• Firewall

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    Cry Havok
    Without much more information nobody can help you. Please start with screenshots of your firewall rules (and any aliases) and details of the downloads (URLs etc) that aren't being blocked.
  • Blocking KProxy

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    jimp
    If you blocked those IPs, you wouldn't be able to get there if the rule was set up right. A block rule like that should be on the LAN, and at the top of the list.
  • 0 Votes
    2 Posts
    4k Views
    K
    I found that I had to put WAN and bridge this to the LAN connection. I have turned off the DHCP server. I have enabled DHCP Relay and put in the DHCP server IP. Now my computer, connected to the LAN port, gets an IP, DNS etc… but I cannot ping/dig cnn.com etc. :-/ I'm connected to my network, but I cannot see the outside world.
  • System load on WAN interface on two pfSense VMs

    Locked
    13
    0 Votes
    13 Posts
    6k Views
    I
    Just ran into this for the first time here as well with two physical boxes running v1.2.1 w/CARP and having separate switches for each private/public subnet.  Interestingly, the only difference between this network and any of quite a few others we've worked on with pfSense was the presence of a number of new Windows 7 machines which had bad keys and all suddenly started looking for KMM servers at the same time (with lots of NBT broadcasts in the process).  Confoundingly, it's a multi-WAN and we had just added the second link (on a separate switch of course) and thought maybe we had configured something wrong in the LB by accident.  Fortunately we have an identically configured setup at another location and after doing a line-by-line comparison between all the configs determined it had to be a bug in pfSense.  A quick search came across this thread and we have implemented jjponce's suggestion of restricting traffic between the two WAN interfaces to pfsync and nothing else.  (This was only performed on the public-facing NICs as they were the only interfaces exhibiting the problem; his reference to CARP interfaces may still apply under some circumstances.) To clarify a bit further for anyone else seeing this, the traffic only appears on the public side and completely saturates the external NICs.  If you do a packet capture all the packets are NetBIOS addressed from/to 169.254.x.x (actual IP varies of course) and run up to the maximum bandwidth of the WAN link.   To reiterate that last, the bandwidth utilization we observed was the physical limits of the dedicated lines coming in, NOT the limits of the local hardware.  This implies that pfSense is routing the broadcast packets out and they are getting reflected back by upstream devices(?)  The multi-WAN in this case has lines coming from two different ISPs, both lines having bandwidth caps set by the ISPs, one at 35Mb and the other at 100Mb.
All local hardware is Gb but the traffic load was never more than what the lines were (externally) capped at. We'll post again if jjponce's solution does not help, otherwise consider it the answer for now.
  • Block Gtalk and other messengers

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    N
    To block Gtalk and chat from gmail.com, I have set up DNS forwarding for talk.google.com, talk.x.google.com and chatenabled.mail.google.com and forwarded all three domains to my local IP. This has disabled Gtalk from both web and messenger.
  • Logging outgoing mails

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    L
    Thanks for fast answer. Helped me a lot.
  • Can't get Internet speed over 380Mbit with 1.2.3 release

    Locked
    10
    0 Votes
    10 Posts
    3k Views
    C
    A relatively slow box with cheap NICs isn't going to do much more than that. Atoms with Intel gig cards can hit about 500 Mb. 2.0 may be a bit faster, but you're trying to accomplish more than your hardware can do. Normally I would expect the CPU to be maxed out, but you may be hitting bus speed limits or other limits of your hardware.
  • Dual Wan firewall rule issue

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    L
    Hi, managed to get it sorted, user error and new with pfSense = not work lol
  • Firewalling LAN outbound traffic

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    Cry Havok
    The rules apply top down - if your top rule is a pass all rule then all the rules below are ignored. Create an alias for all the general PCs and then create a pass all rule for those as the source. Then create another set of rules to allow the ports you want servers to be allowed to use. With no default pass rule anything else will be blocked.
  • How do you remove a rule, if you have locked yourself out of the GUI?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimp
    That's why I wrote this doc a long, long time ago: http://doc.pfsense.org/index.php/I_locked_myself_out_of_the_WebGUI,_help!
  • Weird Firewall problem while blocking External IP :(

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    G
    Thank you jimp! I noticed my problem. I was test blocking my DNS IP 8.8.8.8, which for some reason did not work. I guess pfSense puts a hidden rule to allow access to the DNS server IP address even though you try blocking it in the rules. So that would be the problem I was having while testing the firewall. Thanks for your help! PJ
  • Hamachi 2.0.3.111 + Pfsense 1.2.3-RELEASE

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    A
    Hi, could someone give me some tips on how to unblock Hamachi in pfSense to establish a direct connection between the hosts? Thanks very much!
  • PfSense 2.0-RC1 Scheduling block behavior

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    G
    Finally, the new scheduling in pfSense 2.0 worked as expected.  I don't know why it wasn't resetting states when the schedule time was starting.  I saw an option in Settings / Advanced / Miscellaneous: "Schedule States" which was set as the default "clear the states of existing connections when expiry time has come".  The setting was right for my application but didn't seem to work when we did our tests.  We didn't change settings but installed the latest patch and it works.
  • Manually restricting outside VPN access in 2.0

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    S
    Bingo, updating to the latest snapshot made it show up!  Thanks!
  • Weird firewall log in 1.2.3 ?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp
    Looks like the phone issued a disconnect command, disassociating from the AP. Probably when the phone went into power save mode and turned off its wifi radio.
  • VoIP Traffic Random Destination port

    Locked
    1
    1 Votes
    1 Posts
    2k Views
    No one has replied
  • How to write single rule for multiple destinations?

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    C
    Thanks ohnel…. It worked fine.
  • How to forward all HTTPs traffic to HTTP?

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    ?
    @torontob: So, any way I can block specific domains rather than simply port 443 which will block all access as you suggested? Domains and not IPs as Domains can occasionally map out to different IPs. Please use the search feature, this question has been asked many times
  • Firewall Rules Doesn't Apply Help

    Locked
    1
    0 Votes
    1 Posts
    966 Views
    No one has replied
  • TCP Traffic over GRE over IPSEC tunnel gets blocked

    Locked
    6
    0 Votes
    6 Posts
    8k Views
    S
    Hello igor, I am very sorry for my late reply. Somehow I didn't get a notification about your post. And as I had other projects to finish I wasn't in the forum for some days now. Perhaps you have already solved your problems in the meantime. Because of these other projects I have purged the ospf/gre over ipsec setup. At the moment we have just one ipsec tunnel to each of our remote sites and we do manual failover in the case of an outage of one line. But I would be very happy to get this issue solved and to do ospf routing over VPN. As jimp has written, the stateful packet inspection firewall of pfSense blocks the traffic because the TCP packets do not come back on the same interface as they were sent on. But I couldn't figure out what was wrong in the routing. Somehow I think that ipsec does not route traffic back to the gre interface. Do you/Did you have the same errors in the firewall log? Well, I will try to set up a testing environment in the next days and hope to find an error. It would be very cool to get this working. If you wish I can send you my config then.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.