• WebGui Access from WAN2

    Locked, 0 Votes, 11 Posts, 3k Views
    I just remembered, I also have another network on OPT3 (192.168.6.0/24). I could not access the web gui via 192.168.6.1 (OPT3 IP). Do I need to open up rules to the web gui on that interface also?
  • PBUCON

    Locked, 0 Votes, 19 Posts, 7k Views
    Just for fun I downloaded the latest live iso and used it with another machine and entered the rule, it did not work either. :'(
  • Subnet with no firewall

    Locked, 0 Votes, 6 Posts, 3k Views

    Proto    source     port    destination    port    gateway    Schedule    Description
    *        *          *       *              *       *                      DMZ

    So setting the above for an interface ('Choose on which interface packets must come in to match this rule.') will mean that interface is no longer firewalled. Thanks :)

    PS. It's also worth mentioning, in case anyone uses this, that it would be important to stop the above interface 'talking' to the LAN like this:

    Proto    source     port    destination    port    gateway    Schedule    Description
    *        DMZ net    *       ! LAN net      *       *                      Permit DMZ to any BUT LAN
  • Access DMZ to WAN

    Locked, 0 Votes, 13 Posts, 6k Views
    This works perfectly, thanks a lot!
  • DNS names in firewall rules…

    Locked, 0 Votes, 4 Posts, 5k Views
    It's in 1.3 already.
  • <- LITTLE TRICK ->

    Locked, 0 Votes, 3 Posts, 2k Views
    When creating posts, use a subject line that has something to do with what you are posting. "LITTLE TRICK" has absolutely nothing to do with your post(s).
  • Firewall Rules Don't Work when using Cisco VPN

    Locked, 0 Votes, 4 Posts, 2k Views
    Configure split-tunneling on the Cisco side. That'll take care of your issue.
  • Access WEBGUI (against)

    Locked, 0 Votes, 10 Posts, 4k Views
    The DMZ itself doesn't need any rules at all (unless you need to access something from that webserver itself). Just use port forwards and firewall rules at WAN to make the server reachable on port 80 http. The reverse direction is handled by the state that is created by the incoming connection at WAN then.
  • Simple vlan help

    Locked, 0 Votes, 32 Posts, 14k Views
    The management VLAN that I assigned the management to has 5 ports in it and I set the IP address to the same subnet. I am going to try it again tonight. I may have just made a typo. At least I have the configuration backup this time so I don't have to re-input everything again. At the moment I am running 15 VLANs with pfSense on an Alix wrap box with everyone in their own subnet. It is a cheap alternative for a small assisted living center that has thirteen apartments. I believe I got this done for a total of $350 US dollars, not counting labor. Second thought: does the management VLAN need to be the same as the one the upload port is in? Again, thanks for everyone's help. The next time I do this it will be a lot easier. CaT
  • Connection limit question

    Locked, 0 Votes, 8 Posts, 3k Views
    Hehe, yeah, I will tune it later :)
  • Bridged LAN connection and rules

    Locked, 0 Votes, 2 Posts, 2k Views
    I would chain the switches together. This will take some load from the firewall and a switch should usually have a lower delay in passing packets as well. Throughput on the pfSense between the 2 gigabit links also depends on bus speed and CPU power as all packets have to be processed. Uplinking the switches to each other is much better unless you need some firewalling between the 2 switches. And yes, you usually need rules on all interfaces if you keep it as it is. Otherwise a transparent firewall would not be possible. There is a setting at system>advanced though that you need to turn on to do so.
  • Problem with firewall disrupting VPN connection

    Locked, 0 Votes, 5 Posts, 3k Views
    Ermal is working on improving PPTP atm but it still takes some further work. PPTP through has a limitation where you can't connect with multiple clients to the same server at wan simultaneously and PPTP through won't work at all if the PPTP server at the pfSense that you are going through is enabled. Besides that PPTP works without issues usually.
  • Need Help Setting Up DMZ - Close to giving up on pfSense

    Locked, 0 Votes, 19 Posts, 18k Views
    I have it figured out now. I set my DMZ to bridge with the WAN and then made sure that bridge filtering was enabled. Then I set the rules for WAN -> DMZ and DMZ -> WAN accordingly and now everything is working 100%. Next tough thing is going to be migrating the web data to the new servers on the new IPs. But I guess that would be right for another forum? Anyone here have any experience with migrating shopping carts from one server to another during a DNS migration?
  • Aliases on lan and internet

    Locked, 0 Votes, 2 Posts, 2k Views
    jahonix
    RC3 is rather old. You should upgrade (reinstall on embedded) to 1.2 Release! But I don't get your aliases use. They are NOT supposed to spoof LAN subnets where you don't have them physically. They are only a shortcut for stuff that's already there! If you need additional subnets and run out of interfaces go for VLANs on a VLAN capable switch!
  • Hide workstations on LAN

    Locked, 0 Votes, 8 Posts, 3k Views
    It's a good solution you said. I'll try that. Thank you.
  • Help with VNC and NAT error @357

    Locked, 0 Votes, 3 Posts, 2k Views
    Are you sure your NAT and the according firewall rule is correct? You need a firewall rule on top of your NAT or it won't work (though it will be auto-created unless you untick the box when creating the port forward). Just in case you added the port forward from 5900 to 5900 when you created it and changed it to that other port later by editing it, the auto-created firewall rule won't be changed automatically. You will have to change that as well manually. The rule that triggers your blog is the invisible default block all rule present at each interface, as everything that is not explicitly allowed will be blocked.
  • Proxy pass tho strange problem

    Locked, 0 Votes, 1 Posts, 1k Views
    No one has replied
  • Disable logging for certain traffic type?

    Locked, 0 Votes, 2 Posts, 1k Views
    Never mind, I just created a LAN rule to block the traffic and not log it. It doesn't need to pass the firewall anyway. Thanks!
  • Strange state in states table - not sure is this proper place to ask?

    Locked, 0 Votes, 6 Posts, 2k Views
    I have tested and your advice is correct. It is working now. TNX Sasa
  • Transparent Firewall Passing All traffic from WAN -> LAN?!?

    Locked, 0 Votes, 6 Posts, 3k Views
    @hoba: The PPTP rule at http://fw-test.alphatheory.com/fw2.png has any as destination port. For PPTP you only need TCP 1723 (and the GRE protocol), not any. Any opened it up completely (at least for TCP traffic). Thanks. I can't believe I fat fingered that. I re-created the rules and re-tested and I apparently created them right this time because VPN traffic is working and the GRC scan is showing everything like it should. Whew, I was worried for a bit. Thanks everyone!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.