  • Need some help configuring pfSense. Bridge mode? VPI? VCI?

    Locked
    0 Votes
    14 Posts
    14k Views

    To enable voice and video communications with Windows Messenger through a non-UPnP firewall, configure the firewall to allow incoming traffic on UDP ports 5004 – 65535.

    For other purposes, enable the following ports:

    File Transfer: tcp 6891 (to allow 10 simultaneous file transfers open ports 6891 through 6900)

    Application and Whiteboard Sharing: tcp 1503

    Remote Assistance: tcp 3389

  • Traffic logs

    Locked
    0 Votes
    7 Posts
    5k Views

    @Bunz:

    I understand from previous threads that the filtering bridge blocks everything unless there's a rule.

    I don't see this though. WAN blocks everything by default, LAN allows everything by default.

    If I set BLOCK rule on LAN

        Proto  Source  Port  Destination  Port  Gateway  Description
    X   *      *       *     *            *     *        block all

    I can still connect to 80 and ssh. There doesn't seem to be any filtering on LAN.

    There is an anti logout rule at LAN (so you don't shut down access to the webgui accidentally). You can disable that at system>advanced as well.

  • CARP redundancy, link down, not just power failure

    Locked
    0 Votes
    7 Posts
    5k Views

    Awesome.  I'm not aware of anyone working on this package, go for it.

  • Can I use 2 static IPs or DHCP to make a dual WAN setup?

    Locked
    0 Votes
    2 Posts
    3k Views

    Yep, unless these are two or more PPPoE-connections.

  • Reach the modem on the WAN port

    Locked
    0 Votes
    18 Posts
    13k Views

    @eskild:

    Hi,
    make sure you have NAT on WAN IF, if not you will need to add static routes in the modem for your LAN and opt's.

    Could you please explain to me what I have to do? Thanks!

  • Bridge mode?

    Locked
    0 Votes
    22 Posts
    14k Views

    This is cosmetic.  You can ignore it and it should be fixed in beta2.

  • 2xDSL 4096kbit

    Locked
    0 Votes
    3 Posts
    4k Views

    I want to stick together two links as mums make it after step step DSL 4096kbit

  • Help with internal network routing (no WAN)

    Locked
    0 Votes
    2 Posts
    4k Views

    Option 1)
    If you don't need a firewall, go to System>advanced and shut it down completely by checking "disable firewall". This will shut down NAT and convert pfSense into a routing-only platform without filtering.

    Option 2)
    If you need filtering for some reason, don't check this option and go to Firewall>NAT>outbound and enable advanced outbound NAT. It will create some rules in the table below. Delete these (as you don't want NAT, this will shut it down completely). Now you can even use the WAN interface as a non-NATed interface.
    Then create rules at all Interfaces to allow desired traffic between the subnets.

    Needed for both options)
    Add the needed routes at System>static routes.
    If all the other routers you don't have access to have the right routes back to you everything should work fine now.

  • Carp Load Balancing ?

    Locked
    0 Votes
    2 Posts
    3k Views

    No. CARP load balancing is for sharing the load between different firewall machines in a cluster, not for sharing the load to different WAN gateways.

  • PPPOE and load balancing HELP!!!

    Locked
    0 Votes
    3 Posts
    3k Views

    Thanks

    I was thinking that can it be done with VLANs.

  • Route thru VPN

    Locked
    0 Votes
    2 Posts
    4k Views

    on ZEUS put in
    10.0.0.0/22 via 192.168.125.1 or default via 192.168.125.1
    on CERBERUS put in
    10.0.0.0/22 via 192.168.125.65
    on DEVROUTER put in
    192.168.125.0/26 via 192.168.125.65

    got here a 150 km IPsec VPN between 192.168.1.0/24 with local address 192.168.1.1 and 10.141.254.0/24 with local address 10.141.254.254
    my routes are on the 192.198.1.0/24 network:
    10.141.254.0/24 via 10.141.254.254
    and on the 10.141.254.0/24 network:
    192.168.1.0/24 via 192.168.1.1

    ping is 32 millisec

    if I also had 172.178.1.0/24 behind the 10.141.254.0/24 network
    then on the 192.168.1.0/24 network this route had to be added
    172.178.1.0/24 via 10.141.254.254
    and on the machine with 10.141.254.254 there has to be a route to 172.178.1.0/24 then
    and from 172.178.1.0/24 there must be a route back to 192.168.1.0/24 via the gateway that has contact with the 10.141.254.0/24 network

  • 3 gateways please HELP

    Locked
    0 Votes
    5 Posts
    4k Views

    Nice! And sorry that I didn't catch all the details from the ASCII art  ::)

  • OpenBSD ifstated

    Locked
    0 Votes
    3 Posts
    5k Views

    IFStated is already a pfSense package.  I haven't personally used it for a bit, however.

  • Dual WAN / Split Access

    Locked
    0 Votes
    3 Posts
    4k Views

    Hi,

    I do have it setup as described in my post and it doesn't work. If I manually change the default gateway on the OVPN server I can connect through either ISP (not at the same time though).

    An Ethereal trace shows that the arriving packet has a real IP address 86.1.x.x and when the OVPN server responds it sends the reply via its default gateway, which may or may not be the originating one.

    Tony

  • Load balancing - round-robin / random

    Locked
    0 Votes
    10 Posts
    13k Views

    170212 rule 10/0(match): block in on rl1: 149.217.134.251 > 10.0.0.2: ICMP echo request, id 512, seq 59649, length 40

    If I put OPT interface DHCP, IP address is 149.217.50.100 /24, and it works.
    If I put OPT interface Static, IP address is 149.217.134.211 /26, doesn't work.

    help me please

  • I think i need ACL help

    Locked
    0 Votes
    8 Posts
    6k Views

    Congratulations. Great!  ;D

  • Dual WAN =DSL/ISDN setup

    Locked
    0 Votes
    2 Posts
    4k Views

    Never mind. I was a fool without a pool.

  • Use of public IPs from WAN1

    Locked
    0 Votes
    2 Posts
    3k Views

    I would add virtual IPs for your WAN /29 subnet and use 1:1 NAT to map them to internal machines.

    To make use of WAN1 and WAN2 just create rules for the desired traffic and set the appropriate gateway at the bottom of the "rules edit" page.

  • Notable things when doing Dual WAN (Policy Routing).

    Locked
    0 Votes
    10 Posts
    10k Views

    One odd thing I've just encountered is that WAN 2 (OPT 1) is not able to connect to FTP servers.
    I always get a "time out". I'm using Firefox web browser to view these FTP servers.

    I tried FreeBSD, OpenBSD, Slackware, Debian, etc sites. (Official download link and various mirrors
    around the world for each project). All "time out".

    To make sure it isn't my connection, I connected a M0n0Wall box to it, and I was able to access FTP!
    I double checked by using a Linksys WRT54G router (with third-party Linux firmware installed), and had
    no problems with FTP.

    I've tried enabling and disabling FTP-Helper. As well, I've opened up ports and such… It did nothing, as
    I would still get "time outs". (I've sent all logs via Syslog to a PC on the LAN side, but I don't see any
    pf rules blocking FTP connections).

    Do any of you folks get the same problem?

  • Multiple WANs what they can and cannot do.

    Locked
    0 Votes
    2 Posts
    4k Views

    This is specific to pfSense's policy routing approach.
    (As discussed in Dan's Tutorial, see tutorial section)

    Cans or Benefits

    Manually assign which service/server or PC goes to which ISP.
    Manual failover. (As in if one ISP fails, you manually re-assign your LAN PCs)
    Consolidate multiple routers into one box. (Save space and electricity)
    Manually distribute the users on the LAN side to available WANs.
    Simpler to implement in complex situations (especially with VPN connections, etc).

    Cannot or Disadvantages

    See ZGamer's comment.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.