• MOVED: Disable MAC filtering

    No one has replied
  • MOVED: Configuration Freeradius help

    No one has replied
  • Add firewall port - feature request

    jimp:
    There's a reason the port fields on firewall rules are red. :-)
  • Multiple interfaces sharing a filter config: a script

    No one has replied
  • How do I set up these rules?

    Turned out I didn't have to open any ports or anything, just enabled IPsec and everything started working… Though without any rules, am I opening any security holes in my firewall? Also, will this screw up my OpenVPN setup? Thanks!
  • Captive portal and firewall

    No one has replied
  • Egress Filtering: Redirecting to Censornet on the same subnet not working

    @Cry: I'd suggest you make your allow rules specific - only allow the traffic from the host or hosts you want to allow traffic from. Then, if there is no allow rule listed, the default deny rule will apply.

    I just want to be sure I get this right..
    Source: LAN net, Port: * -> Block
    Destination: 192.168.1.2, Port: 80,443,8080 -> Pass
    And whatever other rules I have underneath to pass, or is it not necessary to create a block rule at all? Should my rule for the Censornet not state "if not Censornet, block", or will it work if those ports to destination 192.168.1.2 are the only internet ports?

    I created the rules as above and tested them now, but it seems not to work when I employ it this way. Are my source and destination rules correct? I have for the interim just checked the firewall log file:
    block Feb 23 23:19:24 LAN 192.168.1.4:60977 192.168.1.1:80 TCP:S
    I am testing from 192.168.1.4; my pfSense main box is 192.168.1.1. Am I still creating the rules wrong then, I take it? Is it possible for you to give me an example of how the rules should look, please?

    Ok, got it working:
    Delete default Allow All rule on LAN
    Create Allow rule: Source Censornet, Source Port any, Destination any, Destination Port 80,443,8080
    Working! Please let me know if this is incorrect.
  • Share internet connection only on two LANs

    I have your very setup working at my house. Here are my rules.
    Under LAN: PASS * LAN net * ! WIRELESS net * * none
    Under WIRELESS (Opt1): PASS * WIRELESS net * ! LAN net * * none

    @ketiljo: Hi, I'm fairly new to pfSense. Currently using version 1.2.3. For now I have only two NICs, WAN and LAN. On the LAN side, I have my PCs and a server for HTTP and FTP etc., plus a WL AP. I will put in another NIC so that I have one for my LAN and one for the AP. The AP is sharing internet for my tenants. Now, I don't want my tenants to have access to my LAN, hence the need for an extra NIC. I will set my LAN1 to 192.168.1.xxx and the tenants' AP on LAN2 to 192.168.2.xxx. The pfSense box will do DHCP for both LANs. How can I set the FW rules to only allow access to WAN from LAN2? I don't need access to LAN2 from LAN1, so I guess both LANs can be set to only access WAN. I still need to NAT ports to the LAN1 server. I also want to limit the bandwidth to LAN2. Is this possible with v1.2.3 or do I have to upgrade to 2.0? In any case, how do I set this up? Thanks, Ketil
  • Default Deny Rule in IPv4

    Thanks for the info, I'll give it a shot.
  • How To Route Port-Forwarded Response Back To Original Non-Default Router

    jimp:
    The problem is not in the firewall, either one of them. It's that your web server doesn't know how to properly send the traffic back where it came from. It may not have any way to distinguish that. I'm not sure Windows has any method to pull that off properly.
  • Pfctl + route-to (redirecting bot drones to a tarpit)

    @cmb: Though I agree with CryHavok, I don't think that's going to accomplish anything; the chances of that slowing down a bot-infested PC to the point that a user would notice are pretty slim.

    THX a lot. At least it will be a new quest for my "friends"… If I can't stop them, I need to feed them with some new surprises. :) Btw: Is there a working IDMS module for pfSense?
  • MOVED: Multi WAN IP

    No one has replied
  • Firewall Rules port forwarding

    jimp:
    For a port forward, you want the source to be "any" (unless you want to restrict who can connect to the port) and the destination is the internal IP (192.168.1.219 in your case). The WAN IP doesn't belong anywhere in the firewall rule for a port forward.
  • Close all active connections from a LAN-connected computer

    To kill active connections you have to go to the States table and use the "X" button to remove all states involving that IP address.  Your firewall rules will only block future connections, not active ones.
  • Pass thru multiple public IPs via a routed /28 off a /30 WAN, need help

    No one has replied
  • BLOQUECK ips

    No! Don't send him over there! I don't want to have to decipher his forum posts. :)
  • Traffic between LANs blocked despite firewall rules allowing it.

    Under Interfaces > Wireless (whichever it is named, opt1 normally), make sure that "block private networks" isn't checked. But if I understand what you're saying, when you remove the allow rules for port 80/443 on the wifi interface, then they are able to access the LAN? What if you modify the rule on the wifi interface from Destination: LAN net to the actual IP range like 192.168.200.1/24? I understand that by choosing LAN net this should do this, but it can't hurt to try?

    @jhboricua: Hi CMB, here's what the typical deny entry looks like from yesterday.
    Act  Time             If        Source                Destination        Proto
    X    Feb 10 13:45:09  Wireless  192.168.201.122:3645  192.168.200.10:53  UDP
    Because of the above, users were unable to browse the internet or internal resources that depended on DNS resolution. I had to take out the rules on the wireless interface last night because I couldn't keep this issue affecting the wireless users at my client's site any longer. They were replaced by the standard allow-all rule until I can hash out what the issue is. I still need to lock down the internet traffic originating from the wireless users to only http and https while allowing any traffic to the internal LAN, just like the rules in my opening post. I'm not sure if the rules are wrong, because to me they look ok.
  • Firewall Rules - a bit of guidance to help understand pfSense

    What do you mean you've bridged your opt1 with your LAN? Wouldn't you want to keep them separate? Otherwise you could just plug the Netgear into the switch that's connected to your LAN interface and save yourself the trouble of dealing with the firewall rules. I'm not sure they'd even be effective if the two devices are bridged.

    Anywho, you'll still need to open the said ports on your WAN interface, and create a NAT for the ports to forward to the VOIP adapter. I believe there is a package available for VOIP protocols as well (TFTP). I wouldn't understand opening the ports up to the other network unless your calls are internal to other phones on the network? (I'm assuming you mean your external calls are delayed.)

    Summary: Open ports on WAN | NAT: Port Forward to VOIP adapter IP. No additional rules needed (still assuming it's external calls with the delay). If you haven't already, make the VOIP adapter LAN IP static via your DHCP in case of a power loss.
  • Block multiple IP ranges on WAN

    If you want to block both in and out, you need one rule on the WAN specifying the source as the alias and also a block rule on the LAN tab with the destination set to the alias. There are plenty of online CIDR calculators to work out the correct notation for your network range.
  • Dual WAN NAT quits working when WAN is down.

    It appears that this issue is already being discussed. http://forum.pfsense.org/index.php/topic,31324.0.html
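Several of the threads above turn on the same three points: rules are evaluated per interface in the order listed and the first match wins, anything that matches no rule hits the implicit default deny (the Censornet thread, the two-LAN isolation thread, and the wireless thread whose log shows UDP/53 to the LAN DNS server being dropped because only TCP 80/443 was allowed), and a rule change does not touch connections that already have a state (the "close all active connections" thread). The following is an added example written for this page; it is not pfSense code and not code from any of the posters. It assumes a simplified model: one rule list per arrival interface, no floating rules, no "quick"/non-quick distinction, and a state table keyed on the packet five-tuple. The interface names, the documentation address 203.0.113.9 standing in for "the internet", and the packets are constructed; the LAN addresses are the ones quoted in the threads.

```python
"""Toy model of pfSense-style rule evaluation (added example; not pfSense code
and not from any poster). Assumed, not from the page: rules are checked on the
arrival interface in listed order, first match wins, no match means the
implicit default deny, and a packet matching an existing state skips the rules.
Interface names, 203.0.113.9 (standing in for "the internet") and the packets
are constructed; the LAN addresses are the ones quoted in the threads above."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    src: str = "any"   # CIDR or "any"
    dst: str = "any"   # CIDR or "any"; a leading "!" negates (pfSense "not")
    ports: tuple = ()  # empty = any destination port
    proto: str = "any"

    @staticmethod
    def _addr_match(spec, addr):
        if spec == "any":
            return True
        negate = spec.startswith("!")
        net = ip_network(spec.lstrip("!").strip(), strict=False)
        return (ip_address(addr) in net) != negate

    def matches(self, p):
        return (self._addr_match(self.src, p.src)
                and self._addr_match(self.dst, p.dst)
                and (not self.ports or p.dport in self.ports)
                and self.proto in ("any", p.proto))


class Firewall:
    def __init__(self, rules):
        self.rules = rules   # {interface: [Rule, ...]} in GUI order
        self.states = set()  # flows already allowed, like the state table

    def evaluate(self, p):
        if p in self.states:             # states are consulted before rules
            return "pass (existing state)"
        for rule in self.rules.get(p.iface, []):
            if rule.matches(p):
                if rule.action == "pass":
                    self.states.add(p)
                return rule.action
        return "block (default deny)"    # nothing matched

    def kill_states(self, addr):
        """Like removing a host's entries under Diagnostics > States."""
        doomed = {s for s in self.states if addr in (s.src, s.dst)}
        self.states -= doomed
        return len(doomed)


# Egress thread: default allow-all deleted, only the Censornet host goes out.
CENSORNET = {"LAN": [Rule("pass", src="192.168.1.2/32", ports=(80, 443, 8080))]}
# Two-LAN thread: each LAN reaches anything except the other LAN.
TWO_LANS = {"LAN": [Rule("pass", src="192.168.1.0/24", dst="!192.168.2.0/24")],
            "WIRELESS": [Rule("pass", src="192.168.2.0/24", dst="!192.168.1.0/24")]}
# Wireless thread: pass rules for TCP 80/443 only, so UDP/53 to the LAN DNS
# server falls through to default deny; a pass to the LAN subnet fixes it.
WIFI_BROKEN = {"WIRELESS": [Rule("pass", proto="tcp", ports=(80, 443))]}
WIFI_FIXED = {"WIRELESS": [Rule("pass", dst="192.168.200.0/24"),
                           Rule("pass", proto="tcp", ports=(80, 443))]}


def run_scenarios():
    out, inet = {}, "203.0.113.9"
    fw = Firewall(CENSORNET)
    out["censornet_out"] = fw.evaluate(Packet("LAN", "tcp", "192.168.1.2", inet, 443))
    out["other_host_out"] = fw.evaluate(Packet("LAN", "tcp", "192.168.1.4", inet, 80))
    fw = Firewall(TWO_LANS)
    out["lan_to_wan"] = fw.evaluate(Packet("LAN", "tcp", "192.168.1.10", inet, 443))
    out["lan_to_wifi"] = fw.evaluate(Packet("LAN", "tcp", "192.168.1.10", "192.168.2.5", 80))
    out["wifi_to_lan"] = fw.evaluate(Packet("WIRELESS", "tcp", "192.168.2.5", "192.168.1.10", 80))
    dns = Packet("WIRELESS", "udp", "192.168.201.122", "192.168.200.10", 53)
    out["dns_broken"] = Firewall(WIFI_BROKEN).evaluate(dns)
    out["dns_fixed"] = Firewall(WIFI_FIXED).evaluate(dns)
    # Close-connections thread: a flow allowed earlier survives a new block rule until its state is killed.
    fw, web = Firewall(WIFI_FIXED), Packet("WIRELESS", "tcp", "192.168.201.122", inet, 443)
    fw.evaluate(web)
    fw.rules = {"WIRELESS": [Rule("block")]}
    out["after_block_rule"] = fw.evaluate(web)
    out["states_killed"] = fw.kill_states("192.168.201.122")
    out["after_kill"] = fw.evaluate(web)
    return out
```

Calling `run_scenarios()` returns the verdict for each packet: the Censornet host passes and any other LAN host is default-denied; in the two-LAN setup each LAN reaches the internet but not the other LAN; the wireless DNS query is dropped by default deny until a pass rule to the LAN subnet precedes the 80/443 rule; and the already-established web flow keeps passing after the block rule is added until `kill_states` removes it, which is the point made in the "close all active connections" reply.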
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.