• Multiple LANs to WAN on a local subnet - firewall rules

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    marcellocM
    my mistake, the deny rule does not have the not in dst
    action  Proto  Source      Port  Destination  Port  Gateway
    deny    any    LAN subnet  *     my_nets      *     *
    allow   TCP    LAN subnet  *     !my_nets     80    *
  • Need Help With Firewall rules and VLAN

    Locked
    8
    0 Votes
    8 Posts
    11k Views
    R
    This guide has screenshots about firewalling your VLANS. This is what I have used in the past. http://networktechnical.blogspot.com/2007/04/pfsense-how-to-setup-vlans.html
  • Problem to add an network-range to an Firewall rule.

    Locked
    5
    0 Votes
    5 Posts
    1k Views
    W
    OK thank you for help. It was a double ".00" at the end. Don't know why I didn't notice this  ;D
  • Printing to other network segment

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    D
    Automatic outbound NAT rule generation
  • MOVED: xbox on the network

    Locked
    1
    0 Votes
    1 Posts
    924 Views
    No one has replied
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • MOVED: Firewall and Squid

    Locked
    1
    0 Votes
    1 Posts
    945 Views
    No one has replied
  • Issue with Firewall and NFS.

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    C
    It's likely NAT that's breaking it rather than the firewall. Static port is generally necessary to not break NFS.
  • Facebook pings my pfsense

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    C
    Digging a little closer, got a packet capture of the DNS request they're sending. It's just a NS root query, which is used at times in DNS amplification DDoS attacks (when hosts actually respond). So my guess is they're checking if the host is likely to be one that's taking part in a DDoS attack because it's configured poorly answering to the world. What relation that has to the iPhone app and apparently nothing else, I don't know.
  • Using static route filtering, still having some lag issues

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    W
    Ok good point. I'll do some tests as you suggest. The point to points are 3.0mbps up/down. Thanks. @cmb: How fast are the point to point connections, and how loaded are they? Windows file sharing performance is very poor over anything with > ~20 ms latency by the design of the protocol. You can take the firewall out of the equation completely by adding a static route to one of the test hosts, and I expect you'll see the same behavior. It's most likely latency induced from the sounds of it.
  • VLAN to VLAN

    Locked
    10
    0 Votes
    10 Posts
    3k Views
    C
    If you're blocking traffic destined to VLAN2, then yes you want out. In on VLAN2 would be traffic initiated on VLAN2.
  • Routing Between Subnets - Just Doesnt work :(

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    P
    You can add a route to the server to test.
  • Block client with wrong ip

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    S
    @marcelloc: mac addresses can be spoofed/changed too and it's quite easy to do this. one extra 'protection' may be static arp entries on pfsense to fix mac -> ip. I know about arp spoofing, but my users don't. ;-) Enabling "Static ARP" on pfsense "DHCP Server" is exactly what I want, but the problem is that I should turn on pfsense dhcp server while I have another dhcp server on my network. I want pfsense dhcp server to be on so I can enable static arp feature, but in the meantime block any dhcp request from lan to pfsense (or block answers). I believe the long description in the first post made it difficult to read ;-) Anyway thanks for your attention.
  • Opendns as monitor ip

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    Last I heard from others, that was working as a monitor IP. You just need to make sure that if you have two WANs, you don't set up a conflicting situation where under System > General a DNS server is set to WAN1 and then used as a monitor IP for WAN2, that wouldn't work.
  • IPs matter on transparent bridge?

    Locked
    12
    0 Votes
    12 Posts
    4k Views
    C
    What did you do to get it working? I have a transparent bridge with IPs on the interfaces and want to remove the IPs for security. What trickery do I need to get it to work smoothly? Thanks.
  • Builtin SIP and RTP ports [SOLVED]

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    K
    Thanks. That's what I needed to know.  Looks like I can use the SIP one, but not the RTP one.
  • Neither SRC nor DST are my network

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    A
    I am pretty sure it was an internal VPN client communicating with an external network.  Sorry I missed your reply!
  • MOVED: ssp_ssl: Invalid Client HELLO after Server HELLO Detected

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Blocking facebook integrated with skype

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    marcellocM
    Create a firewall alias with apps.Facebook.com and then apply it on rules
  • Redirect to a ip address

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    G
    @Cry: Note that you should do everything via the web interface, not on the command line (at least until you fully understand the differences between pfSense and a standard FreeBSD install). Well, that's why I'm doing this, just for fun and learning  ;D Now, another related question: I know that if I do: fwd 10.1.0.1 ip from 10.0.0.100 to any in this will redirect, but it will not change the header in the packets, so I can't redirect to an external website (i.e. google). In that case, do I need to use natd? Can I do it from the webgui? (I've tried with nat options but with no luck) Thanks for your answers!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.