• This rule is possible with PfSense ???

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M

    Hi GruensFroesch,

    Thank you for your answer and sorry for the delay. I did some tests and I think I found a good way to convert my Kerio rules … I can remove the * and have a choice: only local or only internet (or both), the same way as sending directly to the LAN or internet interface.

    If you see a bug let me know, I'm a new user of pfSense  ;D

    Actually, I do a rule for ping; it's the same way for HTTP, FTP, etc.

    The last 3 rules do the job ...

    Thank you for the answer.

    Max_firewall


  • Publishing multiple web servers

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    T

    Interesting. You could do that.
    If you're using IIS, you would first NAT all web traffic for those 3 sites to a single instance of IIS, configured with multiple websites. You'd need to set the host header values of those websites to respond to the URL requests. Then, modify your hosts file (c:\windows\system32\drivers\etc\hosts) to point traffic for those URLs to the appropriate web servers inside your LAN.

    Following along? I think that should work. If more than 1 of these sites is secure though, you may run into complications.

  • PfSense clients access private network

    Locked
    9
    0 Votes
    9 Posts
    4k Views
    K

    Excellent :)

    It worked
    Thanks a lot!!

  • Many fin_wait_2 states

    Locked
    5
    0 Votes
    5 Posts
    13k Views
    J

    I hate having the DB in my LAN, but unfortunately the mobo on my test box doesn't have space for any more NICs so I can't create another zone.

    Ok, it sounds like I have the rule setup correctly then so I'm not sure why the fin_wait_2 states are taking so long to timeout.

    For testing purposes I just hit the page again a single time and closed the browser as soon as it loaded (less than one second).  I filtered the pfsense state table for '1433' and it took over a minute for all the records to be purged (kept refreshing it throughout in case it was latency in the gui being updated).

    After the browser was closed I noticed several new connections being established from webserver to db on 1433, but I'm not sure what that was about yet.

    I just saw your comment about set state to 'none', so I will try that as well.  I had considered it when I saw the option, but figured it might actually increase the number of states for pages that make multiple database hits.

  • Shields-Up Report

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Cry HavokC

    Depends on your ruleset (which you don't mention).

    However, the forwarded ports I would expect to be open, assuming you've forwarded them to an active service.

  • An attack by ssh, advices wanted!

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    T

    Thanks guys.
    I'll follow the steps you described.
    Is better prevent…

    Best regards,
    Teixeira

  • Is there any way to count IP connections by IP address in LAN?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Mistake handling question

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    S

    Oh, thx for the reply

  • [WORKS] Ftp server (passive and active) behind pfsense on 1.2-beta

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    T

    This thread just saved my butt. I'm dropping some search engine glue for any other poor souls:

    FTP server doesn't work
    FTP server won't work
    Publish FTP server
    NAT FTP server

  • Do not keep state / "no state" / state table filled up

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S

    #1 You should be running 1.2-RC1 if you are not.
    #2 up your state table in System -> Advanced

  • How to allow ssl on other port than 443, http://x.x.x.x:8090 for example.

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    A

    Thanks
    I'm using a copy of the default rule and I restrict it only to my x.x.x.x IP

  • PfSense as a gateway and router

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    A

    @GruensFroeschli:

    how did you disable the firewall? as you write it it sounds a bit like: "no rules = no firewall"

    you can disable the firewall completely under "advanced" with "Disable the firewalls filter altogether."

    do you see in the logs that the access is blocked?

    Sorry for not being clearer.  I disabled the firewall from under "advanced".  In the logs or through pftop (if I remember correctly; I will try again shortly), I could not see any mention of a blocked request.

  • Understanding firewalling process

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Discard oversize frame (ether type 8864 flags 3 len 1522 > max 1514)

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C

    1514 is the max frame size of Ethernet (excluding jumbo frames, which aren't used on the Internet), which is likely what your WAN is. You shouldn't ever see > 1514 on the Internet.

    I'd just ignore it.

  • State purging too slow

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    P

    Sorry Scott,

    You're right. Vladimir is a member of our team who is also desperately trying to find a solution for this problem.

    I guess he had to read all my posts before posting his.

  • Traffic between lan and opt1

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H

    Can each of your servers at LAN and OPT1 ping the gateway IPs? How is your OPT1 configured?

  • Can't connect to Nortel VPN Contivity from behind RC-1

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    F

    It looks like the config file got corrupted.  I ended up rebuilding the server and fixed the conf manually.
    RC

  • Alias performance hit

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    S

    You might want to look into using a squid proxy.  You are using a flame-thrower when you should be using a screw-driver.

  • Msn doesn't work when using dsl router in bridge mode

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Multiple Subnets on one interface

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.