• Making Sense of Syslog data

    Locked
    0 Votes
    3 Posts
    2k Views
    How much of this info is safe to put here and how much is of use to potential hackers .. ?? There is no 'X' by the notifications … using pfctl I have identified that rule 73 reports this:

    @73 pass out quick on re2 all flags S/SA keep state label "let out anything from firewall host itself"   [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]   [ Inserted: uid 0 pid 58951 ]

    pass out ?? - re2: ?? so where is block on lo0 (that I now know to be loopback) related to this ??????? The interface identified in the rule, 're2', currently has NOTHING connected or defined, plus the rule says pass - not block. Since lo0 is loopback the only machine that can be looping back is pfSense itself (127.0.0.1 I assume) and yet the IP address in the block is one on the local LAN.

    loopback = "{ lo0 }"
    lan = "{ re1 }"
    ng0 = "{ re0 ng0 }"
    wan = "{ re0 ng0 }"
    enc0 = "{ enc0 }"
    OPT1 = "{ re2 }"
    OPT2 = "{ em0 }"
    User Aliases

    I appreciate the pointers though, because I identified one other issue too in that the system has decided (and don't ask me how) that one of my internal subnet IPs is on the WAN, so it is refusing any packet from it even on the local LAN NIC re1: when I try to resolve the affected machine's name the pfSense fails, ping fails because pfSense blocks itself (bit stupid). I found out why though - it is the manner in which pfSense is resolving names. pfSense seems unable to resolve using the private DNS server that I run; there is no way to tell pfSense that it should use LAN for DNS resolution. If I put my DNS server IP address in the System > General Setup > DNS servers box the internet access is broken, pfSense tries to use it to resolve only on the WAN re0:, and if I leave the DNS boxes empty my internet connection is broken even with the DNS forwarder disabled.

    My private DNS server has root hints for OpenDNS but I don't WANT or need the pfSense to get involved with ANY kind of DNS resolution, but the only way I can get internet working is to put the public (OpenDNS) addresses in the boxes in pfSense. My private DNS is configured OK because if I turn off packet filtering (turn pfSense into a bridge) I can resolve anything perfectly fine, so why can't I force pfSense to stay out of DNS resolution and keep my internet working?
  • Some assistance required with basic firewall rules

    Locked
    0 Votes
    8 Posts
    3k Views
    Gruens, the unit isn't acting as an AP, i.e. there is no wireless LAN interface on the machine. WLAN is provided by multiple APs spread across the site coming back to a switch which is on the LAN side of the machine. Regards, Nick
  • MOVED: Cleaning Squid

    Locked
    0 Votes
    1 Post
    994 Views
    No one has replied
  • MOVED: How do you do traffic monitoring?

    Locked
    0 Votes
    1 Post
    968 Views
    No one has replied
  • MOVED: OPT1 users can not access https (ssl) sites

    Locked
    0 Votes
    1 Post
    1k Views
    No one has replied
  • Bridge LAN and OPT1

    Locked
    0 Votes
    11 Posts
    9k Views
    It seems as though after a reboot of the pfsense server everything is working correctly now. I am not receiving IP addresses on the OPT1 network and am able to pass traffic between the two networks. Thanks for all the great help…it's greatly appreciated.
  • Cannot ping OPT1 interface between two pfSense boxes.

    Locked
    0 Votes
    2 Posts
    2k Views
    Please ignore my ramblings. It was a state issue. –Nick.
  • One non-logging rule on interface yields logs - how?

    Locked
    0 Votes
    8 Posts
    3k Views
    jimp
    Yeah the Dashboard was moving that. I'm not sure it will fix itself unless you do a firmware update and then reinstall the Dashboard package though, as you'll need a fresh copy of /usr/local/www/fbegin.inc.
  • Strange behavior of internet traffic

    Locked
    0 Votes
    7 Posts
    2k Views
    Thank you, turning the access point into a bridge helped.
  • Why are rules useless in this firewall?

    Locked
    0 Votes
    17 Posts
    6k Views
    Same thing here, but thanks, I'll follow your tips. jigp, Davao City
  • Some rules don't apply to some clients?

    Locked
    0 Votes
    5 Posts
    2k Views
    First of all I do apologize for my bad English. And secondly, I mean "the clients which have dynamic IPs, assigned by DHCP". And thirdly, we had a power failure yesterday, and our pfSense box has restarted, and guess what? The problem no longer exists… It is strange, as I had already restarted all the services but not rebooted the machine. Because we have very high traffic on our network, rebooting was not an available option for me, and I never thought I would need to do a reboot, because I restarted the services a couple of times... Anyway, that's my experience I would like to share with the community... And I believe that information grows by sharing, and I don't need to be motivated to share my experiences or knowledge with someone... If I do have ANY tiny bit of info about ANYthing, I throw it on the desk, just to lighten up an idea... Thanks for your advice anyway, I will be careful indeed with asking questions. Hope that this experience helps someone.
  • Can't get any mail coming to my mail server

    Locked
    0 Votes
    3 Posts
    2k Views
    There are also some ISPs blocking inbound #25 (in addition to outbound#25 which is more common, as an "anti-malware/spam" measure). One way of checking that could be to have a FW not dropping packets but responding with closed ports (or temporarily have a larger port range all go to some active and functioning port, like #80 or something) and then doing a port scan from the outside, either via netcat from a *NIX shell or from some service like grc.com. If port 25 turns out "shielded" something is blocking the packets before they enter your IP. Cheers,
  • Really newbie question - limit connections per host.

    Locked
    0 Votes
    3 Posts
    1k Views
    Regarding user feedback you can never be sure.. so I have to be certain that this is the right approach, since I cannot reproduce the scenario (go to the client and use the network for an entire day; even if I could, that's not enough to really measure it, 1 day..)..
  • MOVED: QOS Question - Urgent

    Locked
    0 Votes
    1 Post
    1k Views
    No one has replied
  • LAN Firewall Allow All.. but blocking!

    Locked
    0 Votes
    3 Posts
    2k Views
    I have disabled Block private networks and Block bogon networks … but that's WAN, not LAN....
  • Problem accessing RDP

    Locked
    0 Votes
    3 Posts
    2k Views
    Yeah, that's what I eventually did since I gave up, heh
  • I need help with the firewall and rules with multiple LANs

    Locked
    0 Votes
    16 Posts
    5k Views
    Dang - I thought I had the hang of this. I have two rules only in both LAN1 and LAN2.

    LAN2 Rules
    Allow TCP  LAN2 net  *  LAN net  8080  *
    Deny *  LAN2 net  *  LAN net  *  *

    First to allow LAN2 to a web server on LAN on port 8080, the second to block all the rest, and this works fine.

    LAN1 Rules
    Allow TCP  LAN1 net  *  LAN net  8080  *
    Deny *  LAN1 net  *  LAN net  *  *

    Same rules as LAN2, but for LAN1, and this does not work. LAN2 can see the web server on port 8080, LAN1 can not. Why is it so?
  • Difference between NAT and Rules! Am going Crazy

    Locked
    0 Votes
    14 Posts
    8k Views
    GruensFroeschli
    Your software has to support UPnP as well. If it does: just enable it and you're good.
  • Protect from Netcut

    Locked
    0 Votes
    3 Posts
    5k Views
    GruensFroeschli
    Maybe you should rephrase your question. I have absolutely no idea what you're talking about. Googling "netcut" gives me this: NetCut is a software that helps you admin your network purely on ARP protocol. List IP-MAC table in secs, turn off & on network on any computer on your LAN including any device like router, switch. Also, NetCut can protect user from ARP SPOOF attack. High intimate: Pure ARP protocol kernel. Enhanced cut off function, that no one can escape from your cut off unless he has NetCut installed and with protected function enabled. Easy to use: One click to protect user computer function!!! No one in the network can cut you off with ARP spoof technology anymore. Effective: one click to cut down any computer's network connection to the gateway. IYFT: Get all IP addresses of the computers in your LAN (Local Area Network) in secs. High applicability: Work in office LAN, school LAN, or even ISP LAN. Have fun with playing the online computers, make them online or offline remotely. Safe: TRACE free, no one will trace out what happened. And last, more stable, switch-hub or hub or cable LAN, any LAN using Ethernet. Yet I still have no idea how you imagine protecting your network against ARP spoof attacks with the help of a FIREWALL. Are you sure you actually know what you want/need?
  • Filter Logs - all connections

    Locked
    0 Votes
    3 Posts
    9k Views
    jimp
    That option just starts a tcpdump on the pflog interface, so anything logged by pf will show up. As GruensFroeschli says, changing your pass rules such that they log (just check the log checkbox on the rule) will make entries show up in that output. It won't log each packet, but it will log each connection. If you want something a little more readable, install the dashboard package and then from a shell, do this: clog -f /var/log/filter.log | /usr/local/www/filterparser.php
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.