How is it possible to forward all incoming WAN traffic to an additional firewall?
I built a load-balanced MikroTik that will pass all source WAN traffic to an internal pfSense firewall.
pfSense should see the incoming public IPs to process its own firewall rules.
Please describe your network. What MikroTik device do you have and how is it connected to the internet? Why can’t you connect the pfSense firewall instead?
When it is for a Wi-Fi link, as said, configure it in bridge mode and it will not touch the traffic at all.
What rules do you mean? The pfSense firewall has the rules, right?
It is possible to place the pfSense between the load balancer part and the rest of your network. The pfSense will see the remote addresses (the source ones of the incoming traffic from the internet), but it will not know to which WAN interface that traffic has arrived. Is that sufficient for you?
In that case, let’s suppose the pfSense has two physical interfaces (or two VLANs), a “WAN” one and a “LAN” one.
You will partition the MikroTik into two virtual routers - one will forward the traffic between pfSense’s WAN and the MikroTik’s WAN interfaces, and the other one will forward the traffic between the MikroTik’s LAN interfaces and pfSense’s LAN (unless you have a single subnet, so you can use the MikroTik as a switch alone and the pfSense’s LAN IP as the default gateway in that single subnet).
As MikroTik states somewhere in the documentation that the use of VRF is not compatible with assigning routing-mark values using mangle rules, it may not be possible to assign the interfaces to a VRF, and you’ll have to do everything using the mangle rules.
If this is not enough, post a drawing of your network as @pe1chl has recommended, and an export of your actual configuration rather than a reference to the template you’ve used.
I don’t think there is a documentation example that would cover exactly this. Search for “policy routing” (nothing to do with IPsec policies), i.e. how to create multiple routing tables and choose one for each individual packet depending on its origin and possibly other properties, and also for VRF which is a simpler but less flexible method for the same, but the explanation of the latter in the documentation is quite BGP-centric so there is a lot of information you don’t need for your case.
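As an added illustration of the “two virtual routers via mangle rules” layout described above (this is example configuration, not from the thread or from any poster’s setup), the fragment below uses RouterOS v6 syntax; the interface roles, the RFC 5737 documentation addresses, the table and list names and the single uplink are all assumptions, and the per-WAN marking of the original load-balancing template is left out.

```routeros
# Added example, not from the thread: RouterOS v6 syntax; interface roles,
# addresses (RFC 5737 documentation ranges) and names are all assumptions.
#   ether1 = ISP uplink (203.0.113.0/24, gateway 203.0.113.1)
#   ether3 = link to pfSense WAN (pfSense side 10.255.0.2)
#   ether4 = link to pfSense LAN (pfSense side 10.255.1.2)
#   ether5 = internal LAN 192.168.10.0/24
/interface list
add name=wan_side
add name=lan_side
/interface list member
add list=wan_side interface=ether1
add list=wan_side interface=ether3
add list=lan_side interface=ether4
add list=lan_side interface=ether5
/ip address
add address=203.0.113.10/24 interface=ether1
add address=10.255.0.1/30 interface=ether3
add address=10.255.1.1/30 interface=ether4
add address=192.168.10.1/24 interface=ether5
/ip firewall mangle
# "virtual router" split: a packet is looked up in the table of the side it came in on
add chain=prerouting in-interface-list=wan_side action=mark-routing new-routing-mark=wan_side passthrough=no
add chain=prerouting in-interface-list=lan_side action=mark-routing new-routing-mark=lan_side passthrough=no
/ip route
# wan_side table: a single uplink here; the per-WAN marks of a load-balancing template go in its place
add routing-mark=wan_side dst-address=0.0.0.0/0 gateway=203.0.113.1 check-gateway=ping
add routing-mark=wan_side dst-address=10.255.0.0/30 gateway=ether3
# lan_side table: the local subnet directly, everything else only via the pfSense LAN address
add routing-mark=lan_side dst-address=192.168.10.0/24 gateway=ether5
add routing-mark=lan_side dst-address=0.0.0.0/0 gateway=10.255.1.2
/ip firewall nat
# inbound: only the destination is rewritten, so pfSense sees the real public source address;
# no src-nat is applied towards ether3
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 action=dst-nat to-addresses=10.255.0.2
add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall filter
# the two halves must never be forwarded directly between each other; this is what would
# let traffic bypass pfSense if a marked lookup falls through to the main table
add chain=forward in-interface-list=wan_side out-interface-list=lan_side action=drop
add chain=forward in-interface-list=lan_side out-interface-list=wan_side action=drop
```

Check the split with `/ip route print where routing-mark=lan_side` and a traceroute from the internal LAN: every hop to the internet must pass 10.255.1.2, and the two drop counters in the forward chain should stay at zero.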