Need more info and keep in mind this is coming from an amateur but I would give the client who is allowed access a fixed lease on your network, then write an allow rule to the specific website(assuming the site has a manageable ip set) with the client as the source, then write a second rule blocking everything else to the website. Make sure to place this rule set above your allow rules(depending on your rules)…I believe this is a form of "whitelisting". Not sure that answers your questions but need more info to be more help...

After some reading i understand now that this will lead to bigger problems … the cisco router is routing because of fixed routing tables ... bah im changing the big subnet in smaller ones on the client side

@maymaster: @jimp: The Let's Encrypt CA on your system does NOT include the key, it is only the certificate. You can't make your own certificates without the key. Let's Encrypt automatically signs requests only if your request can pass validation. Since you don't control the domains or sites in question, you could never pass the validation and thus could never obtain a certificate from Let's Encrypt for those sites. The only way you can do MITM is with your own self-signed CA installed on every device/browser. Period. What kind of certificate should I buy to make Man in the Middle to filter https? And some place that you recommend me to compare? The USA government cannot even do this. You make your own and manually install them on your local machines.

Hi Greg everything worked well so far, excep that cluster pfsync doesn't run anymore :-) Will need to fix that now,… Best regards Rafael

@johnpoz: That why it was labeled "Notes" ;)  But ok not a big deal.. Users are stupid in general.. A short and to the point list with all the common stuff seemed like a good idea to me.  All of those items come up all the time.  I am about ready to make the statement of how rules are evaluated a hot key stoke for pasting it ;) Same with the wan is not the internet thing, just a thread started the other day where user just doesn't get it.. Even after multiple attempts of pointing out its just the wan net, and not the actual internet ;) edit:  BTW it was my idea for the wiki, not danc idea.. So any blame for that falls to me..  Nice to see a new user trying to help out the others here.. I agree though I can understand that a proper place for these tips might be hard to find on the wiki. Sadly, most of the learning pains I'd initially ran into were forgotten as I became accustomed to the "quirks" of pfSense. I applaud the efforts of OP. Seems like a good start. I don't really see any downside for pfSense to make the learning curve for newbies easier.

Thanks Johnpoz again for your help…

Did you enable the new interface? Interface->new interface…make sure Enable is checked.

There's a nice CIDR/subnet calculator online that shows you exactly what addresses are part of a particular subnet and the details of the subnet in address/CIDR/netmask notations. http://www.subnet-calculator.com/cidr.php

@jimp: That's just how IPsec works. It has no concept of routing, so you have to nudge the traffic to use the correct source: https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN Bingo. Add the static route with a /32 and now it's working perfectly. Thanks Jim!

^ you can get SSD for very reasonable prices these days.  For you firewall even something a small as 8GB would be more than enough.  I see some small ones 8/16GB for under 20$ on amazon.

i had same problems starting with pfsense there is something with the Firewall Rules and WAN net WAN net is the subnet between pfsense and Router and not "the internet" So the rule "any from LAN net to WAN net" does not give you internet access but "LAN net to any" does. you can setup an alias for internet or do it like i do: On interface LAN block LAN -> OPT allow LAN -> any On interface OPT block OPT -> LAN allow LAN -> any

@irs: still no reply while ping the nas from remote And what states did you see in pfSense whilst doing that? You should see states from the remote client IP if the port forwards are working correctly. Steve