  • Network Scanning Denial

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimp
    By default, pfSense blocks everything on WAN. Nobody should be able to scan anything unless you specifically allow it.
  • Addition to the NAT should add the rules "RULES"?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    D
    I suppose you are asking whether an access rule is added automatically when you create a NAT rule. The answer is yes, if the tick box to do so is selected (default yes).
  • Mail problem

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Cry Havok
    Inbound email uses 25/TCP and assumes your ISP doesn't block that port.  You can use the diagnostics at MX Toolbox to check to see if your email server can be reached from the Internet. Also, try removing the gateway setting from your rules and re-testing.
  • Filtering web Content

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    P
    Using OpenDNS is the easy way. http://doc.pfsense.org/index.php/Blocking_websites
  • System/fw logs

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    M
    But easier isn't better! :-) In my case I cannot have an external syslog server. The logs stay on the firewall for 1 year, and a backup is sent by mail daily. This is because of French law when we offer a Wifi hotspot. And I have written Windows software for creating users for freeradius/captive portal too. Works great! Best regards, MaRCoOf
  • Firewall packets passing rules

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    F
    Aha… I think that may be the cause... Might be onto something, jimp! I will change the 'suspected' auto update source to update via another means and see how this goes. Thanks for the great advice!
  • Pfsense blocking VPN access?

    Locked
    7
    0 Votes
    7 Posts
    6k Views
    E
    @Mif: Was there ever a result to that issue? Yes, my wife's company changed their VPN Client software, while I was still trying to resolve it.  ;D You can check if it's the same issue, by running a packet trace.  As I mentioned, mine broke when the Client sent out a UDP packet bigger than the MTU size, of 1500, which resulted in a fragmented packet.  The server never responded to that packet. There was also, on the same thread, a report that the em driver was possibly corrupting fragmented UDP packets.  I was at the point, where my next trace, was to be with a different NIC, and hence different driver, to see if that conjecture was correct.  But alas, the VPN Client was changed before I could do that. Cheers.
  • How do CARP VIPs work ?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    D
    Can you describe the scenario in a bit more detail?
  • Scripting add/remove rules

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    T
    I would like to do this too. Is there some kind of API for, for instance, enabling or disabling firewall rules?
  • 2 pfsense transparent bridge firewalls fed from same switch

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    B
    Can't have any NAT going on. The boxes need to have the IPs bound to the local interfaces. The question is why do the 2 pfsense boxes interfere with each other?
  • NAT Rule problem

    Locked
    18
    0 Votes
    18 Posts
    5k Views
    T
    Hi @ll, after the NAT rules worked fine for over two weeks, it has stopped working again and I have the same problem as before. I can see traffic in the logs forwarded to the target host but I cannot connect on Port 22. In between I have made no changes to the system and I did not even restart it, which I in fact did today when I noticed the problem again. I mean I have "solved" the problem by reinstalling the box a while ago but this cannot be a solution, no need to say that we do not have a M$ Box here… It is strange in my eyes that this Forum has a lot of posts regarding NAT... all with rather similar problems and no real solution. Further tips anyone? Thx in advance, Thafener
  • Proxy problem

    Locked
    9
    0 Votes
    9 Posts
    5k Views
    H
    Hi again. The switch is a Layer 3 switch, and it is configured so all vlans can pass through pfsense. I think it's easier for me to explain this way. The switch has an IP address on all my vlans: 192.168.240.205, 192.168.241.205, 192.168.242.205, 192.168.244.205, 192.168.249.205. The switch has a 0.0.0.0 route to 192.168.249.50 (pfsense). This works on all computers, except this 1 problem. So in your example 192.168.240.55/24 has default gateway to 192.168.240.205. In the 192.168.240.205 L3 switch's routing table is a 0.0.0.0 (default) route to 192.168.249.50 (pfsense). All vlans have been added on the pfsense with gateway 192.168.249.205 (switch). I need some way to debug this problem. There is no information in the firewall, and I can't really see anything in the proxy's log. Any ideas? Remember.. I have excellent connection to the server (ping and traceroute) but the software won't run.. Regards, Michael
  • BitTorrent, UPnP and Traffic Shaper

    Locked
    11
    0 Votes
    11 Posts
    9k Views
    L
    Not sure if this is a res of an old dead topic but I found this while looking through google trying to find out how to make sense of 2.0's traffic shaper, since the wizard doesn't work. In uTorrent you can set the outbound ports, if you go to the advanced settings.  I used that to set traffic shaping rules for my wife's torrents.
  • Limit Total Number of Connections from Lan

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    M
    Bump
  • State table goes more than 2,50,000 entries

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Mail server behind pfsense

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    J
    Seems like a similar problem I am/was having: http://forum.pfsense.org/index.php/topic,23661.0.html
  • What's the equivalent of MIP ?

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    C
    @GruensFroeschli: I'm not sure I understand what you mean. Do you mean the login window to access the GUI of pfSense? I've reset the config and can't reproduce the error anymore :)
  • Server cannot get through OPT1 interface… firewall blocking?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    N
    Have you tried removing this rule and creating one that allows all traffic to see if it works?  When I struggled with pfSense firewall rules, I usually found that when I started over and made more robust rules, I could track where my problems were.
  • Disable fw logging of DHCP broadcast

    Locked
    10
    0 Votes
    10 Posts
    20k Views
    L
    Not something like that, but more exactly like that! Thanks! Now it works  :) I tried all sorts of combinations with 0.0.0.0 and 255.255.255.255 as source and destination and vice versa as well as the ports 67/68.  ::) Summary: To stop these "WAN 0.0.0.0:68 255.255.255.255:67 UDP" messages from filling up my log files, I had to: 1. Make a firewall block rule for WAN with the Private Network alias (as mentioned by onhel) 2. Go to Interfaces/WAN in the web GUI and uncheck "Block private networks" and "Block bogon networks" (This differs from the screenshot above) 3. Create a topmost rule on WAN: Block, UDP, source: any, sourceport: any, destination: any, destinationport: 67 @GruensFroeschli: Your rule should look something like this: block, UDP, source: any, sourceport: any, destination: any, destinationport: 67 Also make sure that your block rule is the topmost rule.
  • Traffic redirection

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    I'm still new to pf/pfsense and have never done traffic redirection with pf, so hopefully someone with more experience will chime in later.  I know with netfilter it is possible to redirect traffic coming from a specific IP, subnet or Ethernet controller to a desired host and listening port using DNAT. Hopefully pf supports this feature, because I'm also interested in traffic redirection.  I would assume the apps running on top of pfsense would handle the traffic without an issue, but this might be something to research and test since you're in essence analyzing and potentially changing the packet before it reaches the apps running on top of pfsense. Maybe a Google search for pf traffic redirection will turn up something.  http://www.openbsd.org/faq/pf/nat.html