• Pfsense behind an IPCop firewall

    Locked · 0 Votes · 6 Posts · 3k Views · last post by johnpoz

    "and you always have to specify a gateway specific to that subnet to enable that subnet to see the Internet"

    Yes, you set a gateway on the clients to IPCop's LAN interface IP, but you don't set a gateway on that interface to itself. This was my point. Yes, devices on that segment that want to get OFF that segment need a gateway, which would be the LAN IP of either pfSense or IPCop. But the interface itself, on IPCop or pfSense, does not point to itself as the gateway.

    edit: I just booted IPCop on a virtual machine, and NOWHERE did it ask me to set up the GATEWAY on my GREEN (LAN) network.

    Do you mean what you put in the RED (WAN) interface for a gateway if it is set to static?

    Where would you ever get the idea that you would set an interface to use itself as the gateway? You cannot talk to yourself to get OFF the network. Yes, it would use itself to talk to the network it's on, which could be seen as the gateway for that network. But NO, sorry, you don't set IPCop or pfSense to use a LAN gateway -> unless you were going to have routes off that interface to some other network inside yours.

    Attachments: green.jpg, red.jpg

  • Possible NAT issue with 3CX SIP softphone

    Locked · 0 Votes · 1 Post · 2k Views · No one has replied
  • Firewall: NAT: Outbound

    Locked · 0 Votes · 4 Posts · 2k Views · last post by jimp

    It's best to leave the loopback rules, they're for traffic from the firewall itself.

  • [BUG] Disabled Outbound NAT entry does not appear grayed out

    Locked · 0 Votes · 6 Posts · 2k Views · last post by jimp

    If no NAT is applied, the source address is left alone.

    Most people would never need such a rule, but there are some out there that do. It's sometimes more useful to "do not nat" based on the destination rather than the source.
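    The outbound NAT behaviour jimp describes in the two replies above (the loopback rules for traffic the firewall itself originates, and a "do not NAT" rule keyed on destination rather than source), written out in the pf syntax that pfSense generates underneath its GUI. This is an added example, not rules taken from the thread or from pfSense's own configuration; the interface names, networks and the partner network reached over a tunnel are assumed.

```pf
# Added example (not from the thread): a manual outbound NAT section in
# pf syntax. Interfaces and address ranges below are assumptions.
wan_if      = "em0"
lan_if      = "em1"
lan_net     = "10.0.1.0/24"
partner_net = "172.16.50.0/24"   # assumed remote site over a tunnel; must see
                                 # our real private source addresses

# pf evaluates translation rules first-match, so the exception has to sit
# above the catch-all rule or it is never reached. Matching on destination
# is the usual way to do this: any LAN host talking to the partner keeps
# its own source address.
no nat on $wan_if from $lan_net to $partner_net

# The "loopback" rules. Packets the firewall itself sends (local daemons,
# a proxy bound to localhost, IKE) carry a 127.0.0.0/8 source; without a
# translation they leave the box with that source and never get a reply.
# The first rule keeps UDP/500 on its original port so IPsec IKE is not
# rewritten.
nat on $wan_if proto udp from 127.0.0.0/8 to any port 500 -> ($wan_if) static-port
nat on $wan_if from 127.0.0.0/8 to any -> ($wan_if)

# Everything else from the LAN is translated to whatever address the WAN
# interface currently holds (the parentheses re-read it on change).
nat on $wan_if from $lan_net to any -> ($wan_if)
```

    When switching pfSense from automatic to manual outbound NAT, the loopback rules and the per-network catch-all are exactly what the automatic mode had been generating; the only genuinely new line in a setup like this is the `no nat` exception.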

  • 0 Votes · 4 Posts · 1k Views

    If you have rules allow any any, then they will see each other.

  • Adding a NAT 1:1 mapping to ISP public IP stops internet access

    Locked · 0 Votes · 13 Posts · 7k Views

    Turns out they had given me a set of static IPs that were invalid. So of course the netmask and gateway didn't correspond with them either. When I attempted to plug them into my pfSense WAN interface, I didn't have any connectivity. Since they've reissued a new, valid set of IPs that are entirely different from the original set, it's no wonder I couldn't connect.

    What a relief. Looking back, I would never have connected. And it wasn't until I insisted on a new block of IPs that it would ever have worked.

  • Port Forwarding not working

    Locked · 0 Votes · 1 Post · 1k Views · No one has replied
  • Having issues with port forwarding

    Locked · 0 Votes · 1 Post · 1k Views · No one has replied
  • Multiple web servers behind PFsense

    Locked · 0 Votes · 11 Posts · 17k Views

    Nice explanation, I now understand that part. My next question is how I can assign a static IP to one interface. I'm using the WatchGuard Firebox 550e:
    interface 0 is WAN
    interface 1 is LAN 1, 10.0.1.1
    I want interface 2 to be a public IP. How can I achieve this? That's my second biggest problem.

  • The Dreaded Double NAT

    Locked · 0 Votes · 3 Posts · 2k Views

    You could also change from automatic NAT to manual and remove any rules. This will keep the firewall rules in place. This is called a routed solution. Your upstream devices just need a route to make sure that any traffic to and from your LAN net (in pfSense) goes to the correct gateway. Otherwise, you just have to make sure that you allow traffic from the different subnet behind pfSense.
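    The routed (no double NAT) arrangement described in the reply above, as an added example in pf syntax rather than configuration from the thread. It assumes pfSense has 192.168.0.2/24 on WAN behind an upstream router at 192.168.0.1, with 10.0.1.0/24 on its LAN; the interface names are also assumed.

```pf
# --- pfSense side (added example; interfaces and addresses assumed) ---
wan_if  = "em0"          # 192.168.0.2/24, upstream router is 192.168.0.1
lan_if  = "em1"          # 10.0.1.1/24
lan_net = "10.0.1.0/24"

# Routed: there are no nat or rdr lines at all. Packets leave the WAN with
# their real 10.0.1.x source, so the upstream device sees the LAN hosts
# individually instead of one 192.168.0.2 address doing everything.

# Filtering is unchanged; only the translation went away.
block in all
pass in  on $lan_if from $lan_net to any
pass out on $wan_if from $lan_net to any
# Only if hosts on the upstream LAN should reach ours; otherwise omit.
pass in  on $wan_if from 192.168.0.0/24 to $lan_net

# --- upstream device ---
# It has to know where 10.0.1.0/24 lives. Without this route its replies
# go to its default gateway (the ISP) and are dropped there:
#   FreeBSD:  route add -net 10.0.1.0/24 192.168.0.2
#   Linux:    ip route add 10.0.1.0/24 via 192.168.0.2
# If the upstream device does the NAT to the Internet, its outbound NAT
# must also cover the extra source network, e.g. in pf on that box:
#   nat on $isp_if from { 192.168.0.0/24, 10.0.1.0/24 } to any -> ($isp_if)
# and any "allow from my LAN" rule there needs 10.0.1.0/24 added to it.
```

    The check after the change is a traceroute from a 10.0.1.x host: the upstream router should answer the first hop after pfSense with the client's own address intact, and return traffic from the Internet should arrive at pfSense's WAN rather than vanishing at the upstream router.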

  • Port forward to wan

    Locked · 0 Votes · 3 Posts · 1k Views

    I'm trying to run multiple VPSes that require a dedicated IP, and switch them to local IPs.
    I have:
    5 static IPs
    3 servers
    one gigabit switch
    2 pfSense firewalls
    2 IPs for the DNS servers
    1 IP for the SSL for the payments gateway
    and 2 IPs for the NAT

    The VPSes will have class A local IPs, 10.0.1.2-10.0.245.245.
    Each DNS server will be hosted inside a VPS with a dedicated public IP listed below.
    DNS IPs:
    dns: 196.xx.xxx.226
    dns2: 96.xx.xxx.227
    SSL: 96.xx.xxx.228
    The firewall will use
    96.xx.xxx.229-230

    I will do a port forward from a public IP to the local IP, which I have learned how to do.
    I just can't get the public IP to be NATed to another public IP. How do I achieve that?
    I will be using the following interfaces:
    sk0 = 96.xx.xxx.229, WAN
    sk1 = local NAT, 10.0.1.1/24
    sk2 = dns1, 96.xx.xxx.226
    sk3 = dns1, 96.xx.xxx.227
    sk4 = ssl, 96.xx.xxx.228

  • I need a sanity check

    Locked · 0 Votes · 2 Posts · 1k Views

    I am not sure exactly what you mean here. The default action is to block on all firewall tabs except Floating, so your block rule at the bottom is redundant unless you have special options set. So you are only going to allow certain ports through. First, if it doesn't need to be open, don't open it. Using alias grouping is ideal for that: put all your web servers in an alias and then open port 80 for that alias. If your servers are not running on port 80 and you open it, traffic will be allowed to the server if the firewall port is open, but there will not be anything to respond.
    In 1:1 NAT there isn't a way to tie a rule to a VIP other than putting it in a rule manually. It doesn't work like port forwards.
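    The three points in the reply above (alias grouping with one rule per service, the default deny that makes a trailing block rule redundant, and the pass rule a 1:1 mapping does not create for you) in the pf syntax pfSense writes from its GUI. Added example, not rules from the thread; the interface name, the documentation-range public addresses, the VIP and the server addresses are assumed.

```pf
# Added example (not from the thread): alias grouping, default deny, and a
# 1:1 NAT whose pass rule has to be written by hand. Interface name and
# every address below are assumptions.
wan_if  = "em0"
wan_ip  = "203.0.113.10"   # primary WAN address
vip_app = "203.0.113.11"   # virtual IP on WAN, mapped 1:1 to app01
app01   = "10.0.1.20"

# A pfSense alias is a pf table. One table, one pass rule; adding a
# server later is a table edit, not another rule to audit.
table <webservers> { 10.0.1.10, 10.0.1.11, 10.0.1.12 }

# 1:1 NAT: binat maps app01 <-> vip_app in both directions (inbound
# connections to the VIP reach app01, app01's outbound traffic leaves as
# the VIP).
binat on $wan_if from $app01 to any -> $vip_app

# Ordinary port forward for the web farm, spread over the table
# (pf's round-robin pool; with a single WAN address pfSense needs one
# port forward per distinct port or VIP instead).
rdr on $wan_if proto tcp from any to $wan_ip port 80 -> <webservers> round-robin

# Default deny on WAN. pfSense adds this itself on every tab except
# Floating, which is why a trailing "block everything" rule in the GUI is
# redundant unless you set it to log.
block in log on $wan_if all

# Open only what is needed. Filter rules see the post-translation
# destination, so they are written against the private addresses, and the
# table keeps this to a single line.
pass in on $wan_if proto tcp from any to <webservers> port 80

# The 1:1 mapping does NOT create a pass rule: without this line the VIP
# answers nothing. List only the ports app01 actually listens on; opening
# 443 for a server that only runs port 80 lets the SYN through to a reset
# from the host, it does not make a service appear.
pass in on $wan_if proto tcp from any to $app01 port { 80, 443 }
```

    To confirm the rule actually bites, `pfctl -sr` on the firewall should list the pass rule with the private address as its destination, and a connection attempt to the VIP on a port not in the list should show up as a block in the log rather than a reset from the server.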

  • Allworx PBX busy signal

    Locked · 0 Votes · 1 Post · 1k Views · No one has replied
  • IAX2 and PF Sense weirdness

    Locked · 0 Votes · 4 Posts · 3k Views

    I totally forgot about this.

    The providers system was busted. Junked them and went with another provider and it all went away. Not sure how it was busted, just was.

  • ICMP NAT

    Locked · 0 Votes · 24 Posts · 10k Views

    @PurpleOfPants:

    if it's that simple…

    For the avoidance of doubt, it is that simple. Fantastic  :-*

  • Forward port to external IP

    Locked · 0 Votes · 2 Posts · 1k Views

    If you set up an outbound nat rule for it, that port forward should work.  All forwarded traffic will be seen as coming from 1.1.1.1.

  • Adding 1:1 NAT to existing NAT-Rules

    Locked · 0 Votes · 4 Posts · 2k Views

    Hmm... why 1:1 NAT???

    I (which is just a personal opinion) think that just normal NATing is better, as you have MUCH more control.
    Secondly, why do you not just use AON, where you just say what subnet or host should be NATed out on what public IP?
    This is what I am doing here with 3 WANs with 5 publics on each. Works like a charm.

    Just be aware, if you are not using AON and are going to switch to it, MAKE SURE that the config is correct, as you are saying that killing the internet would be very harmful.

    Anyway hope you get this solved.

  • Squid transparent proxy breaks 1:1 NAT + NAT reflection

    Locked · 0 Votes · 9 Posts · 3k Views · last post by jimp

    No because the proxy is the one making the outbound connection to the web server, not the originating client. Nothing you do will make that appear to originate from the actual client IP.

    There were some kernel hacks/patches for Linux out there (tproxy, I think) but I'm not sure anything like that exists on FreeBSD.

  • How to allow all VIP's to access internet

    Locked · 0 Votes · 3 Posts · 1k Views

    Very good, I will try that next. Thank you so much for your reply!

  • NAT works fine from external network, but not internal network

    Locked · 0 Votes · 5 Posts · 1k Views

    I suspected it might have been a technical limitation. I was aware of the split DNS solution but I didn't really like it. NAT reflection is what I would prefer, cheers for the tips.
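    The "Forward port to wan" reply further up and the NAT reflection reply above come down to the same pf mechanism: an rdr that rewrites the destination, plus a nat on the same interface so that the reply path crosses the firewall instead of going straight back to a client that never talked to that address. Both are shown below as one added example in pf syntax, not configuration from either thread; interface names and addresses are assumed, and 203.0.113.10 stands in for the "1.1.1.1" of the earlier reply.

```pf
# Added example (not from the threads): two port forwards that only work
# when an outbound NAT rule accompanies the rdr. Interfaces and addresses
# are assumptions.
wan_if  = "em0"
wan_ip  = "203.0.113.10"   # plays the role of "1.1.1.1" in the earlier reply
lan_if  = "em1"
lan_net = "10.0.1.0/24"
web     = "10.0.1.11"      # internal web server
ext_web = "198.51.100.5"   # a server outside the firewall entirely

# 1) Forward a WAN port to an external host. The rdr sends the packet
#    straight back out the WAN; the nat rule rewrites its source so that
#    ext_web replies to us and not to the original client, which would
#    discard a reply from an address it never contacted.
rdr on $wan_if proto tcp from any to $wan_ip port 8080 -> $ext_web port 80
nat on $wan_if proto tcp from any to $ext_web port 80 -> $wan_ip
#    Cost: ext_web's logs show every client as $wan_ip.

# 2) NAT reflection: a LAN client connects to the public $wan_ip:80. The
#    rdr on the LAN side sends it to the internal server; without the nat
#    line the server, being on the same segment, answers the client
#    directly from $web, the client sees a reply from the wrong address,
#    and the TCP session is reset.
rdr on $lan_if proto tcp from $lan_net to $wan_ip port 80 -> $web
nat on $lan_if proto tcp from $lan_net to $web port 80 -> ($lan_if)
#    Same cost: $web sees all internal clients as the LAN interface address.

# Split DNS is the alternative that needs neither translation: the
# internal resolver hands out $web for the public hostname, so LAN clients
# never touch $wan_ip and the server logs keep their real client IPs.

# Filter rules see the post-rdr destination, so they name the targets.
pass in on $wan_if proto tcp from any to $ext_web port 80
pass in on $lan_if proto tcp from $lan_net to $web port 80
```

    The give-away for a missing nat line is a connection that sends its SYN and gets nothing back: `tcpdump -ni em1 host 10.0.1.11 and port 80` on the firewall shows the SYN leaving towards the server but the SYN/ACK never returning through it.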

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.