• Bridge optional LAN and WIFI interface to primary LAN interface

    Locked
    0 Votes
    7 Posts
    6k Views
    Just for reference, in 1.3 for this setup I would recommend creating a bridge with the needed members. Assign the bridge interface as LAN. Give the LAN (bridge) interface an IP. Configure the DHCP server for the LAN interface. Go to Advanced Settings and change the knobs controlling the bridge filtering to: pfil_member = 0, pfil_bridge = 1. So you do all the filtering on the bridge interface itself rather than the members. After this you can disable the members so you do not see their tabs on the Firewall->Rules page. Ermal
  • Network blocked

    Locked
    0 Votes
    9 Posts
    4k Views
    Ok I got everything working. I had to add a static route in pfsense to the 192.168.2.0/24 network. I also added some rules on the DMZ tab for the 192.168.2.0/24 network to access it. Thanks for your help GruensFroeschli.
  • Accessing services from within LAN

    Locked
    0 Votes
    4 Posts
    3k Views
    I was having this same problem and that fixed it for me as well. Now, I can connect to my WAN IP from within the LAN. Unfortunately, I'm getting a weird problem now where my SSH connection to my Linux box (within the LAN) is closed after about 30 seconds when I connect to the WAN IP instead of the LAN IP. Just to be clear, I have pfSense set up as my home router. No complex setup or anything, just a WAN and a LAN. I have a Linux box connected via ethernet and a laptop connected via wireless through an Airport Extreme router (in bridge mode). Everything seems to be working great except for this. I can SSH into my Linux box using its LAN IP and I stay connected just fine. If I SSH into my Linux box using the WAN IP it closes the connection after about 30 seconds of inactivity. I have port forwarding and firewall rules set up to allow port 22 traffic into my Linux box. Any ideas?
  • Adobe.com

    Locked
    0 Votes
    2 Posts
    3k Views
    http://forum.pfsense.org/index.php/topic,9301.0.html
  • FTPES not working outbound

    Locked
    0 Votes
    3 Posts
    4k Views
    I don't have an answer but have near the same problem. I can use a Winders XP box setup for ICS running Blackice Defender and connect to encrypted ftps no problem but pfsense will NOT allow me to connect to two of the three I usually visit? Here is the Filezilla log from one of those.
    Status: Connecting to ... …
    Status: Connected with ..., negotiating SSL connection...
    Response: 220 Serv-U FTP Server v6.2 for WinSock ready...
    Command: AUTH SSL
    Response: 234 AUTH command OK. Initializing SSL connection.
    Error: Timeout detected!
    Error: Unable to connect!
    Seems that pfsense is blocking the return command port or something like that as secure ftps use two ports. One for data and the other for commands. ftp helper is enabled on mine so that doesn't help? So is there any workaround for this problem?
  • Transparent Firewalling seems to block DNS Lookups internally

    Locked
    0 Votes
    3 Posts
    2k Views
    jahonix
    @typo3usa.com: We then setup the WAN to allow TCP: 20,21,22,25,53,80,110,125,143,443,465,953,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306,55555,55553 UDP: 20,21,53,113,123,873,953,6277,33434:33523 Both TCP and UDP for port 53 are allowed - however clients internally are unable to resolve dns requests. (all but one)
    What DNS servers are assigned to the clients? The ports open on the WAN tab are for incoming traffic on the WAN interface only. Users requesting DNS resolution use your "allow all" rule on the LAN tab.
  • FW rules, aliases too long?

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    3 Posts
    3k Views
    Solved it myself. Edited config.xml using vi and added the lines mentioned above. Then restarted firewall using /etc/rc.reload_all. After some 10 seconds web interface could be remotely accessed over the IPsec tunnel. Straight on. Regards, Bert
  • MOVED: Firewall Web Console Rules

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Firewall to stop all traffic except ftp on WAN1

    Locked
    0 Votes
    4 Posts
    2k Views
    So your loadbalancing pool should only contain wan2-6 and the default lan rule uses the loadbalancing pool as its gateway.
  • FTP in transparent bridge

    Locked
    0 Votes
    12 Posts
    6k Views
    What do you have NAT rules for?
    - Whatever is there was created automatically from the instructions found in the PDF that tells how to change over to transparent bridge.
    Also why do you have a rule to allow the "lan subnet to anywhere"?
    I believe it was created automatically when I followed the T.B changeover PDF.
    Do you have an IP on the LAN interface?
    The instructions said to assign a different (than wan) IP to the lan side (I used 66.163.204.253) and then after the change it would just ignore the ip. So yes and then no.
    Also the rules you have on the WAN are…. strange.
    Ok. They work for everything except the webgui to wan.
    You should set as destination only the server on which a service is running.
    There are multiple servers all with various services running on them. For example the mail server has a webserver for webmail, an FTP server, and a DNS server along with the mail. There are 3 web servers all with FTP, one with DNS and mysql, and one with GIS apps. There is a MSSQL DB server that has websites on it and FTP. Since each machine does a little of everything, I leave the rules open instead of pointing to a specific machine. There are various other machines sitting behind this box. I inherited it and can't change anything yet. Maybe someday they will let me clean it up.
    So what do you think is causing the webgui problem?
  • MOVED: All Halflife related games are not possible

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Public email broken??

    Locked
    0 Votes
    3 Posts
    2k Views
    I have the same problems. When I turn off FTP Proxy, it starts working, but after some restart the problem is back. Also, if I have configured POP3 with a public address, I can't send any email with attachments.
  • 0 Votes
    4 Posts
    9k Views
    AhnHEL
    Followed your link to dslreports and from there got linked to this post which has a very clear set of instructions similar to yours. Much thanks for this, saved the day getting pfSense back up where my children live. http://www.dslreports.com/forum/r20006536-Make-your-actiontec-a-bridge-with-VOD-working-with-REV-D
  • Access local FTP by public IP from LAN

    Locked
    0 Votes
    7 Posts
    8k Views
    Hi, That's good to hear, and could you describe what you did with a lil bit more for later visitors? Also helps me a lot ;D ;D ;D @kennylovrin: …by configuring the ftp server with virtual hosts... cheers,
  • Controlling individual users access to certain webpages

    Locked
    0 Votes
    3 Posts
    2k Views
    Hi kapara… Well, as far as I know we are not utilizing DHCP. I do know that we have an active directory though. Unfortunately I did not set up the server originally and my knowledge and experience is at the "enough to get me in trouble" level. My goal for this week is to really get to know the server. I do know a little about squid so I will go in there to see if I can figure out a way to make this work. Thanks for the help kapara. Mike
  • Just installed pfsense firewall. Getting mail error…

    Locked
    0 Votes
    16 Posts
    6k Views
    Just wanted to thank everyone for their help. The change to transparent bridge filter fixed the 550 problem. The web gui doesn't work on the wan side anymore but I posted that question in a different message. I appreciate your help. Thanks Bob
  • How to directing some user to use some modem?

    Locked
    0 Votes
    4 Posts
    2k Views
    The monitor IP you select doesn't necessarily have anything to do with your ISP. The reason I would use DNS servers is that they often are pingable and reliable. As every ISP has a DNS server you could do a search for ISP and their DNS server in your area. This is a list for Denmark (do a ping test before using them).
  • Firewall rule to block DNS queries to external DNS servers.

    Locked
    0 Votes
    7 Posts
    15k Views
    I used the following rule to block foreign DNS server: (192.168.1.1 is my DNS' ip)
    Protocol: TCP/UDP  Source: *  Port: *  Dest: !192.168.1.1  Port: 53 (DNS)  Gateway: *  Description: block foreign DNS
    Protocol: *  Source: LAN net  Source: *  Port: *  Dest: *  Port: *  Description: Default LAN -> any
    If any client queries to foreign host (for DNS at port :53) that differs from 192.168.1.1, we block it! That's ok for me:)
  • Advanced firewall settings issue

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.