• Problem with FTP.

    Locked
    12
    0 Votes
    12 Posts
    5k Views
    H
    Don't want to sound rude but please search the forum. The ftp proxy and how to set it up is REALLY described every few lines throughout the forum.
  • Traffic getting blocked from remote subnet via OPT interface

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    dotdashD
    Finally got this working. I started clean and didn't import my nat or ruleset, then set OPT2 with
        pass any from 192.168.100.0/24 to 10.10.10.0/24
        pass any from 10.40.0.0/16 to 10.10.10.0/24
        pass any from 10.10.10.0/24 to 192.168.100.0/24
        pass any from 10.10.10.0/24 to 10.40.0.0/16
    I didn't add the gateway to OPT2 while testing, and now I get an error when I try to add it in, I guess because of the balancer. Eventually I'll try deleting the balancer, adding the gateway, then re-creating, but for now I don't care because everything is working that I need.
  • GRE Issue

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    D
    Doh! Sorry…  :-[
  • Unexpected bridge behaviour

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    P
    I get a filtered bridge working when I replace the content of /tmp/rules.debug with
        pass in  quick on fxp1 all
        pass out quick on fxp1 all
        pass in  on fxp0 all
        pass out on fxp0 all
    It seems that something is wrong with the generated rules. Update, yes, found something:
        nat on $wan from 192.168.1.0/24 to any -> (fxp0)
    in the FTP PROXY part of rules.debug. Found the solution in the NAT section - outbound, here you have advanced nat. Check this and remove the NAT rule below. I'm glad I found it.
  • Bandwidth problem with my configuration: ARP redirection suspicion cause

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    H
    Nice and thanks for the great diagrams of your network to understand the problem  :D
  • Fragmentation

    Locked
    1
    1 Votes
    1 Posts
    2k Views
    No one has replied
  • Source and destination the same

    Locked
    8
    0 Votes
    8 Posts
    5k Views
    G
    @Gez: WAN Interface Src. 89.207.xxx.xxx Dest. 89.207.xxx.xxx ICMP
    @sai: I'm no expert, but it seems to me that the only way to get this packet is either your ISP is acting up or your firewall is not logging correctly. The ISP shouldn't route that packet to you. No way.
    Well I don't know if this has something to do with it as I'm no expert either but my only broadband option here in rural Ireland is satellite broadband, which has the peculiar feature that if I do a traceroute to any external website I notice that packets are routed from my private address space of 192.168.30.0 out through the satellite modem, with its public, fixed IP address on the WAN interface, and back to another private 192.168.4.0 address space somewhere in Germany, taking 2 hops there, before finally taking its course through routers with public addresses again. I've never really questioned it as I assumed satellite works differently but it does seem a bit odd. As for logging, yes it's not working properly. It works for about 10-20 minutes and then stops logging completely till I reboot. I've done a completely fresh hard disk install of 1.0.1 but same problem.
  • Routing through the firewall

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    What is the point of having a firewall if all networks are in the same layer2 network? You could do it with 1 interface when using vlans but that is virtually 2 separate networks again. You can shut down NAT by enabling advanced outbound nat at firewall>nat, outbound tab. Delete all nat mappings that it creates for you in the table at the bottom.
  • Time of day based rules

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    J
    I actually need the same functionality.  On our old Sonicwall we were able to firewall out our remote Citrix users between 8 AM and 6 PM.  I know there's some way to control that within Citrix as well so we'll probably have to use that option once we get the m0n0wall/pfsense fully in place.
  • Stateful Packet Inspection

    Locked
    4
    0 Votes
    4 Posts
    9k Views
    A
    Thanks for the replies. That cleared things up. For some reason I mistakenly thought layer7 and SPI were the same thing.
  • Bittorrent / DHT / UDP Problem

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    D
    This may be attributed to NAT reflection not being enabled on all configurations. The client checks itself by connecting to the outside port it forwarded and seeing if it works. eMule has some KAD network issues with this UDP port forward as well. So yes, it would actually work from the outside. But testing from the inside would/could fail.
  • Firewall feature request : users …

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    D
    Starting with version 2 a user manager will be included for administration. That one will be a lot more fine grained. So after 2.0 is released we can do something with this. Release schedule for 2.0 is currently quite unknown.
  • What does the '@' in '@184 blocks … ' mean in firewall system logs ?

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    D
    The number is the line number which refers to the rule in /tmp/rules.debug.
  • Connection Losses

    Locked
    12
    0 Votes
    12 Posts
    4k Views
    D
    I've not had the best of experiences with the 3c2000 cards. Regardless, it should work. Did you reboot your box to enforce the ifconfig settings? A manual ifconfig sk0 media 100baseTX full-duplex should work anyhow. From the console menu, the webgui or ssh, pick one.
  • [Solved] Another ping problem

    Locked
    11
    0 Votes
    11 Posts
    5k Views
    Y
    @KiaN: Ok, now I get it : @hoba: Btw, you should upgrade to 1.0.1. 1.0 had a really annoying bug where rules sometimes were not reloaded. Yep, 'tis why I asked what version you were running. Glad to hear it's working now :).
  • Possible solution for bridging and carp (evolved to bridging and STP)

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    P
    Tomorrow already looks promising :)
  • Cannot ping wan ip of another pfsense

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    Y
    No problem. Glad to hear you got it working. Pass the word along about pfsense ;).
  • Remote admin access to WDS network AP's on OPT1

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    H
    Remote admin works on the router WAN port only. It works only on port 80 or 8080. There is a single way to remote admin your routers: set up a PPTP connection to your gateway (pfsense). Give me more details to give you more help (I have a similar setup). chady
  • Problem with NAT reflection

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    See http://cvstrac.pfsense.com/tktview?tn=1138,6 for how to set up a workaround rule for this problem. At least for natreflection this should work for 1.0.1 without this rule but you will need it for ftphelper anyway so it won't hurt ;)
  • Allowing http

    Locked
    9
    0 Votes
    9 Posts
    4k Views
    P
    @jeroen234: if port 56 is not open they can not access the dnsserver
    DNS is port 53/UDP (TCP for zone transfers)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.