his new thread for those curious:
http://forum.pfsense.org/index.php/topic,61616.msg332302.html#msg332302

well i have a problem with the same, i have bridged lan to wifi on pfsense and static mac id/ip pairs set with static arp and deny unknown client ticked, i use a tp link TL-WA850RE wifi range entender and wifi clients get the proper ip but with staic arp wifi clients r not able to surf at all untill i untick that, any solution to this

I think you're going to have to define those two concepts before anyone can comment on that in any detail.
I don't imagine any firewall specific code is deliberately designed to be anything other than as secure as it can be. You could say that because Astaro is offering a wide range of services it offers a wider attack surface to potential hackers.

Steve

@rakeshvijayan;

i appreciate your reply but the "ouapapaladam" is asking about allowing the facebook for about 5mins. Assuming ouapapaladam has already blocked  it using squid either using a proxy mode or manual ip list in squid!

In my case I am not able to block https with proxy .ouapapaladam did you check in your client side with https facebook . Hi  srk3461  you point a good knowledge to me also I will try it on my virtual machine for testing purpose

thanks

Glad to see your reply.
I can't understand your explain,but…
I add my local domain in here,the dns is answered correct.
Services -> DNS forwarder -> Domain overrides
Thanks so much.

YOU DONT NEED TO ADD ANY SETTING OVER THERE YOU HAVE TO INSERT THE CORRECT DNS ENTRY OVER THE GENERAL SET UP SELECT THE CORRECT GATE WAY FOR THE DNS . OR TRY TO INSERT GOOGLE DSN FOR CHECKING 8.8.8.8 AND SELECT GATE WAY YOU WISH ,THEN TRY TO PING TO GOOGLE FORM THE DIAGNOSITC TAB ,BY THAT YOU CAN REALIZE IF IT IS DNS PROBLEM OR NOT  .Services -> DNS forwarder -> PAGE YOU HAVE ONLY PUT A TICK MARK ON (ENABLE DNS FORWARDING TAB)

Communications between LAN machines that are connected together via a switch go across that switch. They never reach pfsense even though it's also on the same switch.

There is nothing for pfsense to log because it never sees that traffic.

That is how you are setup, right?

old topic..anyway..

I'm facing the same problem. you can't set that second rule via web gui but I put it in "by hand":
I added the rule in /tmp/rules.debug and then pfctl -f /tmp/rules.debug

so the rules I have now are :

rdr on bridge0 inet proto tcp from any to any port = http -> 127.0.0.1 port 3128 pass in log quick on bridge0 route-to lo0 inet proto tcp from any to 127.0.0.1 port = 3128 flags S/SA keep state

but it's not working!

bridge0 = (em1, em2)
client is on em1 side
I can see
IP clientip.3002 > 127.0.0.1.3128: Flags SYN
on the other side of the bridge member em2. no traffic on lo0 interface.

so route-to lo0 dosn't work.

or better.. it's the rest of the rule that doesn't work, if I place the (wrong and temporary) rules like:
this one: pass in log quick on bridge0 route-to lo0
or even: pass in log quick on bridge0 route-to lo0 inet proto udp

then I can see traffic on lo0.

I tested on 2.0.3 and 2.1 beta1.
it's been reported here long time ago :
pfSense bug #1620
http://redmine.pfsense.org/issues/1620 there's

on FreeBSD 9.1 it works fine.

Yea im new to pfsense but have been on Checkpoint SPLAT that a tcpdump doesnt show the NAT'd address in the re-written source address (I think it had something to do with the order that the packets are processed).  Hence me asking for clarification :)

I'll have a play around and check when I get home!

In my firm we have more 60 computer using internet connection with load balancing .In my pfsence i configured dhcp squid firewall ip forwarding to web what else we need rather than pfsence . yes you can save more money if you have knowledge to problems in pfsence here more Ideal and technical persons available here to help us with their experience . from ISP all fiber end are ended in a GE converter out put connection may vary base on 10/100/1000 in my firm I have one 100 based and 1000 base card is used to handle the incomming connection .so you have to know about that configure it before

@ljadmin:

My gateway status is 'online' but i cannot ping my gateway from the IP of my Firebox but I can from other systems on the switch.
[Gateway (#.#.#.217)] – switch -- [Firebox (#.#.#.219) & ServerA (#.#.#.220)]

What does ping report? (a png report is nearly always more informative than "cannot ping").

How many interfaces have you configured on the firebox? How many of them are in the same IP subnet as the pfSense WAN interface?

I presume the switch you mentioned is connected to the pfSense WAN interface and Server A such that Server A can directly contact the gateway (bypassing the Firebox).

@marvosa:

When using FTP behind a NAT Firewall, I've always forwarded the passive ports.  Unless the firewall dynamically monitors FTP connections and opens ports dynamically when it detects a passive FTP connection, which I'm guessing is what the FTP helper is trying to achieve.

From -> http://doc.pfsense.org/index.php/2.0_New_Features_and_Changes:

FTP helper now in kernel

So, maybe it's a kernel bug or the "FTP Helper" has been deprecated.  If someone has a more official explanation, feel free to chime in.

I think you are correct. I have not disabled it so maybe there is some kind of bug on the FTP helper since although enabled i have to port forward the passive ports my self.
Except if the FTP helper on pfsense is not supposed to do this as the [ Tracking / NAT Helpers - FTP nat helper ] i said.

Who knows.

Regards

Try looking for the VLANs tab on Interfaces -> (assign)

I realize this was posted in wrong place. I just want to update in case someone was scared off by my experience, When I downgraded to 2.0.2 I had the same issue when I restored the config backup. So apparently there was an issue with my config exposed by the upgrade process, unrelated to version 2.0.3. I am now running 2.0.3 with config rebuilt by hand (with aid of the xml file open in notepad) and all seems fine. Was probably a good time for a config 'spring cleaning' anyway..
Thanks again to maintainers of this project for this solid update!

@pvoigt:

@dig1234:

I'm on nanoBSD i386. upgrade from 2.0.2 to 2.0.3 was a disaster. Bootup would hang at Starting Firewall.
Turned on verbose logging, eventually bootup finishes but packages did not reinstall.
Getting message in syslog and console:  kernel: t_delta 15.fd984de3455432fc too short etc.
Will try installing from scratch, maybe upgrade process just crapped out. Otherwise I'll go back to 2.0.2

Well, these issues are looking even more serious than those nsswitch warnings. Maybe I missed it but are you getting the nsswitch warning besides your other problems? If yes, could you please give feedback I they do disappear after a clean install? I'm runing a NanoBSD image and it is a real pain to exchange CF card for re-imaging.

Thank you all for your help. I also found out that every night comes the night guard to this company with his own laptop which was also infected:)