• Forward public Ip from pfsense to Webserver

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG
    http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F also move your webinterface to https and a non standard port.
  • Can't get more than 10k connections on an IP - Resolved – see 4th post

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    T
    This seems to have worked. I'll report the results after we see our traffic rise to more than the 10K we were blocked at. Chris' reply to the mailing list:
    Edit /etc/inc/filter.inc, find these two lines:
          $rules .= "\n";
          $rules .= "set skip on pfsync0\n";
    above those, add:
          $rules .= "set limit src-nodes 23456\n";
    or whatever number you want it to be. Save changes, edit and save a rule and apply changes to kick off a filter reload.
  • Squeezebox, internal server and streaming problems after PFsense

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    B
    the admin is on https :8080 and it is only from inside the same subnet  from the outside it works ! and yes the squeezebox got the right settings ! :-( well well  i just have to live it then! Thanks Thomas
  • Questions about firewalling pfsense

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    X
    1. wait till 2.0 is stable or get the current beta 2. yes and no, create the main rule then add a rule based off of that one 3. yes, it's done to apply the new rules to current connections, not an issue for stuff like online banking/email, only for video and some low latency connections.
  • Multiple ip Load balancing (Cpanel not allowing to login)

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    A
    cmb….it works..thanks for your reply.....
  • Populating Active Directory through a Trusted Network over IPSEC

    Locked
    1
    0 Votes
    1 Posts
    906 Views
    No one has replied
  • Forward name to internal host

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimpJ
    If you only have one public IP, you can't do that for most services. For web servers, you can try to use a reverse proxy. There are a couple packages, mod_proxy and haproxy that might be able to do this by name. For other services, they do not differentiate based on the hostname used, only the IP address. You'd have to use different port numbers for each domain. On the other hand, if you have multiple public IPs, just setup 1:1 NAT between the public IP for that hostname and the private IP you want it to match up with.
  • NFS pfctl -d weirdness

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Redirect Web Traffic from LAN to Squid Box on LAN

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    D
    Ugh, that is terrible, IMO (sending all the traffic to the squidbox). A much cleaner solution is to enable the proxy mode for your client PCs' web browsers. See this: http://nscsysop.hypermart.net/setproxy.html. Since I run my own apache web server on the LAN, I went for option #5.
  • Blocking All Traffic on Beta 4

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Access OPT1 AP from LAN

    Locked
    21
    0 Votes
    21 Posts
    11k Views
    R
    the connections that I need are - Wan - L2tp to ISP 1 Lan - home, need to be private OPT1 - Lab and at the moment B&B Wifi OPT2 - going to be connected to a routable /29 range with testing servers. OPT3 - going to be connected to ISP 2, probably PPPoE and load balanced with the wan. I'd like to separate the B&B Wifi from the lab and put caps and limits on it but I run out of interfaces.
  • Switch NICs without losing settings

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Bridge LAN and OPT1

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    R
    OK, I'm going for it… I have attached a description of my network environment along with the pfsense parameters that I have set up so far.  I want to separate my LAN and OPT1 segments for performance and traffic shaping.  I assumed that subnetting would accomplish this as reflected by my pfsense parameter choices.  However, I DO want to pass data between the segments (subnets?); i.e., attach voicemail messages to email. Bottom line - are my pfsense parameters consistent with what I'm trying to accomplish? Thanks for your input. Regards, Thomas [image: ENVIRONMENT_0001.png]
  • Soulseek

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • MOVED: Any Presetup steps to make Squidguard work - quick question

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Blocking certain username from visiting facebook

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Remote firewall rule creation?

    Locked
    15
    0 Votes
    15 Posts
    7k Views
    W
    hm, i made screens again, the rule is one of the most simple i can guess…. can u spot the wrong setting? the rule is btw -auto-created by dashboard and was -moved up in the rule order later manually by me. and http gets really blocked... ####EDIT#1##### i think it was an existing state. how could i kill those too? Yeeeeah, it's dead and it was killed by a MYSQL möppel! ####EDIT#2##### @jimp: im trying now the next: adding subnets. since im from europe, only ripe ranges are interesting through u need low latency in gaming (which makes it possible for me to get subnet info easily) they have some REST API, u can test it here: http://lab.db.ripe.net/whois/search?source=ripe&query-string=83.141.4.230 a friend already helped out with a little PHP script that can translate an ip range from ripe style (like peer2guaridan "1.2.3.4 - 2.3.4.5") to CIDR notation. (is attached for those who like...) Here u can test urself... http://www.dswp.de/IPRangeConvert.php?ip=83.141.4.230 (if no IP is passed, it will take ur ClientIP...) Now i would like to add this functionality to easyrule.php Do u have any suggestions for me? [image: remote_firewall3.png] [image: remote_firewall4.png] IPRangeConvert.php.txt
  • Should an FTP client be able to get out by default?

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    jimpJ
    If you enabled the FTP proxy, it adds a rule that lets FTP out.
  • Firewall Blocking Question

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    P
    @jimp: There is no way to filter out those log entries automatically, since they are identical to normal blocked packets. It's just that whatever server you are connecting to is either sending them back from a different IP, or after the state has been removed. It isn't normal to see a ton of these, but it has more to do with the server you are connecting to than anything else. You can try to set the firewall optimization to "conservative" under the advanced options, but iirc that really only helps with UDP, not TCP states. The dynamic view is locked to 50 entries because if you go much larger than that, the JavaScript involved gets really slow. Thanks for the info. I really appreciate it.
  • Protocol filtering?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    R
    i'm really looking forward and expecting a lot from pfsense 2 :) i hope it will be stable soon so that i can implement it in production. EDIT: is there any tutorial on how to use layer 7 filtering already?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.