Hint: Use aliases if you don't want to change multiple settings.  ;)

Hi,
I succeeded into making a similar config up and running.
I had to add Firewall rules on the OPT1 to allow traffic to 192.168.1.231

jy  :)

@Cry:

This has previously been discussed, if you searched the archive you'd already have the answer.

Firewall -> NAT -> Port Forward

Assuming you're trying to direct all systems on the LAN to an external mail server on an alternate port, pick LAN as the interface, "any" as the external address, 25 as the external port range, the public mail server's IP as the NAT IP and 2525 as the "local port".

Thanks. I didn't guessed this used in such way.

NAT through IPSEC won't work. There even has been a bounty for such a feature but the problem is that the traffic goes into the tunnel before we could even send it throgh NAT the way it is implemented into freebsd. There is no way to do this currently.

search "ping VIP" –> http://forum.pfsense.org/index.php/topic,4499.0.html

Afaik you cant ping PARP VIP's.
Use CARP VIP's instead (even if you dont use CARP-functions)

I found what problem. but need help
1. if i have this cheme. all NAT working
workstation (ip 10.0.0.30) –--->pfSense/bridge(10.0.0.3)----->cisco1700(10.0.0.1)
gw 10.0.0.3 <=-

2. but on this scheme Nat not worked
workstation (ip 10.0.0.30) ----->pfSense/bridge(10.0.0.3)----->cisco1700(10.0.0.1)
gw 10.0.0.1 <=-

What i can do in 2 scheme for working NAT?

Thank you dotdash,

I had an error in my thinking… I did have the private natted LAN set to use the FW lan ip as the GW.

I will go back and double check everything now and reset the default LAN allow rule.

ok thanks for the help

I Alread Try to put the 78.10.1.97/28 addres in the Lan and conect other computer to a OPT1 and make a rule to pass all trafic from that OPT1 to the Banck Address Thru the lan  but the VPN not Estabilish. The vpn only work when that especific address is in My network

I didnt notice before but dotdash is right.

With PARP you need to specify the correct IP with /32 If you want to map only one IP. With CARP you need to specify the actual CIDR subnet of the IP in your case /29.

PARP should work in your case too but if you want to run services on the pfSense on this VIP you should use CARP.

You can do this with a properly configured apache.
But not with pfSense directly.

that fixed it, thanks man :)

Hello I have tried that but doesnt seem to be working

see my picture for how its setup in the port forward page

portforward.jpg
portforward.jpg_thumb

Thanks to cmb and mrzaz for the response.

Now that I have checked from an outside host, I seem to be able to browse the web server – which I couldn't from inside, which means redirection is working. Also, I didn't know that they could be handled in such a different way in PF -- apparently a lack of experience with that.

But that solves the trouble for the time being. Thanks for the links to pf doc, I'm reading it at the moment.

Thanks again.

Regards

The port forward needs to be on WAN, not OPT1.

Ok.  I added a rule to forward port 80 and that works great!  Thanks!

But I don't know all of the ports that need to be forwarded.  Ideally everything.  I see that reflection is limited to <501 ports.

Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports.

Can you recommend a better approach to solving this?

Thx

firewall, rules, lan:
tcp,lan net,,,443-https,wan-gateway
Make sure this rule is before the default that point to the load balancer.
Better solution is to make a balancer pool and a failover pool. point to the failover for https, point default to balancer.

Update - since what I have been reading pointed to the issue being resolved with AON I decided to try it.  I kept the default wan rule and added a copy of it pointed at opt1 (wan2).  After resetting the states and waiting a short period of time I tested the remote phone and it is working perfectly now.

Thank you for a great product!!!