• Firewall rule not matching

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Those packets are "return traffic" - it isn't matching the rule because it isn't making a new connection. It's part of an existing connection. You either have asymmetric routing, causing pfSense to only see half the conversation (and not the start of it), or that is traffic that comes through after a connection's state has been dropped. If that network is reachable via a router on your LAN net, go under System > Advanced and check the box to bypass firewall rules for traffic on the same interface.
  • Pfsense Help needed Firewall Rules for Dyndns

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Split LAN and routing to 2 Lines…

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    M
    Use static IPs for the servers, e.g. .2-.127, and create DHCP for the clients from .128-.253. Then create a manual outbound NAT rule so that only server IPs can go through that one gateway, and another rule for the clients so those use the other gateway. That should do it.
  • How to make an aliase for youtube and other streaming sites?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    M
    Well, because youtube is part of google, so they have lots of IPs:

    NetRange:       74.125.0.0 - 74.125.255.255
    CIDR:           74.125.0.0/16
    OriginAS:
    NetName:        GOOGLE
    NetHandle:      NET-74-125-0-0-1
    Parent:         NET-74-0-0-0-0
    NetType:        Direct Allocation
    RegDate:        2007-03-13
    Updated:        2007-05-22
    Ref:            http://whois.arin.net/rest/net/NET-74-125-0-0-1
    OrgName:        Google Inc.
    OrgId:          GOGL
    Address:        1600 Amphitheatre Parkway
    City:           Mountain View
    StateProv:      CA
    PostalCode:     94043
    Country:        US
    RegDate:        2000-03-30
    Updated:        2009-08-07
    Ref:            http://whois.arin.net/rest/org/GOGL
    OrgTechHandle: ZG39-ARIN
    OrgTechName:   Google Inc
    OrgTechPhone:  +1-650-253-0000
    OrgTechEmail:
    OrgTechRef:    http://whois.arin.net/rest/poc/ZG39-ARIN

    You could create a rule in the form * * * 74.125.0.0/16 * "your another gateway" * *; for that "your another gateway" you can select it under Advanced features -> Gateway. That should do it, but the only con is that everything you send to google is going to use only one gateway (so much for the redundancy), or you can use only this address: 74.125.224.192 for youtube.com. EDIT: Oh, forgot: if you're also going to add other streaming sites, and you'd like a low number of rules doing the same job, you may create an alias (e.g. streamsites) and under that you can add all the IPs you'd like to handle via one gateway rule.
  • UPnP sharing between two NICs / gateways

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG
    Install/Enable the IGMP proxy. Set the upstream to the interface on which your server resides. However as long as all your devices are connected directly to the pfSense it doesn't really matter which interface is configured as upstream, since all servers on downstream interfaces are propagated as well.
  • Log Firewall States

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    J
    You are right. A real RTFM moment for me.
  • Unable to reach some LAN hosts (SuSE) from DMZ

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    Sounds like you have them dual homed, probably with the default route pointing somewhere other than the firewall, which is going to cause routing complications for that host (it'll reply out the wrong way). Static route to the internal network or policy routing on that host will work around that.
  • Blocking facebook

    Locked
    12
    0 Votes
    12 Posts
    16k Views
    T
    A much more succinct version of what I was getting at, Jimp. I'm going to use that line next time a client asks me to block site <whatever>. They've got to change the culture rather than rely on a lazy technical solution.
  • Dup-to custom rule

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • MOVED: (portscan) UDP Filtered Portscan

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • MOVED: DynDNS firewall Rule

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Everyday people try to hack in with ssh.

    Locked
    18
    0 Votes
    18 Posts
    13k Views
    jimpJ
    Changing to an alternate port does help cut down on log spam though, and if your logs are more relevant it's easier to spot a potential security issue or targeted breach when you don't have to sort through a bazillion automated attacks.
  • Preventing traffic from reaching LAN from DMZ, but not to WAN

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    A
    Excellent, thank you both very much.
  • Transparent pfsense Firewall

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    2 Posts
    2k Views
    ?
    Blocking based on MAC addresses is not supported in 1.2.3 and is trivial to bypass so you're not actually adding security. You can, of course, create firewall rules to block IP addresses, that's the point. If you absolutely must only allow access based on MAC address, consider using the captive portal feature.
  • Stress test Tool

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    M
    Oh sorry, I didn't call that. Bandwidth for sure, and the firewall ports.
  • Ports being blocked even though they are open

    Locked
    13
    0 Votes
    13 Posts
    5k Views
    V
    Oh, crap, didn't see that. OK, will try it again and watch the logs and report back. Thanks, I'll be back! :P
  • "ping host" menu command bypasses firewall rules for DMZ/LAN ?

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    C
    Everything you describe is the way things should work.
  • State Type "none" not working as expected in 2.0RC1

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C
    You can't use no state like that, or at all in this circumstance. As long as your source uses random source ports (which is generally always the case; you may need to fix something in your specific case) and a new one every time it opens a new connection, you won't have any issues with opening new connections to the same port.
  • How does the firewall work?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C
    Read these:
    http://doc.pfsense.org/index.php/Firewall_Rule_Basics
    http://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.