• Transparent firewall with VLANs
    Locked · 10 posts · 0 votes · 5k views
    Last reply: Thanks! So far the best luck I've had is treating each VLAN interface as a physical interface and setting it up as if I was the WAN and LAN for the transparent instructions.
• What type of Rules should I be considering? Basic Setup
    Locked · 9 posts · 0 votes · 2k views
    Last reply: Metu & Lost… Yes - working on it... I have simple rules but am learning the other parts of VLAN etc. Lost has posted on another topic explaining VLAN and tagging ... 802.1Q. I think I can use a separate port/VLAN for the guest wireless if I want to... I just have to figure out how to leverage VLAN for better isolation. H.
• Resource to "decode" firewall logs?
    Locked · 2 posts · 0 votes · 1k views
    Last reply by jimp: 66/0 is the rule number and group number. You can view the rule number by looking at pfctl -vvsr. pf is the name of the process doing the logging. I don't recall what the number in the 14 place meant; might be some kind of timing value. The log messages are vastly different in 2.0 than 1.2.3. The parsing code breaks down the things you really need to see pretty well. The details of the log message are probably in the pf docs somewhere.
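An added example, not code from the thread or from pfSense, of pulling the fields jimp names out of 2.0-era pf log lines: the `rule 66/0(match)` token carries the rule and group number (the rule number lines up with `pfctl -vvsr`), and the value right after `pf:` is treated here as the tcpdump-style inter-packet time delta. The three log lines are constructed for the example; the interface names, addresses and rule numbers are made up, and the exact field layout is an assumption about that format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of pfSense 2.0-style firewall log lines (not real data).
# Assumed layout: syslog stamp, "pf:", tcpdump-style time delta, rule/group,
# action, direction, interface, IP header summary in parentheses, then
# "src > dst:" followed by protocol-specific detail.
SAMPLE_LOG = """\
May 26 15:30:19 pf: 00:00:00.431540 rule 66/0(match): block in on em0: (tos 0x0, ttl 64, id 1234, offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.10.51234 > 198.51.100.5.22: S 1:1(0) win 65535
May 26 15:30:20 pf: 00:00:01.002113 rule 12/0(match): pass in on em1: (tos 0x0, ttl 128, id 5912, offset 0, flags [none], proto UDP (17), length 78) 192.168.10.25.137 > 192.168.10.255.137: NBT UDP PACKET(137): QUERY
May 26 15:30:21 pf: 00:00:00.000421 rule 66/0(match): block in on em0: (tos 0x0, ttl 57, id 9999, offset 0, flags [DF], proto ICMP (1), length 84) 192.0.2.77 > 198.51.100.5: ICMP echo request, id 1, seq 1, length 64
"""

LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) pf: "
    r"(?P<delta>\d\d:\d\d:\d\d\.\d+) "                 # time since previous logged packet
    r"rule (?P<rule>\d+)/(?P<group>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<iface>\S+): "
    r"\((?P<iphdr>.*?)\) "                             # header summary; itself contains "(6)" etc.
    r"(?P<src>\S+) > (?P<dst>\S+?):"
)
PROTO_RE = re.compile(r"proto (?P<name>[A-Za-z0-9]+) \((?P<num>\d+)\)")


@dataclass
class PfLogEntry:
    rule: int
    group: int
    action: str
    direction: str
    iface: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _split_endpoint(endpoint: str, has_port: bool):
    """tcpdump prints TCP/UDP endpoints as host.port; other protocols carry no port."""
    if not has_port:
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_line(line: str) -> Optional[PfLogEntry]:
    """Return a structured entry for one log line, or None if it is not a pf line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = PROTO_RE.search(m["iphdr"])
    proto = p["name"] if p else "UNKNOWN"
    has_port = proto in ("TCP", "UDP")
    src, sport = _split_endpoint(m["src"], has_port)
    dst, dport = _split_endpoint(m["dst"], has_port)
    return PfLogEntry(int(m["rule"]), int(m["group"]), m["action"], m["direction"],
                      m["iface"], proto, src, sport, dst, dport)


def parse_log(text: str):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def blocks_by_rule(entries):
    """Count blocked packets per rule number, the number you look up in `pfctl -vvsr`."""
    counts = {}
    for e in entries:
        if e.action == "block":
            counts[e.rule] = counts.get(e.rule, 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(f"rule {e.rule}/{e.group} {e.action} {e.direction} {e.iface} {e.proto} "
              f"{e.src}:{e.sport} -> {e.dst}:{e.dport}")
    print("blocks per rule:", blocks_by_rule(entries))
```

The header summary has to be matched lazily because `proto TCP (6)` puts parentheses inside the parenthesised block; anchoring on `) src > dst:` avoids cutting it short.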
• Configuration Question for a beginner
    Locked · 2 posts · 0 votes · 1k views
    Last reply: WAN: Your front end looks ok off the LAN. 50.48.201.96 is the subnet ID, 50.48.201.97 - 50.48.201.102. You could address anything on the WAN from the .98 to .102… Broadcast is .103... LAN: LAN IP - private addressing is ok. But your diagram is showing a public IP address for the server? OPT1: Public addressing - this will take some work. Your setup could be done with a traditional DMZ model and private LAN if I am following you... There are setups in the pfSense 1 book that you can follow, or check this thread here and use DNS forwarding... http://forum.pfsense.org/index.php?topic=27547.0
• Access from one LAN to another LAN
    Locked · 5 posts · 0 votes · 2k views
    Last reply: @Metu69salemi: "It would be, but why it should?" Metu… I was thinking if a bridge is used it will allow access across the ports OPT1 and LAN... Big_brat - Metu is right - this should be a rule any-any to allow access I think... Also, I am wondering if you have the check box that blocks private addressing on the LAN; I would try unchecking this...
• SCRUB settings
    Locked · 1 post · 0 votes · 1k views
    No one has replied
• Can't access router when connected via PPTP
    Locked · 19 posts · 0 votes · 5k views
    Last reply: Yes it is, and from within the office I can get to it, just can't when connected via PPTP from my home. I also found out last night that I can't access it when I connect to another server via TeamViewer from home... same problem... all other devices with a WebGUI on the 192.168.10.0 subnet I can access... just not this one in particular...
• HTTPS traffic over port 80
    Locked · 5 posts · 0 votes · 4k views
    Last reply: Issue fixed. Nothing related to pfSense after all. WAN was hard coded in the software and did not like being moved. Good to know that pfSense does not mind encrypted traffic over port 80. :) Thanks GruensFroeschli for your time and suggestions.
• Allow traffic only through VPN
    Locked · 1 post · 0 votes · 2k views
    No one has replied
• Max Concurrent Sessions
    Locked · 4 posts · 0 votes · 6k views
    Last reply: Hi, I do not have any experience in such a big environment, but in the pfSense online docs there is a scenario explained with four or five DSL lines and an internet cafe or gaming cafe !? Not sure at all. It explains how to do load balancing. Further, in the forum I read about LAN parties and using pfSense. Perhaps you will get some more information there.
• Create Nested Aliases?
    Locked · 9 posts · 0 votes · 5k views
    Last reply: @jimp: "That would never work. An alias is only relevant for one specific type. If you used that alias as a source, you'd be trying to use both a hostname and a port for a source IP, which is invalid." Ok thank you very much. I figured I might be wrong headed about this. It makes sense now. Thanks again. :D
• Locking Down Public Wifi
    Locked · 3 posts · 0 votes · 4k views
    Last reply: The problem you have comes from a mistake in the destination in your rules: you have to use "any" instead of "WAN Address". Here is my advice:
        - create an alias containing all your internal networks (wired LAN & private WiFi in your case)
        - create an alias containing all the ports you will allow for the public WiFi (HTTP, HTTPS & DNS)
        - create the following rules, in this order:
            1. public WiFi to alias "internal networks": block, any ports
            2. public WiFi to firewall interface: block, any ports
            3. public WiFi to any: permit, ports in alias "public allowed traffic"
    Remark: you have to allow DNS traffic in order to have name resolution for the public WiFi.
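An added example, not code from the thread or from pfSense, that models the first-match rule evaluation behind the advice above: pfSense interface rules are evaluated top to bottom, the first match wins, and anything unmatched hits the implicit default deny. That is why a pass rule whose destination is "WAN address" never matches guest traffic bound for the Internet, and why the two block rules have to sit above the pass rule. The subnets, alias names and addresses below are made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical addressing for this example (not taken from the thread).
GUEST_NET = "10.10.0.0/24"       # public WiFi subnet
GUEST_IF_ADDR = "10.10.0.1"      # firewall's own address on the guest interface
WAN_ADDR = "203.0.113.2"         # firewall's WAN address

# Aliases as the post suggests: one for internal networks, one for allowed ports.
ALIASES = {
    "internal_networks": ["192.168.1.0/24", "192.168.20.0/24"],   # wired LAN, private WiFi
    "public_allowed_ports": [53, 80, 443],                         # DNS, HTTP, HTTPS
}


@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # CIDR, alias name, or "any"
    dst: str               # CIDR/host, alias name, or "any"
    ports: Optional[str]   # port alias name, or None for any port
    descr: str


def _nets(target: str):
    """Expand 'any' (None = match all), an alias name, or a single CIDR/host."""
    if target == "any":
        return None
    members = ALIASES.get(target, [target])
    return [ipaddress.ip_network(m, strict=False) for m in members]


def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_nets, dst_nets = _nets(rule.src), _nets(rule.dst)
    if src_nets is not None and not any(s in n for n in src_nets):
        return False
    if dst_nets is not None and not any(d in n for n in dst_nets):
        return False
    if rule.ports is not None and dport not in ALIASES[rule.ports]:
        return False
    return True


def evaluate(rules, src: str, dst: str, dport: int):
    """First matching rule wins; anything unmatched hits the implicit default deny."""
    for r in rules:
        if matches(r, src, dst, dport):
            return r.action, r.descr
    return "block", "default deny"


# The mistake described in the thread: destination "WAN address" only matches packets
# addressed to the firewall's WAN IP, so Internet-bound guest traffic falls through.
BROKEN = [
    Rule("pass", GUEST_NET, WAN_ADDR, "public_allowed_ports", "guest -> WAN address (wrong)"),
]

# The corrected order: block internal networks, block the firewall itself,
# then pass only the allowed ports to anything else.
FIXED = [
    Rule("block", GUEST_NET, "internal_networks", None, "guest -> internal networks"),
    Rule("block", GUEST_NET, GUEST_IF_ADDR, None, "guest -> firewall interface"),
    Rule("pass", GUEST_NET, "any", "public_allowed_ports", "guest -> Internet, allowed ports"),
]

# Same three rules with the pass rule first: first-match means the blocks never fire
# for HTTP/HTTPS/DNS destinations, so guests can reach internal web servers.
MISORDERED = [FIXED[2], FIXED[0], FIXED[1]]


if __name__ == "__main__":
    probes = (("198.51.100.9", 443), ("192.168.1.10", 443), ("10.10.0.1", 443), ("198.51.100.9", 25))
    for name, rules in (("broken", BROKEN), ("fixed", FIXED), ("misordered", MISORDERED)):
        for dst, port in probes:
            print(f"{name:10} 10.10.0.50 -> {dst}:{port}: {evaluate(rules, '10.10.0.50', dst, port)}")
```

One caveat the remark about DNS points at: if the guest DHCP scope hands out the firewall's own interface address as the DNS server, rule 2 blocks that resolution too, so either hand guests an external resolver or put a pass for port 53 to the interface address above the block.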
• Remote administration
    Locked · 2 posts · 0 votes · 8k views
    Last reply: Firewall rule on WAN: protocol: TCP; source: any; source port: any; destination IP: WAN Address; destination port: 80. This should work if your webGUI is on port 80 and there are no other WAN rules ahead of the rule I posted above. If it does not work, please post a screenshot of your WAN rules in Firewall. If on interface WAN "Block bogon rules" is checked, you cannot connect on the WAN side with this kind of source IP addresses. PS: To access the webGUI the way you like isn't the best or most secure way to do so. Try to configure a VPN access.
• Note about "Bogon Network" blocking.
    Locked · 9 posts · 0 votes · 5k views
    Last reply: @900mhzdude: "Since we are on the topic, how do I get this option on my other 2 WANs in pfSense 1.2.3?" You can't, 2.0 only.
• Blocking Viruses With Pfsense For A WISP
    Locked · 5 posts · 0 votes · 3k views
    Last reply: @900mhzdude: "Also is it possible to block download by file name like… Block Source File Name Cpnprt2.cid Dest LAN subnet ???" Only if you proxy all HTTP traffic, which isn't something you want to do as an ISP. @900mhzdude: "How do you do limiting states per-host?" Works fine, see the advanced options on each rule. Detailed in http://pfsense.org/book
• New firewall rule doesn't take effect until I manually reset states
    Locked · 3 posts · 0 votes · 2k views
    Last reply: Thank you very much GruensFroeschli. I will remember this in the future when creating rules. Many thanks.
• Limiter issues, firewall rule not triggering limiter.
    Locked · 3 posts · 0 votes · 2k views
    Last reply: I did this, changed my rule to Queue and made it Quick, but it doesn't work. If I make it action Pass and Quick it will work, but then LAN rules won't validate.
• Disconnects while changing rules
    Locked · 2 posts · 0 votes · 1k views
    Last reply by jimp: That shouldn't be happening. Some others have said that it happens to them, but nobody has been able to narrow down the exact circumstances in which that happens. It doesn't happen on any of the 2.0 boxes or VMs that I have. I'm not sure any of the other devs have been able to reproduce it either.
• FTP access from specific IP address being blocked, other IP not.
    Locked · 8 posts · 0 votes · 3k views
    Last reply: Oh okay, I did it myself. Well, the log shows this:
        May 26 15:30:19 admin: 29 addresses deleted.
        May 26 15:30:19 admin: Bogons file downloaded: 5 addresses added.
        May 26 15:30:12 admin: rc.update_bogons.sh is beginning the update cycle.
        May 26 15:30:12 admin: rc.update_bogons.sh is starting up.
    File now contains:
        0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 192.0.0.0/24 192.0.2.0/24 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4
    And it seems to have worked, no longer blocked, thanks :) Guessing it hasn't been updated in a while then, any idea why?
• Protocol Monitoring/Blocking, SMTP specifically!
    Locked · 2 posts · 0 votes · 3k views
    Last reply by jimp: Blocking port 25 and the submission port would really be effective for this. You can send SMTP on any port, but it would be worthless since nobody else would be listening for that traffic. If you really want to do that, on 2.0 you could set up a layer7 container to match SMTP traffic and direct everything through it. Be aware, however, that layer7 inspection is quite CPU intensive and it will slow down all traffic processing that has to go through it.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.