• How to block traffic over 2 sites
    Locked · 0 Votes · 2 Posts · 1k Views
    jimp: If you are on 1.2.3, see here: http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3 If you are on 2.0, just add a block rule to the top of the OpenVPN tab under Firewall > Rules.
  • WAP and LAN on 2.0-RC1
    Locked · 0 Votes · 1 Post · 1k Views
    No one has replied
  • Blocking constant hits from WAN port 67 to LAN 255.255.255.255 port 68
    Locked · 0 Votes · 7 Posts · 12k Views
    G: Hey, thanks for that!!!!! I used reverse DNS and it came up blank :S I didn't think to just run a whois; thanks again!
  • Pf 'reason'
    Locked · 0 Votes · 1 Post · 1k Views
    No one has replied
  • Routing certain machines through VPN
    Locked · 0 Votes · 3 Posts · 2k Views
    C: Hi, thanks for your reply. Here is what I tried so far:
      Firewall Rule -> LAN interface, from LAN subnet, to any, Gateway=WAN
      Firewall Rule -> LAN interface, from any, to any, Gateway=WAN
      Firewall Rule -> VPN interface, from LAN subnet, to any, Gateway=WAN
      Firewall Rule -> VPN interface, from any, to any, Gateway=WAN
    Then I made a Routing Group as you suggested:
      Routing Group -> created Group with WAN=Tier1, VPN=Never (I also tried Tier2)
    Then I tried the same rules as above but with Gateway=RoutingGroup. I also tried a rule on the VPN interface blocking all traffic from the LAN subnet, but it still went through. I think I am either misunderstanding how to use these rules or they don't have any effect… The only thing I managed in the meantime was that no traffic at all went through. I hope you or someone else can give a few more tips. Thanks in advance.
  • Need help to access OPT1 from a PC on the WAN subnet
    Locked · 0 Votes · 4 Posts · 2k Views
    T: Good point. In either case, the issue is that pfSense isn't answering the requests for those IPs, because they're bound to a different interface. They're not "listening" on WAN. So either direct traffic locally that is for those IPs to pfSense… or else configure pfSense to listen to something and forward that traffic (as in my example).
  • Layer 7 firewall rule empty
    Locked · 0 Votes · 2 Posts · 3k Views
    T: You need to visit the Traffic Shaper and create a Layer7 container. Here you create the block or queueing rules, and then you can apply this container to a firewall rule.
  • How to make "transparent" firewall?
    Locked · 0 Votes · 2 Posts · 2k Views
    T: I believe using 1:1 NAT mappings on the external one should accomplish this. Map each of the external IPs to a virtual IP (of your choosing) on the segment between the two firewalls (the inner firewall would be listening on these virtual IPs). Then create firewall rules on the outer one that pass all traffic directed to/from those IPs. Since your lines are of different sizes, you'll need to put the shaper on the external firewall to make much sense.
  • pfSense firewall settings to block Facebook
    Locked · 0 Votes · 4 Posts · 11k Views
    GruensFroeschli: Threads are autolocked if there is no reply for a year. I unlocked the linked thread.
  • TFTP provisioning for IP phone
    Locked · 0 Votes · 2 Posts · 3k Views
    K: I went to System > Advanced > Firewall/NAT tab. Near the bottom it says TFTP Proxy. I highlighted WAN & LAN and clicked Save. This allows the phones to connect to the TFTP server and pull down new firmware.
  • How to Block LAN Subnet?
    Locked · 0 Votes · 4 Posts · 2k Views
    GruensFroeschli: I don't really understand what you want, but: to allow access from a single IP, set in the source of a firewall rule: "IP_you_want_to_allow/32"
  • VPN Connection
    Locked · 0 Votes · 1 Post · 1k Views
    No one has replied
  • How do you block CHINESE hacks/intrusions/scans?
    Locked · 0 Votes · 5 Posts · 2k Views
    J: @Cino: by default everything is blocked coming into your WAN interface. If you only want US, CA, AUS, NZ ranges, use Country Block. It has an option to select every list; then you uncheck US, CA, AUS, NZ… They will block all the country ranges before the rules you add. You are looking at a lot of aliases and inbound rules the other way if you want to have, let's say, a web server behind the fw. Thank you all for the guidance. This issue can be closed.
  • [SOLVED] Really can not deal with rules and NAT
    Locked · 0 Votes · 3 Posts · 2k Views
    J: I was struggling with my issue for a couple of days, but today it really turned out to be a problem of router restart. I could not imagine that there could be a situation with FreeBSD acting like Microsoft products :) If something does not work, try to restart the computer :). Anyway, I restarted the router, which had been online for 1.5 years, and everything fell into place; the rules started to work. To be honest, I could not find any info relating to such issues, nor can I comment on it in more depth. For now, the issue is considered solved.
  • Cisco VPN won't go through…
    Locked · 0 Votes · 3 Posts · 2k Views
    _: Do you have a WAN rule allowing ESP? If not, try this. Maybe you need AH too. Give it a try. Action pass, Interface WAN, Protocol ESP, any to any. Maybe you need a UDP rule too, allowing ports 4500 and 500. On the other side, maybe you are allowed to change the Cisco client to TCP and try connecting with this.
  • Display unused rules
    Locked · 0 Votes · 2 Posts · 2k Views
    jimp: No. pf will keep per-rule stats (you can see them with pfctl -vvsr from Diagnostics > Command), but any time the filter is reloaded the counts on the rules are lost; they are not kept over time.
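The per-rule counters jimp describes are usable for finding unused rules if you snapshot them before a reload throws them away. The following Python is an added example for this page, not code from the thread or from pfSense: it parses `pfctl -vvsr` output, adds up the deltas between successive snapshots, treats a counter that went backwards as a filter reload, and reports rules whose accumulated packet count is still zero. The two snapshots embedded below are constructed sample output (rule text and numbers invented for the demo); `snapshot()` shows how a live sample would be taken on the firewall itself.

```python
"""Accumulate pf per-rule counters across filter reloads.

`pfctl -vvsr` prints Evaluations/Packets/Bytes per rule, but the counters
reset whenever the ruleset is reloaded. Sampling periodically and summing
the deltas (a counter that went backwards means a reset, so its whole current
value is new) gives long-term totals; a rule with zero packets over weeks is
a candidate for removal.
"""
import re
import subprocess

RULE_RE = re.compile(r'^@(\d+)\s+(.*)$')
STATS_RE = re.compile(
    r'Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)')

# Constructed sample: first snapshot.
SAMPLE_T0 = """\
@0 block drop in log all label "Default deny rule IPv4"
  [ Evaluations: 1200      Packets: 340       Bytes: 27200       States: 0     ]
  [ Inserted: uid 0 pid 63211 State Creations: 0     ]
@1 pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN to any"
  [ Evaluations: 1200      Packets: 9800      Bytes: 7300000     States: 12    ]
  [ Inserted: uid 0 pid 63211 State Creations: 350   ]
@2 pass in quick on em0 inet proto tcp from any to 192.168.1.10 port = 443 flags S/SA keep state label "USER_RULE: web"
  [ Evaluations: 860       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 63211 State Creations: 0     ]
"""

# Constructed sample: second snapshot, taken after a filter reload that also
# inserted a new rule (@2) and shifted the old @2 down to @3.
SAMPLE_T1 = """\
@0 block drop in log all label "Default deny rule IPv4"
  [ Evaluations: 50        Packets: 12        Bytes: 960         States: 0     ]
  [ Inserted: uid 0 pid 63300 State Creations: 0     ]
@1 pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN to any"
  [ Evaluations: 50        Packets: 400       Bytes: 300000      States: 9     ]
  [ Inserted: uid 0 pid 63300 State Creations: 20    ]
@2 pass in quick on em0 inet proto tcp from any to 192.168.1.10 port = 80 flags S/SA keep state label "USER_RULE: http"
  [ Evaluations: 30        Packets: 3         Bytes: 180         States: 1     ]
  [ Inserted: uid 0 pid 63300 State Creations: 1     ]
@3 pass in quick on em0 inet proto tcp from any to 192.168.1.10 port = 443 flags S/SA keep state label "USER_RULE: web"
  [ Evaluations: 30        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 63300 State Creations: 0     ]
"""


def parse_pfctl_vvsr(text):
    """Return {rule_text: (evaluations, packets, bytes)} from `pfctl -vvsr` output.

    Keyed by the rule text rather than the @number: numbers shift whenever a
    rule is inserted or removed on reload, the text does not."""
    stats = {}
    current = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = m.group(2).strip()
            continue
        m = STATS_RE.search(line)
        if m and current is not None:
            stats[current] = tuple(int(x) for x in m.groups()[:3])
            current = None
    return stats


def accumulate(totals, previous, current):
    """Add per-rule deltas between two successive snapshots into `totals`.

    If a counter is lower than last time the filter was reloaded in between,
    so everything counted since the reset is the current value itself."""
    for rule, now in current.items():
        last = previous.get(rule, (0, 0, 0))
        delta = tuple(n if n < p else n - p for n, p in zip(now, last))
        tot = totals.get(rule, (0, 0, 0))
        totals[rule] = tuple(t + d for t, d in zip(tot, delta))
    return totals


def unused_rules(totals):
    """Rules whose accumulated packet count is still zero."""
    return sorted(r for r, (_, pkts, _) in totals.items() if pkts == 0)


def snapshot():
    """Live snapshot on the firewall itself (needs root). Not used by demo()."""
    return parse_pfctl_vvsr(subprocess.check_output(["pfctl", "-vvsr"]).decode())


def demo():
    """Run the two constructed snapshots through the accumulator."""
    first = parse_pfctl_vvsr(SAMPLE_T0)
    second = parse_pfctl_vvsr(SAMPLE_T1)
    totals = accumulate({}, {}, first)        # first sample: everything counts
    return accumulate(totals, first, second)  # second sample: deltas, reset-aware


if __name__ == "__main__":
    totals = demo()
    for rule, (evals, pkts, byts) in totals.items():
        print(f"{evals:>8} {pkts:>8} {byts:>10}  {rule}")
    print("never matched:", unused_rules(totals))
```

Run `snapshot()` from cron every few minutes, persist the last snapshot and the totals (a JSON file is enough), and the "web" rule above shows up as unused even though the live counters were reset twice in the meantime.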
  • Please Help
    Locked · 0 Votes · 2 Posts · 1k Views
    T: Hello. There are several examples all over the forums. Also look at the documentation wiki to find articles like Port Forward Troubleshooting. Search around a little more. The information you are looking for is everywhere.
  • MOVED: VPN CheckPoint no pfSense
    Locked · 0 Votes · 1 Post · 949 Views
    No one has replied
  • Firewall drop stats / pfSense firewall log analyzer
    Locked · 0 Votes · 3 Posts · 7k Views
    A: m4rcu5, I ended up writing a VERY simple and rough solution in Python that used regular expressions to find the parts I wanted and submit them into a MySQL database. If you are interested I will send you the code.

    UPDATE: Here is the code

```python
#!/usr/bin/env python3
import datetime
import os
import re
import urllib.request
from xml.etree import ElementTree as ET

import MySQLdb  # provided by the mysqlclient package

# API key for ipinfodb.com (IP -> lat/long lookup)
apikey = "GET YOUR OWN KEY"
url = "http://api.ipinfodb.com/v2/ip_query.php?key=" + apikey + "&ip="

# input: pre-grepped firewall log lines; error log; flat-file output
input_file = open('/home/user/pfsenseparser/grepped.log', 'r')
error_output = open('/home/user/pfsenseparser/error.log', 'a')
output = open('final.txt', 'a')

# MySQL connect (assumes database "pfsenseparser", user "user", password "password")
db = MySQLdb.connect(host="localhost", user="user", passwd="password", db="pfsenseparser")
cursor = db.cursor()

# what time is it?
now = datetime.datetime.now()
error_output.write('<------Started at: ' + now.strftime("%Y-%m-%d %H:%M") + '--->\n')

# number of new / existing entries seen this run
num_new_data = 0
num_exist_data = 0
# set testing = 0 for a dry run: no SQL writes, no file writes, no mail
testing = 1
# placeholder (never defined in the posted script): -1 means "not a reserved address"
reservedip = -1

# log-line regex built with www.txt2re.com
re1 = r'((?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Sept|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?))'  # month
re2 = r'.*?'  # non-greedy filler
re3 = r'((?:(?:[0-2]?\d{1})|(?:[3][01]{1})))(?![\d])'  # day
re4 = r'.*?'
re5 = r'((?:(?:[0-1][0-9])|(?:[2][0-3])|(?:[0-9])):(?:[0-5][0-9])(?::[0-5][0-9])?(?:\s?(?:am|AM|pm|PM))?)'  # hh:mm[:ss]
re6 = r'.*?'
re7 = r'(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![\d])'  # uninteresting: the firewall's own IP
re8 = r'.*?'
re9 = r'((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\d])'  # IPv4 address 1 (source)
re10 = r'.*?'
re11 = r'(\d+)'  # integer 1 (source port)
re12 = r'.*?'
re13 = r'((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\d])'  # IPv4 address 2 (destination)
re14 = r'.*?'
re15 = r'(\d+)'  # integer 2 (destination port)
rg = re.compile(re1 + re2 + re3 + re4 + re5 + re6 + re7 + re8 + re9 + re10 + re11 + re12 + re13 + re14 + re15,
                re.IGNORECASE | re.DOTALL)

for line in input_file:
    m = rg.search(line)
    if not m:
        continue
    month1, day1, time1, ipaddress1, int1, ipaddress2, int2 = m.groups()

    # ipaddress1 is the one we want; see if it is in the database before we ask ipinfodb
    cursor.execute("SELECT * FROM pfsenseparser WHERE Ip_Address = %s", (ipaddress1,))
    ipcheck = ""
    daycheck = timecheck = None
    for row in cursor.fetchall():
        daycheck = row[2]
        timecheck = row[3]
        ipcheck = row[4]

    if ipcheck != ipaddress1:
        # this is a new IP address: look up its location
        error_output.write(ipaddress1 + ' = New Data\n')
        with urllib.request.urlopen(url + ipaddress1 + "&timezone=false") as urlobj:
            dom = ET.XML(urlobj.read())
        city = dom.findtext("City") or ""
        country = dom.findtext("CountryName") or ""
        region = (dom.findtext("RegionName") or "").replace("'", "")
        lat = dom.findtext("Latitude") or ""
        lon = dom.findtext("Longitude") or ""
        if testing == 1:
            cursor.execute(
                "INSERT INTO pfsenseparser (Month,Day,Time,Ip_Address,Port_Num,Lat,Longitude,"
                "City,Country_Name,Region,Num_Connect,Type) "
                "VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,1,'firewall')",
                (month1, day1, time1, ipaddress1, int2, lat, lon, city, country, region))
            db.commit()
            output.write(",".join([month1, day1, time1, ipaddress1, int1, lat, lon, ipaddress2, int2]) + "\n")
        num_new_data += 1
    elif timecheck != time1 and daycheck != day1 and reservedip == -1:
        # existing IP address but not a duplicate line: bump its connection count
        cursor.execute("SELECT Num_Connect FROM pfsenseparser WHERE Ip_Address = %s", (ipaddress1,))
        for row in cursor.fetchall():
            num_new = int(row[0]) + 1
            if testing == 1:
                cursor.execute("UPDATE pfsenseparser SET Num_Connect = %s WHERE Ip_Address = %s",
                               (num_new, ipaddress1))
                db.commit()
        num_exist_data += 1

now2 = datetime.datetime.now()
if testing == 1:
    # send me a text
    os.system("echo 'parser.sh just ran with %d new entries and %d existing entries' | mailx youremailhere"
              % (num_new_data, num_exist_data))
    # record the run and whether it produced new data
    cursor.execute("INSERT INTO pf_meta (Last_Run,New_Data) VALUES (NOW(),%s)",
                   ('Y' if num_new_data != 0 else 'N',))
    db.commit()
    error_output.write('Ended at: ' + now2.strftime("%Y-%m-%d %H:%M") + ' with ' + str(num_new_data)
                       + ' new entries and ' + str(num_exist_data) + ' existing entries\n')
else:
    os.system("echo 'Just Testing' | mailx youremailhere")
db.close()
```

    Like I said, this is very rough. I have a MySQL database set up with the correct tables. My end goal was to view the data in a web browser and in Google Maps. This is why I used the ipinfodb.com lat/long lookup. If I find time I will post a more comprehensive how-to on my blog. Link to follow…

    Link to more info: http://blog.poultonfam.com/brad/2011/04/18/custom-pfsense-firewall-log-analyzer/
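The posted script targets the older syslog line format. From pfSense 2.2 on, the firewall writes its log through filterlog as CSV records; the following Python is an added example (not the thread author's code and not part of pfSense) that parses that record layout, keeps only inbound blocks on the WAN interface, counts them per source address and per destination port, and sets aside the WAN DHCP broadcast chatter (port 67 to 255.255.255.255:68) from the "Blocking constant hits" thread above so that it does not pollute the counts. The field order follows the pfSense filterlog documentation for 2.2+ (IPv6 records list protocol text before protocol id, the opposite of IPv4, so the code picks whichever of the two is non-numeric); the log lines and the WAN interface name em0 are constructed sample data.

```python
"""Summarise blocked traffic from pfSense 2.2+ filterlog lines.

Record layout (per the pfSense filterlog docs):
  rule-number, sub-rule, anchor, tracker, interface, reason, action,
  direction, ip-version, then
  IPv4: tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst
  IPv6: class, flow-label, hop-limit, proto-text, proto-id, length, src, dst
  then for tcp/udp: src-port, dst-port, ...
"""
import csv
from collections import Counter

FILTERLOG_MARK = "filterlog: "

# Constructed sample: syslog lines as a pfSense 2.2+ box would emit them.
SAMPLE_LOG = """\
Apr 18 10:01:02 fw filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,44321,22,0,S,1234567,,65535,,mss;sackOK;TS;nop;wscale
Apr 18 10:01:03 fw filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,44322,23,0,S,1234568,,65535,,mss;sackOK;TS;nop;wscale
Apr 18 10:01:04 fw filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,51,777,0,DF,6,tcp,60,203.0.113.77,198.51.100.2,51000,22,0,S,99,,29200,,mss;sackOK;TS;nop;wscale
Apr 18 10:01:05 fw filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,255,0,0,none,17,udp,328,198.51.100.1,255.255.255.255,67,68,308
Apr 18 10:01:06 fw filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,54,0,0,none,1,icmp,84,203.0.113.9,198.51.100.2,request,23456,0
Apr 18 10:01:07 fw filterlog: 9,,,1000000105,em1,match,pass,in,4,0x0,,128,4321,0,DF,6,tcp,52,192.168.1.20,198.51.100.9,50000,443,0,S,5,,8192,,mss;nop;wscale;nop;nop;sackOK
Apr 18 10:01:09 fw filterlog: 5,,,1000000103,em0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::5,2001:db8::2,40000,22,0,S,42,,65535,,mss;sackOK;TS;nop;wscale
Apr 18 10:01:10 fw sshd[2311]: Accepted publickey for admin from 192.168.1.20 port 50123 ssh2
"""


def parse_filterlog(line):
    """Parse one syslog line carrying a filterlog CSV record; None if it is not one."""
    if FILTERLOG_MARK not in line:
        return None
    f = next(csv.reader([line.split(FILTERLOG_MARK, 1)[1]]))
    rec = {"rule": f[0], "iface": f[4], "action": f[6], "dir": f[7], "ipver": f[8]}
    if f[8] == "4":
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif f[8] == "6":
        # docs give proto-text before proto-id for IPv6; take the non-numeric one
        proto = f[12] if not f[12].isdigit() else f[13]
        src, dst, rest = f[15], f[16], f[17:]
    else:
        return None
    rec.update(proto=proto, src=src, dst=dst, sport=None, dport=None)
    if proto in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = int(rest[0]), int(rest[1])
    return rec


def summarise(lines, wan_iface="em0"):
    """Count inbound blocks on the WAN per source and per (proto, dst port).

    DHCP server broadcasts from the upstream segment (port 67 -> 255.255.255.255:68)
    are noise, not probes; they are counted separately instead of per source."""
    blocked_src = Counter()
    blocked_dport = Counter()
    dhcp_noise = 0
    for line in lines:
        r = parse_filterlog(line)
        if r is None or r["action"] != "block" or r["dir"] != "in":
            continue
        if r["proto"] == "udp" and r["dport"] == 68 and r["dst"] == "255.255.255.255":
            dhcp_noise += 1
            continue
        if r["iface"] != wan_iface:
            continue
        blocked_src[r["src"]] += 1
        if r["dport"] is not None:
            blocked_dport[(r["proto"], r["dport"])] += 1
    return blocked_src, blocked_dport, dhcp_noise


def demo():
    """Run the constructed sample through summarise()."""
    return summarise(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    src, ports, noise = demo()
    print("blocked sources:", src.most_common())
    print("blocked ports:", ports.most_common())
    print("DHCP broadcast lines set aside:", noise)
```

On a real box feed it `clog /var/log/filter.log` output (or the remote syslog copy) and swap the interface name for your WAN; the per-port counter is the quickest way to see whether a burst of drops is a scan of one service or background noise spread across many.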
  • Enable/Disable firewall rules using shell
    Locked · 0 Votes · 3 Posts · 3k Views
    E: Great! That's what I need! Thanks.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.