• <- LITTLE TRICK ->

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    When creating posts, use a subject line that has something to do with what you are posting.  "LITTLE TRICK" has absolutely nothing to do with your post(s).

  • Firewall Rules Dont Work when using Cisco VPN

    Locked
    4
    0 Votes
    4 Posts
    2k Views

    Configure split-tunneling on the Cisco side.  That'll take care of your issue.

  • Access WEBGUI (against)

    Locked
    10
    0 Votes
    10 Posts
    4k Views

    The DMZ itself doesn't need any rules at all (unless you need to access something from that web server itself). Just use port forwards and firewall rules at WAN to make the server reachable on port 80 (HTTP). The reverse direction is then handled by the state that is created by the incoming connection at WAN.

  • Simple vlan help

    Locked
    32
    0 Votes
    32 Posts
    14k Views

    The management VLAN that I assigned the management to has 5 ports in it and I set the IP address to the same subnet.  I am going to try it again tonight. I may have just made a typo.  At least I have the configuration backup this time so I don't have to re-input everything again.
    At the moment I am running 15 VLANs with pfSense on an Alix WRAP box with everyone in their own subnet.
    It is a cheap alternative for a small assisted living center that has thirteen apartments.
    I believe I got this done for a total of $350 US, not counting labor.
    Second thought: does the management VLAN need to be the same as the one the uplink port is in?
    Again, thanks for everyone's help. The next time I do this it will be a lot easier.
    CaT

  • Connection limit question

    Locked
    8
    0 Votes
    8 Posts
    3k Views

    Hehe, yeah, I will tune it later :)

  • Bridged LAN connection and rules

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    I would chain the switches together. This will take some load off the firewall, and a switch should usually have a lower delay in passing packets as well. Throughput on the pfSense between the 2 gigabit links also depends on bus speed and CPU power, as all packets have to be processed. Uplinking the switches to each other is much better unless you need some firewalling between the 2 switches.

    And yes, you usually need rules on all interfaces if you keep it as it is. Otherwise a transparent firewall would not be possible. There is a setting at System > Advanced, though, that you need to turn on to do so.

  • Problem with firewall disrupting VPN connection

    Locked
    5
    0 Votes
    5 Posts
    3k Views

    Ermal is working on improving PPTP at the moment, but it still takes some further work. PPTP pass-through has a limitation where you can't connect with multiple clients to the same server at WAN simultaneously, and PPTP pass-through won't work at all if the PPTP server at the pfSense that you are going through is enabled. Besides that, PPTP usually works without issues.

  • Need Help Setting Up DMZ - Close to giving up on pfSense

    Locked
    19
    0 Votes
    19 Posts
    18k Views

    I have it figured out now.

    I set my DMZ to bridge with the WAN and then made sure that bridge filtering was enabled.

    Then I set the rules for WAN -> DMZ and DMZ -> WAN accordingly and now everything is working 100%.

    Next tough thing is going to be migrating the web data to the new servers on the new IPs.  But I guess that would be right for another forum? Anyone here have any experience with migrating shopping carts from one server to another during a DNS migration?

  • Aliasis on lan and internet

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jahonix

    RC3 is rather old. You should upgrade (reinstall on embedded) to the 1.2 release!

    But I don't get your use of aliases.
    They are NOT supposed to spoof LAN subnets where you don't have them physically. They are only a shortcut for stuff that's already there!
    If you need additional subnets and run out of interfaces, go for VLANs on a VLAN-capable switch!

  • Hide workstations on LAN

    Locked
    8
    0 Votes
    8 Posts
    3k Views

    It's a good solution, as you said.

    I'll try that.

    thank you

  • Help with VNC and NAT error @357

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    Are you sure your NAT and the corresponding firewall rule are correct? You need a firewall rule on top of your NAT or it won't work (though it will be auto-created unless you untick the box when creating the port forward). Just in case: if you added the port forward from 5900 to 5900 when you created it and changed it to that other port later by editing it, the auto-created firewall rule won't be changed automatically. You will have to change that manually as well. The rule that triggers your block is the invisible default block-all rule present at each interface, as everything that is not explicitly allowed will be blocked.

  • Proxy pass tho strange problem

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Disable logging for certain traffic type?

    Locked
    2
    0 Votes
    2 Posts
    1k Views

    Never mind, I just created a LAN rule to block the traffic and not log it. It doesn't need to pass the firewall anyway.

    Thanks!

  • Strange state in states table - not sure is this proper place to ask?

    Locked
    6
    0 Votes
    6 Posts
    2k Views

    I have tested and your advice is correct. It is working now.

    TNX

    Sasa

  • Transparent Firewall Passing All traffic from WAN -> LAN?!?

    Locked
    6
    0 Votes
    6 Posts
    3k Views

    @hoba:

    The PPTP rule at http://fw-test.alphatheory.com/fw2.png has any as destination port. For PPTP you only need TCP 1723 (and the GRE protocol), not any. Any opened it up completely (at least for TCP traffic).

    Thanks. I can't believe I fat fingered that. I re-created the rules and re-tested and I apparently created them right this time because VPN traffic is working and the GRC scan is showing everything like it should.

    Whew, I was worried for a bit.

    Thanks everyone!
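    The two mistakes discussed in the "Help with VNC and NAT error" and "Transparent Firewall Passing All traffic" threads above (a port forward whose auto-created firewall rule went stale after editing, and a WAN pass rule whose destination port was left at "any") are both easy to catch by auditing the rule set. The script below is an added example and is not pfSense code: it uses a simplified, constructed model of the Firewall > NAT > Port Forward and Firewall > Rules entries (the dataclasses, sample IPs and descriptions are all assumptions), and it checks that every port forward has a pass rule matching the translated destination and that no WAN TCP/UDP pass rule admits every port.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class PortForward:
    """A Firewall > NAT > Port Forward entry (simplified, assumed model)."""
    iface: str
    proto: str          # "tcp", "udp" or "tcp/udp"
    ext_port: int       # port clients connect to on the WAN address
    target_ip: str      # internal host the traffic is redirected to
    target_port: int    # port on that host


@dataclass(frozen=True)
class Rule:
    """A Firewall > Rules entry (simplified). None for dst/dst_port means 'any'."""
    iface: str
    action: str         # "pass" or "block"
    proto: str          # "tcp", "udp", "tcp/udp", "gre" or "any"
    dst: Optional[str]
    dst_port: Optional[int]
    descr: str = ""


def protos(p: str) -> Set[str]:
    """Expand a protocol field into the set of protocols it matches."""
    return {"tcp", "udp", "gre", "icmp"} if p == "any" else set(p.split("/"))


def rule_covers(rule: Rule, iface: str, proto: str, dst: str, port: int) -> bool:
    """Does this rule pass traffic to dst:port on iface?

    pf applies the rdr (port forward) before the filter, so the pass rule
    must match the *translated* destination: target host and target port.
    """
    return (rule.iface == iface and rule.action == "pass"
            and proto in protos(rule.proto)
            and rule.dst in (None, dst)
            and rule.dst_port in (None, port))


def audit(forwards: List[PortForward], rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for the two mistakes from the threads."""
    findings: List[Tuple[str, str]] = []

    # 1. A port forward with no matching pass rule is hit by the invisible
    #    default block rule on that interface.
    for fwd in forwards:
        for proto in protos(fwd.proto):
            if not any(rule_covers(r, fwd.iface, proto, fwd.target_ip, fwd.target_port)
                       for r in rules):
                findings.append(("forward-without-rule",
                                 f"{fwd.iface} {proto}/{fwd.ext_port} -> "
                                 f"{fwd.target_ip}:{fwd.target_port} has no matching "
                                 f"pass rule; the default deny will block it"))

    # 2. A WAN pass rule for TCP/UDP with destination port 'any' opens every
    #    port on the destination, not just the service it was written for.
    for r in rules:
        if (r.iface == "WAN" and r.action == "pass" and r.dst_port is None
                and protos(r.proto) & {"tcp", "udp"}):
            findings.append(("wan-pass-any-port",
                             f"{r.descr or r.proto}: destination port 'any' on WAN "
                             f"opens every {r.proto} port on {r.dst or 'any host'}"))
    return findings


# Constructed sample data (assumed addresses, not from the threads).
SAMPLE_FORWARDS = [
    # Created as 5900 -> 5900, then edited to target port 5901 afterwards.
    PortForward("WAN", "tcp", 5900, "192.168.1.20", 5901),
    PortForward("WAN", "tcp", 80, "192.168.2.10", 80),
]
SAMPLE_RULES = [
    Rule("WAN", "pass", "tcp", "192.168.1.20", 5900, "NAT VNC"),  # stale auto-created rule
    Rule("WAN", "pass", "tcp", "192.168.2.10", 80, "NAT web"),
    Rule("WAN", "pass", "tcp", "203.0.113.5", None, "PPTP"),      # should be port 1723
    Rule("WAN", "pass", "gre", "203.0.113.5", None, "PPTP GRE"),  # GRE has no ports
]
FIXED_RULES = [
    Rule("WAN", "pass", "tcp", "192.168.1.20", 5901, "NAT VNC"),
    Rule("WAN", "pass", "tcp", "192.168.2.10", 80, "NAT web"),
    Rule("WAN", "pass", "tcp", "203.0.113.5", 1723, "PPTP"),
    Rule("WAN", "pass", "gre", "203.0.113.5", None, "PPTP GRE"),
]


def sample_findings() -> List[Tuple[str, str]]:
    """Audit the constructed sample: one stale NAT rule, one over-broad PPTP rule."""
    return audit(SAMPLE_FORWARDS, SAMPLE_RULES)


if __name__ == "__main__":
    for kind, detail in sample_findings():
        print(f"[{kind}] {detail}")
    print("fixed rule set findings:", audit(SAMPLE_FORWARDS, FIXED_RULES))
```

    Running it reports the VNC forward as unreachable (its auto-created rule still says 5900) and the PPTP rule as opening all TCP to the firewall's WAN address; the corrected rule set produces no findings. Note that an over-broad "any port" rule can also mask a stale NAT rule, which is one more reason to keep WAN pass rules to the exact port.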

  • FTP being blocked on LAN

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    Try with the FTP helper enabled and disabled at Interfaces > LAN.

  • Vlan with pfsense

    Locked
    5
    0 Votes
    5 Posts
    14k Views

    I'm not sure if you really know what you want to set up here or how you have to set it up. I guess you want to have separation between the VLANs (firewall them against each other). For this you have to create a VLAN trunk to the pfSense. The switch port on the Cisco that links to the pfSense has to tag traffic (IEEE 802.1Q, not the Cisco VLAN protocol) and has to have all the other VLANs enabled (vlan1, vlan2, vlan3, vlan4). At the pfSense you have to create all the VLANs as well and assign each VLAN as an interface. The additional ports on the Cisco should be port-based (untagged or "native", as Cisco calls it, IIRC) VLAN members of only the VLAN they belong to (so either vlan1 or vlan2 or vlan3…). I have that exact setup at the office with 7 VLANs. This way all the segments will be routed and firewalled by the pfSense.

  • IPod Touch - Timeout Issues

    Locked
    6
    0 Votes
    6 Posts
    3k Views

    @cmb:

    Still haven't had any issues with mine, not sure what to tell you. The 1.2.1 release will be based on FreeBSD 6.3 which has an improved Atheros HAL, you might have better luck at that point. Others who have tried it have noticed a number of problems are no longer issues. There isn't an embedded image available or I'd give you a link. If you want an iso for a full install let me know, there is one of those available.

    I reloaded the firmware on the touch a few times and it somehow magically fixed things.  At this point I think it's an Apple issue that may have been resolved in the 1.1.4 update.

    Greetings from the middle of everything in KY, Louisville.   ;D  I see you have a Logan Telephone email address, one company I work for has a location serviced by Logan Telephone in Radcliff, guess you aren't too far away. Though the project and its contributors span the globe, Louisville is the world headquarters of pfSense. Scott and I, the founders, are both here.

    Radcliff is about two hours away.  I'm about 30 miles to the west of Bowling Green over near Morgantown.

  • Can I block all IPs from a list that is updated daily? (eg. Peerguardian)

    Locked
    6
    0 Votes
    6 Posts
    3k Views

    @ShadowLab:

    …teaser timeframe for 1.3?  ;D

    When it's done  ;D

    Alphas/betas might appear sooner, of course, and you will be welcome to test once they are out. However, we plan not to have such a long gap to 1.3 as between the 1.0.1 and 1.2 releases. We are not hunting for deadlines, though.

  • I cannot explain that

    Locked
    10
    0 Votes
    10 Posts
    5k Views

    :D

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.