Go to Advanced and uncheck the box 'Disable NAT reflection' This is kind of a hack, but D-Link, Linksys, etc. use ugly hacks to do this. If you are hosting a web site/mail server, you really should use the internal DNS instead of the external DNS. IMO, If you are running public servers, you can handle running a DNS server.

yes it will  :D http://forum.pfsense.org/index.php/topic,6516.0.html

Nailed it. NATting on the WAN interface is enabled by default.  Switch NAT off (and remember to apply the changes because I did try switching NAT of earlier, but hadn't realised I hadn't applied it) God, I've spent ages trying to figure out why that was!

Thanks for that- very helpful While i got you here, quick question - is there any way to we can get Nagios to monitor pfSense? I've looked around but the SNMP stuff seems mostly performance & stats related Thanks

I'd like to add that upgrading to 1.2 RC-3 has fixed all the log viewer issues I was previously having.  Six boxes fixed and counting…... :)

hi all! thanks to this post i also managed to get things working, but something i am still wondering about: i am loosing 2 of my official ip's on the pfsense machine. does this have to be this way or am i just having a configuration black out, but when i use private ip's on the machine nothing is going thru. best regards CC

Ah, nice to know.

yes, this always worked; I never tryied ssh the wan because it was behind an adsl modem; now I'm using a frame relay circuit and do not have anything between me and internet.

@cmb: You can use as many IP's as you want on your OPT1 hosts, I've had deployments exactly as you describe and they work fine. You do not want it as a VIP since that IP is directly assigned on a system. That will likely break it, take that out. What do you mean by "totally ignored"? What are you trying to do that doesn't work? The VIP was only temporary in an attempt to make it work. Forget I ever mentioned it. Quite simply, I have no access whatsoever from the WAN to those IP addresses on the (Filtered Bridge) OPT1 interface that are not the primary IP address on the host's Ethernet interface. Rules to the primary IP work perfectly; no rules to additional IPs (pass or deny, port or any) have any effect whatsoever, nor is there any corresponding entry in the log. It's as if the IP addresses were totally invisible to pfS.

/tmp/rules.debug

Embedded is designed for installing onto solid state memory (compact flash etc).  There used to be a good primer, but it seems to be gone :(

As long as you're using new server class hardware you'll be fine at those numbers.

I dont think so. pfSense loads the xml at startup and after that runs from RAM. it only access the "slow" storage when you change something in the configuration. (I think you would need REALLY REALLY many aliases to slow pfSense down)

Thanks for the quick help.  :)

This should work on a stock setup. It sounds like you may be hosting ftp servers, which will add to the complexity. Try the standard ftp troubleshooting steps and see if that helps: http://devwiki.pfsense.org/FTPTroubleShooting

It works with OpenDNS. thanks cdsu.

Nothing is working, not even ping LAN -> DMZ. WAN -> DMZ is working. So i should upgrade you think? I'm unsure which package to use from ftp://reflection.ncsa.uiuc.edu/pub/pfSense/updates :-) This one using the WEB Gui Upgrade function? pfSense-Full-And-Embedded-Update-1.2-BETA-2.tgz? Never upgraded before… icanton

That's really good to know.  I'm almost positive I was a victim of that very scenario.  Thanks for the tip.

Great.  Looks like I got the rules correct.  Thank you!

Thanks for the replies.  I did some digging and I do see that the config.xml file has the alias lists.  I see that the address section is pretty straight forward, but do I need to put information in the corresponding <detail>section? Since this information would be right in the config.xml file, I'm a bit concerned about putting in too many aliases for fear this will slow down bootup and general operation of my pfSense box.  The list I might want to import may have hundreds or thousands of IPs.  Would such a large alias list negatively impact the performance of pfSense?</detail>