answer!

@viragomann:
@shadowconnect: Here is my setup:

                  Gateway-1
                      |
                     WAN
                      |
    Machine-A    pfSense 2.3-RELEASE    Gateway-2
        |                 |                 |
    ================= LAN =====================

So pfSense has nothing to do with the communication between Machine-A and Gateway-2, since both are connected to LAN.

In theory yes, because Machine-A could directly use Gateway-2, but I don't want to change routing on every machine to Gateway-2. So I just configure pfSense as default gateway on Machine-A and Machine-A doesn't care about Gateway-1 or Gateway-2 and just sends everything to pfSense.

@viragomann:
@shadowconnect: There are some IP addresses which could only be accessed via Gateway-2. So I added a rule which just sets the gateway to Gateway-2 for those IP addresses.

If the traffic has to pass pfSense you need a static route for this instead.

I tried that already, but I had problems when the MTU is different on Gateway-2. When I tried to ping with a length which is 1 byte over the MTU of Gateway-2, the first packet was sent and Machine-A got a response that it needs to be fragmented. Then Machine-A sent out two packets with the correct size, but pfSense combined those two packets into one and Gateway-2 received one packet which is over the needed MTU.

@viragomann: Please explain where the captures are taken from.

Sorry, my fault, I corrected the log from Gateway, which was Gateway-2.
  • Can't forward port 80.

    4
    0 Votes
    4 Posts
    2k Views
    johnpozJ
Because your website is using host headers maybe and doesn't display anything if you go to the IP? Your DDNS is using the correct IP, and you're typing in the wrong IP? Trying to hit your public IP from inside LAN would require NAT reflection to be set up?
  • SiteA_WAN port forwarding to SiteB_Host over IPSEC

    2
    0 Votes
    2 Posts
    717 Views
    C
    bump anyone? thanks for help  :o
  • NAT IP POOL

    3
    0 Votes
    3 Posts
    2k Views
    F
Thanks JimP, I managed to set the aliases with the sticky option and it does seem to work; I will see about setting the global sticky timeout for a longer period. I have Multi-WAN balancing now, and some things just battle when they see requests come in from multiple IPs, banking sites and IPTV systems. At times even setting the sticky options doesn't work, as a website or service may have many IPs that it uses; pfSense then treats it as a new connection and it may go out a different WAN circuit. Is there a way to keep Multi-WAN balancing but, once a session from a private IP is initiated, it then becomes sticky to the WAN interface that Multi-WAN balancing has initially chosen?
  • How to redirect traffic from lan_ip_1:port1 to lan_ip_2:port2?

    4
    0 Votes
    4 Posts
    1k Views
    I
I found a solution: ssh tunnel. I might ssh into pfSense from outside, so on my laptop:

    ssh -N -L 1022:server_lan_ip:22 -p 2022 user@pfsense_wan_ip

pfsense_wan_ip is the firewall's external IP; this IP's port 2022 was port forwarded to pfsense_lan_ip port 22. Then

    ssh -p 1022 localhost

will do the trick.
  • 0 Votes
    5 Posts
    3k Views
    A
Hey, thanks for taking the time. I forgot to update. Issue solved; the problem was the ISP modem got reset, or the ISP came in and reset it. So the firewall was turned back "ON"; after logging back into the modem and changing it back to OFF, everything worked, as predicted when playing with pfSense in a test environment. Long story short, to avoid further unexpected ISP management intrusion, I disabled all the factory and ISP default accounts, changed admin passwords, created a new account for myself, and … to really avoid further modem woes, set the modem in bridge mode, and now I'm using pfSense for PPPoE as I was planning to do from the beginning. That being said, now I need to build probably a few more pfSense boxes to go behind this box for the network management stuff, since I was planning to do failover / load balancing of 2 WANs using pfSense in 2 physical boxes, so if one physical machine dies, the other one keeps going. I was contemplating running 2 VMs but am unsure if the lag in VMware might cause network delay or not. I've seen such delay elsewhere before with other network apps that are VM-sensitive. Anyway, that's a topic for another thread.
  • No access to virtual IPs from LAN

    4
    0 Votes
    4 Posts
    1k Views
    4
    @cmb: https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks Thank you very much. That worked for me well.
  • Double NAT Not working

    7
    0 Votes
    7 Posts
    4k Views
    B
Hi guys, sorry I forgot to update this thread. Everything is working fine since I installed a new PCI-E NIC. This topic can be closed.
  • I have this error

    2
    0 Votes
    2 Posts
    819 Views
    C
    You created a rule with protocol IPv6 and put IPv4 IPs in it. That's not valid. Fix or delete that rule. I fixed the input validation last week so it's not possible to create such rules. https://redmine.pfsense.org/issues/6211
  • Tor Anonymizing Middlebox with pfSense

    2
    0 Votes
    2 Posts
    1k Views
    L
I found that on: https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#BSDPF

Use the PF ruleset below as an example for FreeBSD and OpenBSD prior to 4.7.

    # your internal interface
    int_if = "fxp0"
    # Tor's TransPort
    trans_port = "9040"

    set skip on lo
    scrub in

    rdr pass on $int_if inet proto tcp to !($int_if) -> 127.0.0.1 port $trans_port
    rdr pass on $int_if inet proto udp to port domain -> 127.0.0.1 port domain

Use the PF ruleset below as an example for OpenBSD 4.7 and later.

    # your internal interface
    int_if = "fxp0"
    # Tor's TransPort
    trans_port = "9040"

    set skip on lo
    match in all scrub (no-df random-id)

    pass in quick on $int_if inet proto tcp to !($int_if) rdr-to 127.0.0.1 port $trans_port
    pass in quick on $int_if inet proto udp to port domain rdr-to 127.0.0.1 port domain

My question is first: which ruleset do I need, the one for prior to 4.7 or the one for 4.7 and later? And how can I add this rule to pfSense? Thanks
  • IPSEC L2L - how to publish remote WebServer

    2
    0 Votes
    2 Posts
    961 Views
    C
Hello, have you found a solution? I need to do the same thing. Thanks for help
  • NAT + OpenVPN Client as Gateway Provider on Separate Secure LAN

    1
    0 Votes
    1 Posts
    609 Views
    No one has replied
  • Disabling NAT outbound on DMZ only

    9
    0 Votes
    9 Posts
    2k Views
    K
    You could bridge OPT1 to WAN and that would give you a non-NATed network with public IPs (assuming the WAN network is using routable public IPs) and you would still be able to filter the traffic with firewall rules.
  • Multicast settings

    13
    0 Votes
    13 Posts
    5k Views
    S
I'm already accessing other cams that are not multicast compatible that way. Thanks :)
  • [SOLVED] NAT reflection not working for LAN clients

    13
    0 Votes
    13 Posts
    5k Views
    C
Okay, I believe I've resolved my problem but would like to hear feedback to see if this is an "acceptable" solution. I created a Virtual IP on the LAN interface and have all my internal app aliases (app1.mydomain.com, app2.mydomain.com, etc.) resolve to this VIP. Then I'm setting the same NAT rule on that VIP as I have on the WAN, which forwards 443 onto POUND (reverse proxy). ;D
  • [SOLVED] NAT Reflection Troubles

    Locked
    14
    0 Votes
    14 Posts
    26k Views
    N
The pfSense WebGUI issues a one-year Strict-Transport-Security header. So if you are being directed to https://my_domain.com/ when trying to use http://my_domain.com/, that is a possible cause. Strict Transport Security (HSTS): https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
  • NAT back through WAN

    3
    0 Votes
    3 Posts
    978 Views
    DerelictD
    I don't think this will work. You need to do this port forward in your ISP router. A specific port forward should take precedence over the "DMZ" host setting. This is generally how it works. So put a port forward in your ISP router for WAN:443 to 192.168.1.100:443 and everything else should go to the "DMZ." If your ISP router is no good, put it in bridge mode and let pfSense get the public IP address.
  • Do a lot of Port Forwarding Rules impact traffic speed?

    5
    0 Votes
    5 Posts
    1k Views
    H
Isn't this what 1:1 NAT is for?
  • *solved* Update to 2.3 from 2.2.6 1:1 NAT not working

    3
    0 Votes
    3 Posts
    2k Views
    H
Yeah, you are right, IP aliases on CARP - I set the CARP IP as parent and all is working as expected. Thanks
  • 2 Users Black ops 3 Same network cannot connect at same time

    4
    0 Votes
    4 Posts
    1k Views
    R
You need to open port 3074 for the first user, 3075 for the second, etc. https://www.reddit.com/r/blackops3/comments/3rsw61/open_port_3075_for_open_nat_type/
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.