• What causes traffic to switch to IPv6?

    0 Votes
    5 Posts
    1k Views
    @-RYknow: Ohh… ok. Well then, what would the answer be to that question? Maybe I should clarify that my issue is while using a VPN. If I'm not using my VPN, everything works just fine. I don't know much about pfsense at all, but in my poking around I found there is quite a number of errors that appear squid related in the firewall section. Here are a few;
    Jun 22 20:00:03 php: rc.filter_configure_sync: There was an error while parsing the package filter rules for /usr/local/pkg/squid.inc.
    Jun 22 20:00:01 php: rc.filter_configure_sync: The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was '/tmp/rules.test.packages:21: syntax error'
    I'm completely clueless what this all means. I haven't changed anything with squid, nor updated anything? I'm running 2.2.2 on a netgate APU. Any help would be greatly appreciated.

    There's been a galore of issues with Squid* on 2.2.x; obviously when your firewall rules are broken by it, it's not a good thing. Look at the reported line and see what's there. Otherwise, there's a dedicated subforum for Squid and proxy junk in general.  :P
  • How can I get remote logging to work with a syslog server?

    0 Votes
    16 Posts
    4k Views
    stephenw10
    Ha!  ;D Somewhat off topic but amusing anyway.
  • Not able to access GUI interface

    0 Votes
    2 Posts
    720 Views
    Obvious question, but which NIC are you trying to access the box from? Unless you've made specific changes to the rules, by default you won't be able to access the management GUI from the WAN side, only the LAN.
  • Looking for some advice on a home setup of pfSense

    0 Votes
    5 Posts
    1k Views
    If you want low-cost and reasonably power-efficient, consider a refurb SFF (small form factor) PC with a Core2Duo that is at least 2GHz.  I have a 3GHz (E8400) with SSD and a dual-port Intel NIC that only pulls 38W when idle and 50-65W under load.  It cost me $75-$85.  I spent more on the refurbed dual-port Intel low-profile NIC and the SSD. There are dozens/hundreds of refurbs out there with 90 day warranties from places like NewEgg. My estimate is that the C2D 3GHz would be able to handle about 1.2-1.5 Gbps of bidirectional traffic routing.  Maybe 1/2 to 1/3 of that if used with a lot of packages or VPNs.  Since I only have a 50/50 WAN and only need about 100Mbps between the various VLANs, it's enough for the moment.
  • MOVED: PS3 Netflix wont stream when proxied? *help*

    Locked
    0 Votes
    1 Posts
    457 Views
    No one has replied
  • 0 Votes
    1 Posts
    392 Views
    No one has replied
  • PfSense - PPPoE - No internet connection after restart/reboot

    0 Votes
    3 Posts
    1k Views
    There's a PPP log in Status - System Logs. Look there.
  • Assign a public IP address from a GIF tunnel to a virtualized guest

    0 Votes
    1 Posts
    464 Views
    No one has replied
  • Problem between Pfsense and my router, outlook

    0 Votes
    3 Posts
    993 Views
    Thanks for your reply and I will use this solution
  • FQDN in static DHCP mappings

    0 Votes
    10 Posts
    2k Views
    @BlazeStar: I didn't disable the DNS Resolver. I set host override IN the DNS Resolver. The DNS forwarder is not active. Should I disable the DNS Resolver and activate the DNS Forwarder?

    No. The point was that you can just run one at a time. (And as I recall, the checks to prevent running both were/are somehow incomplete.)
  • Strange address Shown in the dhcp leases

    0 Votes
    57 Posts
    14k Views
    johnpoz
    dude who is 192.168.0.3???  Something is WRONG with that box..  Why is it talking dhcp every couple of minutes???
  • Understanding the egress traffic on my network

    0 Votes
    8 Posts
    2k Views
    Like @mer says, you should be able to achieve this with rules on your LAN(s). To keep it simple and avoid having to think hard about !this and !that I would put some pass rules first for the traffic you already say you want to let through unchecked:
    Pass no logging source * destination * port 80 and 443
    Pass no logging source "internal DNS servers" destination * port 53
    …
    Then:
    Pass with logging source * destination *
    and of course include block rules for anything you know you actually want to block from day 1.
    Then see what comes in the firewall log. Then add "pass no logging" rules for stuff you understand and want to let out. Add block rules for stuff you now understand and want to stop.
  • VLAN Setup - Do I understand?

    0 Votes
    7 Posts
    1k Views
    Got it working! Thanks all  :)
  • Run Script on Interface Status Change (to re-enable 3g usb modem)

    0 Votes
    5 Posts
    1k Views
    jimp
    Yes, the same mechanisms work on NanoBSD and a full install, the only difference is that if you edit files on the NanoBSD filesystem you have to flip it to Read/Write mode first.
  • Disabled NAT IP's still pingable

    0 Votes
    6 Posts
    1k Views
    KOM
    If an External IP that is in the NAT 1:1 is disabled, why is it pingable?

    I assume you have IP aliases for these public IP addresses you're using?  I also assume you have a WAN rule that allows ICMP with a Destination of *?  I don't believe that removing the NAT affects whether you can ping the public address or not.
  • Random 2.2.2 crashing and freezing

    0 Votes
    3 Posts
    711 Views
    Yes my WAN is DHCP and I have absolutely no packages installed.  This is why I am a tad stumped as to what could be wrong here.
  • Setting up two internal networks to communicate via pfSense.

    0 Votes
    9 Posts
    4k Views
    johnpoz
    0.0 interface what interface is that .0 is normally not a valid host address unless for example you were using /23 vs /24  And it wouldn't be valid in your setup with 192.168.0.?  192.168.0.0 would be the network not a host address. Windows by default blocks pings from networks other than the local network..  So while if machine A was on 192.168.1.14/24 and other machine was at 192.168.1.15/24 they could ping each other, but when you move one to 192.168.2.14/24 then the local firewall would block it. How about answering my question.. Can the box on 192.168.2.x ping the pfsense IP at 192.168.2.110 ? Can the 2.x box talk to the internet?  Can you post the ipconfig /all from these 2 machines?
  • What causes this in the logs?

    0 Votes
    6 Posts
    1k Views
    Yes, I can always remove the team. However now I'm curious because I have a NAS that has an adaptive load balanced nic team with 2 nics. No log entries from that nic team - however that is running Linux. This machine has windows. Interesting…. Thanks for the help! :-)
  • PfSense is not a switch?

    0 Votes
    5 Posts
    1k Views
    @johnpoz: If you bridged 4 ports together you would have a "HUB".. Since all packets seen on 1 port would go out all the other ports.. This is how a bridge works..

    Not true with our bridges, they learn MACs the same as a switch and send traffic accordingly just like a switch. The "use an actual switch" mentality is largely for performance reasons. People tend to show up wanting to use some Pentium III they pulled from a dumpster with a handful of crap Realtek NICs shoved in it then wonder why they can't push a gigabit of traffic between internal hosts. Firewalls aren't switches. In some limited circumstances, where you don't care about performance between internal hosts much, and require filtering between every internal host, it's a fine idea. People just tend to expect it to work the same way as the switch built into their consumer router, and it's not the same at all. Huge diff between multiple NICs in a firewall or router and a switch.
  • How to block config page over WAN!!! BIGGG issue!!

    0 Votes
    15 Posts
    3k Views
    @kiyu: …as I mention I have no idea about it.. ...

    State your hardware, draw a logistical network diagram. Write an operational specification for the flows. Prepare to rewrite the pfSense config. Meanwhile, temporarily, you have to block all WAN's ingress to (22,80,443) or do at least [System: Advanced: Admin Access (TCP port)] not on 80 or 443 as doktornotor said already.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.