Thanks.. it worked :D

Ah… When I put on a unic VHID Group on every carp IP everythig was ok... :-)

Becouse i want to disable NAT on router, maybe all port forwarding to pfsense wan interface wont make sense. If helps: [image: pfwanint.jpg] [image: pfrouter.jpg_thumb] [image: pfnatfor.jpg_thumb] [image: pfnatfor.jpg] [image: pfnatout.jpg_thumb] [image: pfnatout.jpg] [image: pflanint.jpg_thumb] [image: pflanint.jpg] [image: pfwanint.jpg_thumb] [image: pfrouter.jpg]

thanks for reply. i wait 1.3 release with impatient.

when Server A (192.168.4.250) tries to connect somewhere its "public" ip shows up as 200.200.200.250 However when someone tries to connect to 200.200.200.250 the port forward should route any packets on ONLY port 80 to Server B (192.168.4.240). technically if i were to 1:1 nat when someone connected back to 200.200.200.250 it would get sent to 192.168.4.250 and not to 192.168.4.240 and thats the problem :/ If i understand you correctly you want the VIP 200.200.200.250 to point to LAN IP 192.168.4.240 and the only thing you haven't done so fare is setting up NAT -> Outbound -> Manual Outbound NAT WAN  192.168.4.240/32  *  *  *  200.200.200.250  *  NO

Well to be honest i find it a bit strange that you have a subnet of 10.0.0.0/8 on your LAN, and at the same time traffic destined for 10.0.0.0/8 should be sent to a gateway. To me this seems a bit conflicting. I mean if something is in the same subnet than the interface itself this means you shouldnt have to send it to a gateway because it's directly reachable.

Do you know some possible things to look for that would interfere with this working? We have dual wan. We have multiple FTP servers tied to different virtual ips.

I'm not sure i really understand what you are trying. But you cannot NAT traffic into a IPSEC tunnel.

Just wanted to let everyone know it wasn't a Pfsense problem, but a Barracuda Webfilter that was causing the problem, still not sure how, but it was the problem.

I only have the backend code which has to be applied to the firewall at every reboot. I dont write interface gui code. But I can walk a coder to what needs to be done in the gui to make it work with the backend. Until someone is willing to do ti its not worth my time and effort to do so.

Well you could do it like this: Internal net: 10.1.1.128/25 External Net: 192.168.1.128/25 translates to 10.1.1.192/26  to  192.168.1.192/26 10.1.1.160/27  to  192.168.1.160/27 10.1.1.144/28  to  192.168.1.144/28 10.1.1.136/29  to  192.168.1.136/29 10.1.1.132/30  to  192.168.1.132/30 10.1.1.130/31  to  192.168.1.130/31 10.1.1.129/32  to  192.168.1.129/32 like this you dont have to create 125 rules but only 7

@tdickson: I would love to use this feature to get around - or mitigate PPTP issues. fricken seems to have hit a wall (either that or I can't figure it out)  and I have 90 public IP's I would love to randomize to help with PPTP connections… You said you can set it up non-GUI?  I've been searching around, and this post (with no answer) is about as accurate as I can come by. Any pointers are more than welcome. have you managed to get this to work? I'm looking into doing the same thing…

Yes. Search the forum for Advanced outbount NAT. EDIT: sorry i just realized that LAN per default gets NATed to all Interfaces. You shouldnt have to create any AoN rules. It should just work.

I am still getting this problem, I don't know if anyone can help…

Thats very enlightening, it looks like that should do the trick, but it doesn't want to cooperate. I also tried static DNS mapping while I was at it and if I tried pinging the host in question, it would show the ip address I mapped statically, but the ping would time out. This made me wonder if I had a firewall rule stopping traffic from flowing, but I tried a basic config with all interfaces allowed to pass all traffic to  all other interfaces (all wildcards), but still nothing. For now I'm content to use the local ip of the server when on the LAN, it's not that big a deal to have to remember. Thanks for the help though!

Ah, including SSH in the search term was showing other irrelevant postings.  Thanks for pointing me to those. To summarize for people who run into the same search pitfall: If you are running 1.2RC3 or later, adding the following tag to the <system>tag within config.xml will increase the timeout: <reflectiontimeout>3600</reflectiontimeout> where 3600 is the number of seconds worth of timeout. James</system>