• How to expose a local lan ip to the internet?

    Locked
    0 Votes
    8 Posts
    6k Views
    @blak111: The 1:1 NAT will map all traffic from an outside address to an inside address regardless of where it comes from. Ah yes, that's what I thought, 1:1 NAT does NOT allow the specifying of ... as the Source IP to the internal address of 192.168.1.11 for example. Since the source user does NOT have a Fixed IP address this won't work. OK I realize now that to have 2 IPs configured to have any incoming source does not make sense because the FW will not know how to forward the traffic. Eagleeye
  • I've got a problem! Can't access Server network from Lan network

    Locked
    0 Votes
    10 Posts
    5k Views
    Any one?
  • Configuring for Vonage

    Locked
    0 Votes
    5 Posts
    4k Views
    @fastcon68: I have no issues, from behind pfsense. I have made no special provisions. I just have the bandwidth tuning settings. Sorry for late post…but I also have vonage, with no special settings, I didn't even touch the bandwidth tuning. It just works with no problems. My setup is Cable modem ---> pfSense ---> Linksys Gigabit Switch -----> all devices, including vonage (no pc plugged to their pc port, just phone)
  • Transparent firewall, new subnet

    Locked
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG
    You shouldn't set the gateway to an interface of pfSense. Set the gateway to the next hop. The same for your new IPs. If the ISP gives you then he probably gave you the IP of the gateway (the next hop) too. The idea of a transparent firewall is that you don't send traffic to it -> you don't use the firewall as gateway. Instead you send traffic directly to the ISP's router.
  • Multiwan Version 1.2 - Rules for traffic that doesn't like load balancing

    Locked
    0 Votes
    3 Posts
    2k Views
    These are my Firewall:Rules
    TCP   LAN net   *            172.16.1.0/24   *            OPT1 Falla
    TCP   LAN net   *            OPT1 net        *            OPT1
    TCP   LAN net   110 (POP3)   *               110 (POP3)   OPT1 Falla   mail pop3
    TCP   LAN net   25 (SMTP)    *               25 (SMTP)    OPT1 Falla   mail smtp
    LAN net * * * Balance   todo compartido
  • Why does Packet Capture not see ftp data packets?

    Locked
    0 Votes
    3 Posts
    2k Views
    I had a chance to play with this some more over the weekend, which proved enlightening. So yes cmb, I suspect Packet Capture does see all frames, but I unfortunately was only looking at ones (filtered) by specific IP addresses… otherwise there are just so many... :-) Silly me for thinking that if I do not define any NAT options or parameters that NAT would not be active and that all the addresses in my public (LAN) network would appear as public addresses on the WAN with access limited (filtered) by the firewall rules. Apparently not so. I discovered that many outgoing connections appear on the WAN as coming from the WAN interface address. I was seeing ftp packets going out from the public IP address from my LAN but not seeing anything coming back from the FTP server on the WAN because, I guess, it was coming back to the WAN interface address. At least that's what I think was happening. A similar thing may have been happening with HTTP as the web servers were being told the client was at the WAN interface address. But HTTP being the way it is, all the magic port assignments seemed to allow communications. Except for the (secured) web server that wouldn't let me talk to it because it did not recognise the request as coming from my proper public IP address. I wonder if any other similar failures have gone unnoticed... Oddly, as best I can tell without looking too deeply, not all protocols or ports are afflicted with NAT translations (eg. DNS, NTP). Or so it seems. Anyways, that is what I think was happening, so locating the solution became less difficult. The first was to force NAT into a full 1:1 for all addresses of the public LAN network. And suddenly everything behaved as expected.
I also found I could configure NAT Outbound for "Advanced Outbound NAT (AON)", and once I removed the automatically generated mapping (which essentially turned NAT back on for the LAN network) my "firewall" now seems to behave like a simple router with access controlled by the firewall rules. Which is all I wanted in the first place ;-) Thankfully, with active mode FTP now working I can close up all those high ports needed for passive mode... I was astonished at how quickly and how often they were probed. And now sites expecting to "see" my public IP addresses are happy. All in all, I'm very pleased with pfSense. My praises to all involved in making it such a useful, flexible, and effective product!
  • Proxy blocked by firewall

    Locked
    0 Votes
    7 Posts
    3k Views
    Thanks, it's working. The problem was that WAN LAN selection. I didn't think about it :) Thanks again
  • Traffic shaping OPT1 slows LAN interface

    Locked
    0 Votes
    3 Posts
    2k Views
    ahh. sorry i did see that but i read that to mean it would only shape one interface, not that it doesn't work at all if you have multiple interfaces. thanks for the reply, at least i know
  • Force FTP to use a particular WAN Interface

    Locked
    0 Votes
    9 Posts
    4k Views
    JeGrJ
    Ouch. OK I'll leave this as "has to be done like it's done" until we are at 1.3beta/rc. But thanks for the message.
  • How to make all port 80 http traffic go through isp proxy server

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Unable to block traffic from and to opt1 from lan

    Locked
    0 Votes
    9 Posts
    3k Views
    After some experimenting on vmware i found out the problem. When using the 1.2 version of 26 feb there is no problem and everything works as expected. However when using the 1.2 version of 23 Apr with the bountyshaper, the firewall rules on opt1 have no effect.
  • Pfsense lan ip

    Locked
    0 Votes
    9 Posts
    4k Views
    Oh, I think what the original poster is saying is he doesn't want the name of the firewall to show up in the traceroute? That comes from the reverse DNS, on the System -> General page you have it set to pfsense.local so when you traceroute and it does a reverse DNS lookup that's what you get. You can change the name there to have it show up as something else but there really isn't any point in that at all, you should be able to broadcast to the world what firewall you're using without any security risk. Especially when that's just on your internal network.
  • MOVED: ping:sendto:Operation not permitted

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • How to pass ping to PC on LAN

    Locked
    0 Votes
    3 Posts
    6k Views
    Thanks dotdash, I set up a virtual IP, then did a 1:1 from the WAN subnet to the LAN subnet, then passed ICMP from the WAN to the PC and by-golly, it worked. Thanks again!
  • Restricting domain areas

    Locked
    0 Votes
    2 Posts
    2k Views
    If you install the Squid and SquidGuard package, you will be able to create ACLs for specific URLs.
  • Log filtering and exporting

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Pfsense firewall configuration file

    Locked
    0 Votes
    6 Posts
    8k Views
    JeGrJ
    You can try first with some port other than 80 (e.g. 443 or 25) and test if that rule works. It should work with the given settings and * as gateway though. Before you check the "disable anti-lockout rule" box, make sure you have a rule in place to access the webgui from a specific ip or the complete net (destination: lan address) or you will lock yourself out of the webgui completely.
  • Using rules to slow down traffic

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Network/Subnet Confusion - Separating LAN and OPT1

    Locked
    0 Votes
    6 Posts
    3k Views
    Hi, Sorry for late reply - I don't get to my pfSense box too often to check rules. Yep - I'm a monkey - I had my subnets round wrong way - source and destination mixed up. Subnets are now isolated as per rules in my first post. :D Next time I'll double check my own notes and this forum. (I'll soon have pfSense box and servers locally, which will speed my development/breaking things up!=) Thanks for your help - these forums are prolly one of the most useful/friendly for this stuff and in general!!! Now I just have to work out how to allow my email server (on LAN) to dish out its SSL cert without bumping off every other SSL session I try to start in web browser (on OPT1) eg other web based email, online banking sessions etc. Must be how I set the certificate's domain? It stopped as soon as I killed the NAT and auto-created rule for email servers SSL port (443), but now I'm without email. =) I'd better ask this on another forum - I'm not sure I can fix this with pfSense. If anyone has any ideas how to fix this with pfSense - just tell me, and I'll start another thread. Thanks again! :D
  • Destination server IP ?

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.