• How to manage hundreds of rules?

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    C
    If you have hundreds of rules on any firewall, you're most likely not doing things optimally. I have seen some so complex and wide ranging that hundreds or more rules are required, but it's very rare, maybe one in every 500 systems I'm on. Lots of good coverage on the usage of aliases and in general keeping your rules as manageable as possible in http://pfsense.org/book
  • Problems with accessing modem

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    M
    thanks works great!  ;D
  • Maximum number of interfaces

    Locked
    8
    0 Votes
    8 Posts
    8k Views
    M
    OMG… I really, really, really feel stupid now.  :o My apologies for wasting your time. I completely under-estimated the pfsense-team. Issue resolved. Thank you very much
  • Traffic usage report?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    X
    I don't think there is a package that will do everything that you want but what I use is darkstat and bandwidthd. Darkstat description: darkstat is a network statistics gatherer. It's a packet sniffer that runs as a background process on a cable/DSL router, gathers all sorts of statistics about network usage, and serves them over HTTP. This will tell you when it last saw a certain IP. bandwidthD description: BandwidthD tracks usage of TCP/IP network subnets and builds html files with graphs to display utilization. Charts are built by individual IPs, and by default display utilization over 2 day, 8 day, 40 day, and 400 day periods. Furthermore, each ip address's utilization can be logged out at intervals of 3.3 minutes, 10 minutes, 1 hour or 12 hours in cdf format, or to a backend database server. HTTP, TCP, UDP, ICMP, VPN, and P2P traffic are color coded. It will tell you the users that are on daily, and how much data they are using. Hope this helps.
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • Network wifi hosts not able to communicate

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    G
    Ok, so my wifi network is configured as follows. It is not bridged with LAN, it does have DHCP server activated and gives out IPs in the C address range (24 bit address class). The wifi clients see the wireless network just fine and they are also able to connect and access the internet. The wifi clients also get the proper IP address and subnet mask as well as Gateway information provided by pfsense. I also have a firewall rule allowing WIFI subnet to access everything (*). I have the newest 2.0 version of pfsense. The problem I am having is complete access (Ping, NFS connections, RDP etc…). When I try communicating through ping it gives me host/destination not reachable. This only happens between wifi clients, LAN to LAN doesn't have this problem. I even fired up wireshark on both computers I am trying to get to communicate and when I use computer A to ping computer B with wireshark running on computer B it shows no ARP request or ping protocol in capture file. I also tried capturing WIFI traffic on PFsense and I don't get any ARP or Ping traffic at all. Now with all this written up I want to share the solution to this problem for anyone else who has a stupid moment like mine. The cause for these problems is due to the fact that under my WIFI interface options for wireless AP Mode, I did not check the box "Allow intra-BSS communication" which caused all the previously posted problems. It's been almost a year since I installed a pfsense box and so I forgot that I needed this option for client to client communication. I hope this proves useful for others. Thank you wallabybob for all your help.
  • Pure router and traffic shaper

    Locked
    11
    0 Votes
    11 Posts
    8k Views
    T
    One more question: Later in production use I want to run pfSense on old IBM Server hardware (Xeon CPU, 2 GB RAM, GBit NICs). What is more recommended a) installing pfSense on hard disk, which could become damaged or b) to install the nanoBSD version on USB memory stick? Thanks!
  • How to choose which machine I remote desktop to?

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    U
    Thank you. I used your solution of port forwarding and it does work. I will just have to make a list of what port corresponds to which machine so I remember.
  • GUI through site to site VPN

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How can I diagnose long DHCP response time?

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    N
    You can do a packet capture on the interface the DHCP server is listening on and after that analyze it with wireshark or any other tool.
  • Packet Loss jumping erratic

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    S
    Thank you very much. Your assumption was correct. It was regarding maxing out my upload. What limitation would be recommended on a 1024 upload speed? Shall I set the limit to 50Kib/s?
  • PfSense - Web Configurator crash with 150 + ipsec tunnels

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    T
    Hi, yes, some tunnels are configured to use a FQDN with a domain 'hosted' by dns (with a very low TTL, making the cache useless). And the problem gets worse when the internet line is down so you must be right. Thanks a lot!
  • Visitors & wifi lan isolation works like a charm

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Accessing freenas from different subnet ?

    Locked
    18
    0 Votes
    18 Posts
    17k Views
    S
    I fixed it, guys. Tried the new snapshot and it's working now with the rule activated on LAN; however, I had to insert the IP via //ip/share etc. because it doesn't seem to auto-discover when clicking Network, which is no problem.
  • MOVED: I want squid to be silent.

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Pfsense issue, I can't decide where the problem is

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    S
    The other thing I can't decide about is why, if I boot the pfsense cold with no cables and then plug it in, does it work (obviously the openNTP hang is there, because there is no internet). Why does it work after a complete boot and cable change, whereas if I leave it all plugged in and boot it that way, it refuses to find the internet and route traffic? Unfortunately I've not tried it with 1.2.3, as I need the features in 2.0 in order to accomplish multiple cisco vpn clients to the same VPN concentrator (a customer's requirement… and this part works fine in 2.0-RC3).
  • I Lost OWA and active sync from Exchange 2007.

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    R
    All you should have to do is port forward 25, 80 and 443 to your Exchange server. That is all I am doing and it works just fine. Did you change something on Exchange? Looking at your NAT, it does not look like you are forwarding port 80. Yes, I would start over as well and have only this rule in the LAN tab:

    LAN net * * * * Default LAN -> any

    Just go to Firewall > NAT > Port forward for your Exchange services:

    WAN TCP * * WAN address 80 (HTTP) Exchange 80 (HTTP)
    WAN TCP * * WAN address 443 (HTTPS) Exchange 443 (HTTPS)
    WAN TCP * * WAN address 25 (SMTP) Exchange 25 (SMTP)
    etc.

    The Port Forwarding will auto-create some rules in your WAN; leave them there.
  • 2 Standalone PFsense on single switch?

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    ?
    You shouldn't be using 1.2.2, it's VERY old.  2.0 is practically released, the RCs are extremely stable.
  • URL Cannot be Retrieved

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • LAN Traffic Extreme Slow..Need Help!!!

    Locked
    30
    0 Votes
    30 Posts
    11k Views
    Cry Havok
    It would help others if you could tell people how it was solved and what the problem was.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.