Not sure if I can bump here but seems appropriate. I have read many prior discussions about 1:1 NAT, Outbound NAT, reflection, VIPs, etc. Round and round I have gone but I still can't figure out the scenario I am looking for, which seems a basic implementation.

I´m doing that with Squid3 package that has reverse proxy. Don´t know where I found the howto but here is a short recap of what I did. Remove old NAT and FW rule for port 80 Add new NAT on WAN for port 80 to 127.0.0.1 and a new choosen port for example 9000 Add new FW rule on WAN with dest 127.0.0.1 port 9000 In squid3 general set interface to loopback, set you external address in FQDN, enable reverse proxy on port 9000 In squid3 webservers add your servers with their IP data In squid3 mappings map your servers to the right domain names for example "www.example.com" and "example.com" Think that was all there was to it.

Well if you want to play with ipv6 then you will have to move to 2.1  - if your setup is generic then just do clean. Maybe I am spoiled with running mine on vm, but it takes takes no time at all to try this version of that version - if need be roll back, or just switch to different vm running different version, etc.  Every now and then if someone has issue with older version I want to try and duplicate I just fire up a vm with that version on it, etc. So maybe I am spoiled with time to spend - since there isn't any really, only takes minutes to switch around what distro I use for my router - be it pfsense, ipcop, m0n0wall, etc.  Since I can have the VM use the same mac as its wan don't even need to restart my cable modem.

Dansguardian uses squid to actually send and capture the request, and since your users aren't directly using squid, it only needs to listen on the loopback interface since Dansguardian is on the same machine.

By the way, I hope I posted this in the correct section/area

Improper caching the easiest way to break the Internet. It's best left to your ISP. Decent ISPs should't charge you for cached data from their internal network.

I don't understand what you're trying to do. Is 172.16.0.1 on the LAN side or a remote address from beyond the gateway on WAN side? What do you mean by redirect? If it's coming from the WAN side then I don't see how you can DNAT to the GW address since it has already passed the GW by the time it reaches pfSense. The rules on the WAN are only useful if the destination packet is for a host on one of pfSense's other interfaces and pfSense is performing non-NAT routing from WAN to LAN. The Manual Outbound NAT rules on WAN are also applicable for traffic originating from another interface and leaving through WAN. I believe you should be creating the DNAT rules on the GW host, not on pfSense.

Yes, got it working.  Very pleased with support forum assistance, big fan of PFSense. thanks for the pic.

@husterk: Thanks for the tips… any chance I could make this work without needing to modify the Cisco ASA settings? I may not have access to this device. I can't think how to do that - the Cisco needs to know somehow that the pfSense WAN IP is a gateway to 192.168.1.0/24 Your NAT solution is the standard way, essentially faking the pfSense LAN side address using a WAN side address that the Cisco is already happy to talk with. By the way, if you do change the Cisco to add a route to 192.168.1.1 then you will have trouble when you VPN in to the Cisco from your favourite cafe/friend's house that is using 192.168.1.0/24 locally. If possible, I would change the LAN subnet to something less common - out of the 10.0.0.0/8 space or 172.16.0.0/12 space or down the end of 192.168.0.0/16.

Nope - Mine works fine.  But thanks for the help.  ;)

You need to use Manual Outbound NAT and create a rule with source the network as VLAN3 that uses the desired Virtual IP Alias for translation. The order of the rules matter. If a higher rule matches it, it won't work.

Thanks. Got this working finally. Made a mistake in the outbound rule and that's whats caused the problem. BR Chris

Oh k. I have been told to stop playing with this. I accidentally made it so no one could play Final fantasy or War Thunder but they could still go to the web. Disabled the opt1 and everything worked again.  :o thanks for reading at least.