That sounded like an ideal solution, but it doesn't work for me. I disabled the helper proxy, and forwarded the ports to the computer with the server. There doesn't seem to be a way to configure the FTP server to only use passive mode, but I configured IE to do so. Nothing shows up in the FTP logs, either from my local network, or remotely. Direct to the IP address within my network still works fine. Any ideas?

@Everen: Gredd, I have many (more than 80) Axis cameras going through a pfSense box without any issues. I can't promise anything, but I would like to assist if possible. Which Axis model are you having trouble with? Which Axis firmware version is it running? Which version of pfSense are you running at your location? Thanks for helping :) Its a 207W but I don't have the firmware version at hand right now. PfSense box is a 1.2.3 and I'm about to try the 2.0 beta, mostly for the traffic shape stuff but maybe it solves the web cam issue too.

Thanks for the reply and your right it was a rules issue. So now I have moved on with a fresh install. I am bridging switch0 with switch1 (0 is on the wan interface, 1 is LAN interface) and I have followed the bridging guide. I can ping traffic from the LAN connected switch to the Wan connected devices with out issue but can not ping from wan connected devices to the LAN connected devices. I can if I go to advanced setting  and disable filtering. I have a rule for everything to everything on the wan interface but no luck. Any help would be much appreciated. One more question, if I build a new system and put 3 interfaces in the system, bridge LAN and opt1 and just ignore wan all together would that get around any funkiness? Thanks again everyone and thanks to the PFSense devs. You guys have done a fantastic job with this product. I am really looking forward to 2.0. Rich

Placing of those rules depends somewhat on the firewall and nat rules involved between segments. You might also try killing all processes that match pftpx and ftpsesame and then re-saving any firewall rule to trigger a change. See if it restarts properly after that.

Just realized that I made a typo, it should read "can't get or isn't assigned an IP."

The two rules should go below the allow everything rule, since you will be having "Apply the action immediately on match." unchecked on the 3 rules.  Rules are evaluated top to bottom, but with that unchecked (something you can only do on the floating rules), it will only apply the action from the last matching rule of that type, waiting until it hits the end of the rule list, a rule that matches and has that checked, or a regular rule from one of the tabs with an interface name. It is kind of complicated to explain, but basically if you have "Apply the action immediately on match." unchecked on those 3 rules, the rules on the tabs for the interfaces or anywhere else can still override it.  Some of the built-in hidden rules, like the default deny rule, are made this way.  They are actually above other rules in the list, but allow other rules after them to match traffic and override them.

Yes you would need portforwards. Also you would need static routes on your existing router, telling it over which IP the VPNs are reachable. I didn't mean disconnect in the sense of not existing, but that you connect your existing network to the WAN. Something like this: |–-------------------------------------| inet-----router-----|----virtual_WAN                        |                         |                |                            |                         |        ---------------                  |                         |        |  pfSense    |                  |                         |        ----------------                  |                         |                |                            |                         |            virtual_LAN                  |                         |                                              |                         ---------------------------------------- Basically, the WAN is the interface to which your VPN clients connect to, and the WAN is the interface which is used to talk to the rest of your existing network.

Thank you Jim. I think I might try a vanilla install again, and see if same problem comes back.

@PixelsGC: I cant seem to get the router to give out ip's You want to enable DHCP server on the LAN interface? See Services -> DHCP Server, click on the LAN tab, fill in the details, tick the Enable DHCP Server on LAN interface box at the top and click on Save near the bottom.

I suggest you work on your reading comprehension, then.  Here was my first reply on this: "I have pfsense on FIOS.  If you are not using their TV, have VZ switch the ONT from COAX (MOCA) to CAT5 and just throw the AT in the rubbish."  How that gave you the impression the ONT wouldn't do this is beyond me.  I am done with this thread :(

@jupiters_spot: My company has been using pfSense on a Soekris Net 5501 for several months.  It has been stable and happy, until yesterday when it became non-responsive.  By non-responsive I mean: would not respond to http requests on Lan interface DHCPD would not provide leases upon request Firewall allowed no traffic through the appliance If you connect to the serial console, is there any reaction? If the system just 'hangs', it's a good idea to replace the power supply of the soekris as (even though the soekris boots initially), a broken power supply will hang the system without much diagnostic, it's a very frustrating problem to debug. You can use any DC power supply between 7 and 28 volts, I usually use my IBM laptop power supply (it's 16 volts).

@kpa: @XIII: for pfsense: 253 users per subnet/nic PfSense is not limited to /24 on a network, you can easily use more addresses for a network if you just set it up with a wider netmask. For example 10.13.0.0/16 for LAN would give 65533 usable LAN addresses 10.13.0.2 to 10.13.255.254 if you reserve 10.13.0.1 for LAN interface. Same applies to other firewalls as well, not just pfSense. What addresses you use on your own private networks is really up to you. I meant a basic class c network supports 253 devices besides the pfsense box, you could get it to support up to 131,072 devices via /15 or if you really wanted to 134,217,728 devices via supernetting (/5). OP doesnt say what size network he wants to utilize though. I agree with jimp, you shouldnt have any problem reaching the speeds that you want.

Thanks mhab12, It seems that ftp is old, insecure and frowned upon by today's network gurus, including the pfsense development team.  Unfortunately it is still very popular which makes it hard to avoid. I found this page with a discussion on the subject and a few alternatives to ftp.. http://blog.pfsense.org/?p=212 ..some of which, SFTP for instance, can be a simple as changing a setting in your ftp client. This does, however, require the equivalent setting at the other end of the connection, which means you have to motivate your prospective file sharing partner to include the same setting (or possibly to implement a different server application). Cheers Nigel Australia