• HTTP randomly blocked?

    Locked
    0 Votes
    11 Posts
    5k Views

    Removing that extraneous monitor IP in the LB config seems to have fixed it.  Also bumped states up to 20k as my feeble attempt at a stress test managed to occupy just over 1000 states (approx. 20 simultaneous browser page loads).  Will post back again if any more weirdness happens…

  • Outgoing FTP Issue *fixed

    Locked
    0 Votes
    3 Posts
    4k Views

    Could you elaborate on your "FIX"?

    We're simply having a hell of a time with FTP over here:

    http://forum.pfsense.org/index.php?topic=7096.msg40246

  • DMZ and firewalling

    Locked
    0 Votes
    6 Posts
    3k Views

    @newfirewallman:

    Currently I am using virtual IP and setting the subnets on servers and using the virtual IP on the DMZ NIC for their gateway. Using VLANs would create many more rules and management, would it not?

    Most likely not if you use aliases.

  • LAN -> DMZ don't work

    Locked
    0 Votes
    9 Posts
    3k Views

    I only use the LAN-ports of the "AP" but… you got me thinking Gruens. I just changed in the AP configuration and got it up and running. Now I can reach the LAN from the WLAN.
    I can't reach the WLAN from the LAN though, but that's not important enough for me to continue messing with the AP for :) And besides... my primary aim is to learn how to manage the pfSense box, not the AP ;D

    Thanks for the help everyone!

  • Some sites are blocked (http)

    Locked
    0 Votes
    4 Posts
    2k Views

    If this is multi-WAN you need to ensure static routes are in place to send a DNS server out to each ISP.

  • Iptables import

    Locked
    0 Votes
    5 Posts
    6k Views
    jahonix

    From the time I first installed m0n0wall (and later on pfSense) I didn't have to look at 'firewall builder' anymore.
    But IIRC there was an option to read a configuration from an existing box and output it in a different format. Don't know if pf is supported, though.
    Take a look at:  http://www.fwbuilder.org/

  • Standard firewall ruleset

    Locked
    0 Votes
    3 Posts
    2k Views

    @crave: If what you want is to see the currently active PF ruleset (as well as some other info) you could have a look at http(s)://<pfsense-ip>/status.php as described here: http://m0n0.ch/wall/security.php.

  • I'm missing something simple. Can't access my computers from WAN side.

    Locked
    0 Votes
    3 Posts
    2k Views

    Yep, did that. Changed the admin port to 443/HTTPS for security and added firewall rules on WAN and OPT1 allowing TCP 443 from any to any.

  • Private IP RFC1918 packets allowed to leak out

    Locked
    0 Votes
    2 Posts
    2k Views

    Wow, your ISP shouldn't route RFC1918 space anywhere. Apparently they use it inside their network, likely one of their routers you were hitting.

    The block private networks only applies to the WAN interface, only for traffic initiated outside. If you want to keep RFC1918 packets from going out, put deny rules on your LAN as well.

    WAN rules, and the block private networks feature only apply to traffic initiated from the Internet. This traffic was initiated from your LAN, and your LAN rules allowed it.

  • Max Connections / Per Second Question

    Locked
    0 Votes
    7 Posts
    5k Views

    @sullrich:

    Maybe a view of the tables contents allowing someone to delete an item would be a good idea..

    This along with a way to block the IP entirely or just that IP's port. Neither of these is a big deal since I understand how it works now. Just icing on the cake.

  • How do I restrict Darkstat Access to only 1 LAN IP?

    Locked
    0 Votes
    3 Posts
    2k Views

    Bingo!!  Thanks so much for the help.  I would have never figured that one out.  Hmm… It's my feeling that WebGUI Anti-Lockout should never automatically pass traffic on ports other than 80 and 443 (unless the firewall admin changes the listening port for the WebGUI service, which in that case WebGUI Anti-Lockout should update itself to allow traffic into the new port).  The naming of this option to me is kind of deceptive.

  • Number of hosts in one alias

    Locked
    0 Votes
    3 Posts
    2k Views

    Thanx a lot!

  • Problem with maiserver moved from lan to dmz

    Locked
    0 Votes
    3 Posts
    2k Views

    @Sylhouette:

    Did you check the box in System -> Advanced -> Static route filtering? You need to do so.

    regards,
    Johan

    Yes it's checked.

    Giacomo

  • Groups/Macros

    Locked
    0 Votes
    3 Posts
    2k Views

    @dotdash:

    You should be able to use Aliases (Firewall, Aliases) to do this.

    I'll check it out, many thanks.

  • Problem with Vista (Again)

    Locked
    0 Votes
    4 Posts
    2k Views

    Try running these two commands. They did the trick to get Vista talking to Windows 2003 server. Might work for pfSense.

    netsh int tcp set global autotuninglevel=disabled
    netsh int tcp set global rss=disabled

  • VNC remote connection and file sharing

    Locked
    0 Votes
    3 Posts
    2k Views

    Well, I think I found the problem!

    I have a Cisco client and I made a connection with it first. After that I tried my OpenVPN connection and it caused the problem mentioned: I was able to connect but not to log on to the server and to get a VNC connection.

    Not sure what exactly, but I will look into it and try to get back.

    Thanks

  • DDOS on legitimate port?

    Locked
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli

    When you click the advanced button on the firewall-rule-editing page you can set maximum connections per second / states per client.

    Maybe you could play around with that.

  • Not sure what it is called…

    Locked
    0 Votes
    3 Posts
    2k Views

    Thank you, I will try this.  Now gotta look up what this NAT reflection is all about…

  • How to open port 6879

    Locked
    0 Votes
    14 Posts
    6k Views

    Azureus works fine with UPnP. I use that combination all the time. Testing the port shows OK. You should try removing the port mappings and using UPnP. In Azureus check the Plugins menu -> Log Views -> UPnP. If you can't get it to work copy paste that log here, copy/paste the UPnP Status page mappings in pfSense, and provide me with the UPnP settings in pfSense.

  • Curious log messages

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.