• FW Rule Wireless to WAN?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    @GruensFroeschli: Any is Any –> The internet. WAN-net is the subnet immediately in front of the WAN. Hi GF, Thanks for the feedback! I think I get it, just I did not like the "any" and I assume WAN net was the Internet.  :-[ In summary the 1st rule in my case is correct where I want to have full access to the Internet from a Wireless point somewhere in my Home Office - right? Steen
  • Where is my "Apply changes" button?

    Locked
    1
    1 Votes
    1 Posts
    1k Views
    No one has replied
  • Port Forward issue

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    Cry Havok
    Please keep this in a single thread
  • Strange Message

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    Most likely you're being port scanned and your firewall rules are much more open than they are by default and should be.
  • 0 Votes
    2 Posts
    1k Views
    add a rule to allow CommonPorts, then add another rule for everything else with the limiters.
  • Strange things with rules and gateway solved

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Basic firewall rules

    Locked
    8
    0 Votes
    8 Posts
    5k Views
    Thanks for the tip. I must have missed this chapter! What other good networking book do you recommend?
  • Outgoing rules ?

    Locked
    14
    0 Votes
    14 Posts
    4k Views
    OK, where can I find this rule in web-gui-configurator pass out route-to (pppoe0 my.public.gateway) inet from my.public.ip to ! my.public.ip flags S/SA keep state allow-opts label "let out anything from firewall host itself" ???
  • Forward UDP broadcast between two interfaces

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    I think not while using the limited broadcast address. Can your devices be made to use a directed subnet broadcast? The only other option I know of would be to bridge the two LANs. If you're passing broadcasts between them, then you've effectively bridged them anyway.
  • RESOLVED: Set Up for One WAN and Two LAN Interfaces

    Locked
    7
    0 Votes
    7 Posts
    43k Views
    I knew it had to be something trivial somewhere! When adding the firewall rule I too religiously copied the rule for the LAN interface down to selecting "LAN subnet" for the Source Type. If I'd looked further down the drop down list I would have seen "OPT1 subnet" and selected that. All working as expected now. BTW, I found that Automatic NAT also does the job so there is no need to set NAT to Manual. Thanks for the responses. While the actual problem wasn't identified, following the suggestions gave me enough to track down the actual problem.
  • Android Tablets won't Connect

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Via normal WLAN or VPN (PPTP) or something else? I have an Android phone and tablet and both of those work well via wireless, and I've used PPTP VPN with the phone without problem.
  • If group rules not being processed (+possibly a clue why not)

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Adding a new firewall rule causes internet disconnection.

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimp
    Can you check if your states are getting reset? Look at Diagnostics > States, check the count before and after. What features do you have in use in the router? Some people have reported this issue before, but so far nobody has been able to reproduce it reliably. Also, are you on 1.2.3 or 2.0? If you're on 1.2.3, try 2.0. If you're already on 2.0, ensure you are on the most current snapshot available (should be from the 12th)
  • Firewall rule for Hotspot network

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimp
    Make an alias that contains all your local networks.
    Then, on the hotspot interface rules:
    Block from Hotspot to Local_Nets
    Pass from Hotspot to *, gateway WAN3
    You could just do:
    Pass from Hotspot to !Local_Nets, gateway WAN3
    However I would recommend against that from a readability standpoint. Unless you have thousands of rules and are looking to simplify the ruleset, the readability/understandability of the two separate block/pass rules is much higher.
  • How to set destination IP address

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    @jimp: You could make an alias, and use the no-ip.com hostname in there, but depending on how their site is set up, their hostname may resolve to several IPs and change around at any time, so it may work fine, or sporadically. If you really want to filter that, you would need to set up an http proxy (squid) and something (like squidguard) to enforce access by the URL being contacted. Though that could interfere with the dyndns process. Guess there is not a 100% solution. Thanks for taking the time to answer my question.
  • Broadcasts crossing firewall

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimp
    Are you sure that is coming in through the firewall? If you are seeing ARP, then it's coming in at layer 2 somehow - either a switch or a bridge.
  • Sip invite packets dropped after random time (fixed by reboot of pfsense)

    Locked
    24
    0 Votes
    24 Posts
    10k Views
    Do not rely on state timeout. As I advised in e-mail use Static port in NAT->outbound, this way you will be sure SIP packets that leave your WAN interface always have source port 5060 and even if the state expires remote end 'knows' that it has to communicate with you using port 506 and you have inbound NAT->port forward + rules for this port. So, should work.
  • UTorrent Firewall Problem

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Any ideas?
  • MOVED: Squid transparent proxy

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Access to specified LAN IP address

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    GruensFroeschli
    http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F