It's exactly as Perry points out.  Just remember that the LAN interface can't control traffic starting from the Wireless network or vice-versa.  Nice to see that it's working and that there are no hardware problems either. :)

This actually works with the same subnet on both sides? Is this a bridge, or..?

Totally awesomez! Thanks, Scott.

stop squid 2)mcserver# nc -l 3128 firefox http://192.168.165.10:3128 netcat returns: GET / HTTP/1.1 Host: 192.168.165.10:3128 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive firefox http://google.com netcat returns: <nothing></nothing>

ok i got an answer: "…this is a common problem we do encounter with many routers that are not Cisco/AVM, the address translation of IPSec is not handled correctly, therfore our gateway can't differentiate between the incomming connections..." So it's IPSec. Any ideas?

Scott, It was done. In fact, I can't reproduce the problem now. Computers … ??? I had FTP Proxy Helper only at OPT4. Now I have it well working at LAN, OPT3 and OPT4 (with localhost rules, of course). :) Many thanks, Josep Pujadas

Our thoughts were to create one tab for VLANs. Once you click that tab there will be a dropdown box to select which VLAN you want to work with.

Setting up Virtual IP addresses for my public IP's seems to be the answer! Thanks for the help.

Yeah, UTM (Unified Threat Management) is the marketing term. Though you could just as easily call pfsense a UTM device, it has firewall, VPN, IDS/IPS, and some content filtering, and we're working to fill more of the check boxes that make a UTM device. Not because we think it's great (I still like to split out things a lot more than any UTM would with everything turned on), but because that's what people want.

@cmb: It's probably a bug, and probably still a bug in 1.2b1. We removed IPv6 from the kernel entirely, this definitely isn't going to work (no need to allow/block IPv6 traffic, pfsense is going to completely ignore it all). Funny, my dutch linux/bsd magazine stated that their are real plans to push ipv6 into real action. :) I am aware that ipsense blocks by default -well done-, but it doesn't hurd to add a rule explicitly denying some traffic. (and by this trowing up a 2nd barrier ;D).

http://doc.m0n0.ch/handbook/examples.html

Thanks what i was thinking. I having a bit of problem enabling msn video conference ports i looked around and found they are dinamyc and Microsoft recomends a huge port range. The actual Real-time Transport Protocol (RTP) streams are sent using dynamically allocated UDP ports in the range of 5004–65535. Without a way to open these UDP ports on any firewall in the path dynamically, the streams fail to reach their destination. From: http://technet.microsoft.com/en-us/library/b9bd86b1-a604-d747-b219-bb2ac5473e87.aspx#EKAA It was better to say leave every thing open :P

@Gandalf: I don't know about sending syslog but personaly I have http://denyhosts.sourceforge.net/ on every box I own, I don't have any BSD box (except pfSense which has the ssh port closed so I didn't need to tried it) it works great on Linux boxes, maybe you can try it on pfSense? I'll check it out, I see its in the FreeBSD ports tree so I'm sure it will work.

The rebuild from scratch took care of the problem. Apparently the config.xml file didn't make it through the upgrades in the past successfully. Thanks for the assistance and for the developers of this great piece of software. Keep up the good work!

@cmb: I would recommend using a proper split DNS infrastructure and don't use reflection. It's ugly any way it's done, but it's really ugly how we currently do it.  :)  A replacement is in the works for a future (post-1.2) release. But if I turn reflection off, then whatever I try rsync won't work, did I miss something??

Ok! Thanks, Cry

pass in quick on $lan  route-to { ( rl2 firstfailoverip ) } from any to any keep state ( max-src-nodes 5 max-src-states 5 tcp.established 60 max-src-conn-rate 5 /1, overload <virusprot>flush global  )  label "USER_RULE: adsl fail airband" obviously replace firstfailoverip for my gateways ip address and with this rule being the only pass i can get 20 connections in my download manager thanks</virusprot>