Am I missing an outbound NAT rule?
In my testing configuration, LAN is 192.168.11.0/24, and WAN is 192.168.0.0/24. See the attached pictures for configuration details. Basically, I want to be able to forward from 192.168.0.202:80 (a CARP IP address) to 192.168.11.4:80. The web server is definitely running, because it serves pages on its 192.168.11.4 address. Its firewall is set to allow all traffic. For instance, I can telnet from pfsense to 192.168.11.4:80.
On the web server, I can run tcpdump -i any -w 80.pcap 'tcp port 80', which yields 2 incoming "HTTP [SYN]" packets, and no outbound traffic. This is also exactly the traffic the MASTER pfsense router sees. The slave sees no port 80 traffic, as you would expect.

This turned out to be a problem due to the web server having an interface on the 192.168.0.0/24 network. Taking that interface down allowed packets to flow freely, how they were meant to.
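Why the second interface broke the forward: the server's longest-prefix route lookup sends the SYN-ACK straight out the interface on 192.168.0.0/24, so the reply never passes back through pfSense to be translated to the CARP address. This is an added walkthrough, not code from the thread or from pfSense; the interface names, the client address 192.168.0.50 and pfSense's LAN address 192.168.11.1 as default gateway are assumptions.

```python
import ipaddress

PFSENSE_LAN_GW = "192.168.11.1"   # assumption: pfSense LAN address, server's default gateway
CLIENT = "192.168.0.50"           # constructed client on the WAN-side subnet


def pick_route(routes, dst):
    """Longest-prefix match: return the (interface, gateway) a host uses to reach dst."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def reply_path(routes, client=CLIENT):
    """Trace the SYN-ACK the web server sends back to the client."""
    # The inbound SYN arrived via pfSense's port forward (192.168.0.202:80 -> 192.168.11.4:80).
    # The reply is only translated back to 192.168.0.202 if it returns through pfSense.
    iface, gw = pick_route(routes, client)
    via_pfsense = gw == PFSENSE_LAN_GW
    return {"iface": iface, "next_hop": gw or "direct", "via_pfsense": via_pfsense,
            "state": "translated back to 192.168.0.202" if via_pfsense
                     else "bypasses NAT; client sees SYN-ACK from 192.168.11.4 and drops it"}


# Single-homed server: one LAN interface, default route through pfSense.
ROUTES_OK = [
    ("0.0.0.0/0", "eth0", PFSENSE_LAN_GW),
    ("192.168.11.0/24", "eth0", None),
]

# Dual-homed server as in the thread: a second interface on 192.168.0.0/24 adds a
# more specific connected route, which wins over the default route for WAN-side clients.
ROUTES_BROKEN = ROUTES_OK + [("192.168.0.0/24", "eth1", None)]

if __name__ == "__main__":
    for name, routes in (("single-homed", ROUTES_OK), ("dual-homed", ROUTES_BROKEN)):
        print(f"{name}: {reply_path(routes)}")
```

Running `ip route get 192.168.0.50` on the server gives the same answer as `pick_route` and is the quickest way to confirm which path a reply will take.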