• Help! What is FW-Rule @237 ?

    Locked
    0 Votes
    10 Posts
    3k Views

    Hoba,

    thanks a lot for your reply.

    I've now arrived at home again, so I will make a test-setup tomorrow and post here again.

    For some reason, pfSense hates me :-(

    Just to update you what I already did:
    First I tried it on a HP DL 380 G2 with two 64-bit Intel 2-Port GBit NICs, then I bought
    a new HP Blade BL20p G3 with 3 onboard GBit NICs.
    With both servers pfSense lost packets.

    Now I have created a VM for testing purposes and installed pfSense into the VM on
    the DL 380 G2.
    I hoped to fix the hardware/driver Problems of FreeBSD and my HP/Intel-HW with that virtualization
    trick.
    But now I cannot get access to the OPT1 interface (that's the thread here).

    Well tomorrow I will install a test-server for the OPT1-Interface and then I hope that I can solve this for once and
    for all together with your help ;-)

    I'll try to make the SSH-Access to the pfSense work so that you can have a look directly at it and don't
    have to rely on my answers here ;-)

    Hoba, I wish you a pleasant evening!

    Best regards,

    Chris

  • Cannot define table bogons

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • NIC interface "zones"?

    Locked
    0 Votes
    9 Posts
    4k Views

    Create firewall rules at firewall>rules, new_interface_tab. You can set up a DHCP server for this interface at services>dhcp server, new_interface_tab.

  • Totally NEW to Firewalls, have some questions

    Locked
    0 Votes
    7 Posts
    3k Views

    Firewall>NAT, portforward tab. Hit the + button and set it up the way you want it. Make sure to keep the "autocreate firewallrule" option at the bottom checked. Save and Apply.

  • UPnP as a possible future option?

    Locked
    0 Votes
    10 Posts
    5k Views

    UPNP is now a package on pfSense.  I am updating this thread because it seems to appear in searches.

    Search for more active upnp threads, they are around.

  • Firewalling help needed

    Locked
    0 Votes
    5 Posts
    2k Views

    hoba,
    It's the main IP I did the 1:1 nat for.

    sai,
    thx, that worked!

    Thanks, for the help guys!

  • 2 DMZ zonez from one public c-class (transparent)

    Locked
    0 Votes
    3 Posts
    2k Views

    When I use the "bridge" option, I can't subnet some of the WAN - I would like to know if I can have 2 dmz zones with a subnet of the WAN - with transparent IPs

    But it doesn't look possible.

    Thanks

    PS. (not much response to my thread)

  • MOVED: "lock" console screen

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • When trying to filter firewall log by allowed get error.

    Locked
    0 Votes
    5 Posts
    2k Views

    Thanks,

    Mark

  • Filtering Bridge locks out everything

    Locked
    0 Votes
    12 Posts
    4k Views

    It is not a bug, it is how FreeBSD works.

  • Using FQDN inside the lan

    Locked
    0 Votes
    3 Posts
    2k Views

    Thank You

  • Problem with FTP.

    Locked
    0 Votes
    12 Posts
    5k Views

    Don't want to sound rude but please search the forum. The ftp proxy and how to set it up is REALLY described every few lines throughout the forum.

  • Traffic getting blocked from remote subnet via OPT interface

    Locked
    0 Votes
    8 Posts
    3k Views
    dotdash

    Finally got this working. I started clean and didn't import my NAT or ruleset, then set OPT2 with
    pass any from 192.168.100.0/24 to 10.10.10.0/24
    pass any from 10.40.0.0/16 to 10.10.10.0/24
    pass any from 10.10.10.0/24 to 192.168.100.0/24
    pass any from 10.10.10.0/24 to 10.40.0.0/16

    I didn't add the gateway to OPT2 while testing, and now I get an error when I try to add it in, I guess because of the balancer. Eventually I'll try deleting the balancer, adding the gateway, then re-creating, but for now I don't care because everything is working that I need.

  • GRE Issue

    Locked
    0 Votes
    4 Posts
    2k Views

    Doh! Sorry…  :-[

  • Unexpected bridge behaviour

    Locked
    0 Votes
    5 Posts
    2k Views

    I get a filtered bridge working when I replace the content of /tmp/rules.debug with

    pass in  quick on fxp1 all
    pass out quick on fxp1 all
    pass in  on fxp0 all
    pass out on fxp0 all

    It seems that something is wrong with the generated rules.

    update, yes, found something:

    nat on $wan from 192.168.1.0/24 to any -> (fxp0)
    in the FTP PROXY part of rules.debug.

    Found the solution in the NAT section - outbound, here you have advanced nat. Check this and remove the NAT rule below.

    I'm glad I found it.

  • Bandwidth problem with my configuration: ARP redirection suspicion cause

    Locked
    0 Votes
    4 Posts
    2k Views

    Nice and thanks for the great diagrams of your network to understand the problem :D

  • Fragmentation

    Locked
    1 Votes
    1 Posts
    2k Views
    No one has replied
  • Source and destination the same

    Locked
    0 Votes
    8 Posts
    5k Views

    @Gez:

    WAN Interface Src. 89.207.xxx.xxx  Dest.  89.207.xxx.xxx ICMP

    @sai:

    I'm no expert, but it seems to me that the only way to get this packet is either your ISP is acting up or your firewall is not logging correctly. The ISP shouldn't route that packet to you. No way.

    Well, I don't know if this has something to do with it as I'm no expert either, but my only broadband option here in rural Ireland is satellite broadband, which has the peculiar feature that if I do a traceroute to any external website I notice that packets are routed from my private address space of 192.168.30.0 out through the satellite modem, with its public, fixed IP address on the WAN interface, and back to another private 192.168.4.0 address space somewhere in Germany, taking 2 hops there, before finally taking its course through routers with public addresses again. I've never really questioned it as I assumed satellite works differently but it does seem a bit odd.

    As for logging, yes it's not working properly. It works for about 10-20 minutes and then stops logging completely till I reboot.  I've done a completely fresh hard disk install of 1.0.1 but same problem.

  • Routing through the firewall

    Locked
    0 Votes
    2 Posts
    2k Views

    What is the point of having a firewall if all networks are in the same layer2 network? You could do it with 1 interface when using vlans but that is virtually 2 separate networks again.

    You can shut down NAT by enabling advanced outbound nat at firewall>nat, outbound tab. Delete all nat mappings that it creates for you in the table at the bottom.

  • Time of day based rules

    Locked
    0 Votes
    8 Posts
    4k Views

    I actually need the same functionality.  On our old Sonicwall we were able to firewall out our remote Citrix users between 8 AM and 6 PM.  I know there's some way to control that within Citrix as well so we'll probably have to use that option once we get the m0n0wall/pfsense fully in place.
