• Virtual IPs and VoIP problems

    Locked | 0 Votes | 3 Posts | 2k Views
    Thank you. The PAP box is not in the same network as the server. The registration is being made through the WAN address (in the Proxy of the PAP box). The thing is, when we use the WAN2 address as Proxy in the PAP box the registration is solid and voice is OK; when we use WAN1 it is not. Best regards, Kostas
  • PfSense and VoIP - Fix for Dropped Calls

    Locked | 0 Votes | 8 Posts | 13k Views
    @cmb: It is best to decrease keep alive rather than increase state timeouts, though the latter generally works. The problem is the SIP registrations get dropped rather than calls dropping; calls never have idle time to be dropped, but if your SIP registration gets dropped you're going to have a wide range of issues. This is true of all firewalls and everything that does NAT because of the way they have to fake connection tracking for UDP, since it's connectionless. You'll have better results with everything by having a lower keepalive on the SIP.

    Thank you cmb! I agree, when I experimented with the conservative option the states tripled. I started to realize having public DNS servers with a fair amount of queries caused states to build faster than they would expire. The problems I had were strange. Like you said, a call has no chance to be idle, so the only thing I could think of is if the RTP ports were open on a call but the SIP port went idle, then the signaling would have been unavailable. This might explain why an established call was OK but when the call tried to bridge (conference) another party it would sometimes drop both sides. It immediately cleared up with the conservative option. So far the SIP ping is working; I set the firewall back to normal. It's amazing, everything can be working perfectly on a network until you introduce real-time traffic like VoIP. I even had to set up LLQ QoS on the Cisco routers so during traffic peaks it gives voice priority.
  • Firewall Rules Tutorial Available

    Locked | 0 Votes | 2 Posts | 6k Views
    There's lots of documentation linked from the pfSense site. There's also no shortage of information found in this forum.
    1. I suspect that existing sessions aren't affected since they're in the state table.
    2. Rules (as explained in the documentation) apply to the interface the packets arrive on and run in order top to bottom. To block LAN to WAN traffic you have to ensure that the rules are on the LAN interface and above any rules that allow traffic. If you're having problems then post a screenshot of the rules page and a detailed description of the problem.
    3. To OPT1 from LAN or from OPT1 to LAN?
  • MOVED: Mod Security (Reverse proxy with SSL)

    Locked | 0 Votes | 1 Post | 1k Views
    No one has replied
  • Pfsense blocking traffic on the same network.

    Locked | 0 Votes | 9 Posts | 3k Views
    Thanks for your reply, CMB. So, at this point, we can say that my Endian firewall box is our villain. I just don't understand why it would be sending its traffic through its gateway (pfSense is the default gateway of Endian) if the communication is happening on the same network. To be on the safe side, Endian and pfSense are installed on two different pieces of hardware, not VMs anymore. Endian is a Linux box. I looked at its route table, but there is only the default gateway route. I even cleaned up all the iptables rules, but the packets are still going through pfSense. Google tells me that two more people faced the same issue when trying to put an Endian box behind a pfSense, but it seems that they just gave up. :-( I am running out of ideas, so if anyone has any, I'd love to hear. My next test is to put in a different Linux box (probably an openSUSE, as Endian is based on RedHat) and see if I see the same problem. I doubt it, though.
  • How to enable port forwarding on LOCAL network

    Locked | 0 Votes | 4 Posts | 1k Views
    manual outbound NAT
  • Is it possible to disable the virusprot blocking feature temporarily?

    Locked | 0 Votes | 3 Posts | 1k Views
    THX, we managed to trick it out with curl-loader, everything worked fine. Next time! ;)
  • Help with DMZ & Public IP block.

    Locked | 0 Votes | 5 Posts | 4k Views
    Thank you again for your quick reply.

    @podilarius: IF the DMZ is in a bridge, then there is not really a DMZ subnet. You could create an alias that says ExternalIPSubnet and put in your External IP subnet.

    That worked great. I have also done a lot more reading about the alias feature so I understand it more. It has given me some ideas to try.

    @podilarius: As for your rules, your WAN is wide open. You need to start restricting that to prevent unwanted access.

    I have now. I just wanted to get a starting point where I knew everything was working after the initial problems I had. After your reply yesterday I added rules only for the services I need: http, https, DNS, email, etc. I then deleted the wide-open rule.

    @podilarius: The reason that LAN can get to DMZ even with the DMZ rule is that all rules are inbound block on that interface. So you will need to modify the LAN rule to block access to DMZ and put that rule above the default allow rule.

    I do need the LAN to access the public IPs on the DMZ interface for email and admin of the servers etc. After your first suggestion it is working great now. I assumed that rule on the DMZ interface lets all traffic from the DMZ interface to anywhere except the LAN interface. This is something I will be working on to lock down more as I get a better idea of all the settings. So as it is now the LAN has the default rules. The DMZ has the same rule as above. The WAN now has multiple rules only allowing the specific services I need to use. Regards, Dave
  • Why can't this vlan get internet?

    Locked | 0 Votes | 16 Posts | 8k Views
    You don't have anything there that appears to need manual outbound NAT; best to keep to automatic, as it'll take care of the proper rules for you (and what you showed in the last screenshots is very wrong). With automatic outbound NAT and the firewall rule shown, you're set as long as the VLAN in general functions and is set up correctly on your switch(es). Make sure you can ping the firewall IP on that VLAN. See if DNS resolution works.
  • Firewall feature like iptables -m recent

    Locked | 0 Votes | 3 Posts | 1k Views
    @podilarius: If you look in the rule properties in the Advanced feature -> Advanced options section, I think you will find what you are looking for.

    Thanks a bunch podilarius. Been busy lately, but I sure miss these forums and trying to help out when I can. Between the creators of pfSense and people like you supporting it, it sure makes a great system.
  • Wan, Lan and Opt1 Firewall Rules for isolation

    Locked | 0 Votes | 3 Posts | 6k Views
    Thanks for the reply. OK, so basically if I take my firewall rules for OPT1 and make them specific then this won't happen? If this is true, is there any way to make a group of rules that apply to just that interface? I have it set up now for any to OPT1 to have access, so if I make it specific then it should not access the 192.168.0 subnet from the 10.x.x.x subnet. Also, when I use my public IP address it accesses the admin page for pfSense; is there a way to change the port that the web interface uses to listen on? It is on the default https now, 443, and 80 if I choose to put it on http. I need to be able to use DynDNS to access the servers on the 10.x.x.x network using ports 80, 443, 21, 22, 53 for a grade in the course. Thanks again
  • Brocade switch - Transparent firewall - filtering traffic to VLANs

    Locked | 0 Votes | 2 Posts | 2k Views
    They look like they are on the same subnet, so traffic will not route to the firewall. If you want to filter the traffic, I would suggest going with a filtering bridge setup. I think this is described in the book and there are probably some resources in the forums and doc site for pfSense.
  • Multiple IP DNS Host Alias

    Locked | 0 Votes | 3 Posts | 5k Views
    Actually, I'm not sure if it's new for 2.1 or not, but we do use all IPs returned in a query for aliases. A rotating answer (one that changes each query) can't be used effectively, but if a query always returns the same set of IPs, that should work. If I add an alias for "www.google.com" and add it to a rule, the resulting table contains many IPs. I'd have to track down a 2.0.1 box to see if the behavior is the same, but I thought it was there. Perhaps it's the method used by your DNS server to return the IPs that isn't working.

        $ host www.google.com
        www.google.com is an alias for www.l.google.com.
        www.l.google.com has address 173.194.37.49
        www.l.google.com has address 173.194.37.51
        www.l.google.com has address 173.194.37.48
        www.l.google.com has address 173.194.37.50
        www.l.google.com has address 173.194.37.52

        : pfctl -T show -t google
           173.194.37.48
           173.194.37.49
           173.194.37.50
           173.194.37.51
           173.194.37.52
  • Recommended value for tcp.established timer

    Locked | 0 Votes | 2 Posts | 1k Views
    The default is the recommended value:

        : pfctl -st
        tcp.first                   120s
        tcp.opening                  30s
        tcp.established           86400s
        tcp.closing                 900s
        tcp.finwait                  45s
        tcp.closed                   90s
        tcp.tsdiff                   30s
        udp.first                    60s
        udp.single                   30s
        udp.multiple                 60s
        icmp.first                   20s
        icmp.error                   10s
        other.first                  60s
        other.single                 30s
        other.multiple               60s
        frag                         30s
        interval                     10s
        adaptive.start            27600 states
        adaptive.end              55200 states
        src.track                    60s

    You can change some of those timers by adjusting the firewall optimization mode under System > Advanced on the Firewall/NAT tab. IIRC both FIN and RST will tear down the connection, but that would be something you'd find in pf's documentation in OpenBSD.
  • Cannot block single host or alias? [SOLVED] Now: Block bittorrent

    Locked | 0 Votes | 14 Posts | 5k Views
    @costasppc: What is preferred, squid+squidguard or squid+dansguardian?

    It's up to you. squidguard is free and dansguardian can do antivirus as well as content filtering.

    @costasppc: Where should I configure the floating rule?

    Go to Firewall -> Rules -> Floating.

    @costasppc: What about https? I have now an https failover rule, because of round robin problem with banking sites.

    It's normal on sites that do not accept requests from the same session on different IPs.
  • DHCP on WAN, Virtual IP is getting assigned

    Locked | 0 Votes | 1 Post | 2k Views
    No one has replied
  • Firewall defaulting to "Default deny rule"

    Locked | 0 Votes | 4 Posts | 2k Views
    Hi. There was a routing misconfiguration on the server which was being blocked: it had 2 default routes set and for some reason today it decided to start sending traffic down the default route bound to the LAN interface, as far as I can tell. Anyway, there is now one correct default gw and I'm looking good. Thanks again, -Mark
  • Monitoring FW logs and attacks

    Locked | 0 Votes | 5 Posts | 3k Views
    Thanks for your reply galaxy60. I guess I have to activate/enable Snort and see how it is going with blocking/alerting/logging and then decide if I need to copy the logs to some other server as well. Cheers
  • UPnP and Rules Order

    Locked | 0 Votes | 1 Post | 984 Views
    No one has replied
  • pfSense ignores RTP/SIP traffic

    Locked | 0 Votes | 4 Posts | 1k Views
    If you are running a telephony client or server behind pfSense, don't use port forwarding and only allow inbound from your VoIP provider's IP range. I see pfSense blocking quite a lot of connection attempts on port 5060 these days.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.