• Simple block of traffic to port 80 on webserver machine

    Locked
    0 Votes
    7 Posts
    3k Views
    Okay, I got it working; it's tricky if you don't know what you are doing.  Thanks for your help!
  • Blocking access to ntop

    Locked
    0 Votes
    5 Posts
    2k Views
    You have to disable the antilogout rule at lan (system>advanced) which grants access to the lan IP of the pfsense. This rule is in place to make sure you don't log yourself out from the administration. Beware that disabling that rule might log you out if you have incorrect rules at LAN, so verify your settings before applying a new ruleset.
  • Keep finding this address in routes -> 10.18.160.1

    Locked
    0 Votes
    9 Posts
    3k Views
    @sai: Port 67 is the port a bootp/dhcp server listens on, port 68 is the port the DHCP server sends out information on. So there is a DHCP server on your WAN. These things tend to spew a lot of packets. Very annoying. Thanks.
  • Pf tool for evaluating packet's path

    Locked
    0 Votes
    6 Posts
    3k Views
    No idea.  As I told you before, I am not crazy about that patch and you will have to get it into the tree through someone else.  Sorry.
  • Can't ping from subnet to Opt1 subnet

    Locked
    0 Votes
    7 Posts
    3k Views
    I dropped all of the Gateways but still cannot connect to the WAN from my host on the OPT1 network.  I can connect from my LAN to the host on the OPT1 network.
  • Cannot access pfsense box behind a router on the LAN

    Locked
    0 Votes
    5 Posts
    2k Views
    thank u works fine
  • After installing 1.0.1 I don't have firewall logs

    Locked
    0 Votes
    3 Posts
    2k Views
    Yes, sorry, working now!!!
  • Idle connections do not expire

    Locked
    0 Votes
    4 Posts
    2k Views
    Thanks that worked for me. I modified the bittorrent rule and set state timeout to 120 seconds and state type to modulate state.
  • Rules not reloading properly

    Locked
    0 Votes
    9 Posts
    4k Views
    My fault it was something else.
  • Squid will not start

    Locked
    0 Votes
    4 Posts
    2k Views
    thx, in the future I will look before asking. I've found what I was looking for:
    Squid will not start on boot-up in transparent mode. The service also stops when certain changes are made to the firewall. (Example: changing web-gui access from HTTP to HTTPS). I experienced the same problem on different systems. My quick fix for the boot-up was to add two lines before exit 0 in /etc/rc:
        /usr/local/bin/beep.sh start 2>&1 >/dev/null
        sleep 15
        /usr/local/etc/rc.d/proxy_monitor.sh&
        exit 0
    If the service stops when firewall changes are made, I reapply my access control list, and SQUID starts working again. (Just starting the service from the gui seems to be hit and miss with respect to the access control rules actually working).
  • Filter is disabled. Not loading rules….

    Locked
    0 Votes
    7 Posts
    4k Views
    There is only one setting where you can disable the firewall completely and that is at system>interfaces like sullrich told you. This is a 1.0.1 release? Maybe a reinstall is in order.
  • Blocking (FTP for example) doesn't work

    Locked
    0 Votes
    4 Posts
    2k Views
    @dr-rox: Strange, even after upgrade rules work only after reboot. Sounds like a reinstall is in order then.
  • Hamachi (vpn)

    Locked
    0 Votes
    4 Posts
    3k Views
    Thanks for the link, hoba. I searched for vpn, didn't try hamachi. Figures lol. I'll check that out as well, sullrich.
  • Parental control

    Locked
    0 Votes
    2 Posts
    4k Views
    Our ACLs are of a first match type.  Put a rule at the beginning that allows the restricted PC access to the website(s) needed (and to DNS possibly) and follow that up with a deny rule from that restricted PC to any.  The remaining policy will apply to the rest of your machines. –Bill
  • LAN rules not obeyed

    Locked
    0 Votes
    14 Posts
    6k Views
    Should be related.
  • Ftp rules with public IPs no connection on port 20-21

    Locked
    0 Votes
    10 Posts
    4k Views
    Please search the forum. Nearly any question concerning ftp has already been answered. pfSense has a ftp proxy that will dynamically open and close ports for ftp when needed and replace the private IP with the correct public one IF configured correctly.
  • How to block any other service beside HTTP, IM and mail.

    Locked
    0 Votes
    2 Posts
    2k Views
    The main problem when trying to block anything but http is that lots of IM applications or P2P apps switch to using port 80 if they can't get out on their default ports. You might only be able to cut this down by using a proxy. Try the squid package and configure it for transparent use. On top of that, block anything going out but the desired ports.
  • Problem with access to WWW and some other question like WEBGui & VPN

    Locked
    0 Votes
    4 Posts
    3k Views
    To make all local subnets available to the other end, either use a subnet that covers all subnets at the multi-interface site or build 3 parallel tunnels. The webgui will be available through ipsec without any problems by its local IPs. You will find some IPSEC clients and a howto for one of them in our link section: http://pfsense.com/index.php?id=33
  • Suggestion: PF IP Tables

    Locked
    0 Votes
    4 Posts
    2k Views
    set the source to "single host or alias" and then type sshblock, :) thanks again.
  • Bogon Networks

    Locked
    0 Votes
    3 Posts
    3k Views
    hoba, Thanks for the reply, I have them enabled. sfm