• Outgoing email

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    I ended up redoing the pfsense box. All's fine now.

  • Howto mass block domains?

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    Use OpenDNS as your DNS instead of your ISP's. There you can block those domains through the control panel.

    http://www.opendns.com

  • No internet on optional interface

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    Fixed! ;D  There was no rule on the outbound NAT. ::)

  • Firewall apparently dropping reply fragments

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    System -> Advanced has an option for disabling offload Csum.  Might be worth a shot to enable that option.

  • Problem accessing site on virtual ip!

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    GruensFroeschli

    http://forum.pfsense.org/index.php/topic,7001.0.html

  • Trouble with students hogging internet lines

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    Cry Havok

    I think you need to find out what they're doing that allows them to do that.  Are you shaping by protocol, by IP, or have you just not got it configured correctly ;)

    I'd raise this in the Traffic Shaping sub-forum.

  • Questions Concerning my Network's Flow Chart

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • DDoS protection

    Locked
    9
    0 Votes
    9 Posts
    22k Views

    A google search on " ddos protection +freebsd " turns up

    http://www.webhostingtalk.com/showthread.php?t=647542

    http://silverwraith.com/papers/freebsd-ddos.php

    Maybe not the solution you're seeking, but anyways a good read imo.

  • Sending IPs of email server behind pfsense

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    dotdash

    The 1-1 NAT is pretty hard to screw up. A typical entry would be:
    interface=WAN external IP=100.200.100.200/32 internal IP=192.168.1.200/32
    The AON if you were using port-forwards would be like this:
    interface=WAN source=192.168.1.200/32 * * * NAT address=100.200.100.200 * NO
    (AON rule must be placed before the auto created LAN rule)

  • Can't access certain web-sites

    Locked
    16
    0 Votes
    16 Posts
    18k Views

    I continued to have problems with my CIDR notation matching the subnet provided by my ISP for my DSL connection… since this didn't appear to make any sense at all, and everything else was working on the firewall, I reconfigured the WAN for my new internet connection (not the old DSL circuit), set my IP to the new IP/29 (as it should be), and put it into production.  All is working as it should be now.

    As was suggested by others here, and on #pfsense on IRC, this must have been something flaky with my ISP and/or DSL connection.  Though I didn't get to the root cause, my DSL circuit is now off-line and everything is working as it should be on the new internet connection.  Thanks to everyone for the assistance!

  • How to disable PING respond on DDNS name ?

    Locked
    2
    0 Votes
    2 Posts
    3k Views

    I dunno if this was the way to solve this, but I did try creating a firewall rule in the WAN interface blocking all types of ICMP traffic to it. Well, now PING for IP and DDNS name do not reply at all (=good).

    If there are other correct solutions, please feel free to let me know, thanks.

  • Inbound – Outbound

    Locked
    13
    0 Votes
    13 Posts
    15k Views

    @GruensFroeschli:

    Your entry is wrong.

    Look at the screenshots I attached.

    Also make sure your clients use pfSense as primary DNS

    @GruensFroeschli

    Thank you soooooo much. I have been trying to figure out why I didn't see my own web server ;)

  • Weird Outbound LAN -> WAN in Logs?

    Locked
    13
    0 Votes
    13 Posts
    7k Views

    I can try :)
    You say that the server with IP 192.168.3.97 gets blocked in the firewall when trying to send to IP 147.249.x.x
    and the problem is only with IP 147.249.x.x
    As you don't have a host directly connected to pfSense with the IP 192.168.3.97, something must publish that IP to pfSense.

  • Packet normalization

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Change udp timeout settings in pf.conf

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    FYI we found another solution to our SIP problem.

    Just enable NAT keep alive on the client device

  • Firewall: Rules: Advanced Options

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    GruensFroeschli

    I think what darkopo meant is the

    What is default in Firewall: Rules: Edit Advanced Options ?

    Probably just no one is interested in using google for you to find the man pages of pf ;)

    http://google.com
    keywords: "man pf"

  • Firewall blocking too much?

    Locked
    21
    0 Votes
    21 Posts
    7k Views

    @sai:

    the only strange thing in your setup is the 192.168.1.1 as dns in general settings. even that should not let in the icmp…

    this is really weird.

    you said that there were some NAT rule. can we see those?

    I added 192.168.1.1 as an extra DNS server, since I want to use the repeater even on the firewall.

    Nat Port Forward Rules:

    The 1:1 and Outbound rules are empty (Automatic outbound nat is enabled)

    EDIT:

    Here's an interesting bit of log info:
    And clicking on the green arrow at the left shows no rule triggered it. The text after the "The rule that triggered this action is:" is missing. There are several logs like that. The WAN rule for that IP forward is not set to log, and there is no LAN rule corresponding to anything resembling that packet.

  • Blocking some FTP sites

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    For now I just entered fake IP addresses for these addresses in the DNS forwarder configuration, but this of course means that clients can still connect using the IP address.

  • Can't access internet when enable filtering bridge on DMZ bridge with WAN

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    I found it by myself!

    I have made an alias of my WAN network (WANnet) and put this rule on the DMZ:

    Proto    Source    Port    Destination    Port    Gateway
    *        WANnet    *       ! LAN net      *       *

  • PPL Can't connect to my bit torrent

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli

    Did you forward the port?
    Only creating a firewall rule is not enough.

    You also might be interested in enabling UPnP.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.