• DHCP

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    @Metu69salemi: change your range ending to 192.168.1.254 and as it says interfaces:assign:lan change it to static OMG How did I miss that? I've been staring at the screen for a while. Thank you.
  • Expiretable vs pfctl -T expire

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • How to block lan packet in bridge

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • SOLVED - Firewall Schedules Redirect

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    Thank you for the reply. I ended up figuring out how to use SquidGuard times in order to block internet usage after hours. For anyone out there wondering the same thing. Reference this thread: http://forum.pfsense.org/index.php/topic,42059.0.html
  • Using AVM Fritzfax behind pfSense

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    First, is the Fritzfax box on the WAN interface? If so, did you disable the block private LAN address in the properties of the WAN interface? LAN usually has an allow all rule. Did you remove this? Where are you putting this allow rule? Can you provide a little more detail on the setup?
  • Floating Firewall Rule not working

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    marcelloc
    If your nas is on lan, all machines on lan will reach it without asking anything to firewall. There is no route on same network.
  • Find Host With Most Active States

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    jimp
    I had thought I made that sortable, guess not.
  • Throttling outgoing SMTP (port 25) connections?

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    marcelloc
    If you reduce the time that the IP is blocked, it will work. Install the cron package to edit crontab and reduce the time that the IP is blocked. Change the virusprot crontab to: *  *  *  *  *  root  /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 120 virusprot and then set advanced options on your SMTP rules. When all is set up, when an IP reaches the rate limit it will be blocked by the firewall for 02 minutes. It's not exactly what you want, but it works.
  • FTP setup question….

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Pass response traffic for single interface?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    marcelloc
    @sgb: I can see that there is a flag in System->Advanced->Firewall/NAT - "Bypass firewall rules for traffic on the same interface".  I'd like to enable this flag for the internal LAN interface only, because the firewall rules feature is extremely useful to me in the DMZ, or implement a rule that will do the same job. This option is useful only if you have traffic that passes only on one interface, for example, when your gateway is the firewall and the network you want to reach will be router on lan interface instead of wan. Check your LAN rules to see if local LAN IPs have access to the internet and check pfSense routes to see that it knows how to reach your internal network.
  • Firewall in Bridge or Transparent Mode

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    marcelloc
    When using bridge, you must use same network/subnet on both sides. You can also leave lan and wan without ip and set it on the bridge interface that you created. Check system tunables for bridge filtering options.
  • Access modem webadministrator on wan interface

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    Yes, that is exactly why it doesn't work. Your modem and pfsense box cannot have the same LAN subnet. Change your modem IP range or your pfsense LAN IP range.
  • Legitimate traffic rejected

    Locked
    10
    0 Votes
    10 Posts
    3k Views
    Here's the output of a rejected packet from the console : 00:00:01.005635 rule 198/0(match): block in on bge0: mypc.internal.net.tpdu > dominoserver.internal.net.lotusnote:  tcp 21 [bad hdr length 0 - too short, < 20]
  • PfSense 2.0 - Cannot disable ftp-proxy

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    The answer is here: http://forum.pfsense.org/index.php/topic,38310.msg197715.html#msg197715!
  • TCP ACK packets being blocked

    Locked
    3
    0 Votes
    3 Posts
    6k Views
    I just read the following thread http://forum.pfsense.org/index.php/topic,25795.0.html. It also points to http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F, which states that "It is harmless, and does not indicate an actual blocked connection". However, users are still reporting problems connecting to a web site or to a mail server (on port 443). Anything else that can be done?
  • Private IP Question

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    johnpoz
    changing the modem IP might be an issue, but just changing lan should work - if not then you will have to do the write up as linked to..  Mine just works, I can access 192.168.100.1 from any of my lan machines without any special config on pfsense to allow for it.
  • How to block an ip address to specific mac address

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    I also want to restrict LAN connectivity to specific machines.  In pfSense's DHCP server, I've created static entries for the designated machines.  I've also selected both "Deny unknown clients" and "Enable Static ARP entries". Is there anything else that I can do in pfSense to further prevent unauthorized access?  Would it be useful to create additional firewall rules, or would that just duplicate pfSense's implementation of the DHCP server options? In my case, said pfSense instance is a VM in VirtualBox, with LAN bridged to one of the host interfaces.  Are there vulnerabilities in the way pfSense and VirtualBox interact that might permit unauthorized access?  Maybe that's a question for the VirtualBox forum  ;) Edit: I forgot to note that I've also set the available range to 192.168.1.1-192.168.1.1 (effectively null).
  • Voip : Only one way speech is working between 2 Sites!

    Locked
    28
    0 Votes
    28 Posts
    10k Views
    It's probably not NATing between the sites, it wouldn't by default at least, you would have to setup manual outbound NAT for that.
  • Pfsense + squid + squidguard and OUTBOUND outlook over RPC / HTTPS issue

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    What rules do you have, what kind of topology do you have, is there anything suspicious in the logs while trying to connect with Outlook?
  • TTL exceeded

    Locked
    5
    0 Votes
    5 Posts
    12k Views
    UG!  :-[  I found the problem. Apparently some time ago when I first attempted the wireless setup I created a "Gateway" under Routing. I'm not entirely sure why this impacted everything but in the GUI it was shown as: name wlan1  192.168.7.254 192.168.7.254 I'd have thought that would only impact the wlan1 interface. Regardless, a typical case of PEBCAK. Upon removal of that gateway all my problems vanished. Sorry for the run around, sincerely.