You may also disable the ssh until you need it. Still would change the port though

Could it be that you enabled the Captive Portal? I just searched my network for about 4 hours for faults, without noticing that the CP was active…....

Depends on your environment, for hosting networks you usually want public IPs directly on the systems, though you may prefer using private IPs for various reasons. Either/or will work fine. If you use CARP that is a lot of addresses to enter.  Usually when I design colo networks using pfSense they use a /29 on the WAN side and have the provider route a second public IP block to one of the CARP IPs and use the public IPs directly assigned on the internal servers.

Yes it's a bad idea to block all ICMP types - there are legit and important uses for ICMP in a network. But with that said, the state tracking code will allow return ICMP traffic resulting from connections initiated inside your network, so you can pretty much block at will on your WAN and not break anything. There may be some cases where you'll want to not block everything, but in most environments that's fine to do with pfSense since it'll allow these legit ICMP types.

Yeah that should work fine.

ISTR that it warns you on the rules page - rules are processed top down.  This means that if you have rule #2 as "Block all" then no further rules will work.

Thanks GruensFroeschli. Apologies for not reading the stickies.

Don't mention ;) I, too, had some of that enlightenments ;D

You can forward as much as your number of public IPs allows. If you have one public IP, that's 65535 TCP ports, 65535 UDP ports, and add a handful more for other IP protocols - ICMP, GRE, etc.

Did you add port forwards? http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F

If my pings were 500-900 i wouldnt look for a solution on the firewall but more within my network-setup…. You should first get a general understanding of how networks work. I suspect you're kind of using the wrong firewall.

Would this setting cause my internet terminal services clients to constantly need to reconnect?  Many of the sales people here just connect to our dns name for the terminal server when they are in the office or our for simplicity.  If they connect to the external name while in the office and leave the connection idle for about 45 seconds they have to wait while it says "reconnecting to host".  The memory usage on the status page shows 60% the states table is nowhere near full.  If I connect up to the local name which bypasses the firewall it does not have this reconnection problem.

This sounds exactly like the problem which haunted me almost a year ago. See here: http://forum.pfsense.org/index.php/topic,5909.0.html I was just looking through the forum if the problem is still there before trying to upgrade to 1.2. Since my solution at the time being was patching pfSense and the patches by now probably have to be rethought/rewritten an upgrade for me is not so easy possible. However, it's interesting to see that this problem still occurs not only in my setup and it does not seem to have a solution… (I suspect some kind of load-balancing code inside freebsd which "turns" the interfaces in brideged mode, but thats just guessing) BTW, pfSense is a great piece of work - after patching this problem away last year it runs and serves absolutely reliable. Great work guys. Best regards, Arno

@blak111: The 1:1 NAT will map all traffic from an outside address to an inside address regardless of where it comes from. Ah yes , thats what I thought, 1:1 NAT does NOT allow the specifying of ... as the Source IP to the internal address of 192.168.1.11 for example. Since the source user does NOT have a Fixed IP address this wont work. OK I realize now that to have 2 IPs configured to have any incoming source  does not make sense because the FW will not know how to forward the traffic. Eagleeye

Any one?

@fastcon68: I have no issues, from behind pfsense.  I have made no special provisions.  I just have the bandwith tuning settings settings. Sorry for late post…but I also have vonage, with no special settings, I didn't even touch the bandwidth tuning.  It just works with no problems.  My setup is Cable modem ---> pfSense ---> Linksys Gigabit Switch -----> all devices, including vonage (no pc plugged to their pc port, just phone)