• Port forward problem

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • SOLVED: routing between 2 Lan

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    I
    I found the solution: I checked "Bypass firewall rules for traffic on the same interface" under "System / Advanced"; now all the different subnets can communicate.
  • NAT 1:1 help

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Public IPs on a LAN

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli
    You cannot have a /32 as WAN (unless you have PPPoE WAN). And from what you describe it seems that you can just use the 24.x.111.143/29 block. You could go with the "transparent bridge" approach where the pfSense has no IP out of this range. In fact the IP you have on the pfSense is only to manage it. The clients then have public IPs out of your usable range. They have the gateway you have now on the pfSense directly. --> They will not send traffic to the pfSense and pfSense will not NAT it. Make sure you set the correct gateway and the correct subnet mask (are you sure you mean 255.255.248.0? This is a /21 subnet instead of a /29 --> 255.255.255.248). Search the forum and the tutorials on how to set this up.
  • AoN Clarification

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    K
    It won't delete any rules already there but if AoN is enabled no rules will be automatically generated for new LAN type interfaces, just like it states.
  • Setting up a Simple DMZ host

    Locked
    5
    0 Votes
    5 Posts
    22k Views
    jahonix
    Take care! What routers like the aforementioned do with one of the hosts on a switch port is far from being a DMZ! This is called an "Exposed host". Only SOHO marketing calls it a DMZ… Once you have a host exposed to the untrusted network (internet) completely, this machine can be compromised. Since it resides within the other machines' subnet it can easily spread malware or access other resources on your LAN. Make sure this host is really safe and locked down… An option you could choose is to get a VLAN-capable switch and define virtual subnets. This way you can set up a real DMZ and filter or block traffic between your subnets. Wikipedia has an article about it: http://en.wikipedia.org/wiki/Demilitarized_zone_(computing) but the German article describes the "exposed host" way better (it isn't mentioned in the English version at all...). http://de.wikipedia.org/wiki/Demilitarized_Zone
  • Port Forwarding works for some ports, not for others

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    M
    Thank you for the layout. In the meantime: figured it out, evidently VMware infrastructure WON'T work on a NAT'd port forward! So in order to make it work I either have to build a VPN, or give up an external IP (yuck!), unless someone has a bright idea. mckoz
  • NAT problem with an Alias containing multiple ports

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    P
    Similar problem here. I'm running pfSense 1.2.1 live from the CD as a test, in hopes that it can be used more permanently. I've got an alias defined that contains the same ports (80,443,3389), and in the same order.  80 is the first port defined in the alias. I have a NAT rule using this port alias that has automatically created a firewall rule for me, and… this rule works for me over port 80, but not over port 443. If however, I add an additional NAT rule that specifies port 443 instead of referencing my port alias, and give that rule higher precedence over that of the rule using the port alias, my test is a success... even across port 443. I too would like to know if I have overlooked something. Any suggestions you can offer are more than welcome. Thanks
  • CORRECTED: Odd NAT Timeout issue

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    W
    OK… I'm a moron... I looked a little closer and realized that the servers that I was attempting to connect to using a NAT defined on PFSense1 had PFSense2 defined as the gateway (both have IPs on the same subnet).  (that may cause some arp issues).  Given the fact that the inbound and outbound traffic is taking different paths and ending up on different interfaces on the PFSense box providing NATing services, I'm surprised that the SYN/ACK was ever received and that the session established. I additionally corrected the Static Routes to NOT include any locally attached subnets. After taking these two steps, the NATs work as expected. Brian
  • Port Forwarding + rewriting source ip

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli
    I never actually tested this. I "think" if you create an "advanced outbound NAT" rule that NATs from the WAN to your LAN it should rewrite the source.
  • Load balancing on bridging firewall (without NAT)?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    G
    @GruensFroeschli: Are you talking about a bridging firewall or about a router without NAT? first case: no second case: yes I was thinking about bridging but you've convinced me to do it by routing! :-) Thanks a lot, GFK's
  • Pfsense: Port forwarding behaves differently than a D-link router

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschli
    I'm not sure I understand correctly what the problem is. If you forward traffic then this traffic gets forwarded. There is no "However it does not send URL with with the port forwarding request so my ISA2006 does not like the request and apply the default behaviour of dropping/ignoring the request." part. Either it forwards the traffic or not. Also I'm not sure how exactly you used your additional /30 subnet. If it gets routed to your public IP, you can add the first usable IP in the /30 subnet to an interface on pfSense and the second usable IP to a server. If you created VIPs on the WAN then you should be able to make use of the first and the second IP. Just NAT forward from the VIPs to your servers in your private address space.
  • NAT port forwarding - 100% stumped.

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschli
    And you're trying to access the WebGUI of the AP? Can you ping the AP from the ping tool in the pfSense webGUI? Did you set the correct subnet on the LAN interface? (It can happen.) Did you set the correct default gateway on the AP? (I've had one where you couldn't set a default gateway…)
  • MOVED: Port forwarding seems to work a bit odd

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • NAT 22 SYN_SENT:CLOSED

    Locked
    4
    0 Votes
    4 Posts
    18k Views
    N
    Hi, Ooops, I didn't see it… so why is VIP configured? I mean, it is completely normal that WAN/LAN addresses are in different network ranges. I'm not using VIP so I may be wrong, but first back up the current config, then can you delete the VIP config and all the rules back to default, then add port forwarding only to see the packets are flowing pfSense and your linux box (172.22.41.2?). Turn your box back to factory default, check one by one, one at a time. That's all I can say for now. cheers,
  • PFTPX troubleshooting help

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    C
    pfSense developers confirmed that the behavior I am seeing is a known bug in pfSense 1.2-release.  The bug stems from the way that the ftp helper applications are started with CARP-type virtual IP addresses.  This is fixed in pfSense 1.2.1 Cubert
  • Help me connect to Router ADSL through Pfsense!!!

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschli
    Read the link above again. You have to create a rule above your load-balancing rule with the IPs of your ADSL routers as destination and * as gateway
  • New to pfsense need help on port forwarding

    Locked
    12
    0 Votes
    12 Posts
    13k Views
    AhnHEL
    You can try. System/Advanced At bottom of page under Network Address Translation Disable NAT Reflection Uncheck box
  • ADSL ROUTER TRAFFIC

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschli
    Then you have to configure your ADSL modem correctly or set it into bridging mode so pfSense can handle the additional IP's.
  • How-to setup 2 WANs + 2pfsense + 1 DMZ + 3 LANs

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    S
    Can I help to find the right way???
    1. You have 2 pfSense machines?
    2. Every pfSense has NICs (number them all, and list all IPs here)
    3. There is a difference between NIC configuration on pfSense and station configuration (subnet behind "pfSense1")
    Configuration with 1 router ("pfSense0") works fine… No additional tasks required!
    Now "pfSense0" must know what subnets it must pass to "pfSense1" (so you must write a static route on "pfSense0" for each subnet working behind "pfSense1").
    On "pfSense1" you must use only 1 "default Gateway" on the NIC that looks to "pfSense0" (it will be the WAN for this router). No additional steps required.
    I think you must understand the principles of routing...
    Now, the sample configuration:
    "pfSense0" NICs: pfSense0WAN0, pfSense0WAN1, pfSense0DMZ, pfSense0LAN
    "pfSense1" NICs: pfSense1WAN0, pfSense1LAN0, pfSense1LAN1, pfSense1LAN2
    pfSense0WAN0: Static IP: 70.169.215.103 Subnet: 255.255.255.24x Default Gateway: 70.169.215.102
    pfSense0WAN1: Static IP: 34.69.200.89 Subnet: 255.255.255.24x Default Gateway: 34.69.200.90
    pfSense0LAN: Static IP: 192.168.0.1 Subnet: 255.255.255.0
    pfSense0DMZ: Static IP: 192.168.1.1 Subnet: 255.255.255.0
    pfSense1WAN0: Static IP: 192.168.0.2 Subnet: 255.255.255.0 Default Gateway: 192.168.0.1
    pfSense1LAN0: Static IP: 192.168.2.1 Subnet: 255.255.255.0
    pfSense1LAN1: Static IP: 192.168.3.1 Subnet: 255.255.255.0
    pfSense1LAN2: Static IP: 192.168.4.1 Subnet: 255.255.255.0
    Now we have IPs, but have no routes. Add static routes on "pfSense0":
    1. Destination network: 192.168.2.0/24 Gateway: 192.168.0.2
    2. Destination network: 192.168.3.0/24 Gateway: 192.168.0.2
    3. Destination network: 192.168.4.0/24 Gateway: 192.168.0.2
    Now we have configured both routers... Now we'll configure the STATIONS in the subnets, not the routers!
    In subnet DMZ you must use 192.168.1.1 as default gateway,
    in subnet LAN0 you must use 192.168.2.1 as default gateway,
    in subnet LAN1 you must use 192.168.3.1 as default gateway,
    in subnet LAN2 you must use 192.168.4.1 as default gateway.
    Now disable DNS Forwarding on "pfSense1" and in all subnets use 192.168.0.1 as DNS.
    Don't forget about Firewall rules!!! Any questions?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.