Hi everybody! I used ALIASES in assigning a group of LAN IP addresses: 1. List of LAN IP Addresses blocked in accessing the internet and 2. List of LAN IP Addresses with time restrictions in accessing the internet And used SCHEDULES in assigning time restrictions in some LAN IP Addresses as listed in no. 2. After which I used them in making FIREWALL RULES and placed them before the default rule. After that I reboot the system but it hanged during Configuring firewall….. Please help!

Yeah, only outgoing connections originating from 192.168.1.5 will be mapped to the VIP. You'll still need to add port forwards for incoming connections. Btw static port means exactly what the documentation states: "do not randomize source port on the outgoing connections", nothing else. The redirection is really done with the selection of the NAT address in the outbound rule and static port is just an extra option that is normally not needed. In your case it's better to turn it on since (active) ftp data connection originates from port 20 and you want it to originate from the same port on the VIP.

http://forum.pfsense.org/index.php/topic,19862.msg102193.html

thanks sir..  ;D

I've already mentioned other possible problems - search my previous reply for NetBIOS ;) Did you put rule (1) on the 192.168.2.x network interface?  Is it before any other rules?

I think I know what is happening, not sure how to fix it yet. There are 2 sets of trunks, 3 trunks with one provider and 1 trunk with a second provider.  If I disable either trunk set, the other set will register and work fine.  Its when both trunk sets are enabled that the single trunk set will drop.  It should be noted that when the trunk drops, tcpdump shows no outgoing traffic to the provider of that trunk on the wan interface; however the lan interface shows the traffic coming into the box. So at least I can replicate the issue by enabling/disabling the asterisk trunks without rebooting the pfsense box each time. I suspect that this vanished trunk registration traffic is being incorrectly routed to the other provider and thats why I don't see it.  I also have no idea why it would work initially for a bit when the trunks are all enabled and then it dies with no trace.

@dotdash: To just address the last question, if you need the server to have a static IP, you could create a DMZ bridged to WAN. Another solution is to make the firewall transparent. Search around, there is a lot of information on these options. Followed this guide: http://202.143.130.99/files/transparent_firewall.pdf Worked like a charm!  Thanks for pointing me in the right direction :)

Anyone have any ideas?

Glad it's working.  I've had a glitch or two where rebooting cleared up whatever stale state/entry was causing issues.

Sorry for the delayed response! Apparently, I had a rule allowing all the ports forwarded from my VM, this appears to have been added by default.  Does anybody know why?  The description is "Default allow all on WAN in VM." In any case, disabling the rule has fixed my issue.  Thanks!

Why dont use Captive portal??

Try searching the forum and read the answers to the other threads ;) In short, by itself it won't provide you with CALEA compliance but it also doesn't stop you achieving it.  You should talk to a lawyer about what you have to do, but it may be that simply providing a network tap is sufficient.

No one can help or know in issue??