I would to like access my clients to the 3 virtual machines depending on the client.

If by "depending on the client" you mean that you can identify your client by specific IP ranges/addresses, then it isn't that much of a problem. You can create Port Forwards with specific source addresses coming to the WAN IP to specific internal hosts. So for example:

Src | Dst | NAT

1.2.3.4/24 | <wan ip="">| 10.0.0.11 (Host 1 in DMZ)
2.3.4.5/32 | <wan ip="">| 10.0.0.12 (Host 2 in DMZ)
3.4.5.6/28 | <wan ip="">| 10.0.0.13 (Host 3 in DMZ)

That is completely possible. Only if you want to allow access from ANY (whole internet) or you want to address the same host twice with a source already configured (e.g. 1.2.3.4/24 shall also access 10.0.0.12) that would only be possible with proxies of any kind.

Otherwise just use different Forwardings for different clients :)</wan></wan></wan>

@Teo:

Yes, I am accessing pfSense firewall sshd and web gui public IP from the LAN side.

And you have answered your own question.

If you're still having this issue I would go back to a very basic setup. No pfBlocker, no other packages. Check again. One of those things must be causing this problem.

Steve

PfSense was never designed to be a replacement for a proper switch so don't expect it to perform like one.

I assume you're still trying to workaround this: https://forum.pfsense.org/index.php?topic=142665.msg777764#msg777764
You'd get better responses if you'd actually described what you want to achieve instead of asking for random nonsense snippets.

Read the link in my signature, and describe your problem accordingly.

I haven't figured out your problem yet but this may give you something to check.  Website not being reach while Google.com is reachable can be a sign that IPv6 internet is working and IPv4 internet is not.  You could be reaching google via the IPv6 internet only.

???
What kind of packets?  With TCP, the packets are received and buffered while waiting for late packets to arrive.  With UDP, it's up to the app to decide what to do.  With some, it may also buffer in a manner similar to TCP.  Others, for example VoIP, will simply discard any packets that don't arrive in time.

Well then welcome to pfSense.

Yes.  I ruled this out on the last time I was present.
SSH attempts didn't magically make the firewall pass traffic on the native interface again, as it appeared to have in October.

During the last ten minute span the "event" occurred I noted this:
The switch port the firewall is plugged in to never went "down"
ARP requests to the IP of that interface came back empty when requested by a workstation on that VLAN.
I could not ping the firewall interface IP
Traffic passing over VLAN2 to the internet (same physical ingress interface) was unaffected.
Traffic passing over VLAN3 to the internet (again same physical ingress interface) was unaffected.
SSH attempts didn't "wake up" the interface (didn't expect them to but had to rule out the coincidence)

I updated to the latest firmware and rebooted.  So lets see what happens.

bump

https://forum.pfsense.org/index.php?topic=112072.0 and https://forum.pfsense.org/index.php?board=37.0

Sounds like they messed up VLAN behaviour for the multi-SSID part. On top of that, they probably couldn't do this in the ASIC or accelerator, so as soon as you use those (rather common) functions to spit 802.11 traffic into 802.1q VLANs the bad performance of the (supposed) MIPS device shows. I suspect that if you use no VLAN (or default 1) and no multi-SSID it all works fine because the switch is in hardware forwarding mode.

Way better than what cisco box?  i would compare pfsense to say the ISR line…

While I love pfsense to death, it can not compete with say a 12000 series router... Nor is it meant too..

But yes I would say that pfsense for sure is a better deal than a ISR from cisco... But you could not compare it to say a Firepower 9000 firewall, etc..

@keyser:

You can’t do that with RDP directly.
But if you install “Remote Desktop Gateway Services” on a Windows Server, that will provide RDP access tunneled through HTTPS.
When going through HTTPS you can do exacly what you are looking for with fx. HAproxy as a reverse proxy on pfsense. There you can do an ACL that only allows connections over HTtPS with the proper URL entered by the client.

This works - I have it running on my home fw.

A port forward needs the frames to be TCP or UDP (ethertype 0x0800 for IPv4, 0x86DD for IPv6).
No other protocol has ports.

EAPOL frames are a L2 protocol with ethertype 0x888E which is NOT based on IP.

Thanks. I was having the same issue and the alias works very well.

Thank you!

I can see how that would be annoying for people supporting pfsense as, depending on how fast the browers might autofill stuff. You don't know what autofilled it, and might not even consider the browser as the culprit.

Btw, can i connect to the vpn if i'm connected to the local network that pfsense is hosting, just on the 192.168.1 subnet. Or would i have to find a separate network to test the connection from?
Not sure how pfsense feels about that.

Remove GW_LAN. Also on the DHCP on pfSense make sure the default gateway is set to 10.0.0.1

no
same picture as  the old pfsense computer

strange
I deleted the picture
And I loaded it again

And now it's all right