David Rees
2012-04-16 18:42:27 UTC
I posted this on the forum[1] a while back but didn't get a response -
thought I'd try here.
I've got a fairly typical multi-WAN setup on pfSense 2.0.1 with one
primary WAN and a secondary WAN port.
Inbound access to servers is the same across both WAN ports so what
I've been doing is duplicating rules across both interfaces.
Then I saw the Interface Groups tab and thought - nice! now I can add
my two WAN ports to the Interface Group and then only have to worry
about a single page of firewall rules unless I want a specific rule
for one of the two WAN ports.
So I created an Interface Group with both WAN ports and proceeded to
copy a rule over, leaving my two existing WAN interface rulesets
intact.
But what I found is that this killed inbound connections on my
secondary WAN port to a NATted host. Removing that WAN port from the
interface group allowed things to continue working.
Looking in /tmp/rules.debug I see rules in this order:
WAN rules, LAN rules, WAN-group rules, then OPT1 rules (OPT1 is my
other WAN connection).
Looking at the difference between the WAN-group rules and WAN/OPT1
rules it is missing "reply to ( <interface> <interface-ip> )" from the
rules.
I assume that this is the problem here - I'm guessing that the
connection reply isn't going out the right interface.
Any ideas? Should this work? Am I doing something wrong or missing something?
Thanks!
-Dave
[1] http://forum.pfsense.org/index.php/topic,48169.0.html
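An added illustration of the difference described above, not taken from the post or from pfSense itself, with constructed interface names and addresses: em0 is WAN with gateway 203.0.113.1, em1 is OPT1 (the second WAN) with gateway 198.51.100.1, wanlinks is the interface group, and 192.168.1.10 is the NATted host.

```pf
# Constructed example of how pfSense 2.0.x writes per-interface rules
# into /tmp/rules.debug on a multi-WAN box. reply-to binds the return
# traffic of each state to the interface the packet arrived on and the
# next hop given in parentheses, so a reply to a connection that came in
# on em1 leaves via em1 instead of following the default route out em0.
pass in quick on em0 reply-to ( em0 203.0.113.1 ) inet proto tcp from any to 192.168.1.10 port 80 flags S/SA keep state label "USER_RULE: web via WAN"
pass in quick on em1 reply-to ( em1 198.51.100.1 ) inet proto tcp from any to 192.168.1.10 port 80 flags S/SA keep state label "USER_RULE: web via OPT1"

# The same rule placed on the interface group. reply-to names exactly one
# interface and one next hop, so a rule spanning two WANs has no single
# value to carry, and the generated rule has none. Because user rules are
# "quick" and the group rules come before the OPT1 rules in the order
# observed above, this rule wins for traffic arriving on em1, and replies
# go out the default route via em0 (asymmetric, so the connection fails).
pass in quick on wanlinks inet proto tcp from any to 192.168.1.10 port 80 flags S/SA keep state label "USER_RULE: web via group"
```

To check which loaded rules actually carry the option on a running box, `pfctl -sr | grep reply-to` lists them; a rule that matches inbound traffic on the secondary WAN without reply-to is the one to look at.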