• Routing problems, IMAP & firewall rejection.

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    J
    I'll prepare a diagram and post it to the forum, if that may help, but in FW-A there is no NAT. Only manual routes to subnets (already NATed) on FW-B. For now, here is a textual representation of the process:

    For example, let's assume that 10.10.10.0/24 are routable addresses (real internet addresses) and 192.168.0.x/24 are non-routable (e.g. local).

    FW-A configuration involves 2 NICs:
        WAN: 192.168.0.5/24 (I know that this is non-routable, but I switch internet subnets on another machine before here, and do not do NAT on this, just pure routing. And there everything works.)
        LAN: 10.10.10.1/24

    FW-B configuration involves several NICs, of which one is WAN and the others are OPT for each individual VLAN, and NAT is involved here:
        WAN: 10.10.10.2/24
        LAN1: 192.168.1.1/24 - <whole network here>
        LAN2: 192.168.2.1/24 - <whole network here>

    According to my understanding, if a packet comes in on FW-A looking for an IP from the FW-A LAN subnet, then it stays there, if the WAN rules are OK. Because this packet anyway appears on WAN rather than LAN. And routing is done via simple transferring of data to the relevant NIC port, as the FW knows the subnet there. In case a packet should go to another subnet (via static routing), then in order not to allow this packet to go out again to the FW-A WAN gateway, I direct them to the FW-B WAN IP address, which is specified in the static routes of pfSense. From here comes the process:

    1. A packet arrives at FW-A WAN 192.168.0.5/24 looking for the reverse proxy for IMAP in the DMZ, for example on IP 10.10.10.10/24.
    2. Due to a specific WAN rule, this packet is allowed to go to this proxy, and the connection is made.
    3. This proxy proxies the packet to the IMAP server (according to DNS) in the FW-B controlled subnet in a specific VLAN, for example 192.168.1.10/24.
    4. In this case the packet from the IMAP proxy arrives on the LAN port of FW-A, as it comes out from LAN subnet 10.10.10.0/24. It comes into the FW and understands that there are no interfaces for subnet 192.168.1.0/24, and looks for a record in the static routes.
    5. The static routes record says that if a packet on the FW-A LAN port asks for the 192.168.1.0/24 subnet, route it to 10.10.10.2/24, which is on the same LAN port network, but actually is the WAN of FW-B.
    6. Afterwards FW-B takes care of NAT and routes the exact packet to the specific server.

    The problem arises in the fact that in this case the responses on the FW-A LAN port are OK, but why are they blocked, if the FW-A LAN rules say allow any to any? The second: when I experimented with NAT and rules, if I forward to 10.10.10.2/24, then nothing works; I have to make FW rules for exactly the NATed subnet, in my case 192.168.1.10/24. Why is it so? Hope this makes the situation a little bit clearer. Working on the diagram.

    [EDIT]: NAT is done on the FW-B WAN port (Port Forward tab), stating that if the WAN port external IP (from 10.10.10.0/24, or specifically a VIP on the FW-B WAN port) with external ports are such and such, NAT them to IP 192.168.1.0/24 with port numbers such and such. If I define FW rules for the 10.10.10.0/24 IP address, nothing works at all. I have to define WAN rules for the 192.168.1.0/24 LAN, despite the fact that it is not on the WAN network port.
  • How to redirect?

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    D
    The problem with Squid is its lack of support for load balancing, but on the other hand it is a package that cannot be installed on just any system because of the resources it needs. And there is no manual way to put in a rule that reads an alias of hosts and does the redirect? Captive portal might work, but it's hard to set up all the whitelisted MACs in pass-through.
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • MOVED: How to Block computer all websites except for one website..?

    Locked
    1
    0 Votes
    1 Posts
    964 Views
    No one has replied
  • Need help (albeit basic) identifying FW log weirdness

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    C
    OK, so I've just got in and checked the logs. It's full of those weird entries that seem to originate from my WAN address to the Internet. Image attached with my IP blocked out. A raw log output of some of these entries reads as follows (again, starred out my IP):

        pf: ...114.58775 > 209.85.229.188.5228: Flags [FP.], cksum 0x2550 (correct), seq 0:74, ack 1, win 32044, options [nop,nop,TS val 1648272 ecr 486655357], length 74
        pf: ...114.60183 > 17.172.237.93.5223: Flags [FP.], cksum 0xb104 (correct), seq 0:37, ack 1, win 32965, options [nop,nop,TS val 21515052 ecr 1739744880], length 37

    On this occasion, these seem to be the main 2 addresses the WAN is trying to connect to. That would be a Google address and an Apple address. The only thing this (Apple) attempt is going to be (at least from the inside of my LAN) is 1 iPhone. That still doesn't explain pfSense showing the WAN interface sending traffic, however. The block rule that fires for these 2 blocks, and all others that are attempting to leave via the WAN with the WAN address as the sending address, is:

        @2 block drop out log all label "Default deny rule"

    Does this help in any way to narrow down the problem? Thanks again. [image: log.png]
  • Secure firewall rules for guest access

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    T
    Hi! Thank you for your answer! I understand what you are saying. I must admit that this was the fastest way to grant internet access for both wifi users and my neighbour. But you totally convinced me. I will re-arrange my network first. Unfortunately I'll have to keep my primary router for VoIP, which makes everything a little bit more complicated… :-( Today I bought "pfSense - The Definitive Guide" and started reading. Hopefully it will clear things up a bit... Again, thanks a lot for your comment! Regards, Tom
  • Firewall rule not right?

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    T
    I have enabled NAT reflection… works OK now... Thank you guys! ;D
  • Rules Conversion

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    jimpJ
    You can group hosts and networks, and even more so in 2.0. A host in a network alias just has a /32 subnet mask. You can have port aliases as well. In 2.0 you can even nest aliases within other aliases, use hostnames, pull an alias' content from a URL…
  • Trouble isolating two subnets

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    N
    Problem solved: http://forum.pfsense.org/index.php/topic,14607.msg77308.html
  • Cannot block pop3 traffic [SOLVED]

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    L
    OK, I found the solution by myself. Groupware has POP3 (110) and POP3/S (995) enabled, and pfSense NATs both of the ports to the groupware server. On my PC I installed Avast with virus mail protection. Avast intercepts my POP client request and automatically translates the request to groupware port 995. So both of them (telnet to 110 and the POP mail client) succeed via 995. Blocking 995 as well solved the question. Obviously telnet to 110 fails if you disable the antivirus mail check. Thanks anyway, bye, Luca.
  • Strange firewall behavior

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    B
    I'm sure it's something simple I'm missing. I even changed the gateway within the firewall rule itself and was still getting deny logs. Arg!!!!
  • MOVED: Country Block Question

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Port forwarding being wonky [SOLVED]

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    B
    firestrife23, curious: what made you think ALL ports were being port forwarded to the SSH port recently? Did you manually add a port number (proxy port #) in the Squid config after installing Squid initially (in the web UI)? I would guess that was in fact your problem, as you stated this problem didn't happen until you installed Squid and LightSquid. Just trying to help things make sense, rather wondering why a reboot fixed your port forwarding problem, or so it seemed. Barry
  • WatchGuard X500 Configuration

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    F
    I have a DHCP server running on 5 of my 6 interfaces. None of my interfaces are bridged at this time. RC
  • HAVP + Squid = Firewall Rule Bypass.

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • MOVED: FTP in pfSense 2.0

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Multi LAN and 1 WAN routing

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C
    Source port isn't the same as destination port; it usually should be any.
  • Get a 403 Forbidden Error on just a certain page only [SOLVED]

    Locked
    7
    0 Votes
    7 Posts
    7k Views
    N
    Awesome, that worked. Thanks guys.
  • Run in stateless mode

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimpJ
    It's easy to overlook since it's hidden behind a button (which is good since 99% of people will never need to touch that option, but it's handy for those that do!) :-)
  • How do I allow http/https and block others in firewall

    Locked
    8
    0 Votes
    8 Posts
    17k Views
    S
    ok2.. :) understand :) too jargon to me…
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.