• How to block a list of mac addresses?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Vlan and internet access

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    @00goat: I have a near copy of the default lan rule allowing traffic out, with the change of allowing it from the opt1 subnet, that should do it, yes? Sounds like it should. Check the firewall logs to see if you're blocking anything.
  • Explanation needed for NGO logs

    Locked
    1
    0 Votes
    1 Posts
    875 Views
    No one has replied
  • Opening port for DNSMadeEasy email service

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    @johnpoz: That really wouldn't be very nice of your ISP to do if you ask me.  The isp role is to connect me to the internet, not decide which ports I may or may not want to use ;) Is it possible you're behind a nat?  Is the ip on the wan interface of pfsense public, or private 10.x.x.x, 192.168.x.x, 172.16-31.x.x ? Do you have anything in front of your pfsense box other than just a plain jane modem.. Not something doing any sort of firewalling or nat, etc? i know it isn't nice of them to block port 25, but it is common that most of them do (for residential). for the rest of your questions, see below (or above, but it seems you missed it above) did you read why i am using the service? that will answer your port 25 question. did you see that i copy pasted that i can get port 21 to work but that i get an error when i try other ports? did you see that i can open the standard rdp 3389 port but i get an error when i try other ports…85, 8585? i know that we are all here for help, but come on…. isn't it assumed that anyone willing to install a more advanced firewall for their home network would know if there was an additional piece of equipment that needed to be configured, as well? thank you for the security tip, you obviously didn't read what i was doing with port 3389. edit- also, my original post shows the confirmation messages i get for when a port is seen and not seen from the internet to my network.  that should be another good indication…
  • Help with Firewall Troubleshooting

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    Can you attach a packet capture from the LAN interface, taken when you are attempting to do a ping towards 192.168.100.50? Are you sure that the ping isn't being blocked further upstream, or that this is an ARP issue or something similar?
  • PfSense Bogon list for use in pfBlocker

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    I can! Thank you marcelloc! I always wondered what that sub-menu was for… :-)
  • When is the OpenVPN tab firewall rules effective?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    Thanks a lot jimp for the explanation. I see now why the rules that I specify have no effect. It's because I haven't configured any OpenVPN server on the pfSense machine, only a client.  ;D
  • Clients can not access internet

    Locked
    5
    0 Votes
    5 Posts
    1k Views
    It works now, really only 2 ports need to be allowed, 80 and 53. I do not know why it did not work before, maybe some cache (?)
  • Ports shown as [ closed ] instead of [ stealthed ]

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    Thank you all for the answers  :) I didn't know pcflank had rigged the scans, but I confirm that it is true : I did several scans, just to check, and apparently the Netbios ports are randomly shown as closed instead of stealthed :o Using the other provided websites, the other ports appearing as closed were indicated as filtered for some of them, but I found out that my ISP is also doing some custom blocking on specific ports ! I checked with a tcpdump monitoring the WAN interface : some external requests never came through, meaning that they were trapped somewhere before  :P
  • MOVED: Dansguardian Package

    Locked
    1
    0 Votes
    1 Posts
    775 Views
    No one has replied
  • Open ports from port scan… huh?

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    I just ran nmap using your example above (nmap -p 1-1024 xxx.xxx.xxx.xxx) I was on my brand new Linux Desktop install (Ubuntu 12.04 vs Windows 7 last time) and here are my results… Starting Nmap 5.21 ( http://nmap.org ) at 2012-06-05 11:12 PHT Nmap scan report for <public ip address> Host is up (0.19s latency). Not shown: 1023 filtered ports PORT   STATE SERVICE 80/tcp open  http I then went in blocks of 1024 (nmap -p 1024-2048 xxx.xxx.xxx.xxx) and found my rdp port and nothing else! Thank you all for the help and calm the freak-out factor! ;D
  • WAN access blocking

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    @mjorud: So there is no way to automatically kill already-passed connection when the block rule kicks in? No. That's true of pretty much every commercial and open source firewall (I'm not aware of any that do that and I've worked with pretty much all of them, there may be some though).
  • Traffic blocked @1 @2 TCP:A TCP:PA by default

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    I've just moved to routeros. Pfsense also presents some stability issues on one of the boxes. Using vmx3 should work better but using routeros with e1000 it's better -_-
  • Why are these packets being blocked (CDN stuff I believe)??

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    "block   May 31 12:38:32    LAN    10.0.30.204:45860    74.125.225.72:443    TCP:FPA" I started noticing blocked packets like these with the RA flags set about a week ago and it returned to MarkMonitor.com, which is online brand protection, and had me wondering why since I don't download music or anything. I blocked everything belonging to MarkMonitor.com and ended up blocking Google and Youtube. :P I'm glad to find out why I was seeing it too. :)
  • Swisscom TV (IPTV)

    Locked
    5
    0 Votes
    5 Posts
    8k Views
    you CAN use pfsense + swisscom tv with any VDSL Modem. Use the Config: IGMP Proxy LAN IF as downstream: 192.168.1.0/24 WAN IF as upstream: 224.0.0.0/4, 195.186.0.0/16, 1.1.1.0/24 (I'm not sure if these IPs are correct, I took these IPs from http://forum.pfsense.org/index.php?topic=27155.0) Firewall Rules Allow IGMP any to any on WAN IF (Advanced option "This allows packets with IP options to pass." turned on) Allow IGMP any to any on LAN IF (Advanced option "This allows packets with IP options to pass." turned on) PLUS: http://doc.pfsense.org/index.php/IGMP_Proxy "You also need a firewall rule on the downstream side (typically LAN) that matches/passes this traffic which has the advanced option checked to allow packets with IP Options." regards Jan
  • Customizing sshlockout

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    Kudos to phil.davis for knowing how this works. Here's his howto: /etc/inc/system.inc has the code that writes /var/etc/syslog.conf This does "exec /usr/local/sbin/sshlockout_pf 15" sshlockout_pf.c takes the failed attempt limit as a parameter. In the current system, you would have to manually edit /etc/inc/system.inc to change the parameter.
  • IGMP proxy issues

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Ports will suddenly not open using Firewall rules

    Locked
    2
    0 Votes
    2 Posts
    938 Views
    just adding a rule does nothing assuming you have NAT. http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F
  • Iphone exchange active synch.

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    Source port has to be any (or at least 1024-65535). Getting a list of all of AT&T's IP space would take a whole lot of time, not aware of any such list, but you could build one by spending a ton of time on arin.net.
  • Help-No internet no inbound Email when I 1:1 NAT to email servers

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    Solved: I deleted all the rules/NATs/Virtual IPs and recreated them. Still don't know how that came to be.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.