• MOVED: PS3 Netflix won't stream when proxied? *help*

    Locked
    1
    0 Votes
    1 Posts
    457 Views
    No one has replied
  • PfSense - PPPoE - No internet connection after restart/reboot

    3
    0 Votes
    3 Posts
    1k Views
    D
    There's PPP log in Status - System Logs. Look there.
  • Assign a public IP address from a GIF tunnel to a virtualized guest

    1
    0 Votes
    1 Posts
    464 Views
    No one has replied
  • Problem between Pfsense and my router, outlook

    3
    0 Votes
    3 Posts
    993 Views
    K
    Thanks for your reply and I will use this solution
  • FQDN in static DHCP mappings

    10
    0 Votes
    10 Posts
    2k Views
    D
    @BlazeStar: I didn't disable the DNS Resolver. I set host override IN the DNS Resolver. The DNS forwarder is not active. Should I disable the DNS Resolver and activate the DNS Forwarder? No. The point was that you can just run one at a time. (And as I recall, the checks to prevent running both were/are somehow incomplete.)
  • Strange address Shown in the dhcp leases

    57
    0 Votes
    57 Posts
    14k Views
    johnpoz
    dude who is 192.168.0.3???  Something is WRONG with that box..  Why is it talking dhcp every couple of minutes???
  • Understanding the egress traffic on my network

    8
    0 Votes
    8 Posts
    2k Views
    P
    Like @mer says, you should be able to achieve this with rules on your LAN(s). To keep it simple and avoid having to think hard about !this and !that I would put some pass rules first for the traffic you already say you want to let through unchecked:
    Pass no logging source * destination * port 80 and 443
    Pass no logging source "internal DNS servers" destination * port 53
    …
    Then:
    Pass with logging source * destination *
    and of course include block rules for anything you know you actually want to block from day 1. Then see what comes in the firewall log. Then add "pass no logging" rules for stuff you understand and want to let out. Add block rules for stuff you now understand and want to stop.
  • VLAN Setup - Do I understand?

    7
    0 Votes
    7 Posts
    1k Views
    J
    Got it working! Thanks all  :)
  • Run Script on Interface Status Change (to re-enable 3g usb modem)

    5
    0 Votes
    5 Posts
    1k Views
    jimp
    Yes, the same mechanisms work on NanoBSD and a full install, the only difference is that if you edit files on the NanoBSD filesystem you have to flip it to Read/Write mode first.
  • Disabled NAT IP's still pingable

    6
    0 Votes
    6 Posts
    1k Views
    KOM
    If an External IP that is in the NAT 1:1 is disabled, why is it pingable? I assume you have IP aliases for these public IP addresses you're using?  I also assume you have a WAN rule that allows ICMP with a Destination of *?  I don't believe that removing the NAT affects whether you can ping the public address or not.
  • Random 2.2.2 crashing and freezing

    3
    0 Votes
    3 Posts
    711 Views
    D
    Yes my WAN is DHCP and I have absolutely no packages installed.  This is why I am a tad stumped as to what could be wrong here.
  • Setting up two internal networks to communicate via pfSense.

    9
    0 Votes
    9 Posts
    4k Views
    johnpoz
    0.0 interface what interface is that .0 is normally not a valid host address unless for example you were using /23 vs /24  And it wouldn't be valid in your setup with 192.168.0.?  192.168.0.0 would be the network not a host address. Windows by default blocks pings from networks other than the local network..  So while if machine A was on 192.168.1.14/24 and other machine was at 192.168.1.15/24 they could ping each other, but when you move one to 192.168.2.14/24 then the local firewall would block it. How about answering my question.. Can the box on 192.168.2.x ping the pfsense IP at 192.168.2.110 ? Can the 2.x box talk to the internet?  Can you post the ipconfig /all from these 2 machines?
  • What causes this in the logs?

    6
    0 Votes
    6 Posts
    1k Views
    J
    Yes, I can always remove the team. However now I'm curious because I have a NAS that has an adaptive load balanced nic team with 2 nics. No log entries from that nic team - however that is running Linux. This machine has windows. Interesting…. Thanks for the help! :-)
  • PfSense is not a switch?

    5
    0 Votes
    5 Posts
    1k Views
    C
    @johnpoz: If you bridged 4 ports together you would have a "HUB".. Since all packets seen on 1 port would go out all the other ports.. This is how a bridge works.. Not true with our bridges, they learn MACs the same as a switch and send traffic accordingly just like a switch. The "use an actual switch" mentality is largely for performance reasons. People tend to show up wanting to use some Pentium III they pulled from a dumpster with a handful of crap Realtek NICs shoved in it then wonder why they can't push a gigabit of traffic between internal hosts. Firewalls aren't switches. In some limited circumstances, where you don't care about performance between internal hosts much, and require filtering between every internal host, it's a fine idea. People just tend to expect it to work the same way as the switch built into their consumer router, and it's not the same at all. Huge diff between multiple NICs in a firewall or router and a switch.
  • How to block config page over WAN!!! BIGGG issue!!

    15
    0 Votes
    15 Posts
    3k Views
    H
    @kiyu: …as I mention I have no idea about it.. ... State your hardware, draw a logistical network diagram. Write an operational specification for the flows. Prepare to rewrite the pfSense config. Meanwhile, temporarily you have to block all WAN's ingress to (22,80,443) or do at least [System: Advanced: Admin Access (TCP port)] not on 80 or 443 as doktornotor said already.
  • MOVED: pfsense 2.1.5 block windows update

    Locked
    1
    0 Votes
    1 Posts
    438 Views
    No one has replied
  • How to deny access of facebook

    7
    0 Votes
    7 Posts
    2k Views
    BBcan177
    You can actually do both… In Unbound or dnsmasq, create a Domain override. Also use pfBlockerNG to download the most recent IPs automatically daily/weekly as required. Hurricane Electric is a great source to collect IPs for almost any site.
  • Pkg add and update

    4
    0 Votes
    4 Posts
    1k Views
    C
    You must be on nano version judging by that, or else have /var/ enabled as a RAM disk. You can't run MySQL on nano or where /var is a RAM disk. Running MySQL on the firewall at all is probably a bad idea too, better to keep server roles on servers.
  • Alias to the WAN ip

    6
    0 Votes
    6 Posts
    2k Views
    Derelict
    I don't think so. A roundabout way might be to set an alias to an FQDN and set the FQDN to a hostname dynamically updated by dyndns on WAN.  That probably won't reflect changes fast enough. Are you configuring Services > Load Balancer > Virtual Servers?  I can't think of an effective way to use a dynamic address there.  Depends on how quickly you need it to update. I looked in /tmp/rules.debug and everywhere that references WAN address has been replaced by the actual IP address, not an alias to it.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.