• VLAN via LAN NIC

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Blocking ports and other lans

    Locked
    10
    0 Votes
    10 Posts
    3k Views
    D
    Thanks again Efonne. I've now got everything working the way I planned it. I don't think I have a use for scheduling yet, but I see how it could come in handy. Thanks for the help again and bye
  • Can I redirect somebody on my network to a different page?

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    C
    The squidGuard package appears to offer this functionality, although I've never used it. I like squid though.
  • 0 Votes
    5 Posts
    5k Views
    G
    Hi, the dummy static route is, so it seems, the only working solution for that problem. Now there is a static supernet route that covers every subnet. It's not the best but a working solution. The thing is, I think I will stay at static routes on my pfSense because neither RIP nor OpenOSPFd are getting along with PPPoE resets :( Edit: The dummy static route has another major downside with it. It generates a routing loop whenever one of the supernet-advertised subnets is down, because the next hop router has the pfSense as default gateway, which is correct because it is the internet gateway. The packets are bouncing from the pfSense to the next hop router and back again until the TTL is 0. If OSPF were running, the network would have been eliminated from the routing table and the request would get a "network is unreachable" or something similar. Or am I wrong? To OSPFd, the second: The process is stuck after every PPPoE "redial", no matter whether it is caused by periodic PPPoE resets or a manual reconnect. After being stuck it starts a new ospfd instance. When you remove the OpenOSPFd package, the other started processes are not killed and keep running until you kill them manually.
  • WLAN to LAN access issue

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    D
    sweet!
  • Can't access my webserver

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    jimp
    You need both a port forward and a firewall rule. This troubleshooting page might be of use: http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting As well as the Port Forwarding tutorial here: http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F
  • Block by MAC address

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    Cry Havok
    The point is, if you've searched and found a number of threads where people are told that it can't be done then maybe it's because it can't be done. Yes, using a static DHCP or static ARP and then blocking those IP ranges are your only options on pfSense.  One option is to create a virtual IP and DHCP range just for those you want to block.
  • Q: pfSense and DDoS

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    E
    @subfire91: how can you measure the size of syn attacks in mbit/s?? Interface line rates on your border router minus the historical value of normal traffic at that time of day on that interface.
  • OpenVPN traffic being blocked

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    B
    Problem solved. I needed to select "Bypass firewall rules for traffic on the same interface" under "System->Advanced". BBB
  • Problems with filter rule (created by inbound NAT)

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How to Forward / Redirect Destination IP

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    B
    @compucoder: Hi everyone, I have a puzzling dilemma and can't figure it out. We have a developer who is using a remote client WSDL file and that file is written so it works on the client subnet. It basically has 10.0.0.0 addresses it uses for hitting their servers. What I am trying to do is, if the firewall sees an outbound connection from the developer trying to hit a 10.0.0.x IP address, to forward it to the client's public IP address. I guess I am trying to do the opposite of port forwarding. I think I want a redirect rule but don't know how to do this in pfSense. So something like this: LAN->10.0.0.x Redirect or forward so it looks like this LAN->69.x.x.x (client public IP) Thanks for any help. Not quite the answer you're looking for, but your developer should be able to just change the address in the WSDL or in his connection code to point to the proper IP.  Much easier than trying to do weirdness with pfSense. I've done it before with Java, don't see why it'd be different with other languages.
  • File upload in squid

    Locked
    3
    0 Votes
    3 Posts
    8k Views
    B
    There is a way in vanilla pfSense, although it might not be implemented on the GUI. @http://www.experts-exchange.com/OS/Linux/Administration/Q_23504337.html: Out of squid.conf:

        #  TAG: request_body_max_size  (KB)
        #      This specifies the maximum size for an HTTP request body.
        #      In other words, the maximum size of a PUT/POST request.
        #      A user who attempts to send a request with a body larger
        #      than this limit receives an "Invalid Request" error message.
        #      If you set this parameter to a zero (the default), there will
        #      be no limit imposed.
        #Default: request_body_max_size 0 KB

    This will limit file uploads for ALL users going over this proxy as this currently can't be ACL driven. I played a bit and found a solution that should work (at least in my limited testing, it worked): You need to add the following lines to your squid.conf:

        external_acl_type request_body %{Content-Length} /var/tmp/request.sh
        acl request_max_1 external request_body 1000000
        acl request_max_3 external request_body 3000000

    /var/tmp/request.sh is the external helper program needed (see code snippet below) and may be placed at any location you want (probably /usr/lib/squid/, this is (on my system) the directory where all the other helper apps reside). 1000000 would mean 1MB is allowed and 300000 would mean 3MB are allowed (change according to your needs). Now you need to apply access rules based on these ACLs in your squid.conf, e.g.:

        acl powerusers src 192.168.1.0/24
        acl students src 192.168.2.0/24
        http_access allow powerusers request_max_3
        http_access allow students request_max_1

    I hope this works for you, it does for me. The helper script (/var/tmp/request.sh) reads the Content-Length and the limit passed by Squid on each line and answers OK or ERR:

        #!/bin/sh
        while read size limit; do
          if [ "${size}" -gt "${limit}" ]; then
            echo ERR
          else
            echo OK
          fi
        done
  • Error… please help me

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    M
    hahhaha…thanx mate... love your support
  • HTTPS on optional interface

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    R
    Nm, it was an access control issue with the PBX.  My LAN subnet was not listed in access controls. Thx anyway
  • (solved) How to block Teamviewer

    Locked
    12
    0 Votes
    12 Posts
    101k Views
    P
    To block these sites, I forced all DHCP clients to use my AD Server as the DNS resolver with OpenDNS as my forwarding Internet DNS server.  On the FW, I just set port 53 or DNS to only use OpenDNS as the only DNS - all other DNS resolvers are blocked (this is on OUTBOUND or LAN).  In AD, I create DNS zones such as logmein.com, teamviewer.com, and all the DNS names I want to prevent from going out internally, and I resolve them to the IP address of google.com - every time they try to resolve these sites, they redirect to google.com.  If they try to use GoogleDNS or other, it doesn't work either.  It was easier to put these DNS hosts in AD than in pfSense - hopefully there is a better option in pf's future.
  • Add rule for interface from drop-down list

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Internet Schedules

    Locked
    4
    0 Votes
    4 Posts
    20k Views
    B
    You can use squidGuard's time rules in conjunction with squid, but the firewall rules method is a lot easier for simple times.
  • Firewall rules aren't working

    Locked
    12
    0 Votes
    12 Posts
    8k Views
    W
    One more thing, I had "synproxy state" checked under my rules and didn't realize it would affect the services / ports in this way.  But basically, whenever I had "synproxy state" checked instead of "keep state", it would skip the rule and go to default deny, and block it.  I thought synproxy worked for all TCP connections?  Who knows… guess it was always nice to see the output of pfctl whenever I loaded a new pf.conf for debugging purposes.  Is synproxy state not for HTTPS / SSH?  Enlighten me.  ;D
  • [SOLVED] transparent filtering bridge doesn't work!

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    A
    Fixed!! When pfSense is set in bridge mode it uses Spanning Tree (STP) to control the bridge (like a switch). This may conflict with my switch and its VLANs (where STP is enabled by default for each port). However, I just disabled STP on the switch port where the WAN is connected and then I can ping to/from the bridged DMZ. This problem would never have occurred when I used 3 switches, one for each segment, instead of VLANs on the same switch.
  • Weird behavior on my DMZ (VMWare ESXi related?)

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    A
    So, since your WAN gateway IP address and your DMZ gateway IP address are the same, I'm pretty sure you need to bridge your WAN and DMZ interfaces. You'll need to configure your network interfaces in ESXi to permit promiscuous mode in order for the bridging to work. I have a similar setup and had similar results until I figured out the issues with bridging and promiscuous mode. Hope this helps.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.