What is the point of having a firewall if all networks are in the same layer2 network? You could do it with 1 interface when using vlans but that is virtually 2 seperate networks again.

You can shut down NAT by enabling advanced outbound nat at firewall>nat, outbound tab. Delete all nat mappings that it creates for you in the table at the bottom.

I actually need the same functionality.  On our old Sonicwall we were able to firewall out our remote Citrix users between 8 AM and 6 PM.  I know there's some way to control that within Citrix as well so we'll probably have to use that option once we get the m0n0wall/pfsense fully in place.

Thanks for the replies. That cleared things up. For some reason I mistakingly thought layer7 and SPI were the same thing.

this may be attributed to NAT reflection not being enabled on all configurations.

The clients checks itself by connecting to the outside port it forwarded and see if it works. eMule has some KAD network issues with this UDP port forward as well. So yes, it would actually work from the outside. But testing from the inside would/could fail.

Starting with version 2 a user manager will be included for administration. That one will be a lot more fine grained. So after 2.0 is released we can do something with this.

Release schedule for 2.0 is currently quite uknown.

The number is the line number which refers to the rule in /tmp/rules.debug.

i've not had the best of experiences with the 3c2000 cards. regardless it should work.

Did you reboot your box to enforce the ifconfig settings?

a manual ifconfig sk0 media 100baseTX full-duplex should work anyhow.

From the console menu, the webgui or ssh, pick one.

@KiaN:

Ok, now I get it :

@hoba:

Btw, you should upgrade to 1.0.1. 1.0 had a really annoying bug where rules sometimes were not reloaded.

Yep, tis why I asked what version you were running. Glad to hear its working now :).

Tomorrow already looks promising :)

No problem. Glad to hear you got it working. Pass the word along about pfsense ;).

remote admin works on the router WAN port only. it works only on port 80 or 8080

there is a single way to remote admin your routers : setup a PPTP connection to your gateway (pfsense)

Give me more details to give you more help (I have a similar setup)

chady

See http://cvstrac.pfsense.com/tktview?tn=1138,6 for how to setup a workaround rule for this problem. At least for natreflection this should work for 1.0.1 without this rule but you will  need it for ftphelper anyway so it won't hurt  ;)

@jeroen234:

if port 56 is not open they can not access the dnsserver

DNS is port 53/UDP (TCP for zone transfers)

Okay, I got it working; it's a tricky if you don't know what you are doing.  Thanks for your help!

You have to disable the antilogout rule at lan (system>advanced) which grants access to the lan IP of the pfsense. This rule is in place to make sure you don't log yourself out from the administration. Beware that disabling that rule might log you out if you have incorrect rules at LAN, so verify your settings before applying a new ruleset.

@sai:

Port 67 is the port a bootp/dhcp server listens on, port 68 is the port the DHCP server
sends out information on. So there is a DHCP server on your WAN. These things tend to spew a lot of packets. Very annoying.

Thanks.

No idea.  As I told you before, I am not crazy about that patch and you will have to get it into the tree through someone else.  Sorry.

I dropped all of the Gateways but still cannot connect to the WAN from my host on the OPT1 network.  I can connect from my LAN to the host on the OPT1 network.

thank u

works fine

Yes, sorry, working now!!!