• Egress filtering - firewall on traffic exiting the interface

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    You can do this on 2.0 with rules on the Floating tab.
  • Error No proxies allowed for some website

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Have you run your public IP through an RBL check? Your IP may be on a blacklist, which wouldn't work no matter what firewall you're behind.
  • Accessing WAN's public IP from the LAN not working. Please help.

    Locked
    6
    0 Votes
    6 Posts
    12k Views
    D
    The following setup seems to work for me (using pfSense 2.0): WAN IP: 1.2.3.4 LAN (10.10.x.x) OPT (10.20.x.x) NAT-Reflection is off. On the OPT Interface of pfSense I have a Virtual IP (of type ProxyARP) with the same address as the WAN interface (1.2.3.4). I have port forward rules from WAN to LAN and the same port forward rules from OPT to LAN (using the Virtual IP from above). Now a web server on LAN can be accessed using the same IP address (http://1.2.3.4:80) equally from the WAN-Network as from the OPT-Network. Is there anything wrong or dangerous with this setup? As I said, it does work at the moment. Thanks for your answers!
  • PF Tables in pfSense?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    D
    pfSense can populate pf tables with IP ranges from a text file in CIDR format, loaded from a URL. Check Aliases -> URL Table. However, the URL Table alias feature does have some issues, e.g. if the format of the retrieved file isn't correct, it'll prevent pfSense from working, e.g. see issue 1991
  • Help with Raw firewall logs

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    H
    I should have previewed before posting. The text didn't bold as I wanted. Basically I want to know what the numerical values 10 and 981194 mean in the context of the message.
  • Firewall virtual ip

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    M
    Another way is to create a deny rule: deny not "single ip" blaa blaa..
  • File server access in multi lan

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    M
    Rules work on ingress, meaning that if you want to access somewhere from LAN2, then you make the rule on LAN2.
  • Specific port forwarding and internet access

    Locked
    13
    0 Votes
    13 Posts
    6k Views
    W
    Your rule needs to come BEFORE (higher up the page) any allow rule the packet might match. Packets are compared with rules from the top down. First match stops the comparison. Otherwise the rule looks OK.
  • Not Blocking Ports

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    M
    Hard to say, because your config isn't viewed
  • How to use proxy service on pfsense to block team viewer

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    johnpozJ
    I would have to do a sniff, but from my understanding it runs on 80 and 443 but does not use the HTTP or HTTPS protocol - so you should be able to use a layer 7 filter to block that traffic? Just did a quick sniff of running it and it only used port 5938 outbound. Could block that to see how it tries if that port is blocked. For DNS it used ping3.teamviewer.com and master12.teamviewer.com. I would think a simple way to prevent access might be to just create DNS for the teamviewer.com domain and send bad info ;) OK, just blocked 5938 and it went out on 443, this time to master5.teamviewer.com, but it was not HTTPS.
  • Allow MSN / Windows Live Messenger with pfSense v2 ?

    Locked
    8
    0 Votes
    8 Posts
    5k Views
    J
    @johnpoz: Why don't you just do a simple capture on pfsense to see what is used? When I get a chance I will give it a go, but did you take a look here? Not yet. I will for the next test. (you think Status > System Logs > Firewall ?) http://support.microsoft.com/kb/927847 Network ports and URLs that are used by Windows Live Messenger It's a bit dated, but I would have to assume still applies? I already use this information (see my first post). Thanks a lot for your help!
  • Ideal max connections limit: lan -> internet.

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    M
    You would also consider pfblocker against p2p traffic
  • Rolling access to a set of ports

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 10Gb/s connected pfSense firewalls

    Locked
    13
    0 Votes
    13 Posts
    15k Views
    C
    Try 'top -SH' in a shell to see detailed CPU usage. My experience with the Intel 'em' driver is that it threads well, so throughput should benefit from multiple cores, at least with that driver. It has been said on this forum that you should turn hyperthreading off, although last time I looked into that I couldn't really see a good reason why.
  • Filter dynamic IP

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    lalex86L
    Very good! Thanks
  • Multi-WAN and active FTP in 2.0.0

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GertjanG
    @jimicus: Switching to a LiveCD with the same configuration isn't an option, unfortunately - the firewall in question is in a live environment which I can't risk messing with. That's why you could use a LiveCD. It will be a question of rebooting from CD, which will down the Internet connection for about 30 sec. and 2 minutes for you to set up a LAN interface. Then, using the GUI interface, you import your settings XML file (take the one you saved on your PC from your hard disk install). Booting from CD will not touch the install on the hard disk!! Rebooting without CD will boot the hard disk install as before. Normally, you should be allowed to bring the firewall down for a minute or 2 - otherwise you could even apply patches and updates that need a reboot. If you can't reboot, then you have a mission critical setup. Your hardware will be doubled, so … test on your spare system then ;)
  • DMZ interface DNS rule seems to be failing at random??

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    T
    Excellent! Thanks.
  • Firewall log

    Locked
    13
    0 Votes
    13 Posts
    6k Views
    T
    If you don't want that log to show up, in the settings tab disable "Log packets blocked by the default rule". Hint: packets that are blocked by the implicit default block rule will not be logged anymore if you uncheck this option. Per-rule logging options are not affected. All the 255.255.255.255:68 messages will not fill the firewall log anymore.
  • Protect pfsense for DoS Attack (SYN Flood & TCP Scan)

    Locked
    2
    0 Votes
    2 Posts
    9k Views
    M
    Google is your friend, as well as the search here at the site. http://forum.pfsense.org/index.php?topic=10448.0;prev_next=next January 02 is the first post and it helps. http://www.hostmedic.com/tag/pfsense/ http://blog.myitdepartment.net/?p=143 It would be nice if someone with a great knowledge would write a how-to on this subject, as there are many users on here that could benefit from this. I know I could, as I have just started my pfsense journey.
  • How to block Facebook Apps?

    Locked
    10
    0 Votes
    10 Posts
    8k Views
    F
    @marcelloc: If you block Facebook networks but allow any other site, then users will turn around your rules and use external ssl proxy servers. Google will help them. Yeah, I did not mention that of course I was also blocking anon-proxy sites and letting squid do the rest.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.