http://forum.pfsense.org/index.php/topic,54362.0.html

@onhel: You cant just turn off the firewall function.  You need to get your cable company to put your gateway into bridge mode.  This would require a phone call to your cable company and allow them to transfer your service call to an elevated support tech who has the authority to fulfill that task.  Standard phone support employees will not be able to help you in this regard. That totally depends on which cable company serves your area. Where I live the cable company totally disowns any function of the device after the modem function. Comcast  business on the other hand seems to want to control your entire network.

The most likely place is the LAN default rule. The default rule states that LAN subnet is allowed out. 192.168.4.6 (and .5) is not on the LAN subnet, so it is blocked. If you have adjusted the LAN rules to allow your second subnet, then I would look at changing from ProxyARP to either CARP or IP Alias. I have never used proxyarp as a gateway, so I don't really know. Also, is the default gateway on 192.168.4.6 (web server) the pfsense proxyarp? if not, then you are creating a routing problem.

Yes you can created a routed network with the help of your ISP. What you will want is 2 separate public IP ranges. The smaller one can be a /30 or a /29 and you will route your bigger /24 or /25 or whatever to that smaller IP range. Or you can create a DMZ/WAN bridge. routed is slightly faster and uses less resources. bridge uses less IPs.

Try this way Create a Alias (network Type) with your desired IPs range (x.x.x.100-x.x.x.200) Use that Alias as SRC in your Rule

Hi, I already found out what to do and what went wrong. in PF 2.0.1 you need to add NAT reflection to the port forward. thanks anyway

Thanks for the quick reply. I'll check it out :). Would be cool if you could layer 7 it :)

HTTPS cannot be proxied in that way.  The client needs to know it is going through a proxy for it to work (in other words, the client needs to be configured to use the proxy, either manually or through automatic proxy detection).

It works, that was my mistake as I failed to set the WAN Adress as destination. Once corrected it works. Thank you very much

what is your exact question? what do you like to do?

@cubsfan: Wasn't real sure where to post this one I have a somewhat odd setup on a couple pf boxes, I will draw it the best I can pf2   -> LAN                          | internet -> pf1                          |                         pf3   -> LAN                           |                         netA I'm trying to nat from the public side of pf2 to a host on netA through the LAN subnet.  I was thinking I could setup a firewall rule on the netA interface of pf3 to change the gateway to the LAN interface of pf2 and accomplish it but it's still trying to send the replies out  the WAN interface of pf3.  pf3 has NAT enabled for netA on the wan interface so I'm not sure if that is hitting before the LAN rule and sending it out that way or what is happening exactly. Is there any way to accomplish this? thanks Also, with the policy rule in place, traffic is sent to pf2 from the host on netA I'm trying to do this with, it's just the replies that don't seem to be routed back out that way.

That all looks correct with the exception of the proxy ARP, you're causing the firewall to claim every single IP in 10.1.0.0/16 there, which is creating a huge mess of IP conflicts if you have anything other than the firewall on 10.1.0.0/16.

…and made even more changes last night, it should be in much better shape now. Previously if I unplugged my cable WAN it would switch its IPs around due to the way the modem worked, and the old states would hang around. After quite a bit of fiddling I managed to get it to clear the states when it fails to the modem's useless private IP and when it recovers to the real public IP. The latest snapshot should hopefully perform much better, even with PPPoE WAN types.

Ok, and finally, the "non static port NAT" default feature of pfsense didn't helped either (http://doc.pfsense.org/index.php/Static_Port) Setting static port to yes and now I2P is completely happy again. Solved.

Could be hardware related or someone made an accidental change in the config.

@podilarius: If you have switched to AON, then you are going to have to create a rule for pf2 subnet. Can you get to the internet from behind pf2? As it turns out I had the DNS record published incorrectly so I was beating on someone elses firewall trying to get in.  Fixed that up and everything works nicely, amazing what one digit will do to you.  I should have just stopped yesterday and gone home. -andy

finally i think i did get it with your help! Thank you podilarius I will report back here when all is online and running. There is already another question opening about http-redirect, that i will post in a new thread. Maybe you have answers for this too  ;D cheers

Configure your firewall rules accordingly under Firewall>Rules, OpenVPN tab. Only permit access to the mail server.