• New 1.2 beta 2 and IPSEC changes

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    valnarV

    OK, that's what I needed.  Thanks.

    -Robert

  • Filtering OpenVPN Interfaces

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C

    No, but it should make 1.3.

  • Need some quick shell ipfw help

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C

    It's pf, not ipfw. You have to make your rule changes via the webGUI, otherwise they'll be overwritten. If your existing ruleset does not allow you into the webGUI, you can make temporary rule changes at the command line. Your running ruleset is /tmp/rules.debug. Info on changing it can be found here:
    http://www.openbsd.org/faq/pf/

    Don't do anything other than add a rule to permit access to the webGUI, then go into the webGUI and set up the same rule there, as well as whatever else you want. Editing the ruleset manually is unsupported and may cause problems; I strongly suggest having someone on the LAN side let you into the webGUI rather than doing this.

    You could use tunneling with SSH to get into the webGUI, that's probably a better and easier solution.

  • Multiple Outside Interfaces

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Firewall in transparent bridge mode "turns around" - very strange issue

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    W

    After a lot more testing I have come to the conclusion that my old observations must simply have been wrong (maybe I shouldn't do setups late at night) ;) .

    Summarizing, this means: the confusion started with the fact that the bridged LAN IP can be accessed from the outside network (ping and webinterface and ssh). All other observations were just due to other effects, e.g. the pptp stuff still works.

    Hence, what remains from here is just, that it's probably a bug that the internal ip can be accessed from outside in bridge mode. Furthermore, this cannot be deactivated by deactivating the anti-lockout rule. This is discussed here: http://forum.pfsense.org/index.php/topic,5441.msg32479.html#msg32479 .

    Sorry for the long post and the confusion.

  • Anyway to limit concurrent connections by IP or MAC?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S

    Look in firewall rules -> LAN, edit the default firewall rule and click the advanced button.

  • SMTP Question on Dual Lan setup

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jahonixJ

    @dcbour:

    Wan - Cogeco - blocks SMTP except to their own server.

    Hopefully you mean from their Server.
    On WAN you can only block/reject packets that enter on this interface…

    Chris

  • Vlans, and out bound loadbalance

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Help setting up standard rules for mail server/web server/vpn

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    dotdashD

    @Kim:

    Thanks for that. So in the NAT window, I would just do the following: (where 10.7.31.20 is our Exchange/Web Server) - see attachment? - Then the same for HTTP and HTTPS?

    Yes. Once you have the first one done, you can use the handy + create a new rule based on the first one, and just change the ports.
    @Kim:

    Do I also need to create a Firewall rule to Block * from the WAN? (and order the rules so this is the last rule?) - or does pfSense block everything else by default?

    Defaults to blocked.
    @Kim:

    What are the VIPs?

    You would define Virtual Ips if you had additional static IP addresses assigned to you by your provider.

  • Firewall Performance - Suitable for >100Mbit?

    Locked
    12
    0 Votes
    12 Posts
    5k Views
    J

    @Cry:

    @tulsaconnect:

    We plan to use Dell hardware, and unfortunately the newer Dells are using Broadcom NICs, which aren't as well supported under FreeBSD as Intel NICs.  I wonder how the onboard NICs are connected internally – e.g. at something better than PCI-X or PCIe bus speeds... ?

    From discussions with somebody I know you'll find you get better throughput with add-in Intel GBit cards even on boxes with onboard Intel GBit.  He wasn't sure why, but even when the add-in cards had the same chips as the onboard cards he still saw better performance (beyond 100 Mbs, don't remember the exact values) with the add-in cards.

    What I was told by an Intel engineer was that the onboard NICs use shared resources relying heavily on the CPU, whereas an add-in NIC usually has its own timer chips, etc.

  • Redirecting

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Random network outages "Drops"

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • How much more secure is pfsense compared to normal routers?

    Locked
    9
    0 Votes
    9 Posts
    21k Views
    W

    Thanks for the replies everyone.

    I've taken the plunge and set it up. It took a whole day because I had to rewire everything as I wanted the server in the loft; however, it's all done now and working.

    I've got a small problem though: my broadband speed has dropped. I'm on 4meg and used to be able to download at 420kb sec and now my max is 30. I have no idea what's wrong; either it's a coincidence and something's wrong at my ISP end or the pfsense box is causing it, which I doubt.

  • Hosts that have PASS-rules are being blocked, system fails also.

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C

    Sounds like you may be running into a known issue.
    http://cvstrac.pfsense.org/tktview?tn=1352,32

  • Help with port triggering?

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    S

    How about this. I use EchoLink (HAM radio VoIP thing). I need to trigger ports 5198 5199 UDP but I don't want to open them; two computers on the LAN use them. I would rather trigger than have a hole.

  • Firewall rules not working anymore after reboot (bandwidthd installed)

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    C

    @Matts:

    Ok Solved,

    It seems that the IP address of the LAN side in a bridge really should be different than on the WAN-IP.

    But, it needs to be in the same subnet or it will not work 100% well.

    I have the feeling that this IP on LAN can be used for another system because it does not exist in the ARP table on the router.

    But, beware, this address needs to be different AND needs to be in the same SubNet !!!

    Yeah I verified that's a bug. I opened a ticket.
    http://cvstrac.pfsense.org/tktview?tn=1352

  • Ip-less bridge as firewall in high risk environments

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    C

    @john99:

    Thanks a lot for the helpful information!

    At the moment, my firewall (fli4l:) is also the gateway for the local WXP clients and
    a little AD server (W2K3).

    Question:
    If pfSense is set up as a transparent bridging firewall, it cannot be anymore a
    gateway (and therefore reached from the internal network with an IP) ?

    Not on the same interface. You can leave your LAN setup as it is now, add an OPT interface bridged to WAN and use it for your publicly accessible services.

  • Am I able to limit connections per port per IP with pfSense?

    Locked
    2
    0 Votes
    2 Posts
    7k Views
    C

    Yes, look under Advanced Options when you add/edit a firewall rule.

  • Blocked packets on VLan…and no ARP lookup on VLan???

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    M

    Damn, am I an idiot.

    thx a lot, that was it!

    cheers

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.