• NAT - Map Public IP to Internal IP

    0 Votes
    3 Posts
    9k Views
    I want to configure my webserver with an external IP address connected to the pfSense box. Is that possible? I want to disable NAT on that interface so I can configure my server with an external IP address.
  • [SOLVED] AirVPN (OpenVPN) port forwarding

    0 Votes
    6 Posts
    4k Views
    Okay, sorted it out.. wow. I think this is what helped me. https://forum.pfsense.org/index.php?topic=57970.0. I am running an OpenVPN Server as well as Client, and the OpenVPN wizard adds a rule. This rule matches $OpenVPN (not sure what that device actually is), and it matches the packet. The problem is that the rule with the reply-to isn't in there. So I had to edit the wizard-created rule to match the $OpenVPN network.
  • Is there a maximum number of interfaces with NAT?

    0 Votes
    3 Posts
    881 Views
    johnpoz
    550 interfaces? Into 1 pfsense box? So pfsense is going to be core router for that many networks? That you need to firewall between? I'm with dok on rethinking the design, I would think there should be a downstream layer3 switch you have all the 550 networks on.. Pfsense would really only have 1 interface then, your transit network.. Sure it could nat all of them.. But now it's just a listing in your outbound nat.. How about some details of what you are trying to accomplish, and we can discuss best way to handle it.. Do these 550 interfaces need inbound forwards, how many public IPs do you have? Do you need to firewall between these 550 networks?
  • NAT Connection refused

    0 Votes
    38 Posts
    10k Views
    Derelict
    You keep saying when you put the other firewall in place it works. pfSense and that firewall have the same inside IP address, right? And the default gateway of your server is pointed at that ONE address, right? Post CURRENT screen shots of: Firewall > NAT, Port Forward tab; Firewall > NAT, 1:1 tab; Firewall > Rules, WAN tab. Don't make any changes, just post them.
  • NAT / PAT issues. Please Help

    0 Votes
    7 Posts
    1k Views
    @Derelict: Create a VIP on LAN for 53.53.53.53. https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses Not quite sure how any other hosts on your network will know to send traffic for 53.53.53.53 to pfSense but I guess that's your problem. Assuming that's their default gateway, they'll send all off-subnet traffic there. If it's not their default gateway, adding a VIP won't help since the LAN hosts won't ever ARP that IP. Don't add a VIP. The rule as specified will work, with one caveat - source NAT on LAN is required if the source of the traffic is also on LAN2, as the target server will reply directly back to the source client with the wrong source IP, breaking the TCP connection. The source NAT ensures the reply goes back through the firewall, where it's translated back to the 53.53.53.53 IP so the connection isn't broken.
  • Cannot get incoming email to mail server

    0 Votes
    6 Posts
    1k Views
    Did you actually read at least the quoted part!? 1:1 NAT already sends all traffic to the configured host/subnet. Set up the 1:1 NAT and move on! (In fact, you are overriding the 1:1 NAT with port forwards, and screwing things up.)
  • Nat reflection not working at all

    0 Votes
    6 Posts
    1k Views
    And this is exactly why people should post screenshots of their FW/NAT/etc. rules…
  • Double Nat Issue

    0 Votes
    8 Posts
    2k Views
    I really appreciate your reply, but in my situation now, I realize network have enough traffic transit each other, so I replaced sw L2 to sw L3, and sw L3 do something else in other environment, but now I have other issue. Can you help me, johnpoz? https://forum.pfsense.org/index.php?topic=94928.0 Still double NAT for other service. Thank you again.
  • Basic Questions on NAT, PortFWD, and FW

    0 Votes
    2 Posts
    753 Views
    Is Port Forwarding + NAT + FW Rules all required for specific protocols to properly traverse the FW? If I have a static WAN IP for my mail server I would setup a NAT for routing the traffic back and forth. Do I have to then setup Port Forwarding for IMAP, SSH, SMTP… And then setup appropriate FW rules. Or can I just do NAT and FW rules - do I have to do port forwarding? In the pfSense environment you implement port forwarding by going to Firewall->NAT->Port Forward and create the forwarding you need. Once you click Save and Apply Changes, a new rule is also created under Firewall->Rules on the interface you selected in NAT to allow the forward. You can choose the protocol(s) you want to allow in NAT and the port for source and destination. You can create port aliases and use them in NAT, although that's typically only useful if the source and destination ports are the same. For 3 or four services you want to handle, it's probably easier to create individual NAT entries. It will definitely make it easier to troubleshoot firewall problems if your traffic isn't all tied into one rule. Gives you more flexibility in the future as well. You can get a description of any of these pfSense pages by clicking the ? in the upper right corner of the WebGUI page. Welcome to pfSense :)
  • NAT difficulties

    0 Votes
    3 Posts
    745 Views
    Hi, thanks for the reply. The diagram attached is what I want to achieve. I realise that I don't need to directly tie the virtual addresses to the physical NICs as they reside on different subnets for WAN and LAN, but I need to know how to route traffic through the firewall between the 2 subnets and use the pfSense as the LAN's default gateway. [image: Drawing2.jpg]
  • Multiple Local Clients Listening on Same Port

    0 Votes
    2 Posts
    538 Views
    No, no such configuration. It won't select any random port on your behalf.
  • Port Forward NAT is not working

    0 Votes
    8 Posts
    1k Views
    Derelict
    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
  • Fast routing but slow NAT performance

    0 Votes
    6 Posts
    2k Views
    I haven't got time atm, I'm running some other tests at the moment to check the state handling in pfsense 2.1 and 2.2, they are a bit time consuming as the schedule only allows 15min increments so I can't set say a 5min time span with state timeouts set to aggressive (if that's below 5mins).
  • Multiple (virtual?) IPs on same subnet for NAT

    0 Votes
    8 Posts
    1k Views
    @dotdash: Curious as to what's wrong. I just took a fresh 2.2.2 box, connected the wan to my lan (double nat, but this is just to prove a point), stuck a laptop behind it. Laptop get dhcp, on the net, all good. Then I added a CARP VIP of .90 on the LAN (remember to use /24 subnet). Changed laptop to static ip, set the gateway to .90 all good, on the net… Based on this, I did a Factory Defaults reset and it works now. I'm going to assume I borked something when trying to configure something else. Thanks!
  • RDP connection to Windows Server outside the network

    0 Votes
    9 Posts
    2k Views
    Do you need to RDP to multiple LAN Windows boxes behind the fw? If you do, then on pfsense have different ports open on pfsense with a portforward rule which goes to the LAN IP address and the RDP port. Then internet side use in the RDP client: IPaddress:Port1 where port1 portforwards to your server RDP port; IPaddress:Port2 where port2 portforwards to your sql box RDP port. You can also change the default port the RDP server listens to on the Windows box, by tweaking the reg settings as well if you like accessing multiple Windows boxes from inside the LAN at the same time. Then provided you can RDP onto the Windows box in question from inside the LAN, the pfsense port forwards should work ok. If you want to hide the fact you have (multiple) port forwards setup for RDP on the internet, setup OpenVPN on another IP address range to get you inside the LAN, then change your pfsense port forwards from wan to openvpn. The less you expose wan side the better imo. Both work well and gives you a way to have multiple RDP clients open at the same time to multiple Windows boxes on a LAN. Of course having multiple RDP clients open at the same time is also easier if you have multiple monitors as well if you need to work on server(s) and workstation(s) at the same time for testing purposes without having to wait to log in each time or be alt-tabbing between multiple machines. fwiw.
  • Odd issue?

    0 Votes
    5 Posts
    899 Views
    You need a rule to pass traffic to the VPNs that doesn't policy route, above any matching rules specifying a gateway.
  • Nating from Wan1 to Wan3

    0 Votes
    23 Posts
    3k Views
    Ok Thanks very much doktornotor. I prepare a post for the spanish forum. Thanks for your time.  :D
  • Unable to Port Forward

    0 Votes
    6 Posts
    1k Views
    I managed to come right, thanks for your help.
  • Accessing LAN host from VLAN shows web configurator

    0 Votes
    2 Posts
    699 Views
    Derelict
    Make internal DNS return the internal IP address when asked to resolve from LAN.
  • 0 Votes
    6 Posts
    2k Views
    johnpoz
    So you say in 4 you created port forward and let it create the associated rule. Then in 5 you say you created a new rule with Destination: "Any" That is not correct why would you create a rule with any as dest on your wan?? When you create a forward, by default pfsense will create the required firewall wan rule to allow that nat/forward to work. Post up your wan rules and your port forwards.. And we can see have exactly..
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.