• Can not block anything with Rules

    Locked · 0 Votes · 2 Posts · 1k Views
    Cry Havok
    If you want to block access to web sites I would strongly recommend you use Squid and SquidGuard, instead of attempting to use firewall rules. Web sites may resolve to many different IP addresses and you didn't say:
    - Whether the client is using a proxy server
    - What the IP addresses are in the alias
  • Is any question stupid? pfSense is blocking all external access WTH?

    Locked · 0 Votes · 10 Posts · 12k Views
    K
    First of all thanks to brcisna, Cry Havok, cmb; any help when you are about to get an axe to fix the glitch is great. I finally managed to make it work. I started from scratch with a reset to factory defaults, used the same configuration for WAN and LAN, and did not add a VIP (yet). And of course all traffic was being blocked again. Then I added a simple rule for incoming HTTP into a custom port 8088. Still not working, so I deleted the rule and did a port forward, and only then the thing worked. It's strange, as before I had added rules, and a port forward was added too, but (and maybe I'm too sleep drunk as it's 4:30am and I've been up since yesterday) it seems that you need to add a port forward and let pfSense create the rule in the firewall. I don't see what the difference is, but hey, if it works it works. I'll go from here and after all the port forwards/rules are working, I will start playing with VIP and 1:1 mapping (which was my initial objective in moving to pfSense anyway). Thanks, K
  • OPT Interface 4 in Watchguard 500

    Locked · 0 Votes · 2 Posts · 1k Views
    stephenw10
    I have something similar set up for my wifi interface. Devices connected to wifi can only access the internet and not any internal subnets. First I set an alias, I called it LOCAL, as 192.168.0.0/16. That covers all the IPs I'm using internally; you may have something different. Then I set a firewall rule on the wifi interface:
    Allow - tcp/udp - source: wifi subnet - destination: !LOCAL
    Then another:
    Allow - tcp/udp - source: wifi subnet - destination: Wifi Interface - port 53
    This allows local DNS forwarding. By default everything else is blocked. This doesn't stop other interfaces accessing devices on wifi though. Steve
  • 0 Votes · 4 Posts · 3k Views
    jimp
    We keep saying RC1 will drop any day now… So hopefully soon. :-)
  • MOVED: PPTP VPN through pfSense fails

    Locked · 0 Votes · 1 Post · 866 Views
    No one has replied
  • Ports for print services

    Locked · 0 Votes · 3 Posts · 1k Views
    Cry Havok
    If you don't want to allow all, the exact ports you need will depend on what operating systems and file/print sharing protocols you're using. SMB/CIFS requires different ports to NFS or others. Similarly, if you're using IPP for printing that requires different ports than if you're using LPD or CIFS/SMB.
  • Network Traffic difference

    Locked · 0 Votes · 7 Posts · 2k Views
    S
    I have done:
    * Edit /boot/loader.conf.local
    * Change kern.ipc.nmbclusters="0" to kern.ipc.nmbclusters="32768"
    * Reboot the pfSense router
    Then the difference problem was solved. The heavy usage was due to Microsoft Update; I cancelled all of them and now it's working fine.
  • Routing problems, IMAP & firewall rejection.

    Locked · 0 Votes · 3 Posts · 3k Views
    J
    I'll prepare a diagram and post it to the forum, if that may help, but in FW-A there is no NAT. Only manual routes to subnets (already NATed) on FW-B. For now, here is a textual representation of the process. For example let's assume that 10.10.10.0/24 are routable addresses (real internet addresses) and 192.168.0.x/24 non-routable (e.g. local).
    FW-A configuration involves 2 NICs:
    - WAN: 192.168.0.5/24 (I know that this is non-routable, but I switch internet subnets on another machine before here, and do not do NAT on this, just pure routing. And there everything works.)
    - LAN: 10.10.10.1/24
    FW-B configuration involves several NICs, of which one is WAN and the others are OPT for each individual VLAN, and NAT is involved here:
    - WAN: 10.10.10.2/24
    - LAN1: 192.168.1.1/24 - whole network here
    - LAN2: 192.168.2.1/24 - whole network here
    According to my understanding, if a packet comes in on FW-A looking for an IP from the FW-A LAN subnet, then it stays there, if the WAN rules are OK. Because this packet anyway appears on WAN, rather than LAN. And routing is done via simple transferring of data to the relevant NIC port, as the FW knows the subnet there. In case a packet should go to another subnet (via static routing), then so as not to allow this packet to go out again to the FW-A WAN gateway, I direct them to the FW-B WAN IP address, which is specified in the static routes of pfSense. From here comes the process:
    1. Packet arrives at FW-A WAN 192.168.0.5/24 looking for the reverse proxy for IMAP in the DMZ, for example on IP 10.10.10.10/24.
    2. Due to a specific WAN rule, this packet is allowed to go to this proxy, and the connection is made.
    3. This proxy proxies this packet to the IMAP server (according to DNS) in the FW-B controlled subnet in a specific VLAN, for example 192.168.1.10/24.
    4. In this case the packet from the IMAP proxy arrives on the LAN port of FW-A, as it comes out from LAN subnet 10.10.10.0/24. It comes into the FW and understands that there are no interfaces for subnet 192.168.1.0/24, and looks for a record in static routes.
    5. The static routes record says that if, on the FW-A LAN port, a packet asks for the 192.168.1.0/24 subnet, route it to 10.10.10.2/24, which is on the same LAN port network, but actually is the WAN of FW-B.
    6. Afterwards FW-B takes care of NAT and routes the exact packet to the specific server.
    The problem arises in the fact that in this case responses on the FW-A LAN port are OK, but why are they blocked, if FW-A LAN rules say allow any to any? The second: when I experimented with NAT and rules, if I forward to 10.10.10.2/24, then nothing works; I have to make FW rules for exactly the NATed subnet, in my case 192.168.1.10/24. Why is it so? Hope this makes the situation a little bit clearer. Working on the diagram.
    [EDIT]: NAT is done on the FW-B WAN port (Port Forward tab), stating that if the WAN port external IP (from 10.10.10.0/24, or specifically a VIP on the FW-B WAN port) with external ports are such and such, NAT them to IP 192.168.1.0/24 with port numbers such and such. If I define FW rules for the 10.10.10.0/24 IP address, nothing works at all. I have to define WAN rules for the 192.168.1.0/24 LAN, despite the fact that it is not on the WAN network port.
  • How to redirect ?

    Locked · 0 Votes · 7 Posts · 3k Views
    D
    The problem with Squid is its lack of support for load balancing, but on the other hand it's a package that cannot be installed on just any system because of the resources it needs. And is there no manual way to put in a rule that reads an alias of hosts and does the redirect? Captive portal might work but it's hard to set up all the whitelisted MACs in pass-through.
  • 0 Votes · 1 Post · 1k Views
    No one has replied
  • MOVED: How to Block computer all websites except for one website..?

    Locked · 0 Votes · 1 Post · 955 Views
    No one has replied
  • Need help (albeit basic) identifying FW log weirdness

    Locked · 0 Votes · 6 Posts · 2k Views
    C
    OK, so I've just got in and checked the logs. It's full of those weird entries that seem to originate from my WAN address to the Internet. Image attached with my IP blocked out. A raw log output of some of these entries reads as follows (again, starred out my IP):
    pf: ...114.58775 > 209.85.229.188.5228: Flags [FP.], cksum 0x2550 (correct), seq 0:74, ack 1, win 32044, options [nop,nop,TS val 1648272 ecr 486655357], length 74
    pf: ...114.60183 > 17.172.237.93.5223: Flags [FP.], cksum 0xb104 (correct), seq 0:37, ack 1, win 32965, options [nop,nop,TS val 21515052 ecr 1739744880], length 37
    On this occasion, these seem to be the main 2 addresses the WAN is trying to connect to. That would be a Google address and an Apple address. The only thing this (Apple) attempt is going to be (at least from the inside of my LAN) is 1 iPhone. That still doesn't explain pfSense showing the WAN interface sending traffic however. The block rule that fires for these 2 blocks and all others that are attempting to leave via the WAN with the WAN address as the sending address is:
    @2 block drop out log all label "Default deny rule"
    Does this help in any way to narrow down the problem? Thanks again. [image: log.png]
  • Secure firewall rules for guest access

    Locked · 0 Votes · 3 Posts · 3k Views
    T
    Hi! Thank you for your answer! I understand what you are saying. I must admit, that this was the fastest way to grant internet access for both wifi users and my neighbour. But you totally convinced me. I will re-arrange my network first. Unfortunately I'll have to keep my primary router for VOIP which makes everything a little bit more complicated… :-( Today I bought "pfSense - The Definitive Guide" and started reading. Hopefully it will clear things up a bit... Again thanks a lot for your comment! Regards, Tom
  • Firewall rule not right?

    Locked · 0 Votes · 7 Posts · 3k Views
    T
    I have enabled NAT reflection… works now OK... Thank you guys! ;D
  • Rules Conversion

    Locked · 0 Votes · 5 Posts · 3k Views
    jimp
    You can group hosts and networks, and even more so in 2.0. A host in a network alias just has a /32 subnet mask. You can have port aliases as well. In 2.0 you can even nest aliases within other aliases, use hostnames, pull an alias' content from a URL…
  • Trouble isolating two subnets

    Locked · 0 Votes · 6 Posts · 3k Views
    N
    Problem solved: http://forum.pfsense.org/index.php/topic,14607.msg77308.html
  • Cannot block pop3 traffic [SOLVED]

    Locked · 0 Votes · 2 Posts · 2k Views
    L
    OK, I found the solution by myself. Groupware has pop3 (110) and pop3/s (995) enabled, and pfSense NATs both of the ports to the groupware server. On my PC I installed Avast with virus mail protection. Avast intercepts my POP client request and automatically translates the request to groupware port 995, so both of them (telnet to 110 and the POP mail client) succeed via 995. Blocking 995 as well solved the question. Obviously telnet to 110 fails if you disable the antivirus mail check. Thanks anyway, bye, luca.
  • Strange firewall behavior

    Locked · 0 Votes · 3 Posts · 1k Views
    B
    I'm sure it's something simple I'm missing. I even changed the gateway within the firewall rule itself and was still getting deny logs. Arg!!!!
  • MOVED: Country Block Question

    Locked · 0 Votes · 1 Post · 1k Views
    No one has replied
  • Port forwarding being wonky [SOLVED]

    Locked · 0 Votes · 4 Posts · 2k Views
    B
    firestrife23, curious: what made you think ALL ports were being port forwarded to the SSH port recently? Did you manually add a port number (proxy port #) in the Squid config after installing Squid initially (in the WebUI)? I would guess that was in fact your prob, as you stated this prob didn't happen until you installed Squid and lightsquid. Just trying to help things make sense, rather wondering why a reboot fixed your port forwarding problem, or so it seemed. Barry
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.