• Firewall schedule - terminating existing sessions

    Locked
    0 Votes
    11 Posts
    7k Views
    Can I ask for help? This is my link too: http://forum.pfsense.org/index.php/topic,45251.0.html
  • Good firewall option for SBS 2008

    Locked
    0 Votes
    7 Posts
    2k Views
    It should work fine with SBS 2008 right out of the box. You only need to worry about opening ports if you are having outside users connect to the SBS 2008. For example, for email, web services, remote desktop etc.
  • Online banking is blocked

    Locked
    0 Votes
    2 Posts
    2k Views
    marcelloc
    Check for 443 deny or reject rules on Firewall -> Rules -> LAN. Also check if you are using squid or not.
  • DMZ nat settings

    Locked
    0 Votes
    2 Posts
    1k Views
    As I read in the monowall handbook, a PPTP server sounds like a good solution to remotely control the reverse proxy server. This way you can use mstsc on a Windows machine to connect to the 192.168.1.1 subnet.
  • How to create a url alias?

    Locked
    0 Votes
    15 Posts
    23k Views
    Alias by host type is really what I need and it works. Thanks marcelloc :)
  • Freephoneline.ca

    Locked
    0 Votes
    12 Posts
    12k Views
    Well, I got it working. I found this http://www.freepbx.org/forum/freepbx/tips-and-tricks/asterisknow-freepbx-and-pfsense post that helped me. It's totally backwards thinking to how I'd normally do it, but my FPL line is now up and working. We'll see how long it lasts…
  • Block in Local Network a Host from another

    Locked
    0 Votes
    2 Posts
    3k Views
    johnpoz
    No, you cannot block 2 hosts on the same segment from talking to each other with pfsense. Pfsense as the gateway for your segment is never used for hosts talking to each other, other than if you're using DNS on pfsense to resolve a host to an IP. But this does actually prevent host from talking to host b. Now if your hosts were connected to 2 different interfaces on pfsense and pfsense bridged the interfaces, then sure, you could create some firewall rules to block talking. But if 2 hosts are connected to some switch/hub which is connected to pfsense, then no, not possible. If you want to prevent hosts from talking you need to put them on 2 different segments/vlans, and then since traffic is routed you can block hosts from talking to each other, because pfsense would be doing the routing. Or you could get a smart switch that allows for ACLs, Port Protection, etc. and prevent the hosts from talking to each other that way, even if on the same segment. Normally if you have hosts that you do not want talking to each other you isolate them by putting them on different segments/vlans; this is standard practice. Other than the above methods, you could run a software firewall on one or the other or both and block them from talking to each other with the software firewalls on the hosts. Another somewhat off-the-wall method would be to create static arp entries on the machines for the IPs of the machines that are the wrong MACs.
  • How to use DNS as source instead of IP?

    Locked
    0 Votes
    5 Posts
    2k Views
    jimp
    You must be on 2.0.x for that to work properly. In 1.2.3 you can put a dummy entry as the first entry in an alias, and use hostnames in the second and later entries. They are only resolved once when the filter reloads. In 2.0 and beyond, you can use them anywhere in an alias, and the system keeps track of them and re-resolves them every few minutes.
  • How do you pass VoIP traffic from behind the firewall?

    Locked
    0 Votes
    5 Posts
    9k Views
    Okay, I see the misunderstanding now. VPN is not something that my ISP is providing on my connection. It is something that my Ooma router establishes with the Ooma VoIP servers. In other words, the VPN tunnel connection is initiated from within my own network. Also, the only thing going over a VPN connection is my VoIP communications. That is why I'm confused, given I have my LAN traffic open to go anywhere it pleases, why I should have to do any other configuration to get the VPN tunnel established. I know that it isn't my ISP restricting connections to VPN tunnels since my Ooma router will connect successfully when it is in front of my pfSense router. Also, I can connect to other remote VPN networks (as in, beyond my LAN). In truth, I shouldn't have to set up any NAT rules or additional firewall rules to make this thing work, so I'm not sure what is wrong.
  • Block Malware CnCs and Other Nasties

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Firewall blocking TCP:SA connections from DMZ to WAN despite rule

    Locked
    0 Votes
    8 Posts
    8k Views
    Blocking SA is one of two things - either the firewall isn't getting the SYN (asymmetric routing most commonly), or it's a spoofed SYN ACK that wasn't preceded by a SYN.
  • Block Application over Firewall?

    Locked
    0 Votes
    2 Posts
    921 Views
    marcelloc
    No, just http requests.
  • Vlan

    Locked
    0 Votes
    2 Posts
    1k Views
    marcelloc
    @onissd: I have several VLAN's and I want to stop internet access to one of them. Can any body help?
    Go on Firewall -> Rules and create a rule to allow traffic between networks, then create a rule to deny traffic from vlan_net to any.
  • I cannot configured pfsense

    Locked
    0 Votes
    22 Posts
    11k Views
    I'm going to try this tomorrow. I'll write the result. Thank you.
  • Https redirect page using firewall rule?

    Locked
    0 Votes
    9 Posts
    5k Views
    It is the approved internet usage policy for that group in our company and we (the IT's) are just implementing it. :)
  • How to Block All Internet Traffic Not Handled by Squid/SquidGuard?

    Locked
    0 Votes
    4 Posts
    2k Views
    marcelloc
    pfSense is a stateful firewall, so all rules are applied where communication begins. To restrict access from LAN users, create rules on the LAN interface.
  • How to deny or block Mac Address access internet?

    Locked
    0 Votes
    11 Posts
    67k Views
    I'm not using pfsense to manage wireless clients, I have a dd-wrt AP that is doing that for me. I had the thought of picking up a managed switch. Perhaps that is my best go-to. As for arp spoofing, I'm not working with people that technical. In fact I'd be impressed if they managed to pull that off and probably give them a better grade. Thanks for your help. If there are any other thoughts or ideas please feel free to share, I'm all about 'the learning'!
  • How to install man pages

    Locked
    0 Votes
    3 Posts
    4k Views
    @jimp: There isn't one. Why not just use the FreeBSD man page website? http://www.freebsd.org/cgi/man.cgi (You could use links on the command line to load them in the shell if that makes you feel better :-)
    It's a little annoying when you are connected via ssh and have to run a command to browse to see the man pages. It would be very helpful to get a package to install with the main man pages. I understand that man pages require space, and on embedded devices it is important to save such space, but for a normal install having man pages could be very useful.
  • Ping, RDP, file sharing not working.

    Locked
    0 Votes
    11 Posts
    3k Views
    johnpoz
    "pfsense router --> Switch --> 4 switches --> computers" In that setup WHAT does any rule that you could do on pfsense have to do with computers RDPing or pinging each other or even sharing files between each other?? As you have drawn that network, packets would never even touch the pfsense LAN interface for traffic between devices connected to any of the switches. The only time traffic would go to pfsense is if on a different network, i.e. internet. Do you have more than 1 LAN interface on the pfsense? Are there multiple vlans or LAN segments involved that pfsense could in fact firewall traffic between? Is the traffic between devices on the WAN side and LAN side of your pfsense box?? If not, then rules on pfsense would not have anything to do with traffic between devices connected to your switches.
  • Enabling/disabling a single rule from the command line

    Locked
    0 Votes
    5 Posts
    2k Views
    marcelloc
    If you have PHP skills, take a look at the pfBlocker code; there are many checks and manipulations on rules.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.