• Firewall blocks not working

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    R
    Hello, you are correct, these are sends. Thanks, looks like the problem is on my end.
  • Filtering bridge and tcpdump on other hosts

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    E
    It is a transparent bridge. Or in poor words it is a piece of copper to the network. Only your switch is forwarding wrong traffic or the provider is doing something else or ….
  • Two WAN speed limit issue

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jahonixJ
    Is there a Chinese forum yet? whois 163.com Netease.com, Inc. 8FL, Netease Building,  No 16, KeYun Rd ZhongShan Av. GuangZhou IT Harbor Guangzhou, Guangdong 510665 CN
  • Making a Rule for WAN access ONLY

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jahonixJ
    You're missing the aliases. Create one that contains all your undesired subnets and make an "allow all BUT alias" rule for your OPT1 IF.
  • Scheduled rules not working according to schedule

    Locked
    17
    0 Votes
    17 Posts
    9k Views
    H
    No, you need cron items in your config. Please download and test it with rc5, I cannot duplicate this problem.
  • VLAN help needed

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • No DNS resolving on Transparent Bridge with different LAN IP

    Locked
    10
    0 Votes
    10 Posts
    5k Views
    M
    @GruensFroeschli: I think you misunderstood me. The Client don't go over the bridge to reach the DNS-server. Since they don't go over the bridge to resolve a name I suspect the problem lies with your DNS. No indeed, I misunderstood you… forums are nice to solve that :) Before I had the bridge in there DNS resolving was no issue at all, my servers can resolve on my DNS servers, but when I remove that IP on the LAN side... they can't anymore. Strange is also that when I remove the WAN and LAN IP both, there is no traffic possible at all anymore, so this is confusing too. Before I put the transparent bridge between the vlans on the switch, I tested this whole environment with a crosscable instead of the pfSense box, what actually worked well. So I'm looking at the pfSense part that might not be the best solution because there can be something in between.
  • Cant access mails in DMZ

    Locked
    16
    0 Votes
    16 Posts
    7k Views
    J
    @sullrich: Have you tried enabling static port for these interfaces? It took me some time to thank you, because I had to arrange some time to set up a new test box (I am afraid to do the tests on a production box and to use not well documented features (disable Automatic outbound NAT rule generation … and so on). But I am sorry, but I think it still does not work! Done this way. I wonder why a firewall with so rich and powerful features like: “CARP/VIPS”, “VPN”, “Bridging”, “Virtual IP’s”, “OLSR”, “RIP”, “UpnP”, and so on, fails doing a so simple thing that is, to know which network cards are plugged in (network interfaces), its (range of) IPs, and route accordingly the traffic between them…??? Here is how I set up and solved this (my) problem. I put another box, to let pass, back, the traffic, which I wanted to pass from one LAN to another, and on this new box I opened the ports/services needed – This way worked for me. Here is my NEW network diagram: Internet                                 |                                 |                              10.1.0.1            10.1.0.2                           pfsense_box_1  pfsense_box_2                                 |  |              /      |                                  |  |            /      |                                          |  |            /        |                                          |  |          /        |            192.168.2.1/24 |  |/192.168.1.1/24           |  ___________________ /          |           | |                                          |           LAN2                                      LAN       | |_____                      |       |      |              |                    more_Clients Clients  service_1  service_2 I will go now to repeat the tests again, NOW with RC4, to see if this issue is solved in RC4, and if I have some time I will post here the results later.
But thank you for this great software – I was looking for a firewall, went through a couple of available ones smoothwall, m0n0wall, ipcop, etc, but settled for this one. I’m running it on a Pentium III/450 MHz box and have been very pleased with it!!, with some bugs and exceptions.
  • Lotus note not going through pf

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    ?
    Checked your logs? Turn on logging and see what's blocking it /f
  • How can I disable NAT and the firewall for one IP on my network

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Outbound traffic from DMZ not routing to Internet

    Locked
    4
    0 Votes
    4 Posts
    38k Views
    C
    UPDATE: I moved the server to the LAN and was able to get out from the server to the Net. Then I changed my 1:1 NAT settings from DMZ addresses to LAN addresses for my server, and I could no longer get out. So it seems the issue is the 1:1 NAT settings. In m0n0wall I used proxy ARP to solve this issue, but I don't see that panel in pfSense. What should I do? UPDATE: Ah, I got it. Proxy ARP is under Virtual IPs in pfSense. All working now.
  • States at 9986/10000 and connection is slow…

    Locked
    12
    0 Votes
    12 Posts
    6k Views
    R
    If you're talking about the Clearwire that provides wireless internet, that is your problem. You have high latency and high packet loss. You also have a fair usage system built into it that slows your connection down when you download too much. Bi-directional traffic will slow you way down also with an asynchronous link. Add to that a poorly behaved p2p application and you have a stand still traffic jam. You can increase the session states, and set the rules to aggressive, but I doubt it will completely fix it. You'll need to do some reading in the traffic shaping section.
  • Filtering Bridge not really filtering anything.

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    D
    Maybe I'm mistaken, but can it be because you forgot to turn off the DHCP from the access point?
  • Page can't display when enter hotmail and microsoft

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Block bogon networks - WARNING

    Locked
    3
    0 Votes
    3 Posts
    8k Views
    A
    Some version that was available at the time, I was upgrading quite frequently. In any case, this was a very serious impairment that I would not risk causing again. If it was only my home network, I would enable it without doubt, but it's bad for business! :)) Even if your downloading script would be working correctly I also would have to rely on the site where you are downloading it from to update new IP assignments, etc. But thank you for great software – some 2 years ago I was looking for a firewall, went through a couple of available ones ipcop, etc, but settled for this one, it was version 0.9 something. I’m running it on an older Biostar iDEQ small box and have been very pleased with it!!, with one exception. ;)
  • Pfsense behind linksys router

    Locked
    15
    0 Votes
    15 Posts
    19k Views
    jahonixJ
    Well, I have it the other way round. pfSense in front and a Linksys WRT54GL with DD-WRT acting as AP and doing some stuff in a DMZ. This way I can allow guests access to the INet and not touching …  ;-) pfSense talks directly to the DSL modem and acts as PPPoE client. This way I have all the benefits from having pfSense's WAN public. FWIW.
  • Reply packets in logs

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Improving the GUI for using VLANs - bounty proposal

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • How do i get Transparent Squid Proxy working?

    Locked
    4
    0 Votes
    4 Posts
    12k Views
    F
    I can't really say I've had any problems with transparent proxy, but then again I'm pretty new to this firewall too. If you are looking to block access to questionable web sites, you might want to try the SquidGuard package.  It allows you to white/black list any site you want.  The package is not quite production ready when it comes to end-user experience, but it works.
  • IP Subnetting

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    T
    That's what I thought - thanks for the verification. My gateway is at .65 so it's on the same subnet as the WAN interface. I can't use a 1:1 NAT (like I am now) because I have a mail server running in one of the DMZs and I've had mail rejected because RDNS fails since the header says the originating IP is 192.168.xxx.xxx.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.