Thank you very much. Very informative

Like I said not going to hurt anything... But amount of places that actually have those ports open at the isp level is not very much.. More an exercise in how to do it more than actual security.. Here is from one of my vps box out of the net Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:54 CDT Nmap scan report for scanme.nmap.org (45.33.32.156) Host is up (0.015s latency). Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f Not shown: 1022 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds Here is from my home connection Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:48 CDT Nmap scan report for scanme.nmap.org (45.33.32.156) Host is up (0.062s latency). Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f Not shown: 1012 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp filtered smtp 55/tcp filtered isi-gl 67/tcp filtered dhcps 77/tcp filtered priv-rje 80/tcp open http 135/tcp filtered msrpc 137/tcp filtered netbios-ns 138/tcp filtered netbios-dgm 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds 496/tcp filtered pim-rp-disc Nmap done: 1 IP address (1 host up) scanned in 322.31 seconds As you see 25 blocked by isp as well.. Home connections that is almost always blocked as well.. But if your on some sort of fiber...

You can't reach the 192.168.2.1 gateway from this 192.168.3.0/24 network. Add one more network card to your pfSense or use VLANs to create these Interfaces virtually separated. You need a capable VLAN Switch then though. -Rico

Sorry, the txt image is a liitle broken. Right picture is here: 

@Gertjan Hello, thanks for commenting. I had set it to 8.8.8.8 to test if I can get to ping to google. At the time I didn't trust the router. Thanks to your comment I have changed my dns to my router and it worked fine. [image: 1558992321628-8fb612f3-17f0-40bb-b8a7-2e8f577c5bef-image.png] The rules for lan are ok now because I can go to the internet.

In that case I would BLOCK LOCAL_SUBNETS then PASS ANY

@johnpoz OK it's noted. However, we have other server that is in this range of address: 10.1..1.x, how to do not saturate Chimpanzee switch requests that will be issued by other hosts who want to reach the other server via this chimpanzee switch?

Yeah Rico hit it on the head.. Where you can run into problems is when the site could be really any IP owned by the CDN its being hosted on.. So the specific IP you use could change all the time.. And some of these have ttls as short as 60 seconds for example... So when the filterdns process runs (every 5 minutes by default) that populates your alias for www.somedomain.com you get IP 1.2.3.4... But then 3 minutes your client wants to go there and you get 4.5.6.7 which is not in your alias. Even if you put in the whole swath of IPs that are owned by CDN.. you now get sites that you might not want going through the vpn since they are hosted on the same CDN, etc. So while yes you can do it.. Be aware that there could be complications based upon if that fqdn is hosted on CDN..

Yes having the same GW for multiple WAN IP:s worked (at least for me) fine for a while. This is basically the only option you have if you want to run with multiple wan IP:s and your operator is providing you with multiple IP:s with DHCP (mine gives up to 5, no static IP:s available) . Off course for monitoring of GW one must use different targets for every GW. For testing purposes I did do a fresh install of Pfsense 2.4.4-RELEASE-p2 and the problem seems to stay. Annoying part is that this setup now works, for a while, then it goes offline, and soon works again :).

@Rico Hi , I have tested this approach and configured CoDel Scheduler and used it for a while and tried diffrent combination of it's options but the mai nproblem is that is causes web access slowness on entire clients, no body can use internet correctly, some websites not opening right a way and take a long time to load but as soon as we disable schedulers every thing is ok! i think configuring scheduler and CoDel and Queues needs some advanced expertise. guidelines provided in the video and pfsense docs not enough to use them, at least for me.