• Help: Terminate IPSEC Clients to NATed WAN address

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    P
    So I have managed to get a test VPN connection up to a SonicWALL TZW.  I have NAT reflection enabled to make the xxx.xxx.xxx.77 address accessible from inside the firewall.  The problem that I am running into now is that I can only bring the tunnel up from the TZW side by pinging the xxx.xxx.xxx.77 address from inside the LAN of the TZW.  I need to be able to bring it up from the pfSense side as well, but I am unable to ping the remote network (192.168.41.0/24) of the TZW from pfSense. It seems like maybe an outbound NAT rule would take care of this, but I don't know how to set it up correctly, and it doesn't seem like I can make an outbound NAT rule for my IPSEC VLAN.  Can anyone help? Below are some screenshots of my current working configuration to help you better understand my setup. CARP Address on the WAN where VPNs will terminate.  This must be CARP as opposed to Proxy ARP because it needs to be pingable.  [image: WAN-CARP.jpg] VPN with remote network set to WAN-CARP address [image: IPSEC.jpg] Port forwarding xxx.xxx.xxx.77:22 to 192.168.41.50:22  This is working.  I can SSH to xxx.xxx.xxx.77: from the TZW and connect to a shell at xxx.xxx.xxx.50:22 [image: PortFwd.jpg] And here is the firewall rule that lets the port forwarding work.  [image: Firewall-1.jpg]
  • Problems with port forwarding

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    E
    @rmathew1973: The problem I'm running into is that we have a block of ip addresses (xxx.xxx.xxx.228 to xxx.xxx.xxx.239). Very interesting definition of problem. May we see screenshots of your NAT and rules?
  • [ASK] Pfsense as squid only ??

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    T
    @Eugene: What a day! the second smart network for today… routers do not split networks.... instead hub/switches do... pfSense with one interface. Wonderland! or it's secret screenshot from the newest Cisco's IIN design. Dear tendabiru, how do you define the word 'proxy' in your magic world? Dear Eugene, the picture is from my friend's network design, but now I cannot contact him again. The router is a MikroTik (indoor router) Routerboard RB450, maybe that is the wrong design? But I just need to know how to NAT, if the MikroTik forwards everything from (port 80) to pfSense squid port 3128 (maybe using two ethernet cards). I'm sorry, I just want to learn how to use this machine / pfSense. By proxy I mean squid and squidguard in the pfSense. I'm sorry that I didn't explain it well, so I changed my header question. regards
  • HTTP port forwarding is extremely slow

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    E
    Can you post screenshot of "NAT to forward HTTP traffic to a web server" here?
  • Captive portal to LAN routing

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Trouble accessing internal webserver - dyndns, LAN, DMZ

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    Cry Havok
    http://forum.pfsense.org/index.php/topic,18094.0.html
  • Allow OPT1 as LAN 2 to connect Internet same as LAN1 interface

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    Z
    1. Switch on DHCP on Lan2
    2. create a rule like:
       Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
       *      LAN2    *     *            *     *        none
  • Wan access via LAn ?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli
    What are you trying to access? The webGUI? An NAT forwarding? In this case: did you read http://faq.pfsense.com ( http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F )
  • Ftp server behind PFsense… help, please?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    K
    anyone? please?  ???
  • Re: NAT vs ROUTE to public NIC interface

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschli
    Yes of course not. On the WAN are already things running like the webGUI. 1:1 NAT is to be used with additional IPs. If you want to forward ports from the primary WAN you need to use normal port forwards. (Here the same: you cannot forward already used ports). Why do you need 1:1 NAT anyways? Usually you can do it more elegantly with the use of aliases.
  • NAT vs ROUTE to public NIC interface

    Locked
    8
    0 Votes
    8 Posts
    6k Views
    T
    ok, OCS 2007 could use NAT, DNAT and SNAT. With R2 those requirements changed. R2 will work with SNAT. Configure it with 1-to-1 and give it a try. Enable NAT reflection if you have problems. Try it and let us know. If we get it working, we will document it.
  • 0 Votes
    5 Posts
    4k Views
    A
    You hit it. That's what I originally thought when I was faced with this problem. As if the NAT thing would know about "public" ip ranges. I will try to test this once more.
  • Is it provider or me?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    N
    @blak111: Use manual outbound NAT. Remove the rule that is translating traffic from OPT1 to the internet. Your ISP will have to be pointing to your WAN address with a route for xxx.yyy.zzz.0/28. Thank you. Initially I used http://doc.m0n0.ch/handbook/nat-outbound.html to set up pfSense. Looks like it was some crazy NAT setting upstream. They never told me what happened but all of a sudden the problem was gone.
  • Re: Specifying Source in NAT rule

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    H
    @GruensFroeschli: Yes it's not possible to NAT To different servers based on the source. But this is something else than originally described in this thread. Why would you need this? Why can't you forward externally on a different port to the correct internal port? Oh I can, it would just be nice (less options on the rsync command line and so on) Sorry for the thread jacking!
  • Can I NAT from WAN to OPT1?

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    GruensFroeschli
    I did setups like this (although only temporary as a workaround). Yes you can enable AoN and create a rule to NAT traffic from the WAN to an OPT. More importantly: Why do you need that, and what is your goal? In my setup I had to access a manageable switch, but it wasn't possible to set a default gateway on this switch. With this workaround (it's sometimes called "source NAT") it was possible to access the switch, since the visible source was the pfSense --> in the same subnet --> directly reachable without a default gateway.
  • "port forward" an web query

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M
    I use ISPconfig for all other web pages, I don't know if I should do anything to that server as it operates with vhosting, and I'm not that good with vhosting. heh. That said, how would you fix a problem like this? With a standalone reverse web proxy?
  • FTP hell

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    T
    It's not Filezilla. Do a search on FTP how-to or look in the pfsense documentation. Pfsense is a little different than common firewalls are.
  • Help with NAT / DMZ

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    R
    My main concern for this move is not security, I have been using untangle as a spam filter, and it has been working great until recently (Worked great for about 18 months, last 3 weeks it has started to give problems). I've had to reboot it a few times. Because it sits between my router and my switch (bridged) when untangle is being rebooted everyone loses web access. I would like to move the location of untangle so that it is only filtering public / inbound traffic to exchange. I can not place it between exchange and the switch directly. I have many apps that send mail via exchange, and untangle will mark or deny those messages.
  • I've natted pfsense's web and ssh to another box

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    B
    Understandable. Another option is to use overrides in the DNS forwarder to return the inside address when clients lookup those DNS names inside the network.
  • Trixbox + NAT reflection

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    U
    http://forum.pfsense.org/index.php/topic,17728.0.html would this work?