• Installing packages and speed tweaks

    4
    0 Votes
    4 Posts
    2k Views
    dotdash
    No idea what you are doing with metasploit, so I can't comment there. Reflection is only needed if you are trying to hit the public IP of a box on your local network. e.g.- you have a web server on the lan that local clients hit via a public IP. Port forwards are not that hard. A typical forward for a web server would go something like-
      IF: WAN
      Proto: TCP
      Dest: WAN address
      Dest port: HTTP
      Redirect target IP: 192.168.1.100
      Redirect target port: HTTP
      Description: HTTP to web server
    Note that pfSense usually listens on TCP 443 (and maybe 22), so if you only have one IP, you'll need to change the webgui port to forward HTTPS to your WAN.
  • [Solved] Strange behavior on Syslog. Needs restart for remote logging.

    2
    0 Votes
    2 Posts
    1k Views
    After two days I just found out that I should select LAN on Remote Logging Options / Source Address, to bind the correct interface. Now is working as expected. Thanks.
  • Need help to access web gui

    3
    0 Votes
    3 Posts
    1k Views
    I tried to access it from another computer but the web page is not opening. pfSense is showing "192.168.1.1/24" but that is my router password, pfSense's system password is 192.168.1.2 and neither of them opens the pf webui on another computer connected to the same network. Seems like I have made some mistake in configuration :) Which IP address needs to be assigned to the pfSense LAN interface (em0)?
  • 1:1 NAT and traceroutes since 2.3.1_1

    7
    0 Votes
    7 Posts
    2k Views
    Thanks for the clarification cmb. Noticed that when doing an ICMP traceroute it currently looks like this with 1:1 NAT and an ICMP-req permit any ingress rule:
      root@mybox:~$ traceroute -P ICMP www.mycorp.com
      traceroute to www.mycorp.com (178.29.55.4), 64 hops max, 72 byte packets
       1  192.168.0.1 (192.168.0.1)  4.286 ms  0.853 ms  0.793 ms
       2  * * *
       3  * * *
      ....
      12  isp-gw.isp.com (178.29.55.1) 37.324 ms 36.232 ms 37.232 ms
      13  web.mycorp.com (178.29.55.101)  38.349 ms  37.285 ms  37.907 ms  <--- this would probably be the pfSense box at 178.29.55.100
      14  web.mycorp.com (178.29.55.101)  37.661 ms  37.410 ms  36.496 ms
    So yes, it really seems that FreeBSD 10.3 changed something.
  • Need help on port 443 ! please

    10
    0 Votes
    10 Posts
    1k Views
    OK man, thanks for all of your help. I really mean that, you have got me further than anyone else on the other forums. I really appreciate you. I will read that link and hopefully I get it. Thank you, cheers.
  • VLAN Firewall Rule

    10
    0 Votes
    10 Posts
    2k Views
    @johnpoz: you should be able to ping pfsense vlan20 address. You allow ipv4 any any which would include icmp. So if you're not pinging, something is wrong. You really can combine your block and allow rule and just make it allow ! rfc1918.

    So if I add your ICMP example (at the top?) and combine the last two rules I'm better off? I sure do appreciate you taking the time to help. Not only do I want the rules but want to understand what's going on as well and you're helping with that.
  • FreeBSD: Can I extract band width usage data from any log file?

    1
    0 Votes
    1 Posts
    534 Views
    No one has replied
  • 100% CPU problem with pfSense 2.3

    18
    0 Votes
    18 Posts
    9k Views
    bmeeks
    @phil123456: ok I added a core and put 2gb instead of 512mb of ram, and now it seems to work fine. jee snort is such a resource hog

    Yes, all IDS/IPS systems are resource hogs because of what they have to do. If you start to run a full Snort or Suricata rule set, you may find even 2 GB of RAM can get a bit tight. 4 GB is a good RAM number for either Snort or Suricata in my view. I suggest at least 2 cores for CPU, and 4 is even better.

    Bill
  • Traffic log TCP data-length field always zero

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Defining a table with normal and negated ips and ranges

    2
    0 Votes
    2 Posts
    602 Views
    You can't negate table entries inside of a table. Create the table you want, then negate it in the rule where you're using it.
  • [SOLVED] Use serial on pfSense to connect to switch?

    4
    0 Votes
    4 Posts
    934 Views
    cu works great! Thanks
  • VOIP PHONE CAN DIAL BUT CANNOT RECEIVE

    3
    0 Votes
    3 Posts
    3k Views
    chpalmer
    Build a firewall rule on your WAN with your PBX address as the source and your Linksys ATA LAN address as the destination. Make the ports whatever you use for SIP.  Generally 5060 on both sides. See if that helps.  Don't bother with port forwarding.
  • VLAN and WiFI AP

    3
    0 Votes
    3 Posts
    968 Views
    I have the US-150W-8 switch. I'll have a read through the links you posted.
  • Growing utx.log file

    16
    0 Votes
    16 Posts
    5k Views
    Hi jimp, Thanks for the ultrafast reply :-) Yes indeed, it's the check_mk package. We're monitoring with it the firewalls and then we have all 5 minutes a login to the firewall via ssh from the monitoring host. I know check_mk can be used over a tcp-port but our development here decided to use it strictly over ssh, even when problems like this arise. (Which I don't understand why over ssh). On my private installation I'm using Zabbix as the monitoring, much more advanced, also encrypted direct agent/proxy communication and also great it is supported as a package by pfSense ;-) No problems with the Zabbix Agent there.
  • Possible dhclient bug ?

    2
    0 Votes
    2 Posts
    602 Views
    jimp
    If it's in the FreeBSD base system dhclient you should file a PR against FreeBSD directly. At least from the description it sounds as though it may be a bug.
  • URL Table(hosts)

    3
    0 Votes
    3 Posts
    2k Views
    pfBlockerNG's DNSBL does this
  • Pfsense Gold, back-up download

    2
    0 Votes
    2 Posts
    642 Views
    jimp
    At the moment we do not have a portal for that functionality. You can download any backup from any other firewall also running AutoConfigBackup, however, so it hasn't been a critical need. It is something that has been on our radar for a while, however we do not have an ETA on when it might be available.
  • LG G4 TETHERING

    9
    0 Votes
    9 Posts
    2k Views
    I was wondering about this as well. ROOTer Firmware (http://ofmodemsandmen.com/) supports this with no issue on pretty much any Android phone that supports the standard NDIS USB Ethernet Tethering. Really worked well for getting me out of a pinch where the ISP messed up a transfer and left us high and dry for a week. The only other way I can think to achieve this using pfSense is to have it going into a basic TP-Link router and then expose that to a WAN port on a pfSense router as a failover.
  • Rc.newwanip triggered every 30 minutes

    8
    0 Votes
    8 Posts
    8k Views
    Dear, please can you be more specific where to add "::" at line 125
  • DIY router with already bought hardware

    5
    0 Votes
    5 Posts
    2k Views
    @porcomaster: Hi guys I just purchased an h81i-plus, Pentium g3285 and 8 GB ram for a FreeNAS machine, but after some advice, I decided to buy a better suit hardware to my FreeNAS machine with ECC and hookers, but I do have now a real nice hardware at hands that I could just sell it and lose some money or transform it to a router, my router is already on its end of the lifespan, I know that this CPU would be too overkill, and it will consume a lot more power than a router, but it looks better than sell it, my actual router is a wdr4300, and it's already my third router with OpenWRT, my questions are, pfsense is a good choice for this?, H81i-plus just have one LAN card and one pcix16, so how is the best option to connect to my FreeNAS machine? (I may buy a switch, for this one, I do have an IPTV at home too) Which wifi card do you guys would recommend me? it's any wifi card that would be able to do 2,4 and 5 GHz? any advice? regardless I do ask sorry for any grammar mistake as I am not a native speaker, and I do ask sorry if this information is at any place, it's hard to find information about this matter

    I would think of your new hardware not as overkill, but as headroom. pfSense can be configured as anything from a simple no frills router, up to a full fledged UTM type device providing deep security and a wide range of services. Naturally, the resources to power that activity scale up as well. Concur with stan re wifi. If you do on board, you take on the limitations of whatever the upstream FreeBSD sources provide, and no use case for that springs to mind. I use Cisco APs myself, as we were already using them at work when I took us off the Cisco routing path and moved to pfSense. If you haven't purchased a switch yet, you may want to consider the Cisco 300 small biz series. They cost a bit more than I would like, and rarely hit the used market at much under retail, but they are a supported switch for PacketFence should you choose to go that route.

    Quad port NICs are widely available on the secondary market for less than you'd pay for a new single port. You can do everything with a single NIC and VLANs, but it can make your brain hurt at times. 3G/4G is another story: if you have a need for out of band remote management, on board can be a good option, as the external devices aren't all that great, but you need to check the HCL carefully.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.