Thanks for the quick reply.

I'll check it out :).

Would be cool if you could layer 7 it :)

HTTPS cannot be proxied in that way.  The client needs to know it is going through a proxy for it to work (in other words, the client needs to be configured to use the proxy, either manually or through automatic proxy detection).

It works, that was my mistake as I failed to set the WAN Adress as destination. Once corrected it works. Thank you very much

what is your exact question? what do you like to do?

@cubsfan:

Wasn't real sure where to post this one

I have a somewhat odd setup on a couple pf boxes, I will draw it the best I can

pf2   -> LAN
                         |
internet -> pf1
                         |
                        pf3   -> LAN
                          |
                        netA

I'm trying to nat from the public side of pf2 to a host on netA through the LAN subnet.  I was thinking I could setup a firewall rule on the netA interface of pf3 to change the gateway to the LAN interface of pf2 and accomplish it but it's still trying to send the replies out  the WAN interface of pf3.  pf3 has NAT enabled for netA on the wan interface so I'm not sure if that is hitting before the LAN rule and sending it out that way or what is happening exactly.

Is there any way to accomplish this?

thanks

Also, with the policy rule in place, traffic is sent to pf2 from the host on netA I'm trying to do this with, it's just the replies that don't seem to be routed back out that way.

That all looks correct with the exception of the proxy ARP, you're causing the firewall to claim every single IP in 10.1.0.0/16 there, which is creating a huge mess of IP conflicts if you have anything other than the firewall on 10.1.0.0/16.

…and made even more changes last night, it should be in much better shape now.

Previously if I unplugged my cable WAN it would switch its IPs around due to the way the modem worked, and the old states would hang around. After quite a bit of fiddling I managed to get it to clear the states when it fails to the modem's useless private IP and when it recovers to the real public IP.

The latest snapshot should hopefully perform much better, even with PPPoE WAN types.

Ok, and finally, the "non static port NAT" default feature of pfsense didn't helped either (http://doc.pfsense.org/index.php/Static_Port)
Setting static port to yes and now I2P is completely happy again.

Solved.

Could be hardware related or someone made an accidental change in the config.

@podilarius:

If you have switched to AON, then you are going to have to create a rule for pf2 subnet. Can you get to the internet from behind pf2?

As it turns out I had the DNS record published incorrectly so I was beating on someone elses firewall trying to get in.  Fixed that up and everything works nicely, amazing what one digit will do to you.  I should have just stopped yesterday and gone home.

-andy

finally i think i did get it with your help!

Thank you podilarius

I will report back here when all is online and running.

There is already another question opening about http-redirect, that i will post in a new thread. Maybe you have answers for this too  ;D

cheers

Configure your firewall rules accordingly under Firewall>Rules, OpenVPN tab. Only permit access to the mail server.

@bardelot:

You could try UPnP instead of static port forwards.

Hey bardelot,

Thanks for your response ….. I dont believe UPnP will fix this issue, as i think the problem is outbound only ..... however I will try and get back to you.

Port forwarding by NAT gateways doesn't touch packet content.

The X-forwarded… you're referring to is only used by L7 http reverse-proxies (load-balancers etc)

Well, I haven't confirmed that wasn't changed for any 2.0.x version, I only checked the latest development version.

EDIT:
Same for 2.0.x.  I don't really know what is going on; in firewall_nat_out_edit.php it should not be able to know the difference between "interface address" and "any" for the translation address, because in the current state of the code the HTML will always have those two fields set to the same value.  I've even tested it and the configuration comes out the same.

If you select "any" for translation address and save the rule, is it still selected if you edit it?  If so, either you must have a modified version or we aren't talking about the same page.

You are not going to forward directly to 192.168.0.22 from the cisco. You have double NAT, so you are going to have to make sure you adjust for that.
So, create a VIP on WAN and set it to 10.0.0.22.
In the port forward rule, source and source port is any.
Destination IP is going to be the VIP (10.0.0.22). DPORT will be 8800.
Then you set the NAT ip to 192.168.0.22 on port 8800.
I am not sure how you have a gateway with a port. LAN does not usually have a gateway set at all in pfSense. But for your LAN PCs, 192.168.0.2 is a good gateway so long as the PC at that address has a default gateway of 192.168.0.1. Since that just looks like a proxy, and not even a transparent one, I would set the gateway of all the machines except pfSense (which will only have a gateway on WAN address) to 192.168.0.1 and use browser configs to set the proper proxy address.

I had to use AON too for SIP sucessful registering.

Best

Kostas

After days of working on this I found a guide I understood .. http://www.packtpub.com/article/pfsense-configuring-nat-firewall-rules they have a sample webserver setup using pfsense and exactlly what I was trying to do. Hope it helps someone.

I had a lan address in the destination box, when it should have been "wan address" works perfect now.

** Solved **