• MOVED: squid & transparent proxy not working in no-transparent mode

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Default block rule

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    K
    You don't need to add a default block rule on LAN; the LAN interface is "block everything" by default, just like any other interface. What XIII says about "allow all" on LAN isn't quite correct: on the default configuration there is an "allow all" rule on the LAN interface that allows all traffic, but that rule isn't hidden and can be changed or deleted.
  • Firewall system log

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    X
    Since there's a log of that, it means that you have set up a rule to log all access to that IP. The log is showing that somebody from OUTSIDE the firewall is accessing that server (hence the if=WAN). It comes back to: United States, Charlottesville, Embarq Corporation. Resolve Host: va-67-233-66-236.dhcp.embarqhsd.net
  • Url based port forward

    Locked
    10
    0 Votes
    10 Posts
    9k Views
    S
    I've been having pretty much the same damned issue. It's a shame seeing that something like this is not integrated tightly with pfSense as a firewall; that would make pfSense insanely awesome.
  • Is my OPT set correctly?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    E
    You may also want explicit block rules at the top of your list on LAN and your wireless (one on LAN to block access to wireless subnet and one on the wireless to block access to LAN subnet).
  • IAX trunk after isp lost connection

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Multi-WAN https & IMAP

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    B
    Hello All, Just wanted to post up the resolve for the https prob I had. It was in fact a NAT port forward I had created (not a firewall rule). I had an - tcp * * */https external/internal ip *. I had two https's using the same VIP/CARP. Kind of hard to explain without a screencap, which I do not have :(. Anyways, https on the IMAP server works like a champ now! Thanks, Barry
  • Occasional traffic outage, low or high load

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    L
    I've replaced the switches, no change. I also tried a different computer, with totally different hardware, same problem. I'm using the latest 2.0 BETA 3 version.

    Now, I'm wondering if this is a load problem. I'm testing at between 100 and 300 Megabits/sec. The only thing I've noticed is that when transferring at 100 Mbit (the max of the new test machine), when I do a "top" the interrupts are at between 45% and 60%. On the other systems it was the same story. At that load level, I was getting a dropout about once every 5 minutes. My test is simply doing an scp of about 100 gigabytes of information between two computers.

    Now, when I limit the speed on the transmitting computer to about 20 Mbit, the dropouts were much fewer; I would guess that I saw the first dropout after about 8 minutes. The interrupts were less than 10%; generally it was bouncing between 7 and 15%, but usually below 10%.

    Next test, same hardware, only I was transferring at 10 Mbit. The interrupts are mostly less than 5%. After 15 minutes, no dropouts.

    I tried turning off the hardware checksumming. I found that I had to reboot the system to make it work. Unfortunately, no change. I did get an interrupted connection with scp at the 20 Mbit level; here is the error:

        read from remote host 192.168.230.59: Connection reset by peer
        lost connection

    Finally I tried it with polling enabled. At 100 Mbit, the CPU was at 98+%, but the interrupts were at 0% (as expected). Unfortunately, at about 5-6 minutes, it dropped again. At about 20 Mbit, it dropped again at 10 minutes.

    I'm going to keep monitoring this, but for now will have to go with an alternative solution. Bummer. JBB
  • Full access to the WAN port

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    GruensFroeschli
    Can you show a screenshot of the rules you created on your WAN?
  • Allow internet access but nothing else with several if

    Locked
    9
    0 Votes
    9 Posts
    25k Views
    S
    It is also not required to allow traffic to the VLAN interface IP of the pfSense box; traffic to the internet will work without it. Of course ARP requests are always allowed and fall outside the interface traffic rules. But access to the DNS forwarder to allow DNS queries, and DHCP for example, is another thing. I was only providing a rough example for what the topic starter requested. I guess I should have been more clear about that.
  • Logs

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    X
    That explains it, thank you jimp.
  • MOVED: How to block all site except some with Squid?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Bridge Firewalling

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    J
    Thanks for your reply. I was thinking about doing something like that. However, it may become hard to manage if, let's say, a customer wanted to allow inbound port 80 from anywhere… I'd have to add the allow rule on the WAN tab as well as every other VLAN tab. Also, I would have to bridge all of these interfaces, as all the hosts will be on the same (public) subnet. Would another solution, if I was using pfSense 2.0, be to use the "floating" tab? Would that work?
  • How to get a win app to tell Pfsense to block an ip?

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    U
    Good point jimp, thanks for your answers. ;D Guess I have to force some clients on to VPN, I guess.
  • Aliases - pf error when adding ip/cidr

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimp
    The limit is somewhere around 3000 entries I think. The GUI won't let you put in nearly that many with a traditional alias. More details about exactly what alias settings were used and what was typed in are definitely needed to find out what is going on.
  • Can't ping between two networks - firewall rules???

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Does it matter which interface tab I put my rules in?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    E
    The only difference when clicking the add button on different tabs is which interface is selected by default.  When you select a different interface on the rule you are adding, it will appear on the tab for that interface, not the interface you clicked the add or edit button under.
  • Block LAN from pinging (ICMP) the gateway

    Locked
    3
    0 Votes
    3 Posts
    6k Views
    J
    Action: Reject, Source: Any, Destination: Any, Port: ICMP. Hope this helps. jigp 1.2.X
  • No connection between hosts on vlan interfaces

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    S
    Thanks for the advice. I did some captures on the pfSense interfaces, and also on a statically configured Linux client in the mgmt net. Mostly, they showed echo requests incoming or outgoing when I tried to ping a client on another subnet, but never a reply. After going over the configurations of the clients, I saw that at least the OS firewall of one dynamic Windows 7 client didn't let ping requests through from addresses outside of their own subnets. And on the Linux client, there was a route that pointed to the pfSense WAN interface instead of the mgmt VLAN interface, so answers never left from the right interface on the Linux client (it also had one interface in the 192.168.0/24 net).
  • Vlan

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.