As an update after some more searching it seems like a similar, if not the same, issue was raised in February 2009 with the following discussion but does not seem resolved? http://forum.pfsense.org/index.php?topic=14382.0 I will keep on searching…

@beaven67: I knew the 1k=1 state baseline but Has anyone got pfsense running around 500,000 session in a production environment? Yes, many. I've personally gotten a 2.0 amd64 install up to around 15-16 million states.

It does matter its sorted.

We use it extensively. That's a generic Windows error, unlikely to be related to your firewall.

Dump your rules and start over.  Assuming your FTP server's IP is 172.16.10.100, change the default port to something non standard like 7431, create the following NAT Port Forward: Interface - WAN External address - any Protocol - TCP External Port Range (from) - 7431 External Port Range (to) - leave blank NAT IP - 172.16.10.100 Local Port - 7431 Description - FTP Server Check the box for "Auto-add a firewall rule to permit traffic through this NAT rule" You now need to enable PASV mode on your FTP server, enter the External (Public) IP for your network and configure a PASV port range… e.g. 30000-30200 (need at least 1 port for every connected FTP user). Create another NAT port forward for that PASV port range to your FTP server: Interface - WAN External address - any Protocol - TCP External Port Range (from) - 30000 External Port Range (to) - 30200 NAT IP - 172.16.10.100 Local Port - 30000 Description - FTP Passive Ports Check the box for "Auto-add a firewall rule to permit traffic through this NAT rule" Save, Apply, Done.

Not without manually hacking the filter.inc file to do what you want.

@lp_code: Hi pls help attached is my network and subnet plan,pfsense as gateway 192.168.3.1/24 How to make  vlan2-7 reach/access vlan8(belong to all servers) How to make all vlan to get access to internet thru pfsense kindly help,am new to network what to be done on all 3 cisco switch and pfsense pls much appreciation J Well… I suppose your Cisco switches are "L3 aware" (capable of ip routing). So, the quickest, the easiest and the cleanest way to do it is: to create a new vlan - let's call it internet vlan - with a new ip range. to configure an ip address of this VLAN on you pfSense LAN interface to configure an ip address of this VLAN on one of your 3560 - let's say the 3560 in building A to add a static default route (ip route 0.0.0.0 0.0.0.0 <pfsense_ip_address></pfsense_ip_address>) on the same 3560 to use your main 3560 as inter-vlan router by configuring it as default gateway of all your VLAN's. Of course this design is not valid if your 3560 are not L3 capable… But I've some questions: Why don't you protect your mail server behind the pfSense? Why do you need so much VLANs?

no, in the screenshot you can see [image: Schermata-9.png] [image: Schermata-9.png_thumb]

Glad you got it figured out. Next time, please let us know that this is for testing/learning purposes.

thank you for the reply, found the thread. http://forum.pfsense.org/index.php/topic,30182.0.html

That entry is for their firewall products, not their switch. If you review their SwOS guide you'll see there is no port level filtering on the switches. You're looking to something much higher end, more like Cisco's IOS, though their lower end switches may support it too.

To disable NAT, you should go to: Firewall - NAT - Outbound and then "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)" with no rules. This disables NAT. I am not sure, if Multi-WAN works without firewall rules, because in the firewall rules you enter which gateway should be used. But you can create rules on every interface "Pass * * * * GW:Multi-WAN" Then you have to enter static routes on your routers or enable a routing protocol like RIP or OSPF. –- edit --- I am typing to slow ;)

Firewall, NAT, Outbound. (Inbound and outbound have separate rules) By default, NAT is on. If you have public IPs on your LAN, you'll want to change to manual and check the No NAT checkbox on the rule. There is a good howto around on setting up a transparent firewall, if that's what you're doing.

Thank you, adding a "pass out" rule manually then removing it successfully accomplished what I was trying to do.