• VLAN help needed

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • No DNS resolving on Transparent Bridge with different LAN IP

    Locked
    0 Votes
    10 Posts
    5k Views

    @GruensFroeschli:

    I think you misunderstood me.
    The clients don't go over the bridge to reach the DNS server.
    Since they don't go over the bridge to resolve a name, I suspect the problem lies with your DNS.

    No indeed, I misunderstood you… forums are nice to solve that :)

    Before I had the bridge in there, DNS resolving was no issue at all; my servers can resolve on my DNS servers, but when I remove that IP on the LAN side... they can't anymore.

    Strange is also that when I remove both the WAN and LAN IP, there is no traffic possible at all anymore, so this is confusing too.

    Before I put the transparent bridge between the VLANs on the switch, I tested this whole environment with a cross cable instead of the pfSense box, which actually worked well.

    So I'm looking at the pfSense part that might not be the best solution because there can be something in between.

  • Cant access mails in DMZ

    Locked
    0 Votes
    16 Posts
    7k Views

    @sullrich:

    Have you tried enabling static port for these interfaces?

    It took me some time to thank you, because I had to arrange some time to set up a new test box (I am afraid to do the tests on a production box and to use features that are not well documented: disable Automatic outbound NAT rule generation … and so on).

    I am sorry, but I think it still does not work when done this way!

    I wonder why a firewall with such rich and powerful features as “CARP/VIPS”, “VPN”, “Bridging”, “Virtual IPs”, “OLSR”, “RIP”, “UPnP”, and so on, fails at doing so simple a thing as knowing which network cards are plugged in (network interfaces) and their (range of) IPs, and routing the traffic between them accordingly…???

    Here is how I set up and solved this (my) problem.

    I put in another box to pass back the traffic that I wanted to pass from one LAN to another, and on this new box I opened the ports/services needed. This way worked for me.

    Here is my NEW network diagram:

    Internet
                                    |
                                    |   
                              10.1.0.1            10.1.0.2
                              pfsense_box_1  pfsense_box_2
                                    |  |              /      | 
                                    |  |            /      |         
                                    |  |            /        |         
                                    |  |          /        |         
      192.168.2.1/24 |  |/192.168.1.1/24
              |  ___________________ /          |
              | |                                          |
              LAN2                                      LAN
          | |
    _____                      |
          |      |              |                    more_Clients
    Clients  service_1  service_2

    I will now go and repeat the tests again, NOW with RC4, to see if this issue is solved in RC4; if I have some time I will post the results here later.

    But thank you for this great software. I was looking for a firewall, went through a couple of available ones (Smoothwall, m0n0wall, IPCop, etc.), but settled for this one. I’m running it on a Pentium III/450 MHz box and have been very pleased with it!!, with some bugs and exceptions.

  • Lotus note not going through pf

    Locked
    0 Votes
    2 Posts
    2k Views

    Checked your logs? Turn on logging and see what's blocking it.

    /f

  • How can I disable NAT and the firewall for one IP on my network

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Outbound traffic from DMZ not routing to Internet

    Locked
    0 Votes
    4 Posts
    38k Views

    UPDATE: I moved the server to the LAN and was able to get out from the server to the Net. Then I changed my 1:1 NAT settings from DMZ addresses to LAN addresses for my server, and I could no longer get out. So it seems the issue is the 1:1 NAT settings. In m0n0wall I used proxy ARP to solve this issue, but I don't see that panel in pfSense. What should I do?

    UPDATE: Ah, I got it. Proxy ARP is under Virtual IPs in pfSense. All working now.

  • States at 9986/10000 and connection is slow…

    Locked
    0 Votes
    12 Posts
    6k Views

    If you're talking about the Clearwire that provides wireless internet, that is your problem. You have high latency and high packet loss. You also have a fair usage system built into it that slows your connection down when you download too much. Bi-directional traffic will slow you way down also with an asynchronous link. Add to that a poorly behaved p2p application and you have a standstill traffic jam. You can increase the session states, and set the rules to aggressive, but I doubt it will completely fix it. You'll need to do some reading in the traffic shaping section.

  • Filtering Bridge not really filtering anything.

    Locked
    0 Votes
    2 Posts
    2k Views

    Maybe I'm mistaken, but can it be because you forgot to turn off the DHCP from the access point?

  • Page can't display when enter hotmail and microsoft

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Block bogon networks - WARNING

    Locked
    0 Votes
    3 Posts
    8k Views

    Some version that was available at the time, I was upgrading quite frequently.

    In any case, this was a very serious impairment that I would not risk causing again. If it was only my home network, I would enable it without doubt, but it's bad for business! :))

    Even if your downloading script would be working correctly I also would have to rely on the site where you are downloading it from to update new IP assignments, etc.

    But thank you for great software – some 2 years ago I was looking for a firewall, went through a couple of available ones ipcop, etc, but settled for this one, it was version 0.9 something. I’m running it on an older Biostar iDEQ small box and have been very pleased with it!!, with one exception. ;)

  • Pfsense behind linksys router

    Locked
    0 Votes
    15 Posts
    19k Views
    jahonix

    Well, I have it the other way round.
    pfSense in front and a Linksys WRT54GL with DD-WRT acting as AP and doing some stuff in a DMZ.
    This way I can allow guests access to the INet and not touching …  ;-)

    pfSense talks directly to the DSL modem and acts as PPPoE client. This way I have all the benefits from having pfSense's WAN public.

    FWIW.

  • Reply packets in logs

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Improving the GUI for using VLANs - bounty proposal

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • How do i get Transparent Squid Proxy working?

    Locked
    0 Votes
    4 Posts
    12k Views

    I can't really say I've had any problems with transparent proxy, but then again I'm pretty new to this firewall too.

    If you are looking to block access to questionable web sites, you might want to try the SquidGuard package.  It allows you to white/black list any site you want.  The package is not quite production ready when it comes to end-user experience, but it works.

  • IP Subnetting

    Locked
    0 Votes
    3 Posts
    3k Views

    That's what I thought - thanks for the verification. My gateway is at .65 so it's on the same subnet as the WAN interface. I can't use a 1:1 NAT (like I am now) because I have a mail server running in one of the DMZs and I've had mail rejected because RDNS fails since the header says the originating IP is 192.168.xxx.xxx.

  • How do I externally access an Apache server thats behind pfSense

    Locked
    0 Votes
    6 Posts
    5k Views

    @GruensFroeschli:

    I've added a NAT rule in pfSense to port forward ports 80 and 443 to the internal IP address of the Apache PC but this hasn't changed anything.

    I thought you did that.
    If not: yes you need it.

    Sorry, yes, I had done that; I was just inquiring whether it was necessary.

    OK, I seem to have it working now anyway. I did a reset of the state table and I can now access the Apache landing page on http and https. Glad it was that easy in the end, thought it was going to be like the headache I went through setting up the multi-WAN load balancer, lol.

  • Is this doable? Automatically block if outgoing connection not allowed

    Locked
    0 Votes
    4 Posts
    3k Views
    jahonix

    Nice idea.

    Since modern malware does way more than just connect to a single server by its IP it is kind of useless.
    There are server farms out there (bot nets) that get addressed by round robin methods from DNS. They just don't care if you block an IP, they are pretty failsafe. Unfortunately!

    Include this in your reading about bot nets: http://www.heise-security.co.uk/

  • Problem blocking ip and with outgoing ftp connections

    Locked
    0 Votes
    4 Posts
    2k Views

    I've tried to verify the rule also by making a connection to the IP and I've the same result.

    Any suggestion?

    Regards

  • Which occurs first: Static routing or fw rule?

    Locked
    0 Votes
    9 Posts
    3k Views
    GruensFroeschli

    I think the expression
    "Choose which interface this route applies to."
    means on which interface the traffic will be sent to the specified gateway.
    So you select here the interface on which the subnet in which your router to the other subnet is.
    In your case that would be Opt1.

  • Problems to allow FTP server at internet.

    Locked
    0 Votes
    2 Posts
    1k Views

    Please use this thread as a reference:
    http://forum.pfsense.org/index.php/topic,7096.0.html

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.