• Problem with SIP softphone behind router

    Locked
    0 Votes
    2 Posts
    1k Views

    This might be something manual outbound NAT can solve. Have you tried using this?

  • Retain ports for VOIP

    Locked
    0 Votes
    2 Posts
    1k Views

    Might it be the case that you are doing double NAT with the router (192.168.1.1) in front of your pfSense?
    If so, you need to disable NAT on your router or, even better, use pfSense as your router instead.

  • WAN Public /24 LAN Public /24 LAN NATed private /16 172.16.xxx.xxx ?

    Locked
    0 Votes
    3 Posts
    2k Views

    Thanks for the solutions!

  • Cannot access inside global address.

    Locked
    0 Votes
    5 Posts
    1k Views

    I appear to already have this set.

    http://imgur.com/6YkdwFJ

  • NAT with large number of subnets/IPs?

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Forward Port to different Internal IP's based on Source IP

    Locked
    0 Votes
    2 Posts
    1k Views

    Yes, that's the purpose of source in port forwards.

  • NAT Reflection + Inbound Load Balancing

    Locked
    0 Votes
    2 Posts
    1k Views
    jimp

    For that you need extra NAT. The problem is that if your clients and servers are on the same subnet, the servers will respond directly back to the client, bypassing the load balancing; it doesn't really have much of anything to do with NAT reflection.

    What you need to do is go to Firewall > NAT and switch to manual outbound NAT. Then add a rule to translate on the LAN interface with a source of your LAN subnet and a destination of your LB pool servers, so it will alter the traffic so it looks like it comes from the source address of the firewall.

  • Redirect traffic from internal ip to external ip directly to server

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Outbound Port Forwarding

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • NAT66

    Locked
    0 Votes
    7 Posts
    3k Views

    //And completely miss the point of IPv6. Just route it. If you need multiple internal subnets, give up doing local SLAAC and use subnets smaller than a /64 and use NPt to map them to segments of your routed /64. Or find a non-stingy ISP that will give you a few prefixes (a /60, /56, or /48 are also common).//

    Well, I don't think it's an option to drop SLAAC by going to smaller subnet sizes. Static addresses are no option in roaming environments and most devices don't even support DHCPv6 :-(
    I'll probably change my ISP and live with the lower bandwidth (my current ISP is switching to DS-Lite and dropping native IPv4 as well).

    What speaks for NAT66 is that you could at least run one subnet via NAT66, e.g.:
    The ISP hands out an IPv6 address to the WAN interface and delegates a /64 via prefix delegation. I could use the /64 for one subnet and the IPv6 WAN address via NAT66 for another subnet with ULAs.
    So only one subnet would have to live with NAT…

    Complicated stuff. But I'm glad pfSense supports IPv6 so well at this moment. I've looked at other "ready to use router distributions" and a lot don't even support IPv6 in any way...

  • NAT with TWO WAN interfaces [SOLVED]

    Locked
    0 Votes
    2 Posts
    1k Views

    Problem solved:

    OPT1 was missing gateway declaration in OPT1 Interface settings.

    Once I defined the next hop router (towards cloud) as the gateway, NAT worked.

    doh. ;D

  • Mail server outbound traffic

    Locked
    0 Votes
    3 Posts
    1k Views

    Thank you.

    No, I don't need to use a VIP (I have one static IP per WAN). I need the mail server to use the specific WAN to send mail outside and if this line is down, it will not send.

    So I need a LAN to WAN rule.

    Best regards

    Kostas

  • Pfsense blocking some clients

    Locked
    0 Votes
    1 Posts
    878 Views
    No one has replied
  • Https svn access via dyn from LAN

    Locked
    0 Votes
    2 Posts
    1k Views

    Disabling "Disable NAT Reflection for port forwards" fixed the issue.
    Is there any downside to this?

  • Cannot ping webserver from inside PFsense network

    Locked
    0 Votes
    5 Posts
    2k Views

    Okay….

    Seeing something different here.

    My trouble IP 187 gives me this readout

    $ route -n get xxx.187
       route to: xxx.187
    destination: xxx.184
           mask: 255.255.255.252
      interface: em1
          flags: <UP,DONE>
     recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
           0         0         0         0      1500         1         0

    when the good one that is routing correctly does this...

    $ route -n get xxx.188
       route to: xxx.188
    destination: default
           mask: default
        gateway: xxx.185
      interface: em1
          flags: <UP,GATEWAY,DONE,STATIC>
     recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
           0         0         0         0      1500         1         0

    Thank you for all your help

  • 0 Votes
    2 Posts
    2k Views

    I'm no coder, but you might be able to borrow some stuff off pfBlocker?

  • Comcast - One Dynamic IP - Five Servers

    Locked
    0 Votes
    13 Posts
    6k Views

    Thanks. I'll check out the link.

  • 2.0.3 - Advanced Outbound NAT - Can't delete any rules

    Locked
    0 Votes
    3 Posts
    2k Views
    jimp

    Also note there is no per-rule X on 2.0.x, that is new on 2.1. There is one X at the bottom, you click a row to select it or check the box, then click X to delete them in a batch.

  • 2.0.1 NAT Problem (weird one ;) )

    Locked
    0 Votes
    5 Posts
    3k Views

    The pfSense has a default gateway set.
    The server I'm trying to reach uses the pfSense LAN IP (192.168.0.233) as gateway and DNS, like everything behind the pfSense, set by the DHCP on the LAN interface. I have access to the internet from any computer on the LAN subnet.

    Packet capture on the LAN gives me this when I try to reach port 3389 from outside:
    20:49:37.470757 IP 82.230.xx.xx.3580 > 192.168.0.215.3389: tcp 0
    20:49:37.471012 IP 192.168.0.215.3389 > 82.230.xx.xx.3580: tcp 0
    20:49:40.495602 IP 82.230.xx.xx.3580 > 192.168.0.215.3389: tcp 0
    20:49:41.898936 IP 192.168.0.215.3389 > 82.230.xx.xx.3580: tcp 0
    20:49:46.491187 IP 82.230.xx.xx.3580 > 192.168.0.215.3389: tcp 0
    20:49:50.550320 IP 192.168.0.215.3389 > 82.230.xx.xx.3580: tcp 0

    And yes, the server (0.215) is running well; I can access it from the LAN subnet.
    Thanks for trying to help.

  • Need Help with NAT

    Locked
    0 Votes
    3 Posts
    2k Views
    johnpoz

    Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description

    Where is your nat address in those rules?

    If you see above I posted the headings from the nat rules, I don't do any natting on my lan side - but only from lan to wan.  But don't you still need a NAT address to use?  In my drop down you can pick the interface address or setup a different IP, yours is just showing *?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.