Many thanks.

not really  :(

I found a fix. For Gene6 FTP server, open ports 50000 - 50100 in pfSense.

For IIS FTP on 2003 Server enable the direct metabase edit. Then cd\Inetpub\AdminScripts and run adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5700" and then open the ports in pfSense. Restart the FTP service. You can use whatever high ports you want, not just 5500-5700, they're just an example.

For IIS FTP on 2000 Server, make sure you have SP4. Use regedt32.exe to locate the key *HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters* and add a value named PassivePortRange of type REG_SZ. Edit the entry and type in your port range and open the ports in pfSense. Close the registry editor and restart the FTP service.

Other FTP server applications should be similar, but I only use and know these well since I'm an MCSE.

It applies for the traffic specified in the rule.

If you are not using NAT, then you need to turn the FTP helpers off on each of the interfaces.

I know with Cisco switches you can setup a private VLAN where the isolated ports can only communicate with the promiscuous port(s).  For example you have two computers on two isolated ports, and pfsense connected to a promiscuous port, each computer can communicate with the pfsense box, but not with each other.

The router/pfsense doesn't really interact at all if the communicating computers are on the same subnet.

This was fixed recently.  Run cvs_sync.sh releng_1 && shutdown -r now

This is perfect. Thanks for your help.

@pcatiprodotnet:

Would bandwidth limiting DNS & ICMP per host to a small level that still works well under normal circumstances be a good way to solve this?

You could just block icmp and block DNS to everything except your DNS server.  That'll take care of ICMP tunneling, DNS tunnelling is still available of course, maybe someone else has an idea on how to take care of that (without using the traffic shaper - which would work also, in a roundabout way).

–Bill

Oh good!  I apologize, for I couldn't test this until Monday at work, and I wanted to be ready with the knowledge of a fix if necessary on Monday morning.
Thank you, -pc

There are 2 options at system>advanced:

Enable filtering bridge
If you have not enabled the filtering bridge traffic between the 2 bridged interfaces is not filtered.

Disable webGUI anti-lockout rule 
This rule is invisible and prevents from shutting down access to the webgui. If you are sure your rules are correct and you don't lock yourself out completely disable this hidden rule.

It's for the traffic the rule describes you put this in.

It's really unusual my network cards are pointing in two different subnets. The problem only occurs when i try to ping our windows cluster i can't seem to see how my firewall could see each packet twice. But every second packet is a dup! tcpdump also shows that the seq numbers are different could it be an arp problem? At the moment i am lost.

nm solved it. ./status.php

o yeah my bad.. ;D

Portforwarded connections will still originate from the public IP of the host that is sending the request. Connections are only natted outbound (internal IP of server is replaced with WAN IP of the natting device). No need for this rule.

Ok that's good to know! I won't mess with it for now.

Very impressed with pfSense in general though - keep up the excellent work :)

sim

Check your rules order, maybe there is something wrong. Besides that your setup looks valid to me. What version are you running? Btw, if you click the small block icon in front of your firewall logs it tells you which rule caused the block.