• Destination/source firewall rules for LAN interfaces

    Locked
    0 Votes
    3 Posts
    4k Views
    Thanks for the reply. I had a hard time defining my question but you answered it. I came up with the question because I had read somewhere that when you add one extra LAN (OPT1) you need to check destination "not LAN subnet" for incoming traffic. The person who wrote that article may have been mistaken. I think they were under the impression that packets might accidentally flow into the other subnets. I suspected that pfSense routed traffic appropriately to the right internal IP/port but wanted to be prepared for a routing problem in case the network went down. Now I can sleep properly. :P
  • Transparent firewall - routing issues

    Locked
    0 Votes
    2 Posts
    2k Views
    jimp
    How do you have WAN/LAN setup exactly? (screenshots may help) In a transparent scenario, WAN should have an IP in the subnet you want. LAN should not have an IP in that subnet, and it should be set as a bridge to WAN.
  • Suggestions for dealing with ssh spammers?

    Locked
    0 Votes
    3 Posts
    2k Views
    Oh crap, I forgot to mention that I did try the DenyHosts package however it never seemed to work on my setup.  There were several instances of ssh login attempts while the package was running and it never did anything. But your suggestion of using a certificate is a good one.  I've thought about giving it a try, maybe I just need to take the plunge and do it.
  • Rule management with load balancing link aggregation

    Locked
    0 Votes
    4 Posts
    2k Views
    jimp
    In 2.0 you might be able to do this with Interface Groups, but in 1.2.3 you just have to duplicate rules. You could probably generalize them a little with proper use of aliases.
  • Urgent Help Need for tftp

    Locked
    0 Votes
    4 Posts
    2k Views
    Two options: Use a TFTP server that follows normal networking rules, i.e. replies with the original source and dest ports flipped. Use 2.0 with the TFTP proxy.
  • Rules for Online Games Traffic Route to OPT1, HOW?

    Locked
    0 Votes
    3 Posts
    2k Views
    You either need the ports, or the IP block, that the game will use. You can find the former with Google, most games will give you that info. The latter can be found via Google likely as well, or search ARIN for one of the provider's IPs, which should give you their full block (if it strictly goes to one IP block that will work).
  • Howto needed, want to block https Facebook

    Locked
    0 Votes
    4 Posts
    8k Views
    http://forum.pfsense.org/index.php/topic,26671.0.html
  • Lost connection to the outside

    Locked
    0 Votes
    5 Posts
    2k Views
    GruensFroeschli
    Rules are always per interface. So the rules on the WAN interface are for traffic coming in on the WAN interface and rules on the LAN interface are for traffic coming in on the LAN interface. Always seen from a point of view of the firewall.
  • Blocking Https connection

    Locked
    0 Votes
    5 Posts
    3k Views
    I don't think it is possible to be less helpful than 'nothing is working' :(
  • Nested firewalls for "defense in depth"

    Locked
    0 Votes
    6 Posts
    3k Views
    Two things: your rules should not be using "WAN address" as the destination, but '*', as otherwise you just block them from accessing the WAN IP itself, not outside hosts.  Also, you never said you wanted anyone outside the internal pfsense to be able to access the 192.168.1.0/24 hosts, so I didn't address that.  The solution there is to also stop doing NAT on the inside pfsense.
  • Ipsec multiwan vlans : cannot access my lan from remote

    Locked
    0 Votes
    2 Posts
    1k Views
    jimp
    The destination on that rule is incorrect, the IPsec tab is for traffic inside of the tunnel. In that case, the 'destination' would be your LAN subnet, or just 'any'.
  • Block and/or Redirect one IP address, best way?

    Locked
    0 Votes
    4 Posts
    2k Views
    GruensFroeschli
    Ah, I see. Well, in this case I would create an alias containing all the IPs I don't want to allow. Then use this alias in the default allow rule as: Destination: !alias (allow everything except the alias)
  • Having ping and openVPN questions.

    Locked
    0 Votes
    4 Posts
    2k Views
    jimp
    Not without more info. You'll need to supply the output of "netstat -rn" from a shell or Diagnostics > Command, and the output of "ifconfig -a" might also be helpful.
  • Sip logs

    Locked
    0 Votes
    2 Posts
    2k Views
    Looks like someone is either probing your gateway or has a misconfigured SIP client.
  • Help needed to setup firewall rules

    Locked
    0 Votes
    6 Posts
    3k Views
    jimp
    @covex: "Method 2 (split dns) from the link you've provided, it didn't do anything. Clients set to use external DNS server, should I change it to pfSense for split DNS to work?" Yes, for that kind of split DNS to work, clients should be using your pfSense box as their DNS Server.
  • [SOLVED!] routing does not work with disabled packet filter/NAT !?

    Locked
    0 Votes
    4 Posts
    3k Views
    Hi. Thanks for the help. Making the route solved the problem. I crash my head against the wall 'cause this is routing basics I should have known… :D So this case is SOLVED! Thanks a lot! Carsten
  • Block An Ip Address

    Locked
    0 Votes
    4 Posts
    4k Views
    jimp
    The traffic will be stopped unless you explicitly allow it. That said, they can still try to DoS you because you can only block packets once they've already reached you. You need to tell your ISP to block that IP address, and then it won't come down your line at all.
  • Control traffic originating from pfSense host

    Locked
    0 Votes
    3 Posts
    2k Views
    I want to lock down traffic leaving firewall for same reasons as for all other network devices. Block all and allow only what is required. And allow-and-log rules to monitor traffic and access with firewall. Thank you for responding. I will look at 2.0 and floating rules.
  • Inter Lan routing & firewall walls

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Blocking Ultrasurf and Freegate

    Locked
    0 Votes
    5 Posts
    9k Views
    Hi, I am also facing the same issue. I just disable my firewall; after that it is working fine. If you want, you can download Freegate from http://go4download.com/free-gate-6 and http://www.dit-inc.us/ is the official website for Freegate.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.