  • Port 25 open by default?

    Locked
    0 Votes
    6 Posts
    3k Views
    Fortunately, reinstalls go very quickly so reinstall was the solution. Thanks again, JonD
  • Help with nat and firewall

    Locked
    0 Votes
    4 Posts
    3k Views
    I dunno why, but I did an IP release on the WAN and renewed it, and now everything works.
  • DMZ – how do I setup incoming/outgoing for VLANs?

    Locked
    0 Votes
    6 Posts
    3k Views
    HEY THANKS FOR THE INFO! So my DMZ IP address is 10.0.0.1. My VLAN 100 is subnet 10.0.1.x. When I set up some Linux servers on VLAN 100, can I use 10.0.0.1 as the default gateway? Can I also use 10.0.0.1 as the DNS server address? I wonder if you could help me with 1 more thing… I am used to setting up 1:1 NATs on a commercial firewall (cough sonicwall cough) ... I wonder how I do 1:1 NAT with pfSense... I gave it a whirl and it didn't work quite right? Basically I just need to forward a public IP straight to the DMZ private IP (on the VLANs you helped me set up above).... I have a block of 8 public IPs coming in my WAN port so I think I need to set up what pfSense refers to as a "virtual IP" for each of my public IPs (that is not the WAN IP address)? What is the best way to forward ALL traffic from a PUBLIC IP straight to the DMZ private IP? (each server is hardened with its own built-in firewall)... Thanks again for the help!
  • DHCP contains a search domain, causing incorrect 404…

    Locked
    0 Votes
    16 Posts
    6k Views
    I think your only alternative is to remove the search domain entirely, which also means your users will have to enter the FQDN in their browser/client. And it means you have to make a small change to the pfSense code. I still think the best route is to actually maintain a zone file instead of using a catchall. Where wildcards are useful is sites like deviantart and sourceforge that use subdomains for user accounts. If you've got a relatively static set of hostnames it makes more sense to maintain a proper zone.
  • 0 Votes
    2 Posts
    1k Views
    Cry Havok
    Rules are inbound on an interface.  That means that to stop a machine getting "out" you'll need to list it as the source IP address in the firewall rule.  If that still doesn't work you'll need to post a screenshot of your firewall rules, and details of the version of pfSense you're using.
  • Error !!! Aliase Deleted.

    Locked
    0 Votes
    2 Posts
    1k Views
    check and make sure that your firewall or NAT do not use or link to your alias
  • Block Pfsense to access to

    Locked
    0 Votes
    4 Posts
    2k Views
    Cry Havok
    Yes, all pfSense rules apply to inbound packets only.
  • Vlan With Cisco 2960G ( 8 ports )

    Locked
    0 Votes
    2 Posts
    4k Views
    Hi all, finally I've solved the issue. The problem was on the Cisco part, on the trunk interface:

        !
        interface GigabitEthernet0/8
         description Trunk
         switchport access vlan 2
         switchport trunk allowed vlan 2,3
         switchport mode trunk
        end

    Old config:

        interface GigabitEthernet0/8
         description Trunk
         switchport access vlan 2
         switchport trunk native vlan 2
         switchport trunk allowed vlan 2,3
         switchport mode trunk

    Seems that I've declared the trunk native on VLAN 2. By the way, in the new version of IOS (at least the one that is installed on my Catalyst 2960 G with 8 ports), the command switchport trunk encapsulation dot1q is no longer available (Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(46)SE). Best Regards,
  • Redirecting on a transparent filtering bridge

    Locked
    0 Votes
    3 Posts
    2k Views
    True, but can pfsense with the built-in firewalling functionality redirect?
  • Unable to implement a PF rule !!! Is there a workaround?

    Locked
    0 Votes
    3 Posts
    2k Views
    Thanks for your answer. It is good to know that someone has already requested the feature  :)
  • Open port still being blocked by "Default deny rule"

    Locked
    0 Votes
    9 Posts
    15k Views
    PF can't differentiate a blocked out of state packet that is probably part of what was a valid connection (once it's out of the state table, record of that connection is gone). So we have no option to not log that traffic. I suspect what firewalls that hide that do is just not log dropped TCP with FIN set, unless their state table leaves states there for a while after the connection was closed. It would be possible with PF to drop but not log incoming packets with FIN set, though that's not exposed in the pfSense GUI and I wouldn't recommend it. Occasionally out of state traffic getting blocked is indicative of a problem, though that's rarely the case. Philosophically, if your firewall is configured to log everything it blocks, it should do that. That's the primary reasoning for my "that's the wrong thing to do" comment in my last post.
  • Home Network Help - Cisco and pfSense

    Locked
    0 Votes
    5 Posts
    3k Views
    Well, my network is working 100% now. And I didn't do anything differently that I know of. I went through the exact same steps I did before, figuring I would at least have access to my firewall again to mess around with the rules, and when I was done I figured what the heck, let me just try for external access, and it worked. Now, granted, due to my design, pfSense doesn't support multiple DHCP scopes so I have to manually configure IPs and DNS entries for now, but it works. I'm guessing I had a typo somewhere that I couldn't find the first time that was preventing me from getting outbound last time. Thanks for all the help cmb. Now, I just have to get drives for my desktop, install VMware ESX, and begin getting all my virtual machines set up in my DMZ and local network.
  • 0 Votes
    11 Posts
    5k Views
    This odd behavior did turn out to be a hardware issue. I am not sure exactly but I am guessing the dual onboard NICs. I switched to another machine and things are working much better. Now to figure out load balancing/failover. Thanks
  • RTSP Video On Demand behind pfSense

    Locked
    0 Votes
    2 Posts
    2k Views
    lalex86
    No one had the same problem?  :-( No one can help me?
  • Can't Access 3rd NIC

    Locked
    0 Votes
    3 Posts
    2k Views
    I would agree with focalguy, the rules you've shown look good as far as accessing the WAN and LAN from your OPT1wifi, but you will want to put some rules in the LAN section if you want to access OPT1wifi from your LAN. If that isn't your ultimate plan you could test that you can 'see' it from the pfSense by using ping under the Diagnostics tab, and ping the opt1 IP or AP connected to OPT1.
  • Firewall rule needed for DHCP ?

    Locked
    0 Votes
    3 Posts
    12k Views
    @cmb: Yes, that's normal. http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection%2C_why%3F Great, thanks :)
  • Custom pass rule on LAN interface ignored in favor of default deny rule

    Locked
    0 Votes
    8 Posts
    10k Views
    rds_correia: sounds like the same, check "bypass firewall rules for traffic on same interface" as I said above.
  • Port range issue in Alias?

    Locked
    0 Votes
    4 Posts
    11k Views
    AhnHEL
    You're welcome.  ;D Not really sure why the commas work. As per the instructions on the Alias page, using the colon seems to be the proper way to set up your Port Ranges so I only use the colons and not the commas.
  • RDP can't go through/Can't join my domain controller

    Locked
    0 Votes
    3 Posts
    3k Views
    RDP - can you connect at all? Have you ensured that the RDP port (3389) is forwarded/open? *The port is forwarded/open. I can connect by IP only and not by name. Domain - what type of domain? Active Directory or NT? Have you opened/forwarded all the required ports? *Active Directory is what I'm using. All the ports such as LDAP, MSDS, etc. are open. Both - have you configured routing so that things can be reached? *Yep, we've done that too. I can ping from my DC to my RDP box by IP but not the other way around?
  • Best Way How To: Block Lan machine from accessing internet?

    Locked
    0 Votes
    8 Posts
    13k Views
    jimp
    Captive portal can also help in a Hotel/Airport/Hotspot environment as well
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.