• Allow AirPrint.exe, Bonjour and mdns through PFSense 2.0

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp
    The Avahi package is meant to pass Bonjour traffic between firewall segments. Because it's multicast/broadcast it will not cross between subnets/interfaces.
  • URL Table Formatting?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimp
    The format is right, it's just one IP per line, or a CIDR masked net per line, it should skip whitespace and commented lines. If you cat /var/db/aliastables/test.txt it should show only the IP/CIDR lines
  • SquidGuard not blocking IP again after whitelisting

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    N
    @nikhilve999: Hi, I have just implemented pfsense and I liked it so much... I configured proxy filter on my org. and working good. I am facing the following issue: 1. If I'm unblocking (whitelisting) an IP from proxy filter and then again try to block it, it's not working (user is still able to open blocked sites). 2. I want people in my org. to be able to access ONLY social networking sites in break time. But according to my ACL, pfsense is unblocking all sites in break time. ACL example:  Monday 06:00-13:00                          Monday  14:00-19:00 Kindly help to resolve this. If possible, please share ACL snaps. Regards, Nikhil
  • Problem with pfblocker - Syntax error in config file

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    M
    Hi Marcello, That seems to have fixed it. I set the Firewall Maximum Table Entries to 999999 (the default was 200000), made a rule blocking 209.69.0.0/16 In and Out, set pfblocker to "Deny Both" for Oceania and "Deny In" North America, enabled pfblocker, rebooted, and there were no error messages this time when I accessed the web config page. It's still not blocking all the outgoing access it should, I can still access the Indonesian, Nigeria, and Togo shortwave stations among others it shouldn't, but it's just me using the network. I'm not going to trip on it as long as it's blocking incoming and the pf firewall itself seems to be working fine. Thanks a lot for helping me out and getting it fixed for me, I appreciate it. :)
  • Squid/Snort blocking ISP download mirror

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • [problem] State Timeout / TCP session closed

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    R
    Hello, I heard that pfsense is very reliable, and some people say to me that a reboot is useless, and will not resolve my problem. Since nobody helped me, I took the decision to reboot my pfsense server. After reboot and without modifying any setting, my pfsense is working well again.  ??? Maybe it is because I do not know how to troubleshoot this kind of issue. Doesn't anyone know how to troubleshoot this kind of issue? Thank you  :) Fred
  • Rule Processing between "lan" and multiple "opt" interfaces

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    Cry Havok
    Please provide screenshots of the rules and details of the IP address ranges (including netmasks) you're using on each interface.
  • 2.0.1 seems to show a number of ports open on WAN by default

    Locked
    21
    0 Votes
    21 Posts
    16k Views
    A
    @podilarius: You might have a Virus program monitoring those ports or something. Try disabling that and the Windows firewall and see if you get a different outcome. Yup. Avast was picking up the requests and dropping them. That was such an obvious candidate too  >:(::) (where's the head-bashing-against-the-wall smiley when you need it) The XP machine doesn't run any a/v (it's just for testing like I've been doing!) so was reporting correctly. Still, it was an interesting couple of days debugging (even to the point of setting up a wireshark machine and port mirroring to see what was happening on the network for the first time…) and lesson learned.
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • Upgrade to 2.01 has many broken connections

    Locked
    17
    0 Votes
    17 Posts
    6k Views
    C
    In order for logs like you're seeing on the LAN interface to show up, you'd have to somehow have gotten LAN and WAN mixed onto the same subnet. The logs such as: May  9 14:31:41 lascolinas pf: 00:07:13.689474 rule 1/0(match): block in on bge0: (tos 0x0, ttl 64, id 14828, offset 0, flags [none], proto TCP (6), length 75) May  9 14:31:41 lascolinas pf:    22.42.215.213.40849 > 209.85.145.188.5228: Flags [FP.], cksum 0xaf5e (correct), seq 3655068907:3655068930, ack 2331443737, win 8011, options [nop,nop,TS val 6610240 ecr 4266176071], length 23 showing blocking of traffic with both source and destination of public IPs indicates that, you'll never see such traffic unless WAN and LAN are somehow interconnected (or a few other possible but much less likely scenarios like some host on LAN with a public IP manually configured). Given it stopped when the wireless AP was turned off, I suspect maybe somehow that was combining your LAN and WAN networks?
  • Maximum connections per host - empty virusprot table

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    R
    @marcelloc: @roymayr: Ok… let me try this way. For those who are using "Maximum connections per host" option in your rules.  Have you ever seen a user in the virusprot table or any other table? If so, which PF version are you running? Did you do anything "special" to make it work? or just as it is. thanks! I do. I'm using version 2.0.1 amd64 Thanks marcelloc… it seems you are very lucky! So far, the only one getting something in the virusprot table.  ;) I'm using same version, but i386 in a VM - ESXi.  I'm not sure whether that could make any difference.  I've tried everything, but I have never seen a user listed in the virusprot table, even knowing there are blocked users.  Any further advice?  It is hard to know what is going on with your rules if you cannot see this. Thanks again.
  • Windows Share problem

    Locked
    15
    0 Votes
    15 Posts
    4k Views
    K
    cmb, Thanks for your support, time and answers!
  • Filtered Bridge Configuration for v2.0.1 - Only Two Interfaces (LAN/WAN)

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    F
    @radicd: I had the same issue, many hours of googling led me to http://forum.pfsense.org/index.php?topic=37824.0 – which worked great, the only step missing was to bridge the LAN and WAN which you have already done! Thanks for the heads up. Someone else pointed out I missed that step, I am going to add that in tonight.
  • Dynamic rule triggers?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • SMB freenas does not display under Network

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    If I'm not mistaken, your LAN host will see a windows share on the network only if said share is on the same subnet, or you have a WINS server in place. Otherwise, as you stated, you can point directly to it by IP address or resolvable host name. On a side note, I believe you can delete all but the first of your rules without breaking Windows file sharing, and if you truly do want to access DNS services on another network then you need to enable both TCP and UDP to port 53. DNS usually uses UDP, but does require TCP in some cases.
  • Icanhazip.com reporting RFC 1918 address

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    B
    Due to X-Forwarded-For and squid proxy :D
  • Rules based on bandwidth use

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    R
    Thanks for the reply, @cmb: captive portal with RADIUS authentication and accounting can. Really? I thought the accounting part of Radius was only for user logon tracking… So will PF send information to Radius accounting server about bandwidth use of each user? I'll read about Radius accounting. Have you seen an example of this? Unfortunately, Captive portal settings are possible only once.  It is true now you can select several interfaces, but like setting DHCP server for each VLAN (I have 14)... I would like to have Captive portal for most of them, but some with accounting other without, some with some limits, other without... I think that is not possible, right?
  • MOVED: Need internet connection to LAN interface

    Locked
    1
    0 Votes
    1 Posts
    720 Views
    No one has replied
  • ICMP communication between router and pfsense

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    M
    It's not hurting anything so I'll just leave it as is for the graph. Thanks a lot.
  • When is the filter reloaded?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimp
    It's reloaded every time a change is made that touches filter rules, and sometimes in the background when things need updating as well. If something is broken in the ruleset, it can't be reloaded, so it may have been failing because of that. Sometimes broken packages can also prevent the filter rules from being reloaded properly.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.