  • Trouble with outbound traffic with vlans

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    H

    Yes, I think you got it right now :)

  • Configuring the firewall

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H

    Rules are always applied inbound per interface. So if you want to drop traffic from WAN to LAN, the rules have to go to the WAN tab. If you want to drop traffic from LAN to WAN, rules go to the LAN tab. There are no "out" rules in pfSense, they are all "in", or in other words think of an "allow anything out rule" on every interface by default. Applying your own pf configuration is not supported, as the webconfigurator will generate and overwrite everything on bootup or changes through the webgui again.

  • How do I set up pfsense to allow Modem on wan to ping internal interface

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    G

    Can you detail the changes I require? Sorry, I'm still learning lots of this platform! Thanks!

  • Rules not applying/loading

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    J

    @hoba:

    Existing connections won't be blocked until they time out or are reset. This has always been that way since the very first alpha release of pfSense. If you want to make sure existing connections are dropped, reset states at diagnostics>states, reset states tab. A block rule only blocks creating new states but doesn't drop existing ones.

    Interesting.  Thank you for clarifying.  I will test this.

  • Dual WAN/Load Balance/Failover …. can't connect to FTP Server?

    Locked
    3
    0 Votes
    3 Posts
    7k Views
    H

    enable the ftp helper at interfaces>lan
    create a rule at firewall>rules, lan: pass any protocol, any source to destination 127.0.0.1, gateway default
    save, apply
    diagnostics>states, reset states

    ftp will work now.

  • How to change rules using ssh

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    H

    right, you can use it for rdp, vnc, pop3, whatever…

  • Layer 2 filtering.

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H

    Not really though you might be able to get some kind of filtering by using the dhcpserver with static leases and the static ARP option but on a bridge….not sure. Not really a solution for your requirements...

  • Trouble blocking access to pfSense server from LAN

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    T

    That was it, knew it would be simple. Thank you very much.

  • 0 Votes
    4 Posts
    6k Views
    T

    You're right on all accounts. There are limitations I am dealing with regarding certain areas of my network that prohibit me from full blown RADIUS authentication on all switch ports, which I would love. This was my attempt at a stop-gap solution.

    I'll consider adding another NIC, that's not outside the realm of possibility.
    And for the record, I am able to set up DHCP lease subnets separate from my reservations, all in Windows Server 2k3. I use PFsense DHCP on other networks.

    Thanks for the speedy reply. You rock.

  • 0 Votes
    7 Posts
    17k Views
    G

    Your best bet is probably, like mentioned above, to assign a different port and do port-based dnat (port forwarding) to your internal servers based on their ports.

    Example:

    Map 3389 to your Internal server (192.168.0.5)
        3390 to another machine (192.168.0.6)
        3391 to another machine … etc..

    Then, using MSTSC, you can specify an alternate port by using the WAN_IP:port syntax (64.34.153.10:3390)

    But it would be considered a better practice to open these ports through a VPN (PPTP works well) or at the very least, limit access to a given source IP address.

    Guillaume Bélanger
    http://www.exosource.com

  • What is this error?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    H

    The frickin pptp proxy listens on the loopback address (127.0.0.1) so all traffic running to tcp port 1723 is redirected to it. However this package is not stable yet so you shouldn't use it atm.

  • Understand FTP - need help with solution

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    H

    and you can take a look also at this thread

    http://forum.pfsense.org/index.php/topic,7096.0.html
    Greetings
    Heiko

  • Default Block

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    J

    thanks

  • Don't have a clue

    Locked
    10
    0 Votes
    10 Posts
    3k Views
    GruensFroeschliG

    Cool
    Maybe I just got used to having to create all AoN rules myself since I use OpenVPN on almost every pfSense I have in action :)

  • Multiple Public Ips, single Wan and… FTP!

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    dotdashD

    There should be no issues with enabling the ftp helper on the LAN interface- the LAN isn't using a Proxy-ARP. Try checking the box to enable ftp helper on the LAN and re-test an outgoing ftp connection.

  • Firewall blocks not working

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    R

    Hello,
    you are correct, these are sends.

    thanks, looks like problem is on my end.

  • Filtering bridge and tcpdump on other hosts

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    E

    It is a transparent bridge. Or in poor words it is a piece of copper to the network.

    Only your switch is forwarding wrong traffic or the provider is doing something else or ….

  • Two WAN speed limit issue

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jahonixJ

    Is there a Chinese forum yet?

    whois 163.com
    Netease.com, Inc.
    8FL, Netease Building,  No 16, KeYun Rd
    ZhongShan Av. GuangZhou IT Harbor
    Guangzhou, Guangdong 510665
    CN

  • Making a Rule for WAN access ONLY

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jahonixJ

    You're missing the aliases.

    Create one that contains all your undesired subnets and make an "allow all BUT alias" rule for your OPT1 IF.

  • Scheduled rules not working according to schedule

    Locked
    17
    0 Votes
    17 Posts
    9k Views
    H

    No, you need cron items in your config. Please download and test it with rc5, I cannot duplicate this problem.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.