• How do I use LightSquid to track access to Internal Sites?

    Locked
    1
    0 Votes
    1 Posts
    927 Views
    No one has replied
  • Outbound Firewall Block / Proxy

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    @arushi: cmb wrote it. Put your rule in the floating rules and use the quick option. valle
  • 0 Votes
    2 Posts
    3k Views
    Well, I would have an alias for each subnet. In that I would put the IP ranges of all the other LANs. I would then create a rule on that LAN that says !MyLANAlias, allow. This will block all access between the LANs but allow traffic to the internet.
  • How to block gmail

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    You can also try using L7 filtering, see this post: http://forum.pfsense.org/index.php/topic,49555.msg263168.html#msg263168
  • SIP cannot pass through WAN

    Locked
    13
    0 Votes
    13 Posts
    5k Views
    Thank you. I will post screenshots of my rules later and a diagram of my problem. Best regards Kostas
  • Rules to block DHCP servers from OPTX to WAN?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    In that scenario, just avoiding bridging does what you want; DHCP requests will not be routed. Sounds like you already have a setup that accomplishes what you're looking for.
  • [Problem] need users to exempt from site filtering.

    Locked
    2
    0 Votes
    2 Posts
    881 Views
    It depends, how are you blocking/filtering sites?
  • Pfctl

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimp
    No, that will not make them show in the GUI.
  • Unable to disable firewall rule

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimp
    That means you have asymmetric routing. Those are not packets that create a connection (those would be TCP:S); those are part of an existing connection or an attempt to establish one. The firewall rules only match on packets that create connections, so if (for example) the initial traffic takes a different path and pfsense only sees the return traffic, it gets blocked. Some more information about the context in which you are seeing those errors would help.
  • IPTABLES like rules

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    I'm not sure, but I think better ways are "pfctl" or "easyrule".
  • Bypass proxy for some clients

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    marcelloc
    Ports 110 and 25 are email ports; squid will handle http ports/protocols. Create your 110/25 access on firewall rules.
  • MOVED: No Logs in Light squid report…

    Locked
    1
    0 Votes
    1 Posts
    752 Views
    No one has replied
  • Can anyone help me understand better how firewalling on pfSense works?

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    It's the same as any stateful firewall. Basic explanation here: http://doc.pfsense.org/index.php/Firewall_Rule_Basics; detailed explanation in http://pfsense.org/book
  • WLAN to anything blocked by default IPV4 rule

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    I know that feeling!  ;D
  • LAN to LAN Firewall

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    johnpoz
    What exactly are you trying to accomplish here? Your x.x in the middle of your network with a /24 makes them look like the same network segment? Are they?? If they're different segments, then show that with say 192.a.a.253/24 and 192.a.b.254/24 – but with just .253 and .254 seems like same segment, if they were different you could use .254 on each segment, etc. Are they public space?? If not just show the whole thing, 192.168.x.x is private address space, no reason to hide it. If same segment, why are you multi home pfsense? And if different segments, does that switch support vlans? If not you're running 2 different networks on the same wire, normally a bad idea! Why don't you spell out what you want to do with pfsense, and what your current network looks like, and we can tell you if you can do that and if how, etc.
  • LAN Traffic Being Blocked - Rules to Open Exist

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    The 192.168.0/16 includes the other 2 networks, so those would never initialize as the traffic would try to be routed through the 192.168.0.0/16 (Amazon VPC).
  • Block http/https traffic for multiple clients

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    Done! Thanks!
  • Which direction do rules apply to? incoming or outgoing.. both?

    Locked
    6
    0 Votes
    6 Posts
    15k Views
    The interface rules only apply to packets physically entering the firewall on that interface. If you have a rule on LAN1 allowing "Any to Any" then clients on LAN1 can browse the internet. You do NOT need any rules on WAN (since the packets originated from within the firewall itself after routing and did not physically enter the WAN interface). However, if you create a floating rule on WAN, it will process the packets from LAN1 as they leave WAN for the internet. An interface rule on WAN will not process any internet-bound packets from LAN1 even if you set the source address to LAN1. In a nutshell, all incoming is blocked by default and all outgoing is allowed by default. By default, it will only appear to LAN clients that outbound is blocked, whereas in reality their packets are being blocked from entering the firewall. In this state, if you use the firewall's physical console, you will still be able to access the internet through WAN without any rules, since firewall traffic doesn't originate on a physical interface.
  • VOIP and Skype traffic

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.