• Share between the lan and WAN

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    P
    I have done this on odd occasions where the WAN side has an "ADSL modem & WiFi AP device" and the small site had no other WiFi AP. They wanted to be able to connect laptops to the WAN-side WiFi and still see resources on the LAN as well as get out to the internet. I think these were roughly the steps:
    a) Add a firewall rule on WAN to pass traffic from 192.168.2.0/24
    b) Turn off any DHCP on the real internet modem/router that is between the WAN and real internet.
    c) Give DHCP on the pfSense WAN, so it gives clients on the WAN side an IP address with gateway and DNS of the pfSense WAN IP. (e.g. pfSense WAN IP = 192.168.2.1)
    d) Add a NAT rule to NAT from 192.168.2.0/24 to the pfSense WAN IP 192.168.2.1 - this will NAT your WAN-side clients when they browse the real internet, so replies will come back through pfSense, which can keep track of the states.
    e) Put something reasonable in the DNS forwarder - e.g. a domain override that refers requests for internal names (like *.internal.mycompany.com) to a DNS server on the DC on the LAN side that can resolve the names.
    pfSense will happily route between the LAN and WAN subnets in both directions. You can't browse the LAN, but you can use the names of LAN servers to reach them.
  • IPSec forwarding from one subnet to another

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C
    Very stable
  • Port forwarding to the multiple addresses on same port

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Port Forwarding - Step-by-Step - Demystified - pfSense 2 [SOLVED]

    Locked
    12
    0 Votes
    12 Posts
    222k Views
    C
    Hello, I know this is marked as closed, but I'm having trouble forwarding a port. Port 8081 to be exact. Here is my setup: I am running VirtualBox with two guests. Guest one is pfsense with two NICs (WAN and LAN). Guest two is Windows 2008. pfsense WAN gets an IP from my HOST network, and pfsense LAN is set to a different network. WAN = 192.168.1.35 LAN = 192.168.2.4 The other Guest has an IP of 192.168.2.1 with a gateway of the pfsense LAN (192.168.2.4). This allows my Windows 2008 internet access from VirtualBox internal network. I have Apache installed on Windows 2008 running on port 8081. If I change the Windows 2008 NIC type to Bridged Mode, allowing it to be on the same network as my Host, I am able to connect to the Apache server, so I know it's running and works. With Windows 2008 back on VirtualBox's internal network, I am trying to get port 8081 to be forwarded through but cannot. Attached is a picture of my settings. It's not working, can someone help me with what I am doing wrong? EDIT: I must have messed something up elsewhere in the settings while playing with this. I reset to factory defaults, disabled the "Block Private networks" and it's connecting just fine now. ![Port Forward.jpg](/public/imported_attachments/1/Port Forward.jpg)
  • UDP NAT Problem : Random NAT bug ?

    Locked
    14
    0 Votes
    14 Posts
    6k Views
    I
    I've just checked the file content. I'm sorry, but /tmp/rules.debug contains way too much private data; I'm sure you will understand that I can't send it to someone without some serious NDA. In order to let you investigate properly, I will try to reproduce my problem in a lab. I'll come back to this topic as soon as possible. Sorry for the delay.
  • Problem with SIP softphone behind router

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    I
    This might be something manual outbound NAT can solve. Have you tried using this?
  • Retain ports for VOIP

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    I
    Might it be the case that you are doing double NAT with the router (192.168.1.1) in front of your pfsense? If so, you need to disable NAT on your router or, even better, use pfsense as your router instead.
  • WAN Public /24 LAN Public /24 LAN NATed private /16 172.16.xxx.xxx ?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    P
    Thanks for the solutions!
  • Cannot access inside global address.

    Locked
    5
    0 Votes
    5 Posts
    1k Views
    J
    I appear to already have this set. http://imgur.com/6YkdwFJ
  • NAT with large number of subnets/IPs?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Forward Port to different Internal IP's based on Source IP

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C
    Yes, that's the purpose of source in port forwards.
  • NAT Reflection + Inbound Load Balancing

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimp
    For that you need extra NAT. The problem is that if your clients and servers are on the same subnet, the servers will respond directly back to the client, bypassing the load balancing, it doesn't really have much of anything to do with NAT reflection. What you need to do is go to Firewall > NAT and switch to manual outbound NAT. Then add a rule to translate on the LAN interface with a source of your LAN subnet and a destination of your LB pool servers, so it will alter the traffic so it looks like it comes from the source address of the firewall.
  • Redirect traffic from internal ip to external ip directly to server

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Outbound Port Forwarding

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • NAT66

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    I
    //And completely miss the point of IPv6. Just route it. If you need multiple internal subnets, give up doing local SLAAC and use subnets smaller than a /64 and use NPt to map them to segments of your routed /64. Or find a non-stingy ISP that will give you a few prefixes (a /60, /56, or /48 are also common).// Well, I don't think it's an option to drop SLAAC by going to smaller subnet sizes. Static addresses are no option in roaming environments and most devices don't even support DHCPv6 :-( I'll probably change my ISP and live with the lower bandwidth (my current ISP is switching to DS-Lite and dropping native IPv4 as well). What speaks for NAT66 is that you could at least run one subnet via NAT66, e.g.: the ISP hands out an IP6 address to the WAN interface and delegates a /64 via prefix delegation. I could use the /64 for one subnet and the IPv6 WAN address via NAT66 for another subnet with ULAs. So only one subnet would have to live with NAT… Complicated stuff. But I'm glad pfSense supports IP6 so well at this moment. I've looked at other "ready to use router distributions" and a lot don't even support IPv6 in any way...
  • NAT with TWO WAN interfaces [SOLVED]

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C
    Problem solved: OPT1 was missing gateway declaration in OPT1 Interface settings. Once I defined the next hop router (towards cloud) as the gateway, NAT worked. doh. ;D
  • Mail server outbound traffic

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    C
    Thank you. No, I don't need to use a VIP (I have one static IP per WAN). I need the mail server to use the specific WAN to send mail outside and if this line is down, it will not send. So I need a LAN to WAN rule. Best regards Kostas
  • Pfsense blocking some clients

    Locked
    1
    0 Votes
    1 Posts
    878 Views
    No one has replied
  • Https svn access via dyn from LAN

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    S
    Disabling "Disable NAT Reflection for port forwards" fixed the issue. Is there any downside to this?
  • Cannot ping webserver from inside PFsense network

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    A
    Okay… Seeing something different here. My trouble IP 187 gives me this readout

        $ route -n get xxx.187
           route to: xxx.187
        destination: xxx.184
               mask: 255.255.255.252
          interface: em1
              flags: <up,done>
         recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
               0        0        0        0      1500        1        0

    when the good one that is routing correctly does this...

        $ route -n get xxx.188
           route to: xxx.188
        destination: default
               mask: default
            gateway: xxx.185
          interface: em1
              flags: <up,gateway,done,static>
         recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
               0        0        0        0      1500        1        0

    Thank you for all your help
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.