Solved this by disabling Automatic outbound NAT and created my own outbound NAT rules. Solved my speed issues as well as the "The Path is too deep" error.

Erm. I just cant figoure this out. Trying with COD:MW2. Still says im on restricted nat. Maybe cuz of load balancer?

@danswartz: maybe i am misunderstanding you, but why don't you just disable logging due to the default deny rule? Because then I get essentially no logging.  My philosophy (which may be junk from a security perspective) is to gain a familiarity with unwanted inbound traffic.  Some of it is common enough (eg, automated MS DS attacks on port 445, SQL attacks, etc) that it clutters the logs.  Once I'm comfortable that this traffic is being blocked and is common enough to clutter the logs, I usually create specific denial rules and disable logging it. This allows me to get a "fresh" view of the log, minus traffic I know is already there but don't want to see, and makes it easier to spot new traffic or more sophisticated unwanted traffic. Really, it's probably a logfile reporting filter issue more so than a rule issue – ideally you'd still want this traffic logged, but I have yet to see a decent commercial log reporting system that can do this well. When I worked at one place I had the firewall syslogging to a FreeBSD box and some Perl scripts tied to some really rudimentary web pages that would do this kind of filtering for me (and more, like monthly log summaries that scanned denied traffic and would attempt netblock summarization to try to find patterns in the sources of unwanted traffic).  Unfortunately I don't really have the luxury of doing that anymore.

Yes. But it's generally better if you could set up split DNS. http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F –>2 explains that better.

Fixed. Awesome. Thanks!

Might help http://doc.m0n0.ch/handbook-single/#id11642774 or the pfSense book http://blog.pfsense.org/?p=509

If you run pfctl -vvs Tables in the Diagnostics…Command Prompt you will see pfSense is using tables.  Now having better functionality so you can add your own would be nice.  I too come from OBSD... Aliases is an option, but better table support is the "right" way to do it  ;)

http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

Hmm, okay. :)

You will also see log entries for traffic which is allowed in from UPnP if you turned that on, but as others said, it's probably the FTP helper.

ok, thank you! best wishes

Sorry, misread the OP.  I saw the comment about logs filling up by 'default deny' and replied to that :)

The way you describe it, it sounds like you know every client which has access over the pfSense. You could also enable the Captive Portal, put all known MAC addresses on the passthrough list, and all unknown MACs will be displayed the CP. Or even more clamped down: Create for each client you know a static mapping on the DHCP server page, and then enable static ARP. Meaning only the MACs you specified on this page will be able to talk with the pfSense. Other MACs wont even get an answer to a DHCP-request.

Hi Froeschli, I don't actually want to add Filter Rules, I'd be completely fine if it passed any of the traffic without blocking it (Like it does at the moment) I'm not sure how (if there's no option in 1.2.2) i can tell the Firewall to stop blocking my traffic. However, there's a (sort of) weird scenario that I have when SSHing to one of the Remote-VPN Servers. I can stay on them like 5-10 Seconds and then the connection closes, so the Firewall doesn't seem to block directly, but within a certain time window. Could it be that the connection aborts because on their way back they answer through the 2nd vpn gateway? Like this: My PC -> VPN Gate 1 (Firewall) -> (Internet) -> Remote VPN Gate 1 (Firewall) -> Server I want to talk to -> Remote VPN Gate 2 (VPN Server) -> -> VPN Gate 2 (VPN Server) -> My Pc Could that be a problem? Maybe because of identification issues? Like.. Sending a request to one vpn Server (FW) and getting an answer back from the other vpn server? Thanks for the Help Kind regards, Stefan

no, things works like this first PFS machine is conected to ISP router, and it is firewall/proxy/vpn etc… (only 2 nics) second one (6 nics) is connected to first one, and second one connects multiply networks into one, BUT, i dont want users to see each other so i need firewall that works. And port forward, i need it to forward ports from internet to internal radius etc... whic is connected to one of 6 interfaces on second PFS. i didnt try to use opt interface on second pfs as WAN interface, bit i think it would work. ?

Just trying to see if my rules are being refreshed by cron, but they don't seem to be refreshed. I've just upgraded to v1.2.3 release and the rules still don't seem to be refreshed.  My crontab reads: 0      *      *      *      *      root    /usr/bin/nice -n20 newsyslog 1,31    0-5    *      *      *      root    /usr/bin/nice -n20 adjkerntz -a 1      3      1      *      *      root    /usr/bin/nice -n20 /etc/rc.update_bogons.sh */60    *      *      *      *      root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout 1      1      *      *      *      root    /usr/bin/nice -n20 /etc/rc.dyndns.update */60    *      *      *      *      root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot */60    *      *      *      *      root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c */5    *      *      *      *      root    /usr/local/bin/checkreload.sh */5    *      *      *      *      root    /etc/ping_hosts.sh */140  *      *      *      *      root    /usr/local/sbin/reset_slbd.sh 0,15,30,45      *      *      *      *      root    /etc/rc.filter_configure_sync 0      0      *      *      *      root    /usr/local/sbin/squid -k rotate */60    *      *      *      *      root    /usr/bin/perl /usr/local/www/lightsquid/lightparser.pl today Any thoughts?

I have done some more test and have log looks like below. The traffic passed but connection always timeout. Dec 18 11:44:59 LAN 192.168.1.10:63705 192.168.2.5:53 UDP ping,vnc,ssh all traffic passed, but get timeout after a while. Before move to pfsense from m0n0wall, I also tried pfsense 1.2.1,1.2.2 release. Those release have the same issue. But 1.2.0 release works great, any knowen issue for later release? Using WebUI ping utility from DMZ interface to 192.168.2.5 also got 100% packet loss. Thanks,

plz post your rules! and you should the only bridge options for have 'opt1' set to (lan) and the 'type' set to static