• Multi-WAN https & Imap

    Locked
    0 Votes
    2 Posts
    2k Views
    Hello All, Just wanted to post up the resolve for the https prob I had. It was in fact a NAT port forward I had created (not a firewall rule). I had: tcp * * */https external/internal ip *. I had two https's using the same VIP/CARP. Kind of hard to explain without a screencap, which I do not have :(. Anyways, https on the IMAP server works like a champ now! Thanks, Barry
  • Occasional traffic outage, low or high load

    Locked
    0 Votes
    4 Posts
    2k Views
    I've replaced the switches, no change. I also tried a different computer, with totally different hardware, same problem. I'm using the latest 2.0 BETA 3 version. Now, I'm wondering if this is a load problem. I'm testing at between 100 and 300 Megabits/sec. The only thing I've noticed is that when transferring at 100Mbit (the max of the new test machine), when I do a "top" the interrupts are at between 45% and 60%. On the other systems it was the same story. At that load level, I was getting a dropout about once every 5 minutes. My test is simply doing an scp of about 100 gigabytes of information between two computers.

    Now, when I limit the speed on the transmitting computer to about 20 Mbits, the dropouts were much fewer; I would guess that I saw the first dropout after about 8 minutes. The interrupts were less than 10%; generally it was bouncing between 7 and 15%, but usually below 10%.

    Next test, same hardware, only transferring at 10Mbit. The interrupts are mostly less than 5%. After 15 minutes, no dropouts.

    I tried turning off the hardware checksumming. I found that I had to reboot the system to make it work. Unfortunately, no change. I did get an interrupted connection with scp at the 20 Mbit level, here is the error:

        read from remote host 192.168.230.59: Connection reset by peer
        lost connection

    Finally I tried it with polling enabled. At 100 Mbit, the CPU was at 98+%, but the interrupts were at 0% (as expected). Unfortunately, at about 5-6 minutes, it dropped again. At about 20 Mbit, it dropped again at 10 minutes.

    I'm going to keep monitoring this, but for now will have to go with an alternative solution. Bummer. JBB
  • Full access to the WAN port

    Locked
    0 Votes
    6 Posts
    3k Views
    GruensFroeschli
    Can you show a screenshot of the rules you created on your WAN?
  • Allow internet access but nothing else with several if

    Locked
    0 Votes
    9 Posts
    25k Views
    It is also not required to allow traffic to the VLAN interface IP of the pfSense box; traffic to the internet will work without it. Of course ARP requests are always allowed and fall outside the interface traffic rules. But access to the DNS forwarder to allow DNS queries, and DHCP for example, is another thing. I was only providing a rough example for what the topic starter requested. I guess I should have been more clear about that.
  • Logs

    Locked
    0 Votes
    5 Posts
    2k Views
    That explains it, thank you jimp.
  • MOVED: How to block all site except some with Squid?

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Bridge Firewalling

    Locked
    0 Votes
    3 Posts
    2k Views
    Thanks for your reply. I was thinking about doing something like that. However, it may become hard to manage if, let's say, a customer wanted to allow inbound port 80 from anywhere… I'd have to add the allow rule on the WAN tab as well as every other VLAN tab. Also, I would have to bridge all of these interfaces, as all the hosts will be on the same (public) subnet. Would another solution, if I were using pfSense 2.0, be to use the "floating" tab? Would that work?
  • How to get a win app to tell Pfsense to block an ip?

    Locked
    0 Votes
    6 Posts
    3k Views
    Good point jimp, thanks for your answers. ;D Guess I have to force some clients onto VPN.
  • Aliases - pf error when adding ip/cidr

    Locked
    0 Votes
    4 Posts
    2k Views
    jimp
    The limit is somewhere around 3000 entries I think. The GUI won't let you put in nearly that many with a traditional alias. More details about exactly what alias settings were used and what was typed in are definitely needed to find out what is going on.
  • Can't ping between two networks - firewall rules???

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Does it matter which interface tab I put my rules in?

    Locked
    0 Votes
    4 Posts
    2k Views
    The only difference when clicking the add button on different tabs is which interface is selected by default.  When you select a different interface on the rule you are adding, it will appear on the tab for that interface, not the interface you clicked the add or edit button under.
  • Block LAN from pinging (ICMP) the gateway

    Locked
    0 Votes
    3 Posts
    6k Views
    Action: Reject, Source: Any, Destination: Any, Port: ICMP. Hope this helps. jigp 1.2.X
  • No connection between hosts on vlan interfaces

    Locked
    0 Votes
    3 Posts
    2k Views
    Thanks for the advice. I did some captures on the pfSense interfaces, also on a statically configured Linux client in the mgmt net. Mostly, they showed echo requests incoming or outgoing when I tried to ping a client on another subnet, but never a reply. After going over the configurations of the clients, I saw that at least the OS firewall of one dynamic Windows 7 client didn't let ping requests through from addresses outside of its own subnet. And on the Linux client, there was a route that pointed to the pfSense WAN interface instead of the mgmt VLAN interface, so answers never left from the right interface on the Linux client (it also had one interface in the 192.168.0/24 net).
  • Vlan

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Blocked packed even if rules allow traffic?

    Locked
    0 Votes
    3 Posts
    3k Views
    Thanks for the explanation. Could raising the state size reduce this noise, or does it not matter?
  • MOVED: Unable to delete or reinstall the squid and squidgurad

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Configure PFsense firewall from CLI

    Locked
    0 Votes
    6 Posts
    11k Views
    jimp
    It's just PHP. It's in the pfSense code repo, it's part of 2.0.
  • Basic Home Firewall Setup

    Locked
    0 Votes
    5 Posts
    6k Views
    Any error aside, it sounds to me like you are where I was two or three months ago. Please review this post, which contains what I learned: http://forum.pfsense.org/index.php/topic,25548.0.html Regarding having only a few machines and so keeping a tight netmask, why bother? Use /24, it is easier to think about. Use a different number for each LAN if you have several.
  • Multi-Site BGP and firewall rules

    Locked
    0 Votes
    2 Posts
    2k Views
    For BGP to work you do not need anything in rules other than TCP port 179 allowed.
  • Log LAN Rule but I don't have any rule to Log

    Locked
    0 Votes
    5 Posts
    2k Views
    Thanks Jimp
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.