• Up to date manual for filtering bridge

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    chpalmerC
    http://forum.pfsense.org/index.php/topic,50711.0.html Note the trip to "advanced settings" I forgot to mention… Good writeup!
  • Allowing torrent

    Locked
    5
    0 Votes
    5 Posts
    18k Views
    johnpozJ
    What does your WAN rule say?  Did you let it auto-create the WAN rule when you created the NAT? As to the LAN rule, it shouldn't really matter if that rule is before or after your pass rule to LAN net.  But not sure why you would even have such a rule?  LAN devices normally would never even talk to pfSense to talk to other LAN devices. Your current LAN rule with a source of 192.168.1.233 would allow only that box to talk to the internet.  Is that what you want, you don't want any of your other devices to talk to the internet?
    edit: btw I notice you're only allowing TCP; uTorrent can and does use UDP as well. http://www.utorrent.com/help/faq/network "If you have a firewall, you must allow all outgoing traffic on TCP and UDP." If you're not getting anything to work, it's quite possible you're trying to use a UDP tracker, and you are not allowing any outbound UDP on that LAN rule you have. I just took a look at one of the torrents I downloaded recently, and the tracker shows udp://tracker.openbittorrent.com:80/ So with your current LAN rule there would be no way for you to contact that tracker since you're not allowing UDP outbound.
    edit: so you can see all the rules.  Here are my WAN rules, NAT rules, and LAN rule that allow torrents to work.  You will see my forwards and rules that allow inbound on TCP/UDP for my uTorrent ports. And then the LAN rule that allows clients to go to anything outbound.  Those other LAN rules are blocking 1 client that I use for Websense testing to only be able to go to Websense IPs, and block direct outbound. [image: utorrentrulesnat.jpg] [image: wanrulesutorrent.jpg] [image: laninternetrule.jpg]
  • More of a general networking question (DMZ, firewalling)

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    johnpozJ
    Pictures are always worth a 1000 words ;) Who do you need to explain it to?  That would not understand what you just wrote? I would draw it up in Visio for example, showing your different networks connected to the pfSense box, which is connected to a cloud to represent the internet ;) If you just replace a couple of terms in your above write-up I think it would be fine for even the most lay of people. Where you say WAN, say internet connection.  Where you say OPT ports, say local network interface.  Where you say rules for various segments, use the term firewall (everyone should understand what a firewall is) that allows only specific communication between the different networking devices. As to the NATed, say something to the effect of translation of public internet IPs to our private local network addresses.  As to CARP and load balanced, just say the pfSense boxes are designed for high availability and redundancy if one were to fail.
  • SYN/ACK mystery

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • FW Ruleset not working as desired

    Locked
    5
    0 Votes
    5 Posts
    1k Views
    C
    Sweet, it does work as it should!  Thanks again. I am not sure if I made a mistake or perhaps a false assumption previously, or if modifying my NAT rules is what killed me.  After reverting to defaults and then implementing your suggestions everything does work correctly.  Thanks so much. Lastly, the only thing I need to do now is block OPT1 to 192.168.1.1 (gateway/router web configurator).  Do you recommend against hardcoding a rule to block this, or can I just completely disable the web configurator for that interface?  I am hesitant to do the latter if you can think of a good reason I shouldn't.  Please let me know your thoughts. Thanks
  • Reject Firewall Rule Logging as Block

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C
    yeah, fixed
  • Simple firewall rule(I guess)

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    E
    I added 88 in acl safeports in squid, and it worked. Stupid I am... Thanks anyways! :)
  • Can't allow just HTTP or HTTPS traffic out

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    johnpozJ
    "it didn't even mention opening port 53." Does it really need to?  And it does mention it in the outbound DMZ section: "If you use an external DNS server you will need to allow the computers to leave the network to connect to a DNS server. Allow TCP\UDP 53 from DMZ subnet (DNS) to ip of primary DNS server. Allow TCP\UDP 53 from DMZ subnet (DNS) to ip of secondary DNS server."
  • Need help firewall is not working at all!

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    K
    Yeah, it dawned on me that maybe I was trying to use a wrench where I needed a hammer! Now I have a whole slew of new questions to answer. I guess I am going to have to set up Windows Server and move from a workgroup to a domain to stop them from going off the proxy to avoid the restrictions. Fun fun!!! Thanks for your reply, I really appreciate it!
  • VOIP random disconnect

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How to setup transparent firewall on version 2.X

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    chpalmerC
    You should leave the original LAN as the maintenance port and create an OPT2 port for your bridge… WAN type should be None.  Bridge interface should have your "credentials".  (Although I think it will work using the credentials on WAN and keeping bridge type None, I've not done it that way.) http://forum.pfsense.org/index.php/topic,42318.0.html
  • Inbound WAN traffic not visible

    Locked
    1
    0 Votes
    1 Posts
    800 Views
    No one has replied
  • PFSense Rule and reading contents of SIP packet

    Locked
    1
    0 Votes
    1 Posts
    898 Views
    No one has replied
  • Firewall (pf) logs duplicated?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    S
    Hi, Sorry to tag on the end but you mentioned updated logwatch scripts, I'm trying to find some. Are you able to share yours?
  • Using all WAN IP addresses

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    M
    Yep, you got it
  • No response from L2TP server

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Best Practice question - DMZ vs port redirection?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    E
    @dhatz: "Having a separate "DMZ" where you put externally accessible servers is still considered good practice. However, you could (should) have strict outbound rules for your OPT1 / DMZ segment as well (e.g. should your mail-server be allowed to open a connection on port 6667 to some IRC server?), in fact stricter fw rules than your LAN segment has." Thanks, that's helpful.  I agree, "Kill them all, the rules know their own" is how I have the LAN rules set.  That's been a bit of a problem on the OPT1 segment because the mail server (Alt-N MDaemon) supports some anti-spam services that don't document their port usage. I spent a few weeks with deny-all rules in place and adding new exceptions every day based on the logs before I decided to just wing it.  But that needs to change. I don't have a lot of users (~20 tops) and we've recently moved all our web hosting outside. The IMAP load can hit 30Mb/s from a single user when a new folder is opened on the mail server, and we have a lot of archived folders, so IMAP seems to be the bottleneck on the LAN.
  • "Default deny rule" blocks incoming connections on OPT

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    E
    Something is wrong with your port forward, because you should be seeing 192.168.1.101 as the destination in the firewall log if it is logged, not 10.10.10.100.  Typically this means your rule does not match the connections.  Did you specify a source port?  If so, clear it.
  • How to Block UltraSurf

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Pfsense and 3CX Tunnel

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    G
    For whoever is interested, I solved the problem using the static port mapping translation for the specified port of 3CX.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.