@hydrian You can get it work with a single public IP, but probably not with a MAC lock. CARP uses certain MAC addresses, which cannot be spoofed as far as I know.

@viragomann & @Gertjan Thanks for your help! Managed to solve it with a floating firewall rule! I only tried to block it from the interface that I thought the traffic originated from first. But now I tried to add a floating rule that blocked the traffic from all interfaces that shouldn't have access to it, and it worked!

@alexhen You cannot schedule NAT rules. You have scheduled the associated firewall rules though, but even if these rules are disabled, the NAT rules are still active and do what they meant to do and the first one wins. Not really sure what to try to achieve with this idea. If you just have two internal servers listening on port 80 set up HAproxy. Doing so you can also let HAproxy do the lets encrypt stuff. Also you can run a proxy on one of the backends themself.

Revisa/Lee: https://docs.netgate.com/pfsense/en/latest/firewall/index.html Muestra, lo que hiciste..... (capturas de pantalla)