• Help with newbie and firewall
    Locked · 2 Posts · 2k Views
    Yes, I had a block-all rule to try and stop it working, but it still worked. How would I be circumventing controls by pfSense? There is no bridging of interfaces. WS3 uses pfSense as the gateway so it can get to WS1 (and WAN for the test). It is a static IP only. It would appear that once a connection was made, further connections were allowed, even if the firewall was changed to prevent it. I have made some progress but still need clarification. Where do I put the rules to control the flow of data between OPT1 and LAN?
  • 
    Locked · 8 Posts · 5k Views
    It's been solved. The LAN host only allows ping locally. OPT2 can ping remotely. That is why I can only ping from LAN to OPT2, not from OPT2 to LAN. Solution: NAT => Outbound => Manual, add a new rule: Interface: LAN, Source: OPT2, Destination: LAN, NAT address: Interface address. Then it's working. Thanks all of you for the kind suggestions.
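    The manual Outbound NAT rule described in the post above, expressed as an added pf.conf example. This is constructed here, not the poster's configuration or pfSense's generated ruleset; the interface names (em1, em2) and subnets are assumptions.

```pf
# Added example: the Outbound NAT workaround from the post above in raw pf terms.
# Interface names and subnets are assumptions, not taken from the thread.
lan         = "em1"
opt2        = "em2"
lan_subnet  = "192.168.1.0/24"
opt2_subnet = "192.168.2.0/24"

# Equivalent of "NAT => Outbound => Manual, Interface: LAN, Source: OPT2,
# Destination: LAN, NAT address: Interface address".
# Packets leaving on LAN from OPT2 hosts get the LAN interface address as
# their source, so a LAN host whose local firewall only accepts ICMP from
# its own subnet now sees what looks like a local ping.
nat on $lan inet from $opt2_subnet to $lan_subnet -> ($lan)

# The filter rules that were already needed for OPT2 -> LAN traffic.
# Filtering on OPT2 still sees the untranslated source address; the
# translation only happens when the packet is sent out on LAN.
pass in on $opt2 inet proto icmp from $opt2_subnet to $lan_subnet icmp-type echoreq keep state
pass in on $lan inet proto icmp from $lan_subnet to $opt2_subnet icmp-type echoreq keep state
```

    The price of this workaround is that every LAN host now sees OPT2 connections as coming from the firewall's LAN address, so host logs and per-host allow lists can no longer tell OPT2 machines apart. If the LAN hosts' local firewalls can be changed, allowing the OPT2 subnet there keeps the real source addresses visible.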
  • Hide router ???
    Locked · 4 Posts · 2k Views
    @Bern: Why? What's the point? netstat -nr or ipconfig /all at a client would show the presence of the router. Even if you had it proxy-ARPing, it'd still be easy enough to find using "arp -a".
    I'm sorry, maybe because my English is very bad. I need it like this:
    C:\Documents and Settings\white>tracert www.yahoo.com
    Tracing route to www-real.wa1.b.yahoo.com [209.131.36.158]
    over a maximum of 30 hops:
      1     1 ms     1 ms     1 ms  192.168.11.1
      2     *        *        *     *                <--- like this (hide the router)
      3     *        *        *     *
      4   242 ms   232 ms   252 ms  203.208.190.45
      5    36 ms    39 ms    50 ms  ae0-100.sngtp-dr1.ix.singtel.com [203.208.183.194]
      6    30 ms    29 ms    28 ms  xe-1-0-0-0.sngtp-cr1.ix.singtel.com [203.208.183.61]
      7   216 ms   218 ms   215 ms  so-3-0-0-0.plapx-cr2.ix.singtel.com [203.208.172.54]
      8   216 ms   220 ms   217 ms  ge-6-0-0-0.plapx-dr2.ix.singtel.com [203.208.183.166]
      9   467 ms  ^C
    At hop 2, the router is hidden when the client traces to the internet. Regards.
  • Default rule driving me insane
    Locked · 3 Posts · 2k Views
    Just noticed the static route filtering option; after checking it, everything started working fine.
  • MOVED: help me with squid guard
    Locked · 1 Post · 1k Views
    No one has replied
  • Make a wifi network (OPT adapter)
    Locked · 4 Posts · 3k Views
    Thank you. Got it working.
  • State table optimization times
    Locked · 1 Post · 1k Views
    No one has replied
  • LAN file sharing
    Locked · 4 Posts · 2k Views
    Exactly. The above rule would do nothing apart from keeping it out of your logs. Every single host connected to your LAN segment is receiving these packets, and your firewall cannot filter them, even theoretically.
  • Routing / Firewall Issues between LAN and OPT1
    Locked · 3 Posts · 2k Views
    What are the subnets for your LAN and OPT1? Do you have any other services like VPN?
  • Learn to toot your own horn!!!
    Locked · 3 Posts · 2k Views
    jimp: And it seems that it's known to the Vyatta folks as well. It doesn't do it now, but for a while if you did a Google search for "pfSense", many of the ads were for Vyatta.
  • Outbound FTP Problems
    Locked · 19 Posts · 14k Views
    Can you give us the output of pfctl -sr | grep ftp?
  • Snort Rules updating forever…and ever..and ever...
    Locked · 1 Post · 1k Views
    No one has replied
  • Remote desktop
    Locked · 8 Posts · 4k Views
    I have to agree with most of Bern's assessment, except that I think he gives PPTP too much credit security-wise. PPTP encryption uses RC4 as well, which has some known weaknesses. It also exposes a lot of information in the unencrypted side channel, which makes it even less secure. See this article for some more in-depth analysis of a couple of other potential issues. With all of these potential attack vectors it might be worth using for the ease-of-use factor, but IMO the security concerns merit serious consideration. Personally I'd never use it for anything, and I'm not much of a security nazi.
    As far as IPsec is concerned, I agree that it can be a bit tricky to set up a working road-warrior configuration with PKI, but the ShrewSoft VPN client is pretty straightforward and much easier to get working than MS's built-in client (which has never worked for me; I think it relies on L2TP). Once you get the server side configured properly and learn how to administer the PKI it's really not difficult to get going, but it's still not really something you can just hand to a layperson and expect them to be able to use.
    With NAT-T in 1.2.3 I'm now using IPsec exclusively whenever I don't need Layer 2 tunneling (where I use OpenVPN). OpenVPN is easier to package in a user-friendly way, though, if you don't have control of the client PCs as well.
  • VLAN problem
    Locked · 2 Posts · 1k Views
    @thonik: Rules are OK. Please post them.
  • Emerging Threats Firewall Rules
    Locked · 8 Posts · 4k Views
    This would be an excellent feature to have: automatically update and block a list of IP addresses.
  • Adding 'table' with a persist and file
    Locked · 3 Posts · 2k Views
    dotdash: Your options, listed in increasing chance of success, would be:
    1) Submit a feature request. (I think you would still use http://cvstrac.pfsense.org/tktnew)
    2) Start a bounty: http://forum.pfsense.org/index.php/board,34.0.html
    3) D.I.Y.: http://devwiki.pfsense.org/SubmittingPatches
  • Pfsense Firewall rules system file
    Locked · 2 Posts · 6k Views
    jimp: The rules are generated dynamically, but a temporary copy is stored in /tmp/rules.debug. You can edit this file, but it can and will be overwritten by the system, so it is not safe to make changes there.
  • Bridge mode firewall IPS between ISP and our level 3 switch?
    Locked · 1 Post · 1k Views
    No one has replied
  • FTP via NAT reflection on a Virtual IP
    Locked · 2 Posts · 1k Views
    GruensFroeschli: I'm not sure this is possible. A workaround is to set up split DNS: http://forum.pfsense.org/index.php/topic,9440.0.html
  • Bridge Opt1 with LAN - FireWall Rules
    Locked · 5 Posts · 2k Views
    GruensFroeschli: iamthed: Seth's question reformulated is: if I have LAN and OPT1, then bridge OPT1 with LAN, do I need to duplicate the rules on the LAN on the OPT1 interface to have the same outbound (to the internet) behaviour on the OPT1 interface as on the LAN interface? This has nothing to do with QoS... This is not about allowing one-direction traffic. The answer is: yes, you need the same rules on the OPT1 interface as on the LAN. I think with clever alias usage the number of rules in place can be minimized and thus lower the administration effort.
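    An added example (not the thread's configuration, and not code from the pfSense project) of the alias approach GruensFroeschli suggests, written in raw pf.conf syntax rather than the web GUI. The interface names, subnet and file path are assumptions. It also shows the `persist file` table form that the "Adding 'table' with a persist and file" thread title above refers to, used here as the kind of refreshable address blocklist the Emerging Threats thread asks for.

```pf
# Added example, not from the thread. Interface names, the subnet and the
# blocklist path are assumptions.
wan  = "em0"
lan  = "em1"
opt1 = "em2"

# One alias (pf table) for the hosts behind both bridge members. Because
# OPT1 is bridged with LAN, both members carry the same subnet.
table <internal_nets> const { 192.168.1.0/24 }

# A blocklist table loaded from a file ("persist" keeps the table even
# when no rule references it; "file" fills it at load time).
# Refresh it later without a full ruleset reload:
#   pfctl -t blocklist -T replace -f /var/db/blocklist.txt
table <blocklist> persist file "/var/db/blocklist.txt"

set skip on lo0
block log all                       # default deny on every interface

# Drop traffic to or from blocklisted addresses before anything else.
block in  quick from <blocklist> to any
block out quick from any to <blocklist>

# The same outbound policy on LAN and OPT1, written once: pf expands the
# interface list into one rule per interface, which is exactly the
# duplication the post says you would otherwise maintain by hand.
pass in quick on { $lan $opt1 } inet proto { tcp udp } from <internal_nets> to any port { 53 80 443 } keep state
pass in quick on { $lan $opt1 } inet proto icmp from <internal_nets> to any icmp-type echoreq keep state
```

    The rules still exist twice in the loaded ruleset (pfctl -sr shows one copy per interface), so a change is made in one place but applies to both members, which is the administrative gain the post is after. Do not use antispoof for a bridge member here: it would generate a block for the shared subnet arriving on the other member and cut off legitimate bridged hosts.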
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.