  • MOVED: squidguard on schedule problems
    Locked, 1 post, 773 views, no one has replied
  • Lan1, lan2 and 1 wan. I need to reach a host on lan2 from lan1
    Locked, 6 posts, 6k views
    The Windows firewall will block any private IP that is not on the same subnet as any of the LAN addresses, by default. You can of course change this. But rule order is also important: if your block rule is above the single allow rule, it will get blocked. FW rules on everything except floating are first match. Perhaps you could post a series of screenshots of your rules.
  • Rule to pass all traffic from LAN to WAN
    Locked, 3 posts, 3k views
    Brilliant, not 192.168.0.0/16 did the trick! Thanks.
  • Layer 7: allow only HTTP traffic
    Locked, 5 posts, 2k views
    Thanks for your answer. I didn't find anything either.
  • Firewall Rules
    Locked, 5 posts, 2k views
    Thanks for the advice. I won't have an opportunity to try implementing pfSense again for a week. I will follow up if I get stuck again.
  • 1 wan 2 lan
    Locked, 2 posts, 1k views
    Please search this forum. It has been done many times. You can also search docs.pfsense.org. If you have trouble configuring, then post where you are having problems and we can help out.
  • Blocking a URL
    Locked, 10 posts, 3k views
    @marcelloc: Just to be 100% sure you understood me. Did you put the DNS name or the IP address of apps.facebook.com?
    Hi, I set up squidguard on pf 2.0.1; an error when the server restarts shows /usr/local/pkg/squidguard_configu  54. I don't know how to edit it, can you help? Thanks!
  • WebGUI reachable from WAN despite missing firewall rule
    Locked, 5 posts, 1k views
    I solved the problem: the reason was a misconfigured firewall rule for PPTP access. I switched back to "allow autoconfigured rules" and deleted all manually created rules, and now it works. Sorry if I bothered you, but thank you very much for your help. Andxreas
  • Can you block LAN to LAN traffic?
    Locked, 11 posts, 11k views, last reply by johnpoz
    Yeah, you can do what you're wanting at the switch level. Just need a managed or smart switch that provides that functionality. Now, you can filter traffic between different LANs using pfSense, if your pfSense handles the routing between the multiple LAN segments. Or, I do believe, even if the pfSense bridges the 2 different physical networks, even if they are using the same IP ranges. But you would not be able to block traffic between devices on the same physical network.
  • Layer7 container rule halts all traffic
    Locked, 4 posts, 2k views
    OK, it seems that you've successfully created a container. However, you still need to add an all-pass rule to the firewall - under Advanced, specify your L7 container. I've found that this halts all traffic. Strange - this must be a bug, I think.
  • Rules by username
    Locked, 2 posts, 989 views, last reply by jimp
    It depends on what you're actually talking about there. The LDAP auth can be for the GUI, for OpenVPN, etc. Not for the "network" (so to speak). So you can have access controlled to the GUI by the user (specifying which pages they can see); for OpenVPN you can have CSCs assign a specific user a certain IP and filter on that if they're coming in over VPN, etc. There isn't a way to associate firewall rules on an interface with a user though, no matter what authentication method you're talking about. About the best you can do is static IP assignment to a PC and filter on that. Or perhaps force browser preferences to use squid and have squid do auth to lock down web access by username.
  • Port specific IP-range limitation rule
    Locked, 3 posts, 3k views
    :o So you can use aliases on WAN-side things as well?! Cool! And of course, thank you!
  • Best practice for FW rules
    Locked, 6 posts, 5k views, last reply by ptt
    Sorry, my bad. Mr. GruensFroeschli's way is the right way :-[
  • 1 WAN, 3 LANs, can't access host on one LAN
    Locked, 12 posts, 4k views
    To accomplish the same thing as you are trying, I did the following: first created aliases of the IPs of all printers and file servers I wanted seen by other LANs and subnets, called fileservers. Then created an alias for the ports required for the subnets and LAN to talk to the printers (this is based on the OS of the client), called it nfsports. Here is a list of some ports you may require:

        netbios-ns   - 137/tcp # NETBIOS Name Service
        netbios-dgm  - 138/tcp # NETBIOS Datagram Service
        netbios-ssn  - 139/tcp # NETBIOS session service
        microsoft-ds - 445/tcp # if you are using Active Directory

    Other ports:

        Port 389 (TCP) - for LDAP (Active Directory Mode)
        Port 445 (TCP) - NetBIOS was moved to 445 after 2000 and beyond (CIFS)
        Port 901 (TCP) - for SWAT service (not related to client communication)

    and port 631 for CUPS. There might be more if you require file sharing across subnets. After that, in the subnet or LAN (OPT tab) in firewall rules, I created a rule as below:

        TCP/UDP  WIFI net  *  fileServers  nfsPorts  *  none  NFS/CUPS NETBIOS traffic

    The WIFI net is what I named the OPT(x) that was allowed to share files and printers. Also, in CUPS there is a setting that has to be configured for it to talk to different subnets; if I remember correctly it is BrowseAllow all and Browsing On, and there is BrowseAddress xxx.xxx.xxx.xxx, which is the IP of the subnet. This should help.
  • LAN vs. OPT
    Locked, 7 posts, 5k views
    @joe_cowboy: What exactly are you wanting to do? Are you wanting to bridge the WiFi with your LAN? Or have it separate?
    Well, I built a box with 4 NICs: LAN, WAN, WIFI (OPT1) and DMZ (OPT2). LAN and WAN cards work, no problem. I want to keep the WiFi and DMZ separate. I even bought the pfSense book, but there are only general items regarding the OPTs. No step-by-step items. I must be overlooking something so simple.
  • Whitelist without squid
    Locked, 3 posts, 2k views
    @marcelloc: A whitelist can be done using a host URL alias and firewall rules. User auth can be done with the captive portal.
    Yes Marcello, I successfully followed your previous post, so now I can implement a working whitelist. Harder is to solve the 2nd step: a) how to surf the whitelisted sites while avoiding the captive portal window coming up? b) how to implement the firewall port 80 forwarding rule, if in the rule I can't evaluate the user's login status? Thanks again.
  • Force specific traffic to use squid
    Locked, 4 posts, 2k views, last reply by marcelloc
    @chocoboss: First of all, thank you for your answer, but I don't think we can apply this atm. [image: newnat.png] Do you think this will work? It should redirect all port 80 traffic to 800.
    Why don't you enable the transparent squid proxy? When you enable it, squid creates a rule on pf to forward HTTP traffic to the squid port.
  • Modem NAT and Pfsense NAT
    Locked, 8 posts, 4k views, last reply by johnpoz
    I know exactly what a routed subnet is – you still don't put the same IPs on both the WAN and LAN interfaces of a device. If anything, you might put, say, the first IP in the routed segment on the WAN, and the second IP on the LAN. If you were actually routed the subnet and your pfSense was seeing an IP in that subnet, there should be NO NAT going on and all ports should be open to the pfSense WAN interface. Do you see this traffic being blocked on pfSense? Do a sniff on your pfSense WAN interface -- do you see the packets hit the interface for any traffic you're sending to it, be it 21, 443, etc.? If not, then clearly something is blocking it before it gets to your pfSense, be it a NAT in your "modem" or a firewall before it, etc. I.e., is it possible your ISP is filtering traffic to the public IP space that you have from them?
  • ICMP, TCP:SA, TCP:R best practices?
    Locked, 2 posts, 2k views
    You don't need to allow any ICMP. Any ICMP messages associated with a permitted connection are automatically allowed. The SA and R are explained here: http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
  • Grouping rules
    Locked, 3 posts, 1k views, last reply by marcelloc
    I agree with jimp: using aliases, you do reduce the amount of rules. http://forum.pfsense.org/index.php/topic,30093.msg156278.html#msg156278
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.