• Permitted traffic to LAN blocked silently

    Locked
    0 Votes
    19 Posts
    8k Views
    Is there anybody?  :'(
  • Deny vs block

    Locked
    0 Votes
    2 Posts
    2k Views
    Block simply discards the packet and returns no response to the source. It will cause a connection timeout on the client. Reject sends a TCP RST to the source, which will generate a 'connection refused' message and immediately close the connection on the client. It's generally better to use block rules on the WAN side; it will make scans take longer and removes a couple of DoS opportunities. Reject does make sense in some cases though, especially on the LAN side, where you want a quick failure, for example to block outgoing SMTP that doesn't go through your relay.
  • What does "Disable the userland FTP-Proxy application"

    Locked
    0 Votes
    2 Posts
    2k Views
    http://forum.pfsense.org/index.php/topic,16724.0.html or http://forum.pfsense.org/index.php/topic,2048.0.html
  • Need some help in setting up vlans

    Locked
    0 Votes
    2 Posts
    1k Views
    What do you want to do? How many VLANs do you want to use? How many interfaces does your pfSense box have?
  • Like NICE in mikrotik

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • OPT1 connection help needed

    Locked
    0 Votes
    2 Posts
    1k Views
    I could be off topic here, but you may want to check under "NAT" if you are using NAT on a single WAN interface, then you would have to set up NAT for both your LAN and OPT1 interface to have both connect to the internet. If you don't set up NAT for each interface, then you won't have OPT1 connect to the internet even with a firewall rule (which you should also set up).
  • Firewall Issues, OPT and LAN

    Locked
    0 Votes
    7 Posts
    3k Views
    Hey I did verify successfully that the access rules to LAN were created with the Captive Portal, so I will go digging around in there to see if there are any settings that I could find that would allow this to happen. I will post my configs when I have a chance if I cannot find a solution. Thanks.
  • Firewall Rule - Advanced Options

    Locked
    0 Votes
    10 Posts
    8k Views
    That is an interesting topic. First of all we have to be sure that settings from the GUI go correctly to pf rules. I'll try to reproduce it.
  • Request time out

    Locked
    0 Votes
    7 Posts
    3k Views
    The link I'll give you later, but the tutorial is in Indonesian, so I don't think that you want to see it… ;D Yes, I am using some applications that need UDP, but I've made the rule for it. But what about the other UDP ports? Is it dangerous if we pass all UDP ports (any)?
  • Controlling traffic within same interface

    Locked
    0 Votes
    2 Posts
    1k Views
    In short: no. The idea of a LAN is that each machine can communicate directly with any other on the local network, without contacting a router. pfSense can't even see that local traffic (because you have a switch), let alone control it. There are some messy workarounds to this, but it's not worth the effort or confusion. The solution is that you need to create a separate LAN for each PC. To do this reasonably, you need to either have a separate interface for each PC, or use a VLAN-capable switch to accomplish the segregation. Then all traffic must flow through pfSense to reach the other LANs and you will have full control. You should, however, be able to control access to the pfSense WebUI or any other service running on pfSense, however you need to disable the 'anti lockout' rule in Advanced Settings.
  • Redirect all traffic from 1 internal (LAN) IP to specific IP address

    Locked
    0 Votes
    15 Posts
    4k Views
    Well, I guess I'll do a quick dirty trick with a load and balance trunk that has 0 Kbps speed; that will cut the web access for the port, but no explanation screen :(
  • Reason why did fw block some action?

    Locked
    0 Votes
    3 Posts
    1k Views
    Thx, I am using pf to analyze my traffic… I have a fight with my ISP. My P2P suddenly dropped from 400 to below 50 KB/s. UL is fine. I changed everything except the ADSL modem and splitter, but I do not believe that is the problem because everything except P2P works OK. Some plugins for Vuze mention too many TCP RSTs. What I definitely see is that I have many TCP connections in time wait and few true connections on my side.
  • Accessing plotter/printer on different lan

    Locked
    0 Votes
    2 Posts
    2k Views
    Under firewall rules for the wireless users, add a rule of allow all: create a new rule, change protocol to any, and that should do it; if not, change source to the wireless subnet. For the email server you may have to add a static route to it.
  • Dual wan single lan policy based routing errors

    Locked
    0 Votes
    3 Posts
    1k Views
    No load balancing. VoIP goes out on wan and all other traffic out to wan2.
  • Pf rules don't block

    Locked
    0 Votes
    5 Posts
    2k Views
    A lot of thanks for relation.
  • Adding Programs to whitelist

    Locked
    0 Votes
    5 Posts
    2k Views
    Sorry, just trying :). But just out of curiosity, why are some routers able to do it, like SonicWall?
  • After full hdd install can't ping the wan interface

    Locked
    0 Votes
    5 Posts
    2k Views
    Thanks, it's working! I am able to ping the WAN interface and I can also access the webGUI, except for the SSH!
  • Cannot download any large files, always get stuck around 98 or 80 %

    Locked
    0 Votes
    3 Posts
    2k Views
    @blak111: Do you have the "Maximum download size" option set under Proxy Server > Traffic Management? No, it is set to 0. I have also uninstalled Squid and reinstalled it. Also uninstalled snort (now I cannot get it up because it will time out after 35 MB). I tried a different site like filehippo and I was able to download a large file around 75 MB. I realize that it is timing out while downloading the snort update. Somewhere I read that snort gives you 15 min to download or else it will time out. Can I increase this value so that my snort update doesn't time out? Thanks
  • Blocking Port

    Locked
    0 Votes
    6 Posts
    2k Views
    Another question is: if I have squid proxy running, are these rules bypassed?
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.