• Email notice when rule matched

    Locked
    0 Votes
    2 Posts
    1k Views
    jimp
    Matching a firewall rule wouldn't be the best way, as it would log any connection, not a login attempt. The system log records actual login attempts (good or bad) like so:

        Feb 3 09:38:48 php: /index.php: webConfigurator authentication error for 'admin' from 192.168.1.2
        Feb 3 09:38:50 php: /index.php: Successful webConfigurator login for user 'admin' from 192.168.1.2

    If you send the syslog messages to another box (remote syslog server) then you could have any standard syslog tools look for those strings and alert you. There are several such syslog setups out there.
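The detection the reply above describes (forward syslog, match the two webConfigurator strings, alert) as an added example; this is not code from the thread or from pfSense. It assumes the message formats quoted in the post, a BSD syslog prefix with no year (a year of 2012 is assumed when parsing), and a constructed sample log; the threshold and window are illustrative. Beyond a plain string match it counts failures per source inside a time window and also flags a success that follows a burst of failures, which is the case a one-line match misses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two webConfigurator messages quoted in the post. Syslog prefix is
# "Mon  D HH:MM:SS" (day space-padded), then "php: /index.php:".
_TS = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) php: /index\.php: "
FAIL_RE = re.compile(_TS + r"webConfigurator authentication error for '(?P<user>[^']*)' from (?P<src>\S+)$")
OK_RE = re.compile(_TS + r"Successful webConfigurator login for user '(?P<user>[^']*)' from (?P<src>\S+)$")

# Constructed sample log (not real data): one source guessing passwords and then
# getting in, one unrelated failure, and a rule-match line that is not a login.
SAMPLE_LOG = """\
Feb  3 09:38:40 php: /index.php: webConfigurator authentication error for 'admin' from 192.168.1.2
Feb  3 09:38:41 php: /index.php: webConfigurator authentication error for 'admin' from 192.168.1.2
Feb  3 09:38:42 php: /index.php: webConfigurator authentication error for 'admin' from 192.168.1.2
Feb  3 09:38:44 php: /index.php: webConfigurator authentication error for 'root' from 192.168.1.2
Feb  3 09:38:46 php: /index.php: webConfigurator authentication error for 'admin' from 192.168.1.2
Feb  3 09:38:48 php: /index.php: webConfigurator authentication error for 'admin' from 192.168.1.2
Feb  3 09:38:50 php: /index.php: Successful webConfigurator login for user 'admin' from 192.168.1.2
Feb  3 09:40:00 php: /index.php: webConfigurator authentication error for 'admin' from 192.168.1.50
Feb  3 09:40:05 pf: rule 2/0(match): block in on em0: 10.0.0.5.40000 > 192.168.1.1.443
""".splitlines()


def parse_ts(ts, year=2012):
    """BSD syslog stamps carry no year; the year here is an assumption of the example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_events(lines):
    """Return (time, kind, user, src) for login messages; every other line is ignored,
    which is why matching a firewall rule log is the wrong signal."""
    events = []
    for line in lines:
        for kind, rx in (("fail", FAIL_RE), ("ok", OK_RE)):
            m = rx.match(line.rstrip("\n"))
            if m:
                events.append((parse_ts(m["ts"]), kind, m["user"], m["src"]))
                break
    return events


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source when `threshold` failures fall inside `window`, and
    whenever a success follows failures still inside the window (possible successful
    guess). Failures are cleared after a success so one success is not re-alerted."""
    alerts, recent, alerted = [], defaultdict(list), set()
    for ts, kind, user, src in sorted(parse_events(lines)):
        fails = [t for t in recent[src] if ts - t <= window]  # drop stale failures
        if kind == "fail":
            fails.append(ts)
            if len(fails) >= threshold and src not in alerted:
                alerts.append(f"{src}: {len(fails)} failed webConfigurator logins within {window}")
                alerted.add(src)
        else:
            if fails:
                alerts.append(f"{src}: successful login as '{user}' after {len(fails)} recent failures")
            fails = []
        recent[src] = fails
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run it against a file received by the remote syslog server instead of SAMPLE_LOG; the same two regexes are what a syslog tool's string match would be keyed on.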
  • Want to make sure my DMZ is correct

    Locked
    0 Votes
    2 Posts
    1k Views
    marcelloc
    What I am curious about is any security risks. This is just a home firewall system, a bit overkill, but I tinker and had an old computer sitting around wasting a whole lot of space. But it is an apt building and there are people who would love to use others' networks.

    If you do not have the same Allow any to any on WAN, I think it's fine.
  • Firewall blocks returning TCP traffic

    Locked
    0 Votes
    21 Posts
    18k Views
    C
    @dhatz: So to summarize, is GRE-over-IPsec between Cisco and pfSense 2.0.1 configurable from the webGUI?

    Yes.
  • Access DSL modem on WAN from LAN?

    Locked
    0 Votes
    7 Posts
    3k Views
    A
    I've changed my Interfaces:ModemAccess static IP slash notation from /32 to /30 and all is good; consistent access. (an hour later) … and it stopped again.  Oh well.  I'll just plug a laptop into it.  I've used /32 /24 /30 all with inconsistent access.  /30 seemed to last the longest.
  • How does one create an outbound rule?

    Locked
    0 Votes
    9 Posts
    3k Views
    marcelloc
    The first rule in the (opt2) image is an outbound rule; you just need to change the source port to any and the destination port to 25. Attached is a sample SMTP outgoing rule for hosts on the DMZ interface. [image: smtp_out.png]
  • Packet size filtering

    Locked
    0 Votes
    1 Posts
    971 Views
    No one has replied
  • Enable/disable rule in pfsense console

    Locked
    0 Votes
    3 Posts
    6k Views
    M
    bingo! thanks for the link marcelloc :)
  • Redundant pfSense FW in between redundant L3 switches and Routers

    Locked
    0 Votes
    9 Posts
    4k Views
    R
    Unfortunately, I can't do it that way. All of the hosts have public IP addresses, as does the BGP gateway, from the same /25 block of addresses. I don't control the BGP gateway, so I couldn't change that if I wanted to. The fact that the virtual IPs on the front and back interfaces have to be public is what makes me use it as a bridge.
  • Host header forwarding

    Locked
    0 Votes
    32 Posts
    16k Views
    B
    Ok, thanks for your help. I was able to leave OWA at https and change the port on the other https service.
  • 0 Votes
    1 Posts
    2k Views
    No one has replied
  • Active FTP from opt to LAN network

    Locked
    0 Votes
    3 Posts
    1k Views
    C
    @marcelloc: If you are not using the FTP proxy, you need a rule to allow traffic from the FTP server, source port 20, to the client IP, any port.

    I have a rule allowing unrestricted access from the server to the client to and from any port:

        TCP  <server ip>  *  <opt subnet>  *  *  none  allow fs1 to imaging
  • Redirect a website

    Locked
    0 Votes
    13 Posts
    4k Views
    S
    I'm gonna study it a little deeper because I just created a floating rule to separate the interfaces/requests as needed and left the rules on the specific interfaces on the default gw (unspecified gw). The rule is ignored and the default gw is taken anyway unless I disable the proxy. This is making me crawl up the walls. I'm gonna work some more on it. Either I crash or squid does :D
  • Specific gateway for specific website.

    Locked
    0 Votes
    3 Posts
    2k Views
    S
    Just saw that on the forums :) Had just hit enter on the rule change after i created the alias. Thank you very much for the reply :D
  • VPN for the paranoid?

    Locked
    0 Votes
    4 Posts
    2k Views
    marcelloc
    @Floddy: If I'm not mistaken, someone would pretty much have to steal my laptop (getting the certificate) and get my VPN login/password to be able to get in?

    That's it. :) If you have your laptop stolen, change the certificate and password, and rename your user as well.
  • Unable to open ports

    Locked
    0 Votes
    22 Posts
    10k Views
    D
    I will this week!
  • Dropbox: Pf is blocking it, even though default is allow for outgoing LAN

    Locked
    0 Votes
    9 Posts
    8k Views
    johnpoz
    Good point, but watching the traffic for a bit should show you the FQDN it uses. So I exited Dropbox, flushed my local DNS cache and then did a quick sniff while I restarted Dropbox. I saw these queries: client84, client-lb and notify1.dropbox.com. The client84 could be something random for sure. I would fire up dnstop or something on your network and have it log all the queries for anything.dropbox.com, then create an alias including all of them. You might want to contact Dropbox for all the possible DNS queries their client might do, etc.
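The "log every query under dropbox.com and turn the names into an alias" step from the reply above, as an added example that is not part of the post or of pfSense/dnstop. It assumes dnsmasq-style `query[TYPE] name from client` log lines (the format is an assumption) and a constructed sample log. Two details matter in practice: the suffix match must stop at a label boundary so a look-alike domain is not swept in, and names seen only once (like the client84 host the post suspects is random) can be dropped with a hit threshold before they land in the alias.

```python
import re
from collections import Counter

# dnsmasq-style query line: "query[A] <name> from <client>" (format assumed for this example).
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")

# Constructed sample log (not real data): the three names from the post, a second
# client, a look-alike domain that must not match, mixed case with a trailing dot,
# and a reply line that is not a query.
DNS_LOG = """\
Feb  3 10:01:02 dnsmasq[1234]: query[A] client84.dropbox.com from 192.168.1.20
Feb  3 10:01:02 dnsmasq[1234]: query[A] client-lb.dropbox.com from 192.168.1.20
Feb  3 10:01:03 dnsmasq[1234]: query[A] notify1.dropbox.com from 192.168.1.20
Feb  3 10:05:10 dnsmasq[1234]: query[A] client-lb.dropbox.com from 192.168.1.21
Feb  3 10:05:11 dnsmasq[1234]: query[A] notify1.dropbox.com from 192.168.1.21
Feb  3 10:05:12 dnsmasq[1234]: query[A] www.evildropbox.com from 192.168.1.21
Feb  3 10:05:13 dnsmasq[1234]: query[AAAA] Notify1.Dropbox.COM. from 192.168.1.21
Feb  3 10:05:14 dnsmasq[1234]: reply client-lb.dropbox.com is 203.0.113.10
""".splitlines()


def in_zone(name, zone):
    """Label-boundary suffix match: 'client84.dropbox.com' is under 'dropbox.com',
    'www.evildropbox.com' is not. Case-insensitive, tolerates a trailing dot."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def collect_names(lines, zone="dropbox.com"):
    """Count how often each FQDN under `zone` was queried (normalised to lower case)."""
    seen = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and in_zone(m["name"], zone):
            seen[m["name"].lower().rstrip(".")] += 1
    return seen


def alias_entries(counter, min_hits=1):
    """Sorted hostnames for a host alias; raise min_hits to leave out one-off names."""
    return sorted(name for name, hits in counter.items() if hits >= min_hits)


if __name__ == "__main__":
    counts = collect_names(DNS_LOG)
    print("\n".join(alias_entries(counts)))
```

Feed it the dnsmasq (or dnstop) log collected over a day and paste the output into the alias; re-run periodically, since the client may start using names that were not seen in the first capture.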
  • Rules not deleting or blocking

    Locked
    0 Votes
    9 Posts
    2k Views
    marcelloc
    There is an anti-lockout rule to avoid rule mistakes. If you are 100% sure you are not blocking your access to the web GUI, you can disable it under System -> Advanced.
  • Layer 7 rule

    Locked
    0 Votes
    7 Posts
    3k Views
    M
    I'm experiencing the opposite: whenever I add a L7 rule, no matter whether it is on WAN, LAN or a floating rule, all traffic is halted. See my post at http://forum.pfsense.org/index.php/topic,45240.0.html My settings look identical to those of @terryd. Strange… BTW, I'm running 2.01 with squid/squid filter. Not that squid should make any difference.
  • PF behind another gateway

    Locked
    0 Votes
    6 Posts
    2k Views
    D
    johnpoz, setting the virtual IP and routing worked for gaining access to the internal network. However, I have come across a new hiccup. To configure the media server, it uses a UDP broadcast. I have tried making a virtual IP, iparp, and using NAT to the IP of one of the streaming devices. Any suggestions here?
  • Firewall Weird Behaviour

    Locked
    0 Votes
    2 Posts
    1k Views
    marcelloc
    @kirlox_kitoy: I have observed that there is a previous rule still being active but it is already deleted, and also I must reset states in order for the rules to take effect.

    That's the way a stateful firewall works. If you start a ping (or ping -t on Windows) to an external host and delete the rule, the ping will not fail until you stop it and the firewall closes the session.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.