• Firewall with one interface is possible ?

    4
    0 Votes
    4 Posts
    4k Views
    johnpozJ
    You can, if the only thing on the one side is going to be VMs. But if you are going to have wan and lan of pfsense on your physical network then you will need to use vlans, and need switches that understand the vlan tagging.
  • Accessing local services when running vpn locally

    1
    0 Votes
    1 Posts
    172 Views
    No one has replied
  • Slow FTP and SFTP

    6
    0 Votes
    6 Posts
    2k Views
    BabizB
    Indeed, file transfers of small size are always slower than bigger ones. (Check for example USB to SATA transfers; it is the same as LAN to SATA, in terms of what the filesystem needs to do to store thousands of small files instead of a bigger one.) I agree with what @johnpoz said, of course. Bye.
  • Why is there a back door for Negate forums?

    13
    0 Votes
    13 Posts
    2k Views
    BabizB
    @bugsmanagement said in Why is there a back door for Negate forums?: Alright Hey dude, I advise you to take a break and go get some good reading like the pfsense Book, and avoid making frenzied threads. Without fairly knowing how the user interface is composed, I won't be too hard, but we need brains first, and the pfsense Book is your first reference source available. Your Holy Grail. Bye.
  • RFC1918

    4
    0 Votes
    4 Posts
    669 Views
    QinnQ
    You both are right of course. Now I have blocked access between nodes on the same subnet using client isolation on the AP.
  • FTP on pfsense FWA-3045

    4
    0 Votes
    4 Posts
    584 Views
    S
    @johnpoz Thanks a lot johnpoz, after reading the very good link you posted I understood how FTP works, so finally, no need to modify rules on my firewall. I just modified the Active/passive mode on my MFP. Thank you so much.
  • transparent bridge firewall with separate management-port

    13
    0 Votes
    13 Posts
    3k Views
    M
    Finally we're making some progress. I installed the firewall-pc completely new from scratch. I configured the LAN and WAN port into a BRIDGE and set net.link.bridge.pfil_member to 0 and net.link.bridge.pfil_bridge to 1. After this, I set the management IP of the firewall to the BRIDGE interface and deleted it from the LAN interface. I think this did the trick for me. Now the following firewall rules are active: LAN interface: allow IPv4 from LAN net to any; WAN interface: allow IPv4 from WAN net to any; BRIDGE interface: allow IPv4 from LAN-test-pc-IP to firewall-ip port 443, allow IPv4 from WAN-test-pc-IP to firewall-ip port 443. With these settings/rules I can access the firewall web interface from test PCs on both sides of the bridge. Apparently this constellation works for me in my desired constellation. More tests are in the pipeline. Crossing fingers, the firewall still works when I connect it to the "live" network, without making trouble and causing L2 loops! Amendment: apparently the two "allow any any" rules on the LAN and WAN interface aren't necessary for the function of the bridge. I deleted them and the traffic is still filtered through the bridge as desired.
  • How to Allow "Privacy Addresses" on the LAN?

    4
    0 Votes
    4 Posts
    685 Views
    beremonavabiB
    I'm also seeing traffic sourced from the link local address of some devices (my wife's phone is the one I'm now looking at) being blocked on the way to port 53 of the LAN address. I wish these IPv6 additional addresses fell into the "LAN net" macro (or whatever that's called). Am I going to have to add a rule on the LAN allowing ALL IPv6 traffic to all destinations? That doesn't sound good.
  • pf Tables

    3
    0 Votes
    3 Posts
    717 Views
    J
    I have gone through pfBlocker - was hoping that it might be a "solution", but there are some things for which pfBlocker just isn't the "right" solution. Thanks for the idea, though.
  • Internet access to VLAN webserver

    6
    0 Votes
    6 Posts
    698 Views
    BabizB
    @grimson I don't agree with you, why stupid? I need, for an IP cam like Mobotix, to get direct internet access for some kind of stuff like "Door bell" and video phone calls to it after ringing, and my customers want a simple setup. I need to sleep well at night, and it is not good if your customer calls you every time some trouble happens. (Maybe the customer is stupid, but I always prefer not to add a security layer because it is much harder for my customers to handle; of course in general "the customer" is a normal human, not a nerd like me or paranoid like you.) Bye!
  • "Default Deny" from My Computer to Multicast Log Entries [SOLVED]

    10
    0 Votes
    10 Posts
    2k Views
    sigiS
    BTW: Please inform yourself about "what is IPv6 link local addressing" and when is it needed. And then multicast: Even when you allow this: Multicast over L3 is another story. When this thread only is about "do not log rules" it is ok too.
  • "Time Exceeded" & "Parameter Problem" Not in 2.4.4 Default Allow?

    1
    0 Votes
    1 Posts
    143 Views
    No one has replied
  • Allow DNS binding through firewall

    9
    0 Votes
    9 Posts
    1k Views
    S
    No offence taken. I got pushed into this, and so it goes. I have gotten the issue resolved, with the port forwarding cleaned up. Thanks again.
  • "Default Deny" Rules Still Being Logged with Setting OFF [FIXED]

    1
    0 Votes
    1 Posts
    213 Views
    No one has replied
  • No inbound traffic coming into my WAN

    firewall wan internet ipfw installation
    5
    0 Votes
    5 Posts
    2k Views
    johnpozJ
    @juelmk said in No inbound traffic coming into my WAN: When I set my WAN interface to get dhcp address from the modem it get 0.0.0.0 Well then how would it work? You sure your own the pfsense wan interface plugged into your router? You sure the cable is good? When pfsense does get an IP you need to make sure that your wan and lan of pfsense do not overlap - ie they can not be the same network 192.168.0/24 for example
  • fresh install LAN cannot connect to WAN gateway

    4
    0 Votes
    4 Posts
    509 Views
    RicoR
    You're welcome, glad you have it up and running now. -Rico
  • Unable to open Microsoft url

    7
    0 Votes
    7 Posts
    1k Views
    S
    Hi johnpoz, I have even disabled the squid proxy and web filtering; after that, we are unable to open Microsoft sites and such pages. Please find the attached snapshot and URL for your reference. https://www.microsoft.com/en-us/solution-providers/home
  • With static IP address, pfsense clients cannot access the Internet.

    81
    0 Votes
    81 Posts
    20k Views
    M
    @viragomann :)))FUNNY HUMAN
  • Pfsense ISP public ip

    4
    0 Votes
    4 Posts
    583 Views
    KOMK
    For posting the same thing in multiple forums. One post is enough. I looked at your original post and I didn't bother to reply because there was literally NO detail to go on whatsoever. Announcing that you have a problem while providing no details won't get you far here. This is simple for a default installation. It should just work. Post screenshots of your interfaces and firewall rules if you want anyone to help you.
  • Difference between "ANY" & "Interface Net" as source

    4
    0 Votes
    4 Posts
    845 Views
    imcdonaI
    @derelict said in Difference between "ANY" & "Interface Net" as source: When you get into allowing traffic in from downstream routers the traffic you need to pass into an interface can expand. Brain fart...Duh! I suppose I got sidetracked when I interpreted "Lan net" to mean "anything behind the lan interface" as opposed to the networks directly attached to the LAN interface. Thanks for that clarification.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.