• Block by URL or hostname instead of IP

    Locked
    11
    0 Votes
    11 Posts
    10k Views
    jimpJ
    Nesting of aliases is supposed to work, not sure if some logic is missing or what. Open a ticket on http://redmine.pfsense.org with your testing and what you found, include the full output of the pfctl commands you ran, and also attach copies of rules.debug.
  • Firewall Bridge…....Allow All

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    C
    You may attract more help posting in the appropriate vpn section of this forum, since that appears to be the discriminating factor.
  • PF version

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Cry HavokC
    The version of the underlying version of FreeBSD ;)
  • TCP:S dual Pfsense

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    C
    You need a pass rule on pf1 LAN to allow hosts to reach OPT2/ their gateway, no?
  • Unable to restrict LAN interface

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    Are you using DNS forwarding? If so, LAN clients will need access to port 53 of the LAN address.
  • Block port 80 but allow IM

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    Z
    It works when I allow all the listed ports there, not just one. Thanks guys.
  • DMZ and Protected on same NIC

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    C
    Possibly both. For sure you have to enable it in pfsense. The game may or may not attempt to use it automatically. If not, you may have to jump into the game preferences and turn it on. A game that is as nasty about open ports as you described almost certainly will support upnp, unless it's so old that the developers of the time had not yet heard of firewalls ;)
  • Tagging ethernet frames

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C
    The most common scenario where you would tag an ethernet frame is for vlans, and it's not pfsense that does the tagging, but the switch or the host NIC itself.
  • How to tell what mac address or ip address is using the most bandwidth?

    Locked
    4
    0 Votes
    4 Posts
    9k Views
    jimpJ
    Using that page works somewhat but the data does not stay visible for long. Someone would have to be sending tons of traffic to show there continually. Using one of the longer term graphing packages would be more effective, or using something like iftop which collects stats over a bit more time rather than starting fresh every couple seconds.
  • Add more than one alias in a rule

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    T
    @jimp: No, but in 2.0 you can make an alias that includes other aliases (nesting), and then use that in your rule. So:
    Alias A: 1.1.1.1, 1.2.2.2
    Alias B: 1.3.3.4, 1.4.4.4
    Alias C: Alias A, Alias B
    And then your rule would use Alias C.
    Thanks, I can live with that :)
  • Firewall help

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Opt interface internal connectivity but no internet.

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    Probably not, but you can confirm what happens with packet captures. Did you change outbound NAT at all?
  • Double service name on /status_services.php page

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    You can download a config backup, edit out the second <service>…</service> tag for that and then restore the backup. Check for a duplicate <menu> entry also.
  • 0 Votes
    4 Posts
    4k Views
    chpalmerC
    Works well! My kids hate it…
  • How/why is port 443 allowed by default?

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    O
    hi @ all, Not sure why the firewall is allowing HTTPS through. --> hmmm, ssl login to gmx f.e. or ebay Also, I cannot block ICMP. I have tried to "block all" and "block icmp" and nothing can block ICMP. --> you can't block, I can ;) Block ICMP LAN net * * * *   Block LAN Ping
  • WTF is OCSP.MIA1.VERISIGN.COM

    Locked
    3
    0 Votes
    3 Posts
    6k Views
    O
    aaaahhhhh is verisign from pfsense firewall ??????? http://www.verisign.com/static/005296.pdf -------- RESULT is not a risk!!! it's for security :D http://www.soft-ware.net/tipps/tipp27/Verbindung-zu-crlverisigncom-sicher.asp don't panic! CLOSED
  • Blocking log entry no working?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    That's common to see on Cable networks. It's just DHCP traffic from your provider. That will always be logged unless you (a) disable the "block private networks" rule under Interfaces > WAN, and (b) add a rule at the top of your WAN firewall rules that blocks UDP from any port 67 to 255.255.255.255 port 68
  • [SOLVED] Periodic update of URL based Aliases

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    C
    Thanks for the heads up, I'll stick to URL Tables then. Cheers
  • FTP TCP-S How To Allow It?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    O
    ok sorry! it was a server problem … I CAN DOWNLOAD and now I am happy! THANKS CLOSED
  • Firewall block all rules

    Locked
    11
    0 Votes
    11 Posts
    11k Views
    C
    The rules take priority from the TOP to the bottom, so Block * WAN * will refuse any allows that appear after it. To fix this, move your block statement to the very bottom of your list, and all will be fixed. Change your rules to look like this:
    TCP/UDP * * * 6666 *   OpenVPN
    TCP/UDP * * * 3333 *   NAT Squid Port Forward
    TCP/UDP * * * 110 *   Allow WAN POP
    TCP/UDP * * * 995 *   Allow WAN POP SSL
    TCP/UDP * * * 143 *   Allow WAN IMAP
    TCP/UDP * * * 993 *   Allow WAN IMAP SSL
    TCP/UDP * * * 25 *   Allow WAN SMTP
    TCP/UDP * * * 465 *   Allow WAN SMTP SSL
    TCP/UDP * * * 587 *   Allow WAN SMTP TLS
    TCP/UDP * * * 21 *   Allow WAN FTP
    UDP * * * 123 *   Allow WAN NTP
    ICMP * * * * *   Allow Ping
    TCP * * * 4804 *   Allow BunkerTV Radio
    TCP/UDP 192.168.10.25 * * * *   Allow Only Lafoffice01
    * * * * * *   Block WAN ALL
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.