Try with ftp helper enabled and disabled at interfaces>lan.

I'm not sure if you really know what you want to setup here or how you have to set it up. I guess you want to have seperation between the vlans (firewall them against each other). For this you have to create a vlan trunk to the pfSense. The switchport on the cisco, that links to the pfSense has to tag traffic (IEEE 802.1Q, not the cisco vlan protocol) and has to have all the other vlans enabled (vlan1, vlan2, vlan3, vlan4). At the pfSense you have to create all the vlans as well and assign each vlan as interface. The additional ports on the cisco should be portbased (untagged or "native" like cisco calls it iirc) vlanmembers of only the vlan they belong to (so either vlan1 or vlan2 or vlan3…). I have that exact setup at the office with 7 vlans. This way all the segments will be routed and firewalled by the pfSense.

@cmb: Still haven't had any issues with mine, not sure what to tell you. The 1.2.1 release will be based on FreeBSD 6.3 which has an improved Atheros HAL, you might have better luck at that point. Others who have tried it have noticed a number of problems are no longer issues. There isn't an embedded image available or I'd give you a link. If you want an iso for a full install let me know, there is one of those available. I reloaded the firmware on the touch a few times and it somehow magically fixed things.  At this point I think its an Apple issue that may have been resolved in the 1.1.4 update. Greetings from the middle of everything in KY, Louisville.   ;D  I see you have a Logan Telephone email address, one company I work for has a location serviced by Logan Telephone in Radcliff, guess you aren't too far away. Though the project and its contributors span the globe, Louisville is the world headquarters of pfSense. Scott and I, the founders, are both here. Radcliff is about two hours away.  I'm about 30 miles to the west of Bowling Green over near Morgantown.

@ShadowLab: …teaser timeframe for 1.3?  ;D When it's done  ;D .. alphas/betas might appear sooner of course and you will be welcome to test once they are out. However we plan to not have such a long gap to 1.3 like between the 1.0.1 and 1.2 Release. We are not hunting for deadlines though.

:D

Havok, although VPN is a good idea, but i prefer to tunnel thru ssh…  ;) anyway, i got it... i just have to uncheck the NAT reflection on the Advanced tab... provided with the right NAT rules and port forwarding, i finally had it working... thanx for all your reply and suggestions :) allison

aha, okej, thnx anyway, i fixt it by restarting the whole system.

is your wlan interface bridged to lan and lan has no link?

thanks, it helped. it was my mistake.

external interface has to be the interface IP. "any" is for rather special needs and should not be used usually. I'm out of clues  ::)

Unfortunately, I have issues running squid in transparent mode (have a post in the packages forum about it) so for now that is not working for me :(

Active mode should work if the ftphelper is enabled at interfaces>lan (if your client is behind lan). However as ftp is such a dump protocol I wouldn't expect active mode to work in a lot of locations anyway. Read up on wikipedia like gruensfroeschli suggested if you want to know why this protocol has so much issues with nat and firewalls.

@fs1: Is there a way I can allow only certain email domains inbound before I forward email to the mail server? Thanks no, you can only block on ip address using pfsense

Thanks again, it works perfectly!!! You guys are geniuses!

My game server is running fine, replacing pfsense with a basic router that have 4 LAN ports readily solves the problem. But if under pfsense, problem exists. But i still want to use pfsense because i want to filter some WAN IP's trying to connect to my server without my authorization. Such features is not present in many commercial routers available. Any other suggestions please, to resolve my problem? Do you know of any routers that can block specific public IP adresses from connecting to a game server. Thank you very much.

that worked great!  Thanks for the help.

Well the message basically just tells you that traffic which should not be there has been blocked :) Nothing serious. Just ignore it ^^" But having multiple subnets on the same physical layer is just really bad practice and only leads to problems.

You're right, not emailed. Just being able to log the port scans somewhere in order view them when time permits. Web interface would be great although not necessary.