http://forum.pfsense.org/index.php/topic,9301.0.html

I don't have an answer but have near the same problem. I can use a Winders XP box setup for ICS running Blackice Defender and connect to encrypted ftps no problem but pfsense will NOT allow me to connect to two of the three I usually visit?  Here is the Filezilla log from one of those. Status: Connecting to ... … Status: Connected with ..., negotiating SSL connection... Response: 220 Serv-U FTP Server v6.2 for WinSock ready... Command: AUTH SSL Response: 234 AUTH command OK. Initializing SSL connection. Error: Timeout detected! Error: Unable to connect! Seems that pfsense is blocking the return command port or something like that as secure ftps use two ports.  One for data and the other for commands. ftp helper is enabled on mine so that doesn't help? So is there any work around for this problem?

@typo3usa.com: We then setup the WAN to allow TCP:  20,21,22,25,53,80,110,125,143,443,465,953,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306,55555,55553 UDP: 20,21,53,113,123,873,953,6277,33434:33523 Both TCP and UDP for port 53 are allowed - however clients internally are unable to resolve dns requests. (all but one) What DNS servers are assigned to the clients? The ports open on the WAN tab are for incoming traffic on the WAN interface only. Users requesting DNS resolution use your "allow all" rule on the LAN tab.

Solved it myself. Edited config.xml using vi and added the lines mentioned above. Then restarted firewall using /etc/rc.reload_all. After some 10 seconds web interface could be remotely accessed over the IPsec tunnel. Straight on. Regards, Bert

So your loadbalancing pool should only contains wan2-6 and the default lan rule uses the loadbalancing pool as it's gateway.

What do you have NAT rules for? - Whatever is there was created automatically from the instructions found in the PDF that tells how to change over to transparent bridge. Also why do you have a rule to allow the "lan subnet to anywhere"? I believe it was created automatically when I followed the T.B changeover PDF. Do you have an IP on the LAN interface? The instructions said to assign a different (than wan) IP to the lan side (I used 66.163.204.253) and then after the change it would just ignore the ip. So yes and then no. Also the rules you have on the WAN are…. strange. Ok. they work for everything except the webgui to wan. You should set as destination only the server on which a service is running. There are multiple servers all with various services running on them. For example the mail server has a webserver for webmail , an FTP server, and a DNS server along with the mail. There are 3 web servers all with FTP, one with DNS and mysql, and one with GIS apps. There is a MSSQL DB server that has websites on it and FTP. Since each machine does a little of everything, I leave the rules open instead of pointing to a specific machine. There are various other machines sitting behind this box. I inherited it and can't change anything yet. Maybe someday they will let me clean it up. So what do you think is causing the webgui problem?

I have same problems. when I turn off FTP Proxy, then it start working, but after some restart the problems is back. Also if i have configured POP3 with public address, I can't send any email with attachments.

Followed your link to dslreports and from there got linked to this post which has a very clear set of instructions similar to yours.  Much thanks for this, saved the day getting pfSense back up where my children live. http://www.dslreports.com/forum/r20006536-Make-your-actiontec-a-bridge-with-VOD-working-with-REV-D

Hi, That's good to hear, and could you describe what you did with a lil bit more for later visitors? Also helps me alot  ;D ;D ;D @kennylovrin: …by configuring the ftp server with virtual hosts... cheers,

Hi kapara…Well, as far as I know we are not utilizing DHCP. I do know that we have an active directory though. Unfortunately I did not set up the server originally and my knowledge and experience is at the "enough to get me in trouble" level. My goal for this week is to really get to know the server. I do know a little about squid so I will go in there to see if I can figure out a way to make this work. Thanks for the help kapara. Mike

Just wanted to thank everyone for thier help. The change to transparent bridge filter fixed the 550 problem. The web gui doesn't work on the wan side anymore but I posted that question in a different message. I appreciate your help. Thanks Bob

The monitor ip you select doesn't necessarily have anything to do with your isp.  The reason i would use dns servers is that they often are ping able and reliable. As every ISP has a dns server you could do a search for ISP and there dns server in your area. this is a list for denmark (do a ping test before using them).

I used the following rule to block foreign DNS server: (192.168.1.1 is my DNS' ip) Protocol: TCP/UDP Source:   * Port: * Dest:!192.168.1.1   Port: 53 (DNS) Gateway:* Description: block foreign DNS Protocol: * Source: LAN net Source:*   Port:* Dest:*   Port:* Description: Default LAN -> any If any client queries to foreign host (for DNS at port :53)) that differs from 192.168.1.1, we block it! That's ok for me:)

Hi, How about ports for IRC , say 6667? OTOH, if you decided to open ports for *IM and, you may not consider to deploy upnp so that *IMs would not get fully functional, normail chats(typing) are okay but voice/video and/or file transfers will suffer. That's my only .02$ worth. :) cheers,

If you've only got a rule to pass all traffic then effectively the firewall is disabled.  This means that any problems are (as I've already said) probably NAT related. You may want to try enabling UPnP and see if that helps.  You may also need to read up on the networking requirements of the games in question.

Ok that was too easy! guess I learned something.. It's working perfectly fine now, thank you.