Ah, nice to know.

yes, this always worked; I never tryied ssh the wan because it was behind an adsl modem; now I'm using a frame relay circuit and do not have anything between me and internet.

@cmb:

You can use as many IP's as you want on your OPT1 hosts, I've had deployments exactly as you describe and they work fine. You do not want it as a VIP since that IP is directly assigned on a system. That will likely break it, take that out.

What do you mean by "totally ignored"? What are you trying to do that doesn't work?

The VIP was only temporary in an attempt to make it work. Forget I ever mentioned it.

Quite simply, I have no access whatsoever from the WAN to those IP addresses on the (Filtered Bridge) OPT1 interface that are not the primary IP address on the host's Ethernet interface. Rules to the primary IP work perfectly; no rules to additional IPs (pass or deny, port or any) have any effect whatsoever, nor is there any corresponding entry in the log. It's as if the IP addresses were totally invisible to pfS.

/tmp/rules.debug

Embedded is designed for installing onto solid state memory (compact flash etc).  There used to be a good primer, but it seems to be gone :(

As long as you're using new server class hardware you'll be fine at those numbers.

I dont think so.
pfSense loads the xml at startup and after that runs from RAM. it only access the "slow" storage when you change something in the configuration.

(I think you would need REALLY REALLY many aliases to slow pfSense down)

Thanks for the quick help.  :)

This should work on a stock setup. It sounds like you may be hosting ftp servers, which will add to the complexity. Try the standard ftp troubleshooting steps and see if that helps: http://devwiki.pfsense.org/FTPTroubleShooting

It works with OpenDNS. thanks cdsu.

Nothing is working, not even ping LAN -> DMZ. WAN -> DMZ is working.

So i should upgrade you think? I'm unsure which package to use from ftp://reflection.ncsa.uiuc.edu/pub/pfSense/updates :-)
This one using the WEB Gui Upgrade function? pfSense-Full-And-Embedded-Update-1.2-BETA-2.tgz? Never upgraded before…

icanton

That's really good to know.  I'm almost positive I was a victim of that very scenario.  Thanks for the tip.

Great.  Looks like I got the rules correct.  Thank you!

Thanks for the replies.  I did some digging and I do see that the config.xml file has the alias lists.  I see that the address section is pretty straight forward, but do I need to put information in the corresponding <detail>section?

Since this information would be right in the config.xml file, I'm a bit concerned about putting in too many aliases for fear this will slow down bootup and general operation of my pfSense box.  The list I might want to import may have hundreds or thousands of IPs.  Would such a large alias list negatively impact the performance of pfSense?</detail>

Good to know. That's been one of the only areas of weakness, as far as I'm concerned.

you dont see the name of the alias in any list.
you just write the name of the alias directly into the field with red background.

(i'm using this without problem in 1.2RC2)

You could go with Squid, though I'm not sure if it supports a default block.  You also can't (that I know of) do a selective block on what a DNS name would resolve to.

But I am not using any SSH… I can't even get to my WWW server from LAN through WAN IP and formwarded port.. 80.. nor 85...

in 1.0.1 it worked fine :( :( :(

There is no default value on most of those. eg- there is no simultaneous client conection limit unless you set one. The pf default on state timeout is 10 sec and it appears pfSense does not change this. (pfctl shows interval=10s)