• Blocking inter-vlan and full access to Internet

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    GruensFroeschli
    1: Create an alias containing all your vlans. 2: Create a single "allow" rule with source: any destination: !youralias (NOT your alias) 3: Repeat 2. on each VLAN interface. Like this, traffic to the internet will be allowed, but traffic to your vlans will be denied by the default block all rule.
  • Firewalling with 2 LAN IF

    Locked
    18
    0 Votes
    18 Posts
    7k Views
    jahonix
    If you can connect to your network via OpenVPN already, why do you need WAN access to your firewall? Can't you do this through the tunnel then, using the local LAN IP and HTTP port? Anyway, that's your personal choice and you will have reasons for it. Your rules look fine and I can only guess what's holding you from a successful connect. Might be that an unencrypted connection is not supported (blocked) by pfSense for security reasons. I would watch the logs (enable logging for that rule!) and try setting up the GUI for HTTPS, changing the rules accordingly.
  • Block selected lan workstations for certain websites

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli
    You cannot filter by URL. Only by IP. But if you resolve all the URLs you want to block to IPs, you can make an alias which contains all these IPs. Then just create a block rule above your allow rule with your alias as destination.
  • Limiting Outbound Destinations

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jahonix
    Actually, you can already create an alias like 'www.ups.com' but it only gets updated with one corresponding IP once when the filters are loaded initially. IMHO further support is planned for 1.3 - but as usual with this kind of versions - don't hold me liable for it being actually implemented in release. Whenever that will be anyway…
  • Port forwarding seems to work a bit odd

    Locked
    8
    0 Votes
    8 Posts
    5k Views
    A
    Quick thought - I tried the traffic shaping bit at one time, then disabled it. Could there have been some left-over settings that can interfere? Maybe I'll just reinstall it and configure it again from the ground. It shouldn't take more than 30 min so I can just use the old 1721 router…
  • How to install and configure dansguardian content filtering in pfsense

    Locked
    7
    0 Votes
    7 Posts
    35k Views
    GruensFroeschli
    The solution is: http://forum.pfsense.org/index.php?action=search with the keyword: "dansguardian" (no, there is no dansguardian package)
  • LAN Firewall rules

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    T
    You can't centrally firewall machines within the same subnet! Interfaces within the same subnet communicate directly with each other. They only send traffic to the gateway when the destination address can't be routed directly to one of their local subnets. You would first need to logically isolate those machines so they cannot route to each other. Then, you would need to do central routing (and firewalling) for them. A hack, and it is a real dirty hack, would be to define every machine as its own subnet on the same physical segment and then define one interface on pfSense for each of the machines on the segment, then set up your rules. This is a really bad idea. It will probably break more than it fixes since the machines can't broadcast to each other any more and pfSense has to route every single packet. And even if you did that, since you'd be on the same physical segment, any user could get around it by just defining an IP in the segment they wanted to talk to. The short answer is it can't be done. -Ted-
  • Question on Firewall/Port Forward confusion

    Locked
    15
    0 Votes
    15 Posts
    7k Views
    GruensFroeschli
    http://forum.pfsense.org/index.php/topic,8464.msg47484.html#msg47484
  • Ifconfig: interface 91 does not exist.

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    U
    If added port 91 with any alias name in alias, this message received…
  • Settings for torrent box with utorrent or similar

    Locked
    8
    0 Votes
    8 Posts
    5k Views
    E
    activate miniupnp
  • Block port(s) after a while

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    E
    Man, iptables is UGLY. I am glad BSD can make easy tools for people :). Yeah, pf has the same concept too but needs to be exported to the GUI.
  • Simple Bridging - making an interface a LAN switch

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    T
    Hello, I have now tried to bridge my WLAN to my LAN, and I get the same effect, i.e., I can ping from the bridged interface to devices on the LAN, but I can't ping from the LAN to devices on the WLAN. All other traffic appears to traverse normally. Would someone please comment on this thread? :o
  • Allowing traffic on 113 for identd

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Rejecting changes

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • OUTBOUND FTP RULES?

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    P
    :) :) :) :) I changed LAN settings on router (enabled DHCP server) and WAN settings on pfSense (to DHCP client), now it works! GREAT! Would like to know what the real problem was … maybe MTU or something on the route? Thank you all, guys!
  • Namespace collision

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    ?
    anyone?
  • Redirect WAN port 8080 to localport 80 ? possible ?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    N
    Hello, Just create a rule for 8080 to be forwarded to your pfSense:80 on the "firewall", or am I missing the points? cheers,
  • Bridge optional LAN and WIFI interface to primary LAN interface

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    E
    Just for reference, in 1.3 for this setup I would recommend creating a bridge with the needed members. Assign the bridge interface as lan. Give the lan (bridge) interface an IP. Configure dhcp server for the lan interface. Go to Advanced Settings and change the knobs controlling the bridge filtering to: pfil_member = 0 pfil_bridge = 1 So you do all the filtering on the bridge interface itself rather than the members. After this you can disable the members so you do not see their tabs on the Firewall->Rules page. Ermal
  • Network blocked

    Locked
    9
    0 Votes
    9 Posts
    3k Views
    M
    Ok I got everything working. I had to add a static route in pfsense to the 192.168.2.0/24 network. I also added some rules on the DMZ tab for the 192.168.2.0/24 network to access it. Thanks for your help GruensFroeschli.
  • Accessing services from within LAN

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    T
    I was having this same problem and that fixed it for me as well. Now, I can connect to my WAN IP from within the LAN. Unfortunately, I'm getting a weird problem now where my SSH connection to my linux box (within the LAN) is closed after about 30 seconds when I connect to the WAN IP instead of the LAN IP. Just to be clear, I have pfSense set up as my home router. No complex setup or anything, just a WAN and a LAN. I have a linux box connected via ethernet and a laptop connected via wireless through an airport extreme router (in bridge mode). Everything seems to be working great except for this. I can SSH into my linux box using its LAN IP and I stay connected just fine. If I SSH into my linux box using the WAN IP it closes the connection after about 30 seconds of inactivity. I have port forwarding and firewall rules set up to allow port 22 traffic into my linux box. Any ideas?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.