• [SOLVED] New install, client losing connectivity to pfsense

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    K
    I think I figured it out… The problem was with Norton... (don't ask... installed as a test a couple years ago, never uninstalled). It was seeing the ARP requests from pfsense when I would change access points and marking them as ARP poisoning. So then I think it would block all access to 192.168.1.1, which would obviously block my access to the internet... but not to other computers on my network... So, if you have a Mac and Norton, you have to turn off Vulnerability Protection, and really just uninstall Norton altogether.
  • Connections don't close when client closes them

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    H
    It appears to be a Firefox problem (the browser I use); it doesn't close the connections right. I downloaded from IE and the bandwidth graph drops directly after I cancel the download. So, has anyone seen this problem before?
  • CPS limiting by port

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    GruensFroeschliG
    Probably Connections per Second. If you create an allow rule for a specific port and go to "Advanced Options" you can specify a connections per second limit. Just make sure that this allow rule is above your default allow rule.
  • MOVED: Is this behavior normal:

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Utorrent + UPnP broken?

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    D
    The UDP is used for the uTP transport protocol. It can greatly increase your torrent speeds (mostly for public trackers without seedboxes like private trackers). I.e., each torrent uses the TCP port to initiate connections and communicate with the peers. Data is transported over uTP, which is connectionless, and multiple streams can be made without being limited by the single port limitation. However, they can be a PITA when it comes to traffic shaping since there is no real way to hard set the UDP port range used. You can, however, set the bandwidth hard limits to apply to uTP as well (by default, uTP is not subjected to the same limits as the regular TCP connections).
  • Firewall interface selection with bridged interfaces?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Outgoing connections are blocked but no logs are shown?!

    Locked
    10
    0 Votes
    10 Posts
    7k Views
    jimpJ
    It would have to be explicitly set up in DNS to respond to "wpad.<your domain name>" (or some variations, check the Wikipedia doc). It's not something that can be done accidentally.
  • Internet any access but not in internal networks

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    J
    @subfire91: Basically what I want to do is to have any access to internet but service specific access to other LANs. I had the same thought. I have yet to actually make my pfsense setup live (I'm pre-configuring so the transition is as quick as possible), but I had a similar issue coming from Sonicwall logic to pfSense logic. ~~What I'm going to try, as I have multiple internal interfaces, is to do a 'default deny' where the rule is: Deny: Protocol - Any; Source: (interface); Source Port: Any; Destination: !WAN. If my logic is right, that should deny any traffic not meant for the WAN, and then as said, add individual rules above that one for the specific stuff. As said I don't have the system implemented yet, but I may need to add an 'all access' rule below that one, so the processing goes: 1. Allow specifics 2. Deny non-WAN 3. Allow All. Rule 3 is important as I believe pfSense simply does nothing without a rule present, and since the Deny rule precedes the Allow, only WAN traffic should be allowed via rule 3.~~ Bah, scratch all that. Gruens I think has it right, as I forgot the 'WAN' in the dropdowns is for the actual WAN IP, not as a 'zone' kind of deal like on Sonicwalls.
  • Pfsense blocks some websites

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    A
    Update. I just realized that all webpages load fine within the DMZ and WAN. The only place where the web pages don't load completely is on the LAN. I am going to re-examine all machines on the local network to see if there are any machines that might be causing this problem. However, do you have any other suggestions?
  • DMZ Rule - destination WAN not working

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    D
    @TomBodet: Ok, I think I finally pulled my head out. The rule isn't allow DMZ server access to the WAN address, it's allow the server access to any interface that is NOT a LAN address. Right? WTF is "WAN address" for then? It is meant to allow access to the pfsense box itself from the WAN. Let's say you want to access the pfsense box via SSH from the internet, then you will set an allow rule for: Source IP: Any; Source Port: Any; Dest. IP: WAN Address; Dest. Port: 22. Without this, the firewall will drop the SSH connection inbound to the pfsense box from the WAN connection. Alternatively, if you need to block clients on the LAN from connecting to the pfsense box via SSH except, say, a known IP (say: 192.168.1.250) for your administrative machine, then you will set a Block rule as such: Source IP: NOT 192.168.1.250; Source Port: Any; Dest. IP: LAN Address; Dest. Port: 22
  • Monitoring traffic on new installation

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    There is some info in the doc wiki, but really what ports are "good" or what traffic is "bad" depends on the network and the type of traffic you're using. It's far too subjective to generalize with much accuracy. You can look up what ports those are, but if those are part of a legitimate connection, it's probably just a variation of this: http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
  • Loopback Configurations

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F
  • Accessing My Apache Server behind pfsense firewall from Internet

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • Accessing pfsense box from Internet

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    S
    @sumant1974: How to connect to pfsense box from Internet? I have a pfsense box acting as my border firewall. I want to access it from my home running internet through ssh port. And also ping to the pfsense wan ip to monitor that it is on. Please post if you can help me out. sumant. Thanks all, I have got the way to do it. Sumant
  • [Solved] Forward to different WAN address

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    V
    Thx. Since it was time-critical, we made changes to a client application and did not have to add firewall rules.
  • Unable to connect remotely by DYNDNS

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    F
    Thanks, I did it!
  • Blocking requests from an IP or country

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    ?
    With Questions 1 and 2, the problem was that you created a rule after a firewall state was already created allowing the traffic. The rule only affects all new firewall states and doesn't affect existing ones. Rather than rebooting next time, go into the state table (under Diagnostics) and either kill all the firewall states, or kill the ones that are offending. Killing only the offending states is the least intrusive. With regards to Question 3, look at the country block list package.
  • [2 wan] How to force a specific lan host to use always one gateway only.

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    K
    Yes, what is needed is a rule that matches the traffic before any other rules and has the desired gateway selected.
  • PfSense IAX trixbox

    Locked
    19
    0 Votes
    19 Posts
    8k Views
    K
    ;D Thanks, I am here for the same kind of problem. Got a solution through this. Thanks Team K~
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.