  • 0 Votes, 2 Posts, 2k Views
    marcelloc
    As a stateful firewall, all rules are set where the connection begins: if it is a rule to allow access from clients, it will be on LAN; if it is internet traffic going to your web server, it will be on WAN. When using NAT the rule is applied after translation, so the WAN rule will give access to the internal web server IP, not to the WAN's public IP. Except for NAT, all rules are set by source or destination IP/port.
  • Understanding differing rule concepts between pfsense (pf) and iptables

    0 Votes, 3 Posts, 5k Views
    Hi marcelloc, yes, already done that - am currently working on getting my head around the standard PRIQ shaping. Right, I've found that floating rules partially satisfy 'rules that do not pass/reject/block' - it has an extra option, 'Queue'.
  • Internal to external filtering?

    0 Votes, 3 Posts, 2k Views
    Gravy! Works like a charm, thanks for the terminology lesson. ;)
  • Problem with connecting to external services

    0 Votes, 3 Posts, 936 Views
    I can ping both - external IP and DNS address. pfSense is a virtual machine. I set accept promiscuous on my vswitches.
  • Put traffic to specific network into tunnel

    0 Votes, 5 Posts, 1k Views
    Now it works, I added a static route: LAN 10.139.0.0/24 GW: 10.128.0.245 (LAN IP pfSense) Local LAN into TUNNEL
  • Ping dns is not work

    0 Votes, 2 Posts, 1k Views
    Cry Havok
    There could be any number of reasons, but from what little you've posted I'd guess that your chosen DNS server isn't working.
  • Limiter not working with transparent firewall [RESOLVED]

    0 Votes, 3 Posts, 6k Views
    OK, this one has been resolved after a bit of research and testing.
    Advanced -> System Tunables: set net.link.bridge.pfil_member = 1, set net.link.bridge.pfil_bridge = 0 (if set to 1, you will see routing issues and problems with passive FTP).
    Create your limiters (up/down) and apply them to the LAN or WAN rules; no need to use floating rules. If you will be using both WAN/LAN rules, create 2 parent limiters and 2 children for each, such as:
    limiter1_downstream -> limiter1_downstream_wan -> limiter1_downstream_lan
    limiter1_upstream -> limiter1_upstream_wan -> limiter1_upstream_lan
    Now, here is an example of how it's applied to the rules:
    WAN rules: wan -> lan IN/OUT = limiter1_downstream_wan/limiter1_upstream_wan
    LAN rules: lan -> wan IN/OUT = limiter1_upstream_lan/limiter1_downstream_lan
    Notice 2 things: the limiters are using children so they do not conflict with each other's traffic, but they still share the same total bandwidth of the parent. The direction is reversed on wan/lan; otherwise the WAN's upstream will share the LAN's downstream and vice versa, not very symmetrical.
    From my own testing, some FTP traffic on a NAT pfSense will not get limited. However, on the transparent firewall with the above setup FTP is being limited properly for both pasv/active (no FTP proxy in use). If some of your traffic is not being limited, make sure to check the wan/lan rule order.
    I can't tell you how much time, research, confusion and frustration went into this but you get the idea... :-) Hope this helps.
  • Brute Force pfSense auxiliary for Metasploit

    0 Votes, 3 Posts, 3k Views
    Unfortunately, in practice, many people leave it open. A small sample: go to the site SHODAN and search for SonicWALL; many IPs exposed to the web will appear. Back to pfSense, it's good to remember the wireless side: some people just plug their routers into their networks... []s.
  • Block alias in rule

    0 Votes, 14 Posts, 4k Views
    It does work now, thank you very much, I really appreciate it. s.
  • System Logs in GUI

    0 Votes, 3 Posts, 2k Views
    The rules of the LAN interface are simple. There are rules having only the LAN network (192.168.1.0) as source address. Because the packet that comes in on the pfSense LAN interface has the spoofed source address 1.1.1.1, the TCP:SYN packet should not be passed to the DMZ machine. Am I wrong? Normally, I should see that the first packet is blocked in the logs. But I could not. What is also strange is that, considering pfSense passes the TCP:SYN packet, why could I not see any logs that show me the first packet is passed to the DMZ machine? The only log I see is on the pfSense LAN interface through tcpdump. What kind of additional information is needed to interpret and solve this situation? Thanks.
  • Firewall rule won't block World of Warcraft / XBox360

    0 Votes, 14 Posts, 5k Views
    @Metu69salemi: @Bai Shen: we're trying to block it. Yep - and preferably - with a schedule. Of both applications, WoW should be OK without UPnP, but the XBox definitely isn't. It's a known problem, and there are many posts about it. This one is helpful, but again, it requires UPnP. http://forum.pfsense.org/index.php?topic=13887.0 I don't think there is a way around the UPnP issue, unless Microsoft redesigns the way the thing works.
  • 0 Votes, 2 Posts, 2k Views
    When you create a firewall rule, you determine what protocols you want to allow or block. Port aliases' main job is to make it easier to apply those rules, so you don't need to apply a rule for every port you need.
  • Access DSL Modem through PPPoE – no longer works in 2.0_RC3

    0 Votes, 4 Posts, 2k Views
    @bmeeks: It seems I need to work on my pfSense documentation search skills... :D you're not the only one ;)
  • Transparent Bridge help

    0 Votes, 7 Posts, 4k Views
    Hi Bob: I missed that about 1.2.3, it is set up a little differently than 2.0. That PDF guide would be your best bet. I will look at your post again and comment.
  • DMZ rule/out, allow windows update servers only

    0 Votes, 3 Posts, 9k Views
    It seems to work like this... forget the wildcards in FQDNs in aliases... (Only proof is, did one successful update with DMZ/2k8R2, 3 updates of yesterday.) Add alias "WinUpdate": windowsupdate.microsoft.com, update.microsoft.com, windowsupdate.com, download.windowsupdate.com. Add DMZ firewall rule (Proto / Source / Port / Destination / Port / Gateway / Queue): DMZserver * WinUpdate * * none. Before I had protocol and ports specified; that seems to have been too narrow... It seems to work now... But don't know why actually (compared with the previous rule setup). Maybe some ICMP/ping is needed for startup of the updater?!?
  • Block port 80 traffic from lan to wan

    0 Votes, 9 Posts, 4k Views
    Cry Havok
    Please post a screenshot of the actual rule, not a mockup.
  • What is the Floating?

    0 Votes, 3 Posts, 2k Views
    @jimp: http://doc.pfsense.org/index.php/What_are_Floating_Rules%3F Thanks dude =)
  • MagicJack phone[solved]

    0 Votes, 6 Posts, 3k Views
    @pcboarders: wasn't asking for people to google, I did that and the options found didn't solve the problem. I was asking for some people that had experience with pfSense. I have a MagicJack, and tried the traffic shaping, but ended up taking it off.. The only NAT/FW rule I have is port 5060 (SIP) to the box.. Not sure what speed link you have but we have Cox where I live.. The Premier package.. Up to 24 Mbps down, up to 4 Mbps up.. hth rk
  • Configure firewall rule in both directions to filter IPSEC traffic?

    0 Votes, 2 Posts, 1k Views
    Firewall rules work on ingress, so you got it right.
  • Can't connect to Devices on the WAN on Port 445

    0 Votes, 5 Posts, 2k Views
    @Metu69salemi: for a start, https is on port 443 and not on 445, so you've either changed the original port or have port forwards on that? If you have anything open from pfSense, and I assume you're not having any proxies, the possibility that the problem is in pfSense is quite minimal. If your firewall allows anything, then you have problems with the other end of the line or something is not correctly set. Like what is your WAN IP? I don't want to know your public IP, but is it an internal IP? Are you behind another firewall? IIRC, IPCop's web GUI defaults to 81 and 445 to allow you to run any normal web servers on your network.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.