• Netgear Stora takes over HTTP and HTTPS WAN ports

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    D
    Thanks, that did the trick!
  • MOVED: Squid Transparent Proxy Configuration Issue

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Block incoming URLs

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    ?
    It's not possible using the firewall, consider using ACLs with your web server, which can be done with IIS. Alternatively, if you really feel that you need this level of overkill, you can solve this with a reverse proxy like Varnish. No reason to do this though, ACLs with your web server are the solution.
  • Need help with configuring VLAN in PfSense

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    Please state the version of pfsense you are using. It appears from your post that things worked as expected until you tried adding an IP to the xen box. If this is the case then I would first suspect a misconfiguration in the xen box.
  • Basic ACL Push Question

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    No, it will not break existing connections when you edit a firewall rule. Editing a rule only affects new connections, not current connections. If you add a block rule (or remove a pass) you would have to clear the state(s) that would match the rule for it to take immediate effect.
  • Allowing program through the firewall

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    M
    I actually figured it out on my own, and it's exactly what you have in the image. Thanks for the help, I'm an idiot!
  • Is my box under attack?

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    chpalmerC
    If you're still unable to get in… Just for kicks, console in and use option 11...
  • Quick Books 2010 Blocked

    Locked
    9
    0 Votes
    9 Posts
    4k Views
    C
    You don't want to use the Quickbooks file direct over a VPN, it'll be WAY too slow, you could end up with data corruption issues and any number of other problems. I have a dedicated desktop VM for my company's Quickbooks and my bookkeeper has access via RDP. That's the only reasonable way performance-wise to do Quickbooks remotely.
  • (Solved) Create rules of OpenVPN's *internal* routing table

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    D
    Point 1 was the problem, that on the OpenVPN client computer exist two networks and network cards: a) Traditional LAN adapter (192.168.199.99) b) OpenVPN LAN adapter (10.10.10.5). But I was able to solve that with a client specific setting "Tunnel network" = 192.168.199.252/30. Now packets originating from this machine appear as 192.168.199.254, and that is okay for me. Point 2 is solved, too: I feared that the user at the customer's OpenVPN machine could be able to change his IP address to something else to get access to other networks, but if he does so, he'll never get answer packets back from the server. Then I have everything!!! Thanks a lot to you dreamslacker, and everyone else who wanted to help on this topic, too. Hugo
  • Port for apache

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    S
    My ISP has a so called "firewall" enabled by default on all clients. After my request they disabled it, and everything works fine now.
  • Pfsense + netgear Prosafe FVS318 firewall

    Locked
    5
    0 Votes
    5 Posts
    7k Views
    A
    Yes, ISP provided me a modem and I don't have a bridge modem. I got my setup working now by creating different subnets. Now I can control filtering from Netgear and from pfsense box.
  • Firewall log file

    Locked
    9
    0 Votes
    9 Posts
    22k Views
    jimpJ
    Edit the rule you want to log. Check the box to log. Save. That's it.
  • Lan on both sides wan and lan

    Locked
    9
    0 Votes
    9 Posts
    4k Views
    D
    I was a little spaced out. I reckon the ADSL firewall box has multiple VCs on the DSL and bridges one of them to the pfsense WAN. So your options of actually trying to route using the DSL firewall are pretty much shot. Is there any chance that you can get 4 usable interfaces on the pfsense box? If you can, then you need to set up 2 as WANs. 1 Public will NAT to the 2.0 subnet (3rd interface). The other 'WAN' would actually be connected to the DSL LAN and NAT to the 2nd private subnet (4th interface). You can then set up firewall rules on pfsense to allow communications as required between the 2 private subnets. In this instance, you would simply DMZ the pfsense 2nd WAN address on the DSL firewall (simplest option if you don't quite understand the networking concepts). A pictorial representation: [image: pfsensenat.gif]
  • Set rules by MAC address

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    E
    Doesn't exist there yet either.
  • Dual purpose pfsense, NAT + "ipless filtering bridge"

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    N
    Looks like the problem was with ESXi, specifically needing to enable promiscuous mode for bridging to work. I'm still having some minor routing issues, but I think it's working as I wished now.
  • 0 Votes
    1 Posts
    2k Views
    No one has replied
  • SSH Sessions getting cut off

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    T
    @cmb: You have asymmetric routing so you need to check "Bypass firewall for traffic on the same interface" under System>Advanced. Sorry, should have mentioned that was already done. Needed that the first day due to other routes in the network.
  • Why vlan to vlan traffic isn't blocked?

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    C
    Reject == filtered. Blocked == closed. The note about TCP/UDP just means those are the only protocols that actually return anything for reject.
  • 0 Votes
    3 Posts
    1k Views
    C
    You add a rule that matches the traffic on WAN. If it's getting blocked, your rule isn't right. Post it.
  • Vr2 port doesn't have access to its DHCP provider

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    T
    Thanks. Good to know. Learning a new thing everyday.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.