• 0 Votes
    19 Posts
    4k Views
    F

    Marjohn you smashed the nail on the head!

    Set bridged network from router, config WAN interface for PPPoE and boom we're live 8).

    Thanks both, much appreciated.

    Regards,
    Ryan

  • Port forwarding and loopback

    3
    0 Votes
    3 Posts
    2k Views
    M

    OK, I had configured a totally wrong setup. :(

    I can configure each ISP router to use a different LAN address, network and DMZ, but cannot get a public IP. All had to use DMZ, no possibility to set up bridge mode :(

    I need load balancing for LAN computers, and I need my servers to be accessible from all 4 of my public IPs.

    All internal IP configuration can be changed. All my internal servers can be reconfigured (Debian). My pfSense box has 5 Ethernet cards, so there are many possibilities :)

    I don't need any additional security for now.

    What do you suggest then? For testing, the simplest solution will be best.

  • Outbound data from an internal server to use a virtual IP

    4
    0 Votes
    4 Posts
    739 Views
    Derelict

    You can use an alias there.

    Source: Network: Type an alias name

    It is admittedly not as clear as it could be.

  • Cannot figure out how to connect to a computer on my network remotely

    7
    0 Votes
    7 Posts
    1k Views
    L

    OK, that's taken care of the remote login! Thank you.

    That was a remarkably useful guide.

    Now, as for the other issue, I seem to have "solved" it by creating two instances of my security cameras, one for "inside" my LAN and one for "outside" my LAN. Seems to work for now, but I'd still like to know what's going on.

  • Mobile IPSec to other IPSec tunnel with address translation

    2
    0 Votes
    2 Posts
    493 Views
    S

    Ok, I'm pretty sure I understand why the 1:1 NAT rule doesn't work: both IPSec tunnels run on the same virtual network interface, so the packets never go through the firewall.

  • Link internal host to external (v)ip

    2
    0 Votes
    2 Posts
    524 Views
    F

    Never mind, I just found my solution. I did do the 1:1 NAT but previously made some additional rules that were interfering. Deactivating them solved the problem.

  • Cannot access services through WAN IP from internal network

    14
    0 Votes
    14 Posts
    5k Views
    B

    @Derelict:

    NAT reflection is not testing connectivity from the outside, as you stated you want to test. If you want to test that you need to test from the outside.

    NAT reflection tests NAT reflection. It allows the convenience of inside hosts being able to connect to the outside IP address from the inside, but it does nothing to actually test connectivity from the outside.

    And it works. If it is not working you have it configured incorrectly.

    I believe I understand what you are saying, but I think there is some confusion around this situation. I only want to test that connections coming from inside destined for my WAN IP are able to make it to their destination without using split DNS, which would resolve the WAN IP to an internal private IP because the source is coming from an internal address. Does that make sense, or is NAT reflection doing the same type of conversion? Also, I agree it must be misconfigured since it is failing, but I followed the guide exactly without success. This is why I am confused.

  • NAT Problem!

    8
    0 Votes
    8 Posts
    2k Views
    johnpoz

    That drawing is horrific!!!

    So your clients are behind pfsense on a 10.0.0/24 network??

    So pfsense wan is 125.x.x.x.. So you have a client trying to hit your webserver via your public IP..  For that to work you have to have set up NAT reflection.  But if your client on 10.0.0.5 wants to talk to client 10.0.0.10, why not just resolve abc.com to 10.0.0.10 on pfsense via a host override!!

  • What is "Default" when using a NAT pool

    2
    0 Votes
    2 Posts
    792 Views
    C

    anybody?

  • Two PCs work with forwarded ports, new one does not

    1
    0 Votes
    1 Posts
    503 Views
    No one has replied
  • Two pfsenses FW sharing same public switch - GW , NAT doesn't work

    2
    0 Votes
    2 Posts
    510 Views
    V

    Check if the WAN interface network mask is set correctly on both boxes.

  • NAT Portforwarding - tcpdump - Debug (Packet Capture) - difference

    10
    0 Votes
    10 Posts
    3k Views
    johnpoz

    "I have to define 6 WAN interfaces. Any other way?"

    Huh???  You would normally just put the vips on the interface actually connected.  I don't even think pfsense will let you bring up another interface in the same network??  So I'm at a complete loss as to what you have done.

    If you have been given say 1.2.3.0/29 where gateway is 1.2.3.1 and you can use .2 -.6  You would say give pfsense the .2, then create VIPs on this interface for your .3, .4, etc.  You would then forward your traffic that hits your different vips.. Ie if dest is 1.2.3.6 port 80 forward to 192.168.1.100:80, if hit .5 then 192.168.1.99:80, etc.

    You can name optX anything you want.  If you gave it a gateway on the interface then it would auto think its a "wan" interface and allow for natting to this interface, etc.  This is how you bring up different wan connections when you have different ISPs etc.

    But again I am like 99.99% sure pfsense will not let you create another interface and put an IP on it that overlaps another interface's network..  So what you have done I have no idea.

  • NAT Problem over Ipsec. Virtual IP on LAN interface

    1
    0 Votes
    1 Posts
    857 Views
    No one has replied
  • 0 Votes
    1 Posts
    497 Views
    No one has replied
  • Problem with access to nat 1:1 server from internal LAN

    3
    0 Votes
    3 Posts
    1k Views
    M

    Kazzuja, did you manage to resolve your issue?
    Especially the part where you can ping the external IP…

  • Another multiple WAN -> 1:1 NAT still unstable

    5
    0 Votes
    5 Posts
    2k Views
    W

    I have several WAN interfaces (8 at the moment) and it should listen on just 1 interface. I'll try disabling NAT 1:1 for this interface and do port forwarding. The other way around it is working fine; I can reach the internet from the local server, but it is still strange that NAT 1:1 works fine for 7 interfaces but not for number 8.

    Thanks,
    Roger

  • Reroute or NAT

    10
    0 Votes
    10 Posts
    2k Views
    JKnott

    I guess they need to provide a firmware update, with the new address.  ;)

  • 1 Public IP 2 webservers, how to route traffic

    10
    0 Votes
    10 Posts
    2k Views
    M

    It can be done with squid as a reverse proxy (I did it).
    It can be done with HA-Proxy (I'm doing it ;) )

    In HA-Proxy you will need two backends.
    One for each server you want to forward traffic to. (You can specify them by IP address - no need for DNS for that.)

    You will need one HA-proxy frontend listening on your wan address port 443.
    On that frontend I would configure two ACLs:
    one that says that if the hostname is ws1.domain.com send it to backend 1
    the other one would handle the ws2.domain.com hostname and send that to backend 2.

  • How to NAT packets coming from IPSec interface back to IPSec?

    6
    0 Votes
    6 Posts
    2k Views
    I

    @isolatedvirus:

    PFSense as far as I can tell ignores its own PBR, and uses the routing setup in System->Routing

    @Derelict:

    Traffic generated on the firewall itself does not enter an interface and that leaves only the routing table.

    thanks for confirming.

  • TCP Spurious Retransmission

    5
    0 Votes
    5 Posts
    4k Views
    N

    I found the solution.

    In a virtual network there are no checksums. So what I had to do was to disable tcp checksum offloading.
    Here are the two sources with more information that I used:
    https://forum.pfsense.org/index.php?topic=88467.0
    https://serverfault.com/questions/581265/disable-tcp-checksum-offloading-on-kvm-virtual-network

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.