  • Bridge firewall rules

    Locked · 5 Posts · 0 Votes · 6k Views
    Folks, I've created a new topic in the 2.0 section, as this may be a possible bug related to 2.0. http://forum.pfsense.org/index.php/topic,26479.0.html Thanks
  • Possible a bug in design?

    Locked · 5 Posts · 0 Votes · 2k Views
    Yes, if you stop the ping and restart it, you will see that it now will not work. Just reset the states (drops ALL connections) when you want to force a rule change.
  • Firewall Public IPs instead of NAT

    Locked · 2 Posts · 0 Votes · 1k Views
    It's a wild guess, but I think the public IPs are probably bypassed because you have configured pfSense to have an IP within that same IP subnet. This way traffic never gets routed to pfSense because all IPs are within the same broadcast domain. In order to get your firewall to inspect the traffic you have to place the firewall between the ISP's uplink and your configured public IPs. You do this with either:

    Routing: Obtain an extra (small) IP subnet from your ISP, configure that on your pfSense and let the ISP configure the default gateway in that same subnet. Configure the original IP range on the LAN interface of pfSense and make sure the default gateway of the VMs points to the pfSense LAN IP. Then ask your ISP to route the original subnet to the WAN IP configured on your pfSense.

    Bridging: Only assign an IP from your current IP range on the WAN interface, bridge it with your LAN interface and make sure all your VMs are attached via the LAN interface (not the WAN interface). The bridge will force the traffic to flow through the firewall so you're able to block/pass traffic.

    The first option is the most common one and pretty easy to understand, but it requires quite some changes in your environment and your ISP's. The second option requires fewer changes, but can be somewhat confusing at first with how things work and won't work together with CARP.
  • Accessing pfSense from External Network

    Locked · 9 Posts · 0 Votes · 5k Views
    jimp:
    @platinumnj: Have you been able to get external access to your pfSense box to work via the BETA version? I haven't been able to as of yet… :(

    It works fine, if your rules or VPN are configured correctly. Given the age of this thread, you should start a new one for your issue if you are not able to solve it with the information already provided here.
  • Outgoing Packets Blocked

    Locked · 1 Post · 0 Votes · 1k Views
    No one has replied
  • Is my setup correct?

    Locked · 6 Posts · 0 Votes · 3k Views
    So can corp access the Internet as well? Your rules look to be correct. What do the interface settings look like?
  • Access restriction using MAC address

    Locked · 3 Posts · 0 Votes · 4k Views
    @jimp: You cannot filter based on MAC address in that way. You could set up captive portal and restrict the LAN with a username/password login, or you could use static ARP in the DHCP settings so that only certain PCs can get out. Anyone can spoof a MAC address though, so it's not exactly an effective means of security unless you also have switches that can restrict a specific MAC to a specific port.

    Good advice. I will look into the ARP option.
  • Firewall setup

    Locked · 5 Posts · 0 Votes · 2k Views
    Wow, thanks a lot, sir Jimmy.
  • Problem with Cisco VPN client

    Locked · 1 Post · 0 Votes · 1k Views
    No one has replied
  • No access on Linux system but on Windows works perfectly

    Locked · 3 Posts · 0 Votes · 1k Views
    Yes, of course, sorry. This is a network scheme of the network: http://img517.imageshack.us/img517/3914/networkexample.jpg In the switch everything is default. Windows is Windows 7; the Linux laptop contains Linux Mint 8 and on the second disk Windows 7 (where internet and firewall connection works), this is installed on the second drive, nearly there.

    network: 192.168.2.0
    IP address def. gateway: 192.168.2.1
    Server IP: 192.168.2.2
    DHCP range: 192.168.2.10 - 192.168.2.245

    Firewall pfSense rules:
    block all traffic
    allow port 80
    allow port 53
    allow port 443
    allow icmp
    allow port 137 and 138

    The firewall is reachable, can be connected to by a special port xx93 and has an SSL certificate. If you need any more info, ask, because I'm really lost here :P
  • Question regarding mail server public IP for outbound mail

    Locked · 2 Posts · 0 Votes · 1k Views
    jimp: Define an outbound NAT rule at the TOP of the list that matches traffic from your mail server's IP address, and uses the IP you want for translation.
  • Web server back-flow rules in DMZ

    Locked · 4 Posts · 0 Votes · 2k Views
    For the destination on your DMZ interface rule, tick the 'not' box and select LAN subnet.
  • Maximum state entries per host

    Locked · 3 Posts · 0 Votes · 5k Views
    Hi jimp, thanks for your answer. I have not set up that POP3 connector, but I think I will have a talk with my colleague to set the interval higher than 1 minute (3 minutes or so). The problem: at the Microsoft POP3 connector I cannot set it up so that the e-mail mailboxes are checked one after another; it will always do the check on all mailboxes at the same time.

    I have now set up some values at the "Default LAN->Any" rule:
    Simultaneous client connection limit: 4096
    Maximum state entries per host: 1024
    Maximum new connections / per second: 512/1
    State Timeout in seconds: 180

    Global Settings:
    Firewall Mode: conservative
    Max. State Table Size: 20000

    I still get the POP3 errors. I set up the POP3 connector to a 2 minute interval; in a few weeks I will set up a direct SMTP MX record to our Exchange server. I also had these errors in the Windows event log while we had the ZyWall 10, but as I said, I set up the maximum connections per client to 1024 and the errors didn't come back again, till I installed pfSense last week. I was looking for a secure firewall and gateway, which pfSense is. But these errors, I'm sure, are triggered by pfSense… thanks + regards fabian
  •

    1 Post · 0 Votes · 1k Views
    No one has replied
  • Repeated "ipfw: install_state: entry already present, done" on console

    Locked · 2 Posts · 0 Votes · 2k Views
    I'm wondering… As this is a multi-WAN install, I have rules (pass all traffic from LAN subnet to everywhere on TCP ports 443 and 110 over the WAN-WAN2 gateway) in the firewall to ensure that outgoing HTTPS and POP3 traffic goes out through my WAN2 connection. Would the firewall display the message from the subject if the traffic was already planning on going out over WAN2, or does this rule only redirect traffic planning on going out one of the other WAN connections and doesn't bother with traffic already going out over WAN2?
  • 6 days of trying and no positive result on how to block SKYPE in PF 1.2.3

    Locked · 9 Posts · 0 Votes · 8k Views
    Latest Web GUI SquidGuard log:

    27.06.2010 19:52:20 : squid_reconfigure: Add new redirector options to Squid config.
    28.06.2010 02:52:32 : sg_reconfigure_user_db: Begin with '/var/db/squidGuard'
    28.06.2010 02:52:32 : sg_reconfigure_user_db: Nothing. User destinations list empty.
    28.06.2010 02:52:32 : sg_create_config: add rewrites: success safesearch;
    28.06.2010 02:52:32 : sg_create_config: add Default
    28.06.2010 02:52:32 : sg_redirector_base_url: Select redirector base url (http://192.168.2.1:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u)
    28.06.2010 02:52:32 : sg_reconfigure: save squidGuard config to '/usr/local/etc/squidGuard/squidGuard.conf'.
    28.06.2010 02:52:32 : squid_reconfigure: Remove old redirector options from Squid config.
    28.06.2010 02:52:32 : squid_reconfigure: Add new redirector options to Squid config.

    **Same for "Log type" in Log > Configurator log. This is the only log with non-configuration-style entries. The "Not to allow IP addresses in URL" option in Proxy Filter is working perfectly; I tested IP numbers in the browser and it blocks them:**

    Request denied by pfSense proxy: 403 Forbidden
    Reason:
    Client address: 192.168.2.245
    Client group: default
    Target group: in-addr

    **The access.log in /var/squid/log didn't reveal any useful information, just browser navigation downloaded content (jpgs, gifs, urls… not Skype related). I didn't see any Skype server IP numbers, but Skype can log in :-\ Where am I wrong? Where do I need to go?**
  • Impossible to block Microsoft or Akamai packet tcp:s

    Locked · 14 Posts · 0 Votes · 8k Views
    And my rule "block any to any" is first of all !!! I tried to disable the FTP helper and create a specific rule to open the destination port only to a specific client, but it is impossible to read the folder list of the FTP server! So is it possible to enable the FTP helper only for an alias (IP list of clients that can use FTP)? :(
  • Firewall log time and system time not aligned

    Locked · 4 Posts · 0 Votes · 12k Views
    jimp: I've seen that happen after a time zone change. It's because after a TZ change a process has to restart to pick up the new TZ, and you can't exactly stop and restart the firewall process easily. :)
  • FTP NAT Problem

    Locked · 1 Post · 0 Votes · 2k Views
    No one has replied
  • FWD port 80 from LAN to LAN

    Locked · 5 Posts · 0 Votes · 2k Views
    Yes, split DNS, I should have mentioned that.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.