• Ipv6

    Locked
    0 Votes
    3 Posts
    4k Views
    We do not have IPV6 support.
  • Filter VoIP

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • PF Firewall Rules

    Locked
    0 Votes
    14 Posts
    6k Views
    Cry Havok
    All modern firewalls, such as the one pfSense uses, are stateful. This means you only have to allow the traffic in one direction. So, leave the default block rule on the WAN alone and create rules on the LAN side allowing outbound traffic (or leave the default pass-all rule alone). The documentation for pf (the firewall software used in pfSense) can be found at http://www.openbsd.org/faq/pf/.
  • Specify Netmask rather than CIDR

    Locked
    0 Votes
    2 Posts
    1k Views
    do not post the same question many times - post an example of what you want to do to make things clearer
  • Can resolve names OK, can't pass traffic otherwise to OPT1 (wireless)

    Locked
    0 Votes
    10 Posts
    3k Views
    OK, some progress!  ;)  Since I am bridging LAN to WAN, I created an Advanced, NAT, Outbound Rule like this: [ LAN    192.168.3.0/24  *  *  *  *  *  NO] where 192.168.3.0.24 is my OPT1 Subnet.  I can now ping from OPT1 to the internet via the GUI.  Now to just get that working on a client machine associated to OPT1.  Thanks in advance. NickZ
  • Tcpdump 100% cpu utilization

    Locked
    0 Votes
    5 Posts
    3k Views
    When just clicking save there is no difference in the processor usage. I decided to just disable the "Log packets blocked by the default rule" and the usage is normal now. Thanks!
  • This rule is possible with PfSense ???

    Locked
    0 Votes
    3 Posts
    2k Views
    Hi GruensFroesch, Thank you for your answer and sorry for the delay. I did some tests and I think I found a good way of converting my Kerio rules … I can remove the * and have a choice: only local or only internet (or both), the same way of sending directly to the LAN or internet interface. If you see a bug let me know, I'm a new user of pfSense ;D Actually, I made a rule for ping; it's the same way for http, ftp, etc. The last 3 rules do the job ... Thank you for your answer. Max_firewall
  • Publishing multiple web servers

    Locked
    0 Votes
    7 Posts
    5k Views
    Interesting. You could do that. If you're using IIS, you would first NAT all web traffic for those 3 sites to a single instance of IIS, configured with multiple websites. You'd need to set the host header values of those websites to respond to the URL requests. Then, modify your hosts file (c:\windows\system32\drivers\etc\hosts) to point traffic for those URLs to the appropriate web servers inside your LAN. Following along? I think that should work. If more than 1 of these sites are secure though, you may run into complications.
  • PfSense clients access private network

    Locked
    0 Votes
    9 Posts
    4k Views
    Excellent :) It worked. Thanks a lot!!
  • Many fin_wait_2 states

    Locked
    0 Votes
    5 Posts
    13k Views
    I hate having the DB in my LAN, but unfortunately the mobo on my test box doesn't have space for any more NICs so I can't create another zone. Ok, it sounds like I have the rule set up correctly then so I'm not sure why the fin_wait_2 states are taking so long to time out. For testing purposes I just hit the page again a single time and closed the browser as soon as it loaded (less than one second). I filtered the pfSense state table for '1433' and it took over a minute for all the records to be purged (kept refreshing it throughout in case it was latency in the GUI being updated). After the browser was closed I noticed several new connections being established from webserver to db on 1433, but I'm not sure what that was about yet. I just saw your comment about set state to 'none', so I will try that as well. I had considered it when I saw the option, but figured it might actually increase the number of states for pages that make multiple database hits.
  • Shields-Up Report

    Locked
    0 Votes
    2 Posts
    2k Views
    Cry Havok
    Depends on your ruleset (which you don't mention). However, the forwarded ports I would expect to be open, assuming you've forwarded them to an active service.
  • An attack by ssh, advice wanted!

    Locked
    0 Votes
    8 Posts
    4k Views
    Thanks guys. I'll follow the steps you described. Is better prevent… Best regards, Teixeira
  • Is there any way to count IP connections by IP address in LAN?

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Mistake handling question

    Locked
    0 Votes
    4 Posts
    2k Views
    oh , thx for reply
  • [WORKS] Ftp server (passive and active) behind pfsense on 1.2-beta

    Locked
    0 Votes
    7 Posts
    4k Views
    This thread just saved my butt. I'm dropping some search engine glue for any other poor souls: FTP server doesn't work FTP server won't work Publish FTP server NAT FTP server
  • Do not keep state / "no state" / state table filled up

    Locked
    0 Votes
    2 Posts
    2k Views
    #1 You should be running 1.2-RC1 if you are not. #2 up your state table in System -> Advanced
  • How to allow ssl on other port than 443, http://x.x.x.x:8090 for example.

    Locked
    0 Votes
    7 Posts
    5k Views
    Thanks, I'm using a copy of the default rule and I restrict it only for my x.x.x.x IP
  • PfSense as a gateway and router

    Locked
    0 Votes
    5 Posts
    3k Views
    @GruensFroeschli: how did you disable the firewall? As you write it, it sounds a bit like: "no rules = no firewall". You can disable the firewall completely under "advanced" with "Disable the firewalls filter altogether." Do you see in the logs that the access is blocked? Sorry for not being clearer. I disabled the firewall from under "advanced". In the logs or through pftop (if I remember correctly; I will try again shortly), I could not see any mention of a blocked request.
  • Understanding firewalling process

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Discard oversize frame (ether type 8864 flags 3 len 1522 > max 1514)

    Locked
    0 Votes
    4 Posts
    2k Views
    1514 is the max frame size of Ethernet (excluding jumbo frames, which aren't used on the Internet), which is likely what your WAN is. You shouldn't ever see > 1514 on the Internet. I'd just ignore it.