• Web Access from WAN to LAN

    More FYI: BOGON and block private are disabled on both interfaces (both are private). Disabled DNS Rebinding Checks, HTTP_REFERER enforcement check, all packet filtering, PF scrubbing option; disabled the automatic creation of additional NAT redirect rules, the automatic creation of additional NAT 1:1 mappings, hardware TCP segmentation offload, hardware large receive offload... Here are some screenshots: [image: lan.jpg] [image: nat.jpg] [image: wan.jpg]
  •
    OK, so I found a bit more info as to my issue. It looks as though the bridge is not set up properly after all. Maybe a layout will help.

    First, hardware:

        <router>-----<switch>-------WAN pfSense
                        |
                        |-----------LAN pfSense
                        |
                        |-----------Server1
                        |
                        |-----------Server2

    Software config: when I use OPT1 as BRIDGE0 and set LAN as NONE for IP and WAN as NONE for IP, it shuts my network down when I try to access pfSense. (The way I had it configured in my first post was LAN = BRIDGE0, WAN static IP.) This was not working properly. So what am I missing to set up this bridge?
  • Simple Issues

    First thing: remove any scheduled rules until it is all working, then you can have fun with it. Next, since we don't know the aliases, I am going to guess. On the slingbox network rules you are blocking the slingbox network inbound first. This means that anything on the slingbox network is going to be blocked. Perhaps you need a rule that passes anything but LAN, so set it to pass and choose destination as !LAN. Remember, rules other than floating are first match with a block all as the final rule.
  • Filters keep reloading.

    Hello, just wanted to add my experience to the topic as it shows up in Google. I was also seeing the "php: : filter_generate_address: is not a valid source port" message in my system log for 2.0.1-RELEASE (i386). I found that I was getting the error for each NAT rule that covered a port range forwarding. Creating an alias for the port ranges and updating the NAT rules stopped the message from being logged.
  • Tag matching rules (packet marking)

    Further question, what's the correct way to create a rule when the desired action on matching is to policy tag the packet for later use, and continue processing other rules?
  • Creating Access to Just Web Ports and Management Console

    Interpretation of your two firewall rules; this is what will happen. Rule#1: all your devices will be able to connect to ports 443 and 80 on your firewall and every other server on the internet. They will not be able to connect to DNS on port 53 to look up domain to IP, so no internet. Rule#2: all your admin devices will be able to connect to your admin ports on your firewall and 443 and 80 to websites on the internet. Probably the same issue with DNS as in Rule#1. You probably want to set it up like the guide shows. http://doc.pfsense.org/index.php/Restrict_access_to_management_interface
  • Open port for ftp

    johnpoz
    If you feel that 20 needs to be forwarded, you clearly do not understand how FTP works. There is NO situation in FTP where you would need to forward port 20. There just isn't. I would suggest you take a look at http://slacksite.com/other/ftp.html. It's a great, easy-to-understand write-up on how FTP works in both active and passive mode. After you look at it, in what scenario would you need to allow unsolicited traffic to be sent to your FTP server behind your firewall on port 20? Nutshell: in active mode the server makes the data connection to some client port the client told the server to connect to, from a source port of 20; this is outbound traffic, so no forward! In passive mode, the client makes a connection to a data port (not 20) that the server tells the client to connect to, which the helper would open or you would have to manually configure on your firewall and set up on your FTP server to use. As to pfSense being complicated, I would agree that much more can be done with it than your typical SOHO router, etc. But in general operation I don't see it any more complicated than any other web-based UI to any SOHO router out there.
  • Webgui access through wan

    marcelloc
    @Mazzokun: "But... if I don't want a PC on the LAN interface to be able to ping any other PC behind the WAN interface?" From LAN to LAN (on the same network segment) machines can communicate without passing through the firewall. Take a look at the pfSense book and doc.pfsense.org; it will help you with your first steps.
  • Nothing getting out from LAN to WAN

    @jmaynard: "My LAN is on a non-RFC1918 network" That's bad, fix that. Your workaround will work, but will leave you with broken connectivity to whoever actually owns those IPs.
  • Firewall blocking not working

    For the original issue, thanks for your help and information on the forum; solved awesomely by re-ordering the rule list, putting the blocking rules at the top. I would suggest pf put all new block rules on top of any allowing rules by default so that ignorance like mine will no longer appear :D
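    The first-match behaviour described in the Simple Issues reply (block all after the last rule, a pass rule with destination !LAN), the web-only rule set in Creating Access to Just Web Ports and Management Console (ports 80/443 allowed but not 53, so DNS fails) and the re-ordering fix in this thread can all be reproduced in a small evaluator. This is an added Python example, not pfSense or pf code: the aliases LAN and SLINGBOX, the rule descriptions and every address are constructed for the demonstration, and a real pfSense rule also carries interface, direction and the floating/quick semantics this model leaves out.

```python
"""Toy first-match evaluator for pfSense-style interface rules.

Added example; this is not pfSense or pf code. Interface rules are evaluated
top-down, the first match decides the packet, and an implicit "block all"
sits after the last rule. Alias names (LAN, SLINGBOX) and all addresses are
constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Hypothetical aliases; the networks are made up for the example.
ALIASES = {
    "LAN": [ip_network("192.168.1.0/24")],
    "SLINGBOX": [ip_network("192.168.50.0/24")],
    "any": [ip_network("0.0.0.0/0")],
}


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # alias name; "!" prefix negates (pfSense "not" checkbox)
    dst: str
    proto: str = "any"           # "any", "tcp" or "udp"
    dport: Optional[int] = None  # destination port, None = any
    descr: str = ""


def _addr_matches(spec: str, addr: str) -> bool:
    negate = spec.startswith("!")
    nets = ALIASES[spec.lstrip("!")]
    hit = any(ip_address(addr) in net for net in nets)
    return (not hit) if negate else hit


def rule_matches(rule: Rule, pkt: dict) -> bool:
    return (_addr_matches(rule.src, pkt["src"])
            and _addr_matches(rule.dst, pkt["dst"])
            and rule.proto in ("any", pkt["proto"])
            and rule.dport in (None, pkt.get("dport")))


def evaluate(rules: List[Rule], pkt: dict) -> str:
    """Action of the first matching rule; 'block' if nothing matches (default deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


def shadowed(rules: List[Rule], packets: List[dict]) -> List[str]:
    """Descriptions of rules that match some sample packet but are never the
    first match: dead rules an earlier rule has hidden. A block rule placed
    below a broad pass rule shows up here."""
    first, hit = set(), set()
    for pkt in packets:
        idx = [i for i, r in enumerate(rules) if rule_matches(r, pkt)]
        if idx:
            first.add(idx[0])
            hit.update(idx)
    return [rules[i].descr for i in sorted(hit - first)]


# Constructed traffic samples.
SLING_TO_LAN = {"src": "192.168.50.10", "dst": "192.168.1.20", "proto": "tcp", "dport": 445}
SLING_TO_NET = {"src": "192.168.50.10", "dst": "203.0.113.5", "proto": "tcp", "dport": 443}
LAN_DNS = {"src": "192.168.1.20", "dst": "203.0.113.53", "proto": "udp", "dport": 53}
LAN_HTTPS = {"src": "192.168.1.20", "dst": "203.0.113.5", "proto": "tcp", "dport": 443}

BLOCK_SLING_TO_LAN = Rule("block", "SLINGBOX", "LAN", descr="keep slingbox off the LAN")
PASS_SLING_ANY = Rule("pass", "SLINGBOX", "any", descr="slingbox out to anywhere")

WRONG_ORDER = [PASS_SLING_ANY, BLOCK_SLING_TO_LAN]   # block rule is shadowed, never fires
RIGHT_ORDER = [BLOCK_SLING_TO_LAN, PASS_SLING_ANY]   # block rule on top, as the thread fixed it
NEGATED = [Rule("pass", "SLINGBOX", "!LAN", descr="pass anything except to LAN")]
WEB_ONLY = [Rule("pass", "LAN", "any", "tcp", 443), Rule("pass", "LAN", "any", "tcp", 80)]

if __name__ == "__main__":
    for name, rules in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER), ("negated", NEGATED)):
        print(name, "to LAN:", evaluate(rules, SLING_TO_LAN), "to net:", evaluate(rules, SLING_TO_NET),
              "shadowed:", shadowed(rules, [SLING_TO_LAN, SLING_TO_NET]))
    # Only 80/443 passed: HTTPS itself is allowed, but the DNS lookup before it is denied.
    print("web-only", "https:", evaluate(WEB_ONLY, LAN_HTTPS), "dns:", evaluate(WEB_ONLY, LAN_DNS))
```

    The `shadowed` check is the one to run before asking the forum: any block rule it lists is below a pass rule that already matched the same traffic, which is exactly what re-ordering fixes.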
  • Firewall Help

    In the screen that has the gateway setup, there is a tab just to the right that is for static routes. It is labelled "Routes". In there you will set up the remote network with its corresponding gateway.
  • MOVED: Blocking Outgoing Router Advertisements

  • MAC Address 00:00:00:00:00:00 was able to access internet.

    Yes, I see what you mean. ID10T jumping-to-conclusions error! The reason I said that is because I could not determine the IP address that was assigned to the laptop with the 00 MAC address via IPCONFIG. I was able to quickly find out the IP address via DIAGNOSTICS: ARP TABLES, which listed the 00 MAC address and its assigned IP, which was not on the LAN Firewall Rules. So, this is why I, without thinking, stated what I did in the previous post.

    However, I'm not understanding the inconsistencies with some systems not being allowed access and other systems being allowed despite the same settings. On LAN Firewall Rules, 192.168.1.111 has permission. When this IP is removed from LAN Firewall Rules, a new system, assigned 192.168.1.111 by DHCP, still has internet access. Firewall states reset: system still has internet access. Firewall rebooted, system rebooted: still has internet access. Checked again: no 192.168.1.111 assigned to LAN Firewall Rules. Transparent Proxy service is enabled and LAN is selected as proxy interface. Allow users on interface is ticked.

    Hmmmm... hang on a sec, let me "uncheck" allow users on interface and add the subnet via ACCESS CONTROL. Ok, got it. Perfect. Now it works the way it should! So, 192.168.1.111 is not on the LAN Firewall Rules list and it no longer has access to the internet. I enter the subnet via PROXY SERVICE: ACCESS CONTROL and untick ALLOW USERS ON INTERFACE on the GENERAL page.

    So, I don't know if this is how Allow users on Interface is supposed to work, but I've always been under the impression that the firewall has the final say, and this method circumvents that final say. Thanks for your help and jogging my mind... jits. Sorry if I offended anyone, but please, please... don't take it personally. Thanks again.
  • Firewall rules for SMTP, POP to use Thunderbird

    Cry Havok
    As you have the default allow-all rule active, any other rules aren't relevant, particularly as the rules after that default rule will never be processed. Your problem is simply that the proxy is for HTTP (and HTTPS), not for POP3, SMTP or other protocols. Configure Thunderbird to use the actual SMTP and POP3 servers.
  • Requests from 172.18.240.1 on WAN - private IP

    chpalmer
    "As I have my own /30 subnet my modem got a public IP too. I can reach the admin interface there. I don't know how this is handled on domestic lines." You probably have a "gateway" style modem then (one that has its own router)? Your modem will still have a hidden private address for use by the cable company. It's how they would restart your modem remotely, among other things... If you look at that subnet (the 172.x.x.x) you will probably find multiple clients that you can reach and see all your neighbors' web GUIs on their modems as well as yours. It's the network that the modem goes out on to get its config file, etc. Since it's a shared network, you will see all kinds of multicast traffic. I'm betting here I see 2 or more gigabytes of traffic monthly just from Asia that gets blocked...
  • Firewall states and voip.

    It actually uses only 1 port, UDP 59102. It is what ESI calls their Easy Link; it is VoIP but not SIP and RTP. I even verified the 59102 by locking it down on my SonicWall (that is now replaced) and testing the phone.
  • Firewall schedule triggering an hour early

    jimp
    Have you changed the time zone since your last reboot? When a zone is changed, the change isn't picked up until a process is restarted. So the safest way to make sure everything is in the correct zone is to restart the firewall after changing the zone.
  • Blocking access during a set tim

    In addition to ordering (it must be before any pass rules), you have the source and destination set to the same host from the looks of it. That's obviously not right; nothing is going to initiate traffic to itself from itself and have it go through the firewall. You probably just want source there, but it depends on where you're putting the rule.
  • Can some verify my Firewall Setup?

    Excellent, that makes sense. Thanks for the help and the quick response. Much appreciated. As for using two interfaces as a 'switch', what's the best way? Bridge the 2 interfaces? Does that need any 'rules' as well? Or is it fine to just set the 2 up with close IP ranges? Say 192.168.10.2-100 on LAN and 192.168.10.101-200 on Server (for example), with the rules I already have. If I understand it correctly, bridging kinda does the same thing, but uses one IP range for both interfaces, correct? Just like connecting 2 computers to LAN with a switch? That should be my last question for this. Thanks again.
  • Syncookies not working in 2.0.1-RELEASE

    SYN cookies have nothing to do with the state table; they only apply to traffic terminating on the firewall itself. You need other controls to prevent state table exhaustion (same as with any firewall), like the various advanced options on rules: limiting states per host, per rule, whatever methodology makes sense in your specific environment.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.