• How do I externally access an Apache server that's behind pfSense

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    @GruensFroeschli: I've added a NAT rule in pfSense to port forward ports 80 and 443 to the internal IP address of the Apache PC but this hasn't changed anything. I thought you did that. If not: yes you need it. Sorry yes, I had done that I was just inquiring whether it was necessary. Ok I seem to have it working now anyway, I did a reset of the state table and I can now access the apache landing page on http and https. Glad it was that easy in the end, thought it was going to be like the headache I went through setting up the multi-wan load balancer, lol.
  • Is this doable? Automatically block if outgoing connection not allowed

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    jahonix
    Nice idea. Since modern malware does way more than just connect to a single server by its IP it is kind of useless. There are server farms out there (bot nets) that get addressed by round robin methods from DNS. They just don't care if you block an IP, they are pretty failsafe. Unfortunately! Include this in your reading about bot nets: http://www.heise-security.co.uk/
  • Problem blocking ip and with outgoing ftp connections

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    I've tried to verify rule also making a connection to the ip and I've the same result. Any suggestion? Regards
  • Which occurs first: Static routing or fw rule?

    Locked
    9
    0 Votes
    9 Posts
    3k Views
    GruensFroeschli
    I think the expression "Choose which interface this route applies to." means on which interface the traffic will be sent to the specified gateway. So you select here the interface on which the subnet in which your router to the other subnet is. In your case that would be Opt1.
  • Problems to allow FTP server at internet.

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    please use this thread as a reference http://forum.pfsense.org/index.php/topic,7096.0.html
  • Block bitcomet traffic

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    IMHO, yes pfSense can block it. I suppose you're trying to block bittorrent traffic coming from your LAN subnet, right? Can you post what are your firewall rules? Try using the rules implied in this example --> http://doc.pfsense.org/index.php/Example_basic_configuration , works for me. HTH
  • Internal routing crashing ?!?! netfilter ??!?

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    @pinky: netfilter service seems to be stopped crashed ?!?! so restarted it nothing, …. reboot the firewall and all is working again till, .... it happens again... Wrong OS, pfSense runs under Unix, not Linux.
  • VOIP and ports used

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Port 21 allowed for what seems like no reason

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    Caused by the FTP proxy redirect.  Do the test from a different host that is not behind a pfSense firewall (if you are testing pfSense's exterior WAN). This has been discussed at length on the public lists.
  • Alias or name for public internet address space

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jahonix
    Create an alias containing all your subnets. Write an allow rule for all but this alias and you're done.
  • Blocking Access to Specific Host

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    @bairdmj: I am trying to create a simple rule.  The rule will deny all LAN users access to one specific internet host (TCP/*).  To do this I have created a firewall rule on the LAN interface: Proto  Source  Port  Destination  Port  Gateway  Schedule  Description  TCP * * BLOCKED.IP.HERE * *   BLOCK OUTGOING TEST The rule has been moved to the very top.  Beneath this rule, I do have one that allows LAN NET to access *, but since this rule is on top, it should work right? This rule does not seem to be working.. all LAN users are able to access the blocked destination.  Does anyone have any ideas as to why this is not working?  Am I missing a step? Thanks Have you verified that destination traffic are the expected iow the ip you have in the block? Check your logs (obviously turn it on if you don't). Otherwise you can try and block a site you know have only one IP address and see if that works. /f
  • I want redirect port 443 to my squid in port 80, How to do?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    Cry Havok
    Then I'll say it again - you can't.  What you're effectively talking about is referred to as a "Man In The Middle attack".
  • Interface Direction (and why it's important to me)

    Locked
    12
    0 Votes
    12 Posts
    7k Views
    @sullrich: There is no reason you cannot control a squid server going to the internet now.  Simply control the flow on the incoming interface of pfSense. I meant a squid server running on the pfSense box itself…
  • How to block url for temporary time?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    @GruensFroeschli: get a list of all IP's of servers which are related to the website you want to block (i suppose myspace has more than one server.) make an alias with all the IP's you want blocked. create a scheduled firewall rule set as destination the alias. Firewall rules don't affect Squid running on the firewall.
  • We know FTP Sucks with pfSense! I can live with that but -->

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    I was not aware of your environment. I also work for a wireless ISP a small one at the moment but in February will be adding 2000 Access Points. Right now the wifi network is stuck with NAT because we don't have enough real ip addresses hopefully that will change in the near future. I think to be like a large ISP we will need to dump NAT completely. Then use PFSense as a transparent firewall. PFSense transparent firewall is described here: http://pfsense.trendchiller.com/transparent_firewall.pdf According to the above document FTP still might be an issue and Captive portal will not work with a transparent firewall. Will have to setup a test network and see if that can be fixed.
  • LAN FTP issues

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Judge for yourself :) http://devwiki.pfsense.org/FTPTroubleShooting http://forum.pfsense.org/index.php/topic,7096.0.html
  • Locking down DMZ and LAN

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Cry Havok
    Only you can say ;)  I'd allow 123/UDP to the pfSense host from both LAN and DMZ and make the pfSense host the timeserver. Yes Probably not If you port forward to those services Restrict by destination (say by only allowing LAN clients to access email services on the DMZ, not the entire Internet) Depends on how you implement the VPN.  There is no way to filter OpenVPN right now, but IPSec can be filtered.
  • Sun Cobalt behind of pfsense

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Citrix, Sort, and a Firewall

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    Ok Kill this topic….. I see that this is SUCH A SMALL ISSUE that it should not get much thought! [ASCII-art Christmas scene] MERRY CHRISTMAS TO ALL!
  • Squid disables rules for segregating subnets

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.