• Help to route to pfsense from cisco switch3560G

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    P
    @lp_code: Hi pls help attached is my network and subnet plan, pfsense as gateway 192.168.3.1/24 How to make vlan2-7 reach/access vlan8 (belong to all servers) How to make all vlan to get access to internet thru pfsense kindly help, am new to network what to be done on all 3 cisco switch and pfsense pls much appreciation J
    Well… I suppose your Cisco switches are "L3 aware" (capable of ip routing). So, the quickest, the easiest and the cleanest way to do it is:
      - to create a new vlan - let's call it internet vlan - with a new ip range.
      - to configure an ip address of this VLAN on your pfSense LAN interface
      - to configure an ip address of this VLAN on one of your 3560 - let's say the 3560 in building A
      - to add a static default route (ip route 0.0.0.0 0.0.0.0 <pfsense_ip_address>) on the same 3560
      - to use your main 3560 as inter-vlan router by configuring it as default gateway of all your VLANs.
    Of course this design is not valid if your 3560 are not L3 capable…
    But I've some questions:
      - Why don't you protect your mail server behind the pfSense?
      - Why do you need so many VLANs?
  • Firewall Rule not in GUI or in Config.xml

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • My pfsense have ports open on WAN interface

    Locked
    13
    0 Votes
    13 Posts
    6k Views
    G
    no, in the screenshot you can see [image: Schermata-9.png]
  • Communication Between LANs

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    X
    Glad you got it figured out. Next time, please let us know that this is for testing/learning purposes.
  • Packet filter on IPSEC Tunnel

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Domainname as source ip?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    N
    thank you for the reply, found the thread. http://forum.pfsense.org/index.php/topic,30182.0.html
  • Block or filter inter-LAN DAAP traffic

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    Cry Havok
    That entry is for their firewall products, not their switch. If you review their SwOS guide you'll see there is no port level filtering on the switches. You're looking to something much higher end, more like Cisco's IOS, though their lower end switches may support it too.
  • Disable NAT/Firewall?

    Locked
    6
    0 Votes
    6 Posts
    36k Views
    N
    To disable NAT, you should go to: Firewall - NAT - Outbound and then "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)" with no rules. This disables NAT. I am not sure if Multi-WAN works without firewall rules, because in the firewall rules you enter which gateway should be used. But you can create rules on every interface "Pass * * * * GW:Multi-WAN". Then you have to enter static routes on your routers or enable a routing protocol like RIP or OSPF.
    --- edit ---
    I am typing too slow ;)
  • MOVED: hyper links

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • PFsense in the Colo environment

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    dotdash
    Firewall, NAT, Outbound. (Inbound and outbound have separate rules) By default, NAT is on. If you have public IPs on your LAN, you'll want to change to manual and check the No NAT checkbox on the rule. There is a good howto around on setting up a transparent firewall, if that's what you're doing.
  • MOVED: IPV6 in my logs is making thing look untidy!

    Locked
    1
    0 Votes
    1 Posts
    974 Views
    No one has replied
  • Stateless rule not matching

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    B
    Thank you, adding a "pass out" rule manually then removing it successfully accomplished what I was trying to do.
  • Firewall: Aliases edit from console

    Locked
    18
    0 Votes
    18 Posts
    10k Views
    J
    Looks like that did it. Back to 0% usage. Thanks for your help.
  • Can not block anything with Rules

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    Cry Havok
    If you want to block access to web sites I would strongly recommend you use Squid and SquidGuard, instead of attempting to use firewall rules. Web sites may resolve to many different IP addresses and you didn't say:
      - Whether the client is using a proxy server
      - What the IP addresses are in the alias
  • Is any question stupid? pfSense is blocking all external access WTH?

    Locked
    10
    0 Votes
    10 Posts
    12k Views
    K
    First of all thanks to brcisna, Cry Havok, cmb, any help when you are about to get an axe to fix the glitch is great. I finally managed to work, I started from scratch with a reset to factory defaults. Used the same configuration for WAN and LAN, did not add VIP (yet). And of course all traffic was being blocked again. Then added a simple rule for incoming HTTP into a custom port 8088. Still not working, then deleted the rules and did a port forward and only then the thing worked. It's strange, as before I added rules, and port forward was added too, but (and maybe I'm too sleep drunk as it is 4:30am and I'm up since yesterday) it seems that you need to add a port forward and let pfSense create the rule in the firewall, I don't see what the difference is, but hey, if it works it works. I'll go from here and after all the port forward/rules are working, I will start playing with VIP and 1-1 mapping (what was my initial objective in moving to pfSense anyway).
    Thanks
    K
  • OPT Interface 4 in Watchguard 500

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    stephenw10
    I have something similar setup for my wifi interface. Devices connected to wifi can only access the internet and not any internal subnets. First I set an alias, I called it LOCAL as 192.168.0.0/16. That covers all the IPs I'm using internally, you may have something different.
    Then I set a firewall rule on the wifi interface:
      Allow-tcp/udp-source: wifi subnet-destination:!LOCAL
    Then another:
      Allow-tcp/udp-source: wifi subnet-destination:Wifi Interface-port 53
    This allows local DNS forwarding. By default everything else is blocked. This doesn't stop other interfaces accessing devices on wifi though.
    Steve
  • 0 Votes
    4 Posts
    3k Views
    jimp
    We keep saying RC1 will drop any day now… So hopefully soon. :-)
  • MOVED: PPTP VPN through pfSense fails

    Locked
    1
    0 Votes
    1 Posts
    871 Views
    No one has replied
  • Ports for print services

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    Cry Havok
    If you don't want to allow all, the exact ports you need will depend on what operating systems and file/print sharing protocols you're using.  SMB/CIFS requires different ports to NFS or others. Similarly if you're using IPP for printing that requires different ports than if you're using LPD or CIFS/SMB.
  • Network Traffic difference

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    S
    i have done
      * Edit /boot/loader.conf.local
      * Change kern.ipc.nmbclusters="0" to kern.ipc.nmbclusters="32768"
      * Reboot the pfSense router
    then the difference problem solved. then the heavy usage is due to the microsoft update, i cancelled all and now it's working fine
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.