• Beginner questions regarding transparent firewall

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    E
    @Gertjan: And why still using the initial router (or is it a modem also ?) ? Send it on holiday (remove the routing activity) - this makes your setup simpler to administer. pfSense handles the routing very well (at least at the last time I checked  ;D).
    I can't remove the router because it does more things than I showed here. I want to use pfSense just as firewall. I don't need its router and other features.
  • Max Connections / Second Not Showing Blocked

    Locked
    12
    0 Votes
    12 Posts
    6k Views
    H
    This depends on the way the application/sender is working. If it really opens up a new connection for every mail it will be blocked by this rule. This might be the case the way Norton does it but other applications might behave differently.
  • Access timelimit

    Locked
    10
    0 Votes
    10 Posts
    10k Views
    T
    @redpanther: I just downloaded the iso but I have a question. Is there a way to time limit access to the net for certain PCs by IP or MAC? I have 3 that need 24/7 access and have 3 that need to be denied access from 23:00-06:00; by denied I mean totally blocked, not even able to get a ping out.
    With RC2, I was able to set up a block for 2 computers that my kids use to keep them from staying up all night.  It may be what you were looking for. My code can be found here: http://forum.pfsense.org/index.php/topic,682.msg10895.html#msg10895
  • Firewall rules definition file

    Locked
    6
    0 Votes
    6 Posts
    7k Views
    T
    Here are my parental control rules, maybe this will help get you started.

    /root/parental:

        #!/bin/sh
        # Log the time of every invocation
        /bin/date >> /root/parental.out
        case "$1" in
        goodnight)
            echo "blocking children"
            # Load ipfw and deny all TCP from the two children's machines
            /sbin/kldload ipfw
            /sbin/ipfw add 5 deny tcp from 192.168.1.202 to any
            /sbin/ipfw add 5 deny tcp from 192.168.1.205 to any
            ;;
        goodmorning)
            echo "allowing children"
            # Unloading the ipfw module removes the deny rules
            /sbin/kldunload ipfw
            ;;
        *)
            echo "nothing to do"
            ;;
        esac
        exit 0

    crontab:

        # home brew parental control
        59 20 * * 0-4 /root/parental goodnight >> /root/parental.out
        59 23 * * 5-6 /root/parental goodnight >> /root/parental.out
        59 5 * * * /root/parental goodmorning  >> /root/parental.out

    Just for clarification: the PF rules that you set up in the web GUI take priority before the ipfw rules. This example will not coexist with the captive portal without modification, which I do not use anyway.
  • Transparent bridge will not pass packets

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    H
    You usually don't have 2 IP addresses in a bridge scenario. You should only have 1 IP address here. The interface that is bridged to another one won't have an IP. Something here is borked. Also you are running RC1 which is way too old to be supported and numerous bugs have been fixed since that release. Update to RC2 and run the update scripts to go to RC2e. Also rebuild your config from scratch. In fact I know that the bridge is working correctly as I have tested it inside out lately due to 2 bug reports which in the end turned out to be misconfigurations of some sort.
  • Problems with gateway of the rules.

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    I wonder how that setup works at all. Your WAN subnet includes the LAN and DMZ subnet. This can't work properly. You have to rearrange your subnets in a different way. At the moment you have conflicting subnets.
  • Bonjour and bridged openvpn.

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    H
    HEAD has everything that RELENG_1 has plus more.
  • Problem with transparent Bridge WAN<->OPT1

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C
    That did not work  :'( Do you have any other idea? What I don't understand is why would I need different settings than those I "copied" from M0n0? Isn't pfSense derived from Mono-Wall? I really hope to get this working today    :-\ Thanks for your help! Chris
  • 0 Votes
    25 Posts
    10k Views
    H
    I suggest supplying unofficial unsupported patches for this atm. Everybody who's using it can report back here. That gives us at least an overview of how well this is working if we consider implementing that later. Janz, can you do that?
  • Default install blocking MSN!

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    S
    I mean connecting to MSN with the standard Microsoft MSN Client. Someone on IRC suggested earlier that I try another IM client to see if that works, but I haven't tried that yet.
  • Transparent firewall and AV

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    T
    I have already read that doc and it did help a lot.. a lot of hard work is going into this project… POSIX is more fun than NT  ;D
  • Help diagnose my first error

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    H
    Download the full update of RC2 from one of our mirrors and feed it to system>firmware update. The box will reboot after installation. After that remove the squid package at system>packages, installed packages tab, [x]. Then re-add it by pressing the [+] next to the squid line at the packages tab (just the way you did that the first time).
  • Trying to block sites for a school network (i.e. myspace, etc)

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    C
    Plain firewall rules really aren't sufficient to block web sites, if you want to do it effectively.  Anyone looking to block web sites should look at a proxy server in addition to your perimeter firewall.
  • Automatic rules for DHCP client on $wan interface

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S
    The rules label was incorrect.  That is now fixed. These rules were inherited from m0n0wall:

        # allow our DHCP client out to the WAN
        # XXX - should be more restrictive
        # (not possible at the moment - need 'me' like in ipfw)
        pass out quick on $wanif proto udp from any port = 68 to any port = 67
        block in $log quick on $wanif proto udp from any port = 67 to $lansa/$lansn port = 68
        pass in quick on $wanif proto udp from any port = 67 to any port = 68
  • Someone Please Help Me to Setup This

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    M
    Can you send me the screenshots on how to do it? :) :) :) :) :) Pleaseeee…... ;) ;D ;D ;D I'm a novice... :) THANKS A LOT!
  • Can't create rule where Source or Destination is set to "WiFi address"

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    Confirmed. Look for a bugfix in the upcoming RC2. Thanks for reporting.
  • Newbie

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    You should consider adding tcp 443 (https) too but besides that your rules seem to be ok. Please add new posts with a more descriptive topic next time.
  • Port forwarding problem

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    W
    I couldn't get traffic shaping working unless I bridged them... dunno why, and I tried pass rules on the WAN interface to allow in web traffic to the server, no good. I'm gonna have to start from scratch or install ipcop...
  • How-to Block Msn Messenger and Other IM

    Locked
    7
    0 Votes
    7 Posts
    10k Views
    H
    @Juve: Put the block rules first!  It will work better then  ;) Yeah, rules are matched top down and first match wins  ;)
  • How to block ping interface of firewall?

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    H
    Check system>advanced settings. Disable webgui antilockout rule there (it keeps access to the firewall itself open at LAN) but make sure you have some other rule in place allowing access to the webgui. The other option you mention is at this page too and is called "Static route filtering".