• Lan access in wan if

    Locked
    10
    0 Votes
    10 Posts
    3k Views
    C
    1. The address of the OPT1 interface will be 192.168.1.x, where x is any value from 1 to 254. 0 and 255 are reserved in a /24 network. 2. If you use pfsense's DNS forwarder and DHCP server then the clients will obtain their gateway and DNS server automatically when requesting DHCP.
  • Allow only Internet (WAN)

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    M
    The following rules on the interface GUEST worked for me: Block GUEST -> DMZ; Block GUEST -> LAN; Pass Guest -> *
  • Firewall- Blocking mac address ranges

    Locked
    7
    0 Votes
    7 Posts
    22k Views
    H
    While keeping on topic in a way, is there a way to "auto" block DHCP addresses that are not statically assigned by the DHCP server? Or conversely "auto" allow DHCP addresses that have been assigned? For example: LAN = DHCP Server statically assigns IP by MAC. All foreign MAC are assigned IP from the DHCP range and forced to go through the captive portal on the WAN. DMZ = servers/etc… I would like to have a rule on the source tab that allows all DHCP assigned IPs on the LAN side to pass through to the DMZ, everyone else (which would not be statically assigned an IP by MAC) would be denied to the DMZ. If this deserves a separate topic I can start one, but I figured it is in a way related to the OP.
  • Temporary one-time firewall pass-throughs

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    Y
    Just to keep this updated, searching for reverse captive portal eventually got me to "Netscreen WebAuth" [1] which is almost exactly what I am looking for. I have winter vacation from school until the end of January, so I will work on it over that time. [1] http://s0.m0n0.ch/wall/list/showmsg.php?id=183/81
  • Bonjour with OpenVPN

    Locked
    7
    0 Votes
    7 Posts
    7k Views
    jimpJ
    Leave them on 'none' And now that they're interfaces, make sure they also have firewall rules on their interface tabs under Firewall > Rules. That's about all there is to it.
  • Bridging Interfaces

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    C
    Your WAN and LAN are on the same network, which means it is impossible to route between them. Try this instead: eth0 = 192.168.10.9 / 24 - wan (gateway 192.168.10.5, dns 192.168.10.5); eth1 = 192.168.20.10 / 24 - lan; opt0 = 192.168.30.11 / 24 - wan2 (gateway 192.168.30.4). What are your 2 gateways in this example? Is pfsense connected to a couple of routers? modems? modems in router mode?
  • One client on WAN2 with Dynamic DNS. How ?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    S
    I don't think so, at least I can't find such a function. But how will it help? I have dynamic IP :> so I can't put it on the DNS provider.
  • Block by URL or hostname instead of IP

    Locked
    11
    0 Votes
    11 Posts
    10k Views
    jimpJ
    Nesting of aliases is supposed to work, not sure if some logic is missing or what. Open a ticket on http://redmine.pfsense.org with your testing and what you found, include the full output of the pfctl commands you ran, and also attach copies of rules.debug.
  • Firewall Bridge…....Allow All

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    C
    You may attract more help posting in the appropriate vpn section of this forum, since that appears to be the discriminating factor.
  • PF version

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Cry HavokC
    The version of the underlying version of FreeBSD ;)
  • TCP:S duel Pfsense

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    C
    You need a pass rule on pf1 LAN to allow hosts to reach OPT2/ their gateway, no?
  • Unable to restrict LAN interface

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    Are you using DNS forwarding? If so, LAN clients will need access to port 53 of the LAN address.
  • Block port 80 but allow IM

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    Z
    It works when I allow all the listed ports there, not just one. Thanx guys.
  • DMZ and Protected on same NIC

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    C
    Possibly both. For sure you have to enable it in pfsense. The game may or may not attempt to use it automatically. If not, you may have to jump into the game preferences and turn it on. A game that is as nasty about open ports as you described almost certainly will support upnp, unless it's so old that the developers of the time had not yet heard of firewalls ;)
  • Tagging ethernet frames

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C
    The most common scenario where you would tag an ethernet frame is for vlans, and it's not pfsense that does the tagging, but the switch or the host NIC itself.
  • How to tell what mac address or ip address is using the most bandwidth?

    Locked
    4
    0 Votes
    4 Posts
    9k Views
    jimpJ
    Using that page works somewhat but the data does not stay visible for long. Someone would have to be sending tons of traffic to show there continually. Using one of the longer term graphing packages would be more effective, or using something like iftop which collects stats over a bit more time rather than starting fresh every couple seconds.
  • Add more than one alias in a rule

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    T
    @jimp: No, but in 2.0 you can make an alias that includes other aliases (nesting), and then use that in your rule. So: Alias A: 1.1.1.1, 1.2.2.2 Alias B: 1.3.3.4, 1.4.4.4 Alias C: Alias A, Alias B And then your rule would use Alias C. Thanks I can live with that  :)
  • Firewall help

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Opt interface internal connectivity but no internet.

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    Probably not, but you can confirm what happens with packet captures. Did you change outbound NAT at all?
  • Double service name on /status_services.php page

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    You can download a config backup, edit out the second <service>…</service> tag for that and then restore the backup. Check for a duplicate <menu> entry also.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.