Unsolved problem - Pfsense gurus help needed
- 
 Hello pfsense fans! I need to use all these features at the same time:
- Packet filtering and NAT at internet entry point
- DNS forwarding
- Multiwan links with load balancing and failover
- Content filtering with squid
- Bandwidth shaping and throttling (by ip)

 I am aware of these issues:
- Squid package doesn't work with multiwan
- Traffic shaper doesn't work with multiwan

 So I would like to use two pfsense machines to make the whole thing work as expected. This is my idea:

 ISP1 ---- WAN1 ----
                   |
                   |---- PFSENSE 1 ----- PRIVATE SUBNET 1 ----- PFSENSE 2 ----- PRIVATE SUBNET 2 ----- USERS
                   |
                   |
 ISP2 ---- WAN2 ----

 On PFSENSE 1:
- NAT and port forwarding are enabled
- DNS forwarding is enabled
- Packet filtering is enabled
- Load balancing and failover are enabled
- Added a static route to private subnet 2

 On PFSENSE 2:
- NAT is disabled because I don't want a double NAT (I selected the option "Advanced outbound NAT" and deleted all the rules)
- DHCP server is enabled for Private subnet 2
- Traffic shaper is enabled (via the wizard)
- Squid package is installed and enabled in transparent mode
- Traffic from subnet 2 to subnet 1 is allowed with the default rule, so I added a rule to allow the traffic in the opposite direction

 PROBLEM: Users can't access the internet.

 QUESTIONS:
- Does traffic shaper work without NAT?
- Is there something I am missing?
- Comments and suggestions?

 Thanks in advance and excuse my English.

 UPDATE: After some forum searching I understand the need to activate "Advanced outbound NAT" on PFSENSE 1 and add a mapping for SUBNET 2. So I made the change and applied it. However, the users on subnet 2 still can't reach the Internet.

 UPDATE: Based on this post http://forum.pfsense.org/index.php?topic=10524.0 I added the rules to allow traffic to pass from subnet 2 to pfsense 1 LAN interface, however users on private subnet 2 still cannot access the Internet (traffic between subnet 1 and subnet 2 is normal).

 Still stuck ....
- 
 On the inside one you'll want to disable NAT by enabling AON and deleting the auto created rules at the bottom of the screen. On the outside one, you need a static route pointing private subnet 2 to pfsense2's WAN IP. Private subnet1 and private subnet 2 must be completely different subnets. Traffic shaping does work with routing. Interesting setup to get around some of the limitations that exist in the software! Not a bad idea at all. It's less than ideal to have two firewalls, but it'll work. 
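
The conditions named in this thread (completely different subnets, no NAT on the inside firewall, a static route to subnet 2 via pfsense2's WAN IP, plus an outbound NAT mapping and a LAN rule for subnet 2 on the outside firewall), written as a Python check. This is an added example, not part of the original posts; the dictionary keys and all addresses are constructed for illustration and are not a pfSense configuration format or API.

```python
import ipaddress as ip

def check_topology(cfg):
    """Return the problems found in the routed two-firewall layout."""
    problems = []
    s1, s2 = ip.ip_network(cfg["subnet1"]), ip.ip_network(cfg["subnet2"])
    fw1, fw2 = cfg["pfsense1"], cfg["pfsense2"]
    fw2_wan = ip.ip_address(fw2["wan_ip"])

    def covers_s2(nets):
        return any(s2.subnet_of(ip.ip_network(n)) for n in nets)

    if s1.overlaps(s2):
        problems.append("subnet 1 and subnet 2 overlap")
    if fw2_wan not in s1:
        problems.append("pfsense2 WAN IP is not inside subnet 1")
    # Inner firewall only routes: no outbound NAT rule may remain.
    if fw2["outbound_nat"]:
        problems.append("pfsense2 still has outbound NAT rules")
    # Outer firewall needs a return route to subnet 2 via pfsense2's WAN IP.
    if not any(s2.subnet_of(ip.ip_network(n)) and ip.ip_address(g) == fw2_wan
               for n, g in fw1["static_routes"]):
        problems.append("pfsense1 lacks a static route to subnet 2 via pfsense2")
    # With manual outbound NAT, subnet 2 needs its own mapping on the outer box.
    if not covers_s2(fw1["outbound_nat"]):
        problems.append("pfsense1 outbound NAT does not cover subnet 2")
    # The outer LAN interface must pass packets sourced from subnet 2.
    if not covers_s2(fw1["lan_allow_sources"]):
        problems.append("pfsense1 LAN rules do not allow subnet 2")
    return problems

# Constructed sample: route added, but NAT and LAN rules still cover subnet 1 only.
BROKEN = {
    "subnet1": "192.168.1.0/24", "subnet2": "192.168.2.0/24",
    "pfsense1": {"static_routes": [("192.168.2.0/24", "192.168.1.2")],
                 "outbound_nat": ["192.168.1.0/24"],
                 "lan_allow_sources": ["192.168.1.0/24"]},
    "pfsense2": {"wan_ip": "192.168.1.2", "outbound_nat": []},
}
# Constructed sample with the mapping and rule for subnet 2 added.
COMPLETE = {**BROKEN, "pfsense1": {**BROKEN["pfsense1"],
            "outbound_nat": ["192.168.1.0/24", "192.168.2.0/24"],
            "lan_allow_sources": ["192.168.1.0/24", "192.168.2.0/24"]}}

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("COMPLETE", COMPLETE)):
        print(name, check_topology(cfg) or "no problems found")
```

An empty result only means these listed conditions hold in the description; it does not test the live firewalls.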
- 
 In order to use traffic shaping you would have to place the proxy in between the pf1 and the pf2. I would use Ubuntu Server with latest Squid.

 ISP1 ---- WAN1 ----
                   |                        Ubuntu Server
                   |---- PFSENSE 1 ----- PRIVATE SUBNET 1 ----- PFSENSE 2 ----- PRIVATE SUBNET 2 ----- USERS
                   |
                   |
 ISP2 ---- WAN2 ----