• Pfsense as VM in vSphere and VLANs (VLAN Routing)

    Locked
    0 Votes
    6 Posts
    3k Views
    I think now it works. ;D On TestVM I enter the V1000 interface IP as gateway, same for the FTP VM and the FTP interface. Then I created 2 rules for the FTP interface:
    Proto - Source - Port - Dest - Port - Gateway
    ICMP - FTP net - * - V1000 net - * - *
    ICMP - FTP net - * - FTP net - * - *
    and 3 for the V1000 interface:
    ICMP - V1000 net - * - FTP net - * - *
    ICMP - FTP net - * - V1000 net - * - *
    ICMP - V1000 net - * - V1000 net - * - *
    Now I can ping from TestVM (VLAN1000) to the FTP VM. Tested it also on a second TestVM2 from VLAN1001 and it worked. Thanks so far.
  • Correct way to set up multiple DMZ's

    Locked
    0 Votes
    14 Posts
    7k Views
    Ok, thanks. I will test it out.
  • Multiple objects in a single field - without aliases

    Locked
    0 Votes
    6 Posts
    2k Views
    @GruensFroeschli: You can use aliases in aliases with 2.0. Although I'm not sure that helps in this situation. What I would do is have an alias for each type of service you want to provide. Basically your approach 3, "Create a new HR alias for that single rule not including that host." But if you have 10 rules using a single alias, -> 10 aliases, one for each single rule. Thanks, I think the simplest way so far is just a block rule above, but any way it goes there are bound to be situations where, if you heavily rely on groups like I do, a simple exclusion becomes non-trivial. Also I leverage groups quite heavily, some nested 3-4 times. I've set up a policy framework where all zone flows are inherited the instant a subnet or host is added to a specific single group.
  • Firewall log entries split across 2 lines?

    Locked
    0 Votes
    4 Posts
    2k Views
    jimp
    Look at our log parsing code (in /etc/inc/filter_log.inc); there are definitely ways to know if a line is a single entry or a continuation. They couldn't end up out of sequence that I'm aware of, but when doing UDP syslog across the network, anything is possible. Most software like that should have some code for actually parsing the logs that can be edited/hacked/adjusted/etc.
  • Blocking Alias

    Locked
    0 Votes
    2 Posts
    1k Views
    jimp
    You cannot use a URL like that to block in an alias. You can't even block HTTPS by URL in a firewall anyhow - you can't tell what URL is being requested in an HTTPS connection, only the IP, because it's encrypted. You could try to put "www.yahoo.com" in as an alias, but it typically resolves to a sizable set of randomized IPs, so good luck with that working properly…
  • Rules for multi LANs with different subnets [SOLVED]

    Locked
    0 Votes
    16 Posts
    6k Views
    No problems.
  • How to discover what is slowing down the network?

    Locked
    0 Votes
    2 Posts
    4k Views
    johnpoz
    Well, you could capture the traffic at your pfsense box (under Diag) and load that up into, say, Wireshark to see what is going on exactly. Or you could turn on netflows, be it pfflowd or install softflowd, and send that to a flow collector; PRTG or ntop can do this, for example. You could then see who your top talkers are and what specifically the traffic is and where it's going, vs. the generic stuff you get with bandwidthd. You could also just run, for example, pftop or iftop to see who your top talkers are in real time, or install the darkstat package; not sure if it runs on 2.0, have not used it since my 1.2.3 days. You can even install ntop right on your pfsense box, but sending the flows to a different machine would work just as well.
  • Hello anyone could this scenario be possible in NAT outbound translation

    Locked
    0 Votes
    14 Posts
    4k Views
    LoadBalancing in general is working with more than two links. If I remember correctly, a user in this forum is LoadBalancing up to 8 lines. Because I am not using LoadBalancing and squid on one machine, I do not know if it will work with more than two lines, but I think it would be possible.
  • Block Outgoing traffic if Openvpn goes down

    Locked
    0 Votes
    4 Posts
    2k Views
    @ericab: My WAN is behind another HW router. @Metu: I tried to make a gateway, but I haven't a static OpenVPN IP and I can't insert an alias as gateway.
  • Port forwarding issue

    Locked
    0 Votes
    6 Posts
    2k Views
    Then you start over and think about what you want to achieve ;) Can you take your last added rule from the WAN side and create the port forward as previously mentioned?
  • Block SMTP on LAN besides Mail server

    Locked
    0 Votes
    5 Posts
    8k Views
    Thanks! That worked perfectly.
  • Nesting aliases not working

    Locked
    0 Votes
    3 Posts
    1k Views
    @cmb: does it work if they're IPs rather than hostnames? I'm sure it would work with IP addresses, but a lot of the hosts are dynamic and I need to be able to do it with host names. Any help would be very much appreciated. ???
  • Blocking all HTTP activity except for certain web sites

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Routed SSH Sessions are killed After 15 Minutes Whether Active or Not

    Locked
    0 Votes
    2 Posts
    2k Views
    You have asymmetric routing because the host is dual homed, which will cause problems with any stateful firewall. You either need policy routing on the host itself to ensure all traffic leaves the same interface it enters via the appropriate gateway when off-subnet, or only use the interface IP where the default gateway resides when off-subnet, and only the local subnet IP when on subnet. Please don't post the same thing to both the forum and mailing list unless you don't have a response on one or the other after 24 hours.
  • Multiple LAN

    Locked
    0 Votes
    4 Posts
    2k Views
    ptt
    You must set the rules in OPT1 to allow traffic towards LAN. The default behavior is "deny" ALL traffic from OPT to LAN, so you must create a rule allowing the desired traffic to pass. Otherwise the OPT1 hosts cannot see the LAN hosts.
  • MOVED: Squid to block upload of emails

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Wireless Internet access does not work

    Locked
    0 Votes
    4 Posts
    2k Views
    You can also use an alias like "local nets"; then, when you add new interfaces etc., you add that network to "local nets", so by using a pass !"local nets" rule you can do what you desire. But how this notation works is out of my hands.
  • Bogons file from july 1-st contained google netblock

    Locked
    0 Votes
    7 Posts
    2k Views
    37-day-old install. But nevertheless, the old config along with the old password was indeed restored when this fw replaced the old one. Will go over the conf with a fine-tooth comb.
  • SSH session disconnect, fragmented packets blocked.

    Locked
    0 Votes
    8 Posts
    11k Views
    Thanks for these incredible pointers, guys! I've been experiencing MANY problems with this in the past months. Never was able to figure it out. It actually only occurred for all IPv6 traffic between two VLANs on my network being connected via pfSense. Since IPv6 traffic is prioritized over IPv4 traffic, when connecting using DNS or NETBIOS names instead of an explicit IPv4 address, it would always cause trouble. It wasn't just one protocol, it was with every protocol and every type of traffic (i.e. RDP, file sharing over NETBIOS, streaming audio, SSH sessions). Very irritating. Strange that it didn't occur with IPv4 traffic though. Switching the setting at System -> Advanced -> Firewall/NAT -> Firewall Optimization Options to conservative solved it all. And increased memory usage? It's still at 5% of the 4GB of RAM the machine is equipped with, just like it was before :) Thanks!!
  • URGENT: Can't use any website with HTTPS…. (Port 443)

    Locked
    0 Votes
    17 Posts
    5k Views
    Matt, was that packet capture taken on the LAN or WAN interface of your pfsense? If it was taken on WAN, it might look like 443/tcp is being filtered upstream, since the TCP SYN is never responded to. I don't understand, however, why the destination address of the HTTP GET is 10.18.52.9 (your pfsense); the destination address for that packet should be 155.136.80.213 (www.natwest.com). If you perform an nslookup on www.natwest.com from your PC, what address does that hostname resolve to? Do you by any chance override DNS in any way? Andreas
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.