• Script to Enable/Disable Firewall Rule

    2
    0 Votes
    2 Posts
    2k Views
    @defiantmofo: Is there a way an admin could run a script from the local network to enable/disable a firewall rule? I wouldn't need to do this remotely, only at home on the same network. I've searched around a bit, but couldn't find any solid info. Thanks!
    Not sure about disabling a rule… but here is what I have implemented... Via a web page I update the file pointed to by a URL alias (see Aliases->URLs tab, then select URL Table when creating the alias). The web page then calls some PHP code to tell pfSense to update the URL table. In order to implement this approach you'd have to run a web server (see vHosts package). Why am I doing this? I've got a list of addresses that are used by a rule. The web page updates the list of addresses - which changes the function of the rule. I know this doesn't do exactly what you are asking. However, with a little digging and creativity, I'm sure you could find the code that disables a rule and call it from a web page.
  • Migrate configuration from Shorewall to Pfsense.

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Stopping my pfsense router from showing my login page on the internet.

    20
    0 Votes
    20 Posts
    4k Views
    johnpoz
    Well that looks right – you have a public on your wan and then private on lan.. So 213.64 is inetnum:        213.64.0.0 - 213.64.255.255 netname:        TELIANET So what is your vpn IP, that 10.8.0 you see is PRIVATE rfc1918 addressing -- that is not traceable or routable on the public net..
  • Port Forwarding with multiple WANs

    11
    0 Votes
    11 Posts
    10k Views
    Hi Jimp
    @jimp: Having such NAT on each WAN works fine, provided your firewall rules and WAN config are proper.
    #1 - Make sure you do NOT use an interface group for WAN firewall rules - Rules on interface groups won't get the reply-to tag to ensure the return traffic exits the proper WAN. Make the rules on the actual WAN/WAN2 tab.
    #2 - Make sure the firewall rule(s) do not have the box checked to disable reply-to.
    #3 - Make sure the master reply-to disable switch is not checked, under System > Advanced, on the Firewall/NAT tab.
    #4 - Make sure your WAN and WAN2 interfaces have a gateway selected on Interfaces > WAN/WAN2, not having a gateway selected on the Interface page will also make the system omit reply-to on the rules.
    Great post, thank you for this. It provided me with the needed pointer to make this work for us. The only thing I had to do different to make this work, is not select a gateway for the individual rules. With a gateway for the individual rules, it created route-to rules (pfctl -sr), without it creates reply-to rules. We are running 2.1-BETA1 snapshot from 1 April. I do have a gateway selected on the interfaces pages.
    Thanks again
    McGlenn
  • Forwarding based on target domain name

    2
    0 Votes
    2 Posts
    1k Views
    Cry Havok
    It's only possible for HTTP, but yes you can. You can use Squid3 for this as a Reverse Proxy.
  • NAT with Port based Subdomain ?

    1
    0 Votes
    1 Posts
    906 Views
    No one has replied
  • Outbound of port

    3
    0 Votes
    3 Posts
    1k Views
    johnpoz
    What? I think you might get better help in forum section with your native language.. That does not seem to be English. What do you mean by balancing and returns with 1241?? Yes it will have a source port – all tcp connections will have a source port and a destination port. So pfsense sends the traffic to 1420 with what source port?? So you're taking inbound dst port to 9090 and forwarding to server on 1420, that is all good.. But the server would then answer to the source port that communication came from. So the return traffic would be from source port 1420 to whatever the source port that traffic came from.
  • Automatic NAT Rules Generation not being generated for static routes

    2
    1 Votes
    2 Posts
    2k Views
    No one has replied
  • Port forwarding to LAN PC behind pfsense openvpn client

    4
    0 Votes
    4 Posts
    3k Views
    Problem Solved, it was wrong IPs in Nat
  • Port and Subdomain

    1
    0 Votes
    1 Posts
    816 Views
    No one has replied
  • [SOLVED]Issues Running 2 FTP Servers, 2nd One on Another Port Has Issues

    5
    0 Votes
    5 Posts
    2k Views
    ghostshell
    Thanks so much! The option to put my external address fixed the issue.
  • Manual Outbound NAT for a single host

    3
    0 Votes
    3 Posts
    6k Views
    Thanks for your reply. No, I successfully added a manual NAT rule and it's working fine
  • 1:1 confusion

    9
    0 Votes
    9 Posts
    4k Views
    Nevermind.. it started working. I suppose it was an issue from my "wan" that is actually a nat to someone else.
  • Internal to Bridge problem

    1
    0 Votes
    1 Posts
    938 Views
    No one has replied
  • Pfsense 2.1 NAT redirect of port 80 (http) not working

    4
    0 Votes
    4 Posts
    2k Views
    Any chance this is on a residential connection? I.e., are you sure your ISP isn't filtering inbound port 80?
  • NAT problem after upgrade to 2.1

    1
    0 Votes
    1 Posts
    936 Views
    No one has replied
  • 1:1 NAT? VIP? Trying to create what I believe is a transparent bridge

    2
    0 Votes
    2 Posts
    1k Views
    Not sure if I can bump here but seems appropriate. I have read many prior discussions about 1:1 NAT, Outbound NAT, reflection, VIPs, etc. Round and round I have gone but I still can't figure out the scenario I am looking for, which seems a basic implementation.
  • MOVED: Transparent Squid + NAT = slow connection

    Locked
    1
    0 Votes
    1 Posts
    691 Views
    No one has replied
  • Having two subdomains on one public IP address behind pfSense router

    3
    0 Votes
    3 Posts
    3k Views
    I'm doing that with Squid3 package that has reverse proxy. Don't know where I found the howto but here is a short recap of what I did.
    Remove old NAT and FW rule for port 80
    Add new NAT on WAN for port 80 to 127.0.0.1 and a new chosen port for example 9000
    Add new FW rule on WAN with dest 127.0.0.1 port 9000
    In squid3 general set interface to loopback, set your external address in FQDN, enable reverse proxy on port 9000
    In squid3 webservers add your servers with their IP data
    In squid3 mappings map your servers to the right domain names for example "www.example.com" and "example.com"
    Think that was all there was to it.
  • Help with Port Forwarding

    8
    0 Votes
    8 Posts
    2k Views
    johnpoz
    Well if you want to play with ipv6 then you will have to move to 2.1 - if your setup is generic then just do clean. Maybe I am spoiled with running mine on vm, but it takes no time at all to try this version of that version - if need be roll back, or just switch to different vm running different version, etc. Every now and then if someone has issue with older version I want to try and duplicate I just fire up a vm with that version on it, etc. So maybe I am spoiled with time to spend - since there isn't any really, only takes minutes to switch around what distro I use for my router - be it pfsense, ipcop, m0n0wall, etc. Since I can have the VM use the same mac as its wan don't even need to restart my cable modem.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.