• Public Subnet in LAN - not working.

    Locked
    0 Votes
    5 Posts
    2k Views
    LAN and WAN cannot be the same subnet. Check the section of the book that describes means of using additional public IPs, it describes the options in detail.
  • Group other than tcp port in rule

    Locked
    0 Votes
    2 Posts
    1k Views
    Not at this time, only ports.
  • Pfsense Firewall for Dummies

    Locked
    0 Votes
    2 Posts
    9k Views
    @xtropx: **1) I am under the impression that firewall rules apply inbound on an interface. They do, you have the source and destination backwards though. Traffic hitting the LAN rules will only be sourced from the LAN subnet. Read the firewall chapter in the book for detailed explanation. http://pfsense.org/book The basics are covered here. http://doc.pfsense.org/index.php/Firewall_Rule_Basics**
  • (solved) dual wan PPPoE client in 2.0

    Locked
    0 Votes
    3 Posts
    2k Views
    I can see my problem now. Both my WANs are from the same ISP, of course they use the same subnet.  :( I will never try it again, and set my modems as PPPoE and my WANs' gateways :-X Thank you Jimp….
  • Srv web in DMZ to local domain

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • MOVED: Need to Block GMAIL

    Locked
    0 Votes
    1 Posts
    921 Views
    No one has replied
  • HTTPS Not Resolving

    Locked
    0 Votes
    2 Posts
    1k Views
    Cry Havok
    No. Does this happen for all clients and all web browsers?
  • SFTP not being allowed on certain interfaces

    Locked
    0 Votes
    2 Posts
    1k Views
    anyone have any ideas ???
  • Help with LAN side firewalling

    Locked
    0 Votes
    12 Posts
    4k Views
    THANK YOU! That worked a trick.
  • Outbound access to port xxxx

    Locked
    0 Votes
    3 Posts
    1k Views
    I was just logging in to post that it was a firewall on the other end of the chain that was blocking since our IP changed, so everything is good and this was a non-issue. Thanks for replying though! Ben
  • MOVED: Squid Setup

    Locked
    0 Votes
    1 Posts
    904 Views
    No one has replied
  • PfSense is blocking outbound Trixbox (SIP) ports

    Locked
    0 Votes
    3 Posts
    4k Views
    Jakobud, I think you need to create a Manual Outbound NAT (AON) rule for the trixbox to work properly. Just set it to AON and create a rule for the IP address of your trixbox and set port to static "YES" and it should work. At least it has worked fine for me several times.
  • Anti spoofing

    Locked
    0 Votes
    3 Posts
    2k Views
    If you can explain more specifically what's happening that would be helpful, no idea what to suggest from that.
  • Question regarding ipfw syntax

    Locked
    0 Votes
    3 Posts
    3k Views
    jimp
    pfSense uses pf and ipfw, pf for firewalling and most tasks, and ipfw for captive portal, limiters, and maybe a couple other things. You can run "pfctl -vvsr" and "pfctl -vvsn" to see the rule list and nat list, respectively. The extra v's on there will show hit counts since the last filter reload.
  • Ssh from external source to dmz address is not connecting

    Locked
    0 Votes
    5 Posts
    2k Views
    jimp, thank you for the instruction. You correctly interpreted my misunderstanding of how the firewall works. I will implement your suggestion and post results. wsams "most problems with a computer can be traced to the loose nut between the chair and the keyboard"
  • How To Bridge PFsense 2.0 RC3

    Locked
    0 Votes
    2 Posts
    10k Views
    GruensFroeschli
    1: Interfaces --> assign --> bridges. 2: Create a bridge and add all interfaces you want as members. 3: Interfaces --> assign. 4: Assign the bridge you just created. The bridge is treated like a normal interface. Configure IPs on this interface. (5:) Assign the interfaces which are members of the bridge. Set their IPs as "none". (6:) Create firewall rules on the member interfaces of the bridge to allow traffic. If you only have 2 interfaces it might be a problem to configure it like this. In this case you could, as an alternative, give an IP to the LAN interface, not assign the bridge, and set the IP of the WAN to none.
  • How do I get pfSense to ALLOW web traffic from my domain?

    Locked
    0 Votes
    4 Posts
    3k Views
    Cry Havok
    You're saying then that people outside your network cannot reach web sites on your network? Please read the pfSense documentation, particularly the section on port forwarding. Buying the pfSense book would probably be of considerable benefit to you too. As for firewall rules, NAT settings etc - everything is accessible through the web GUI.
  • PfSense 2.0-RC2: block utorrent's uTP connections?

    Locked
    0 Votes
    2 Posts
    4k Views
    @pekmop1024: Is it possible with standard pfSense 2 tools? UPD: I have working iptables rules for this case, could anyone tell me how to convert it for pfSense?
    iptables -I FORWARD 1 -m udp -p udp -m string --hex-string "|7FFFFFFFAB|" --algo kmp --from 40 --to 44 -m statistic --mode random --probability 0.90 -j REJECT --reject-with icmp-port-unreachable
    iptables -I FORWARD 2 -m udp -p udp -m string --hex-string "|7fffffff0003|" --algo kmp --from 36 --to 41 -m statistic --mode random --probability 0.90 -j REJECT --reject-with icmp-port-unreachable
    iptables -I FORWARD 3 -m udp -p udp -m string --hex-string "|0000000000380000|" --algo kmp --from 36 --to 43 -m statistic --mode random --probability 0.90 -j REJECT --reject-with icmp-port-unreachable
    Hi. As far as I know, no, but you have Layer7 functionality that does the same job under Firewall: Traffic Shaper: Layer7. You create a new group of P2P and assign bittorrent and e-donkey to it. Next you assign this group under your local LAN allow outbound rule: under Advanced features there is Layer7, where you choose the pre-configured Layer7 group created previously, and you are done. Other than that, there is the excellent SNORT package, where you get a whole rule section for P2P or whatever type of protocol you can think of for blocking. Regards
  • LAN –> DMZ Access

    Locked
    0 Votes
    3 Posts
    9k Views
    Maybe you need to supply the firewall rules. I think the default LAN rule is Allow LAN NET to * And that should do it. Otherwise you make a firewall rule in the LAN tab: Allow LAN NET to DMZ NET That should do it.
  • Can't access CFS/SMB on different network. Correct firewall rules?

    Locked
    0 Votes
    4 Posts
    7k Views
    The easiest way I have found to solve this problem is to use Active Directory Sites and Services. Everything works fine then.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.