  • How to Firewall routed traffic that's Not passing through

    Locked
    0 Votes
    5 Posts
    2k Views
    P

    Oh good! I apologize, for I couldn't test this until Monday at work, and I wanted to be ready with the knowledge of a fix if necessary on Monday morning.
    Thank you, -pc

  • Block web-access from the WLAN network

    Locked
    0 Votes
    2 Posts
    2k Views
    H

    There are 2 options at system>advanced:

    Enable filtering bridge
    If you have not enabled the filtering bridge, traffic between the 2 bridged interfaces is not filtered.

    Disable webGUI anti-lockout rule
    This rule is invisible and prevents you from shutting down access to the webGUI. If you are sure your rules are correct and you won't lock yourself out completely, disable this hidden rule.

  • Can't get past gateway

    Locked
    0 Votes
    11 Posts
    5k Views
    H

    It's for the traffic described by the rule you put this in.

  • Dup! Ping problems

    Locked
    0 Votes
    3 Posts
    5k Views
    W

    It's really unusual: my network cards are pointing to two different subnets. The problem only occurs when I try to ping our Windows cluster. I can't seem to see how my firewall could see each packet twice, but every second packet is a dup! tcpdump also shows that the seq numbers are different. Could it be an ARP problem? At the moment I am lost.

  • P2P port List?

    Locked
    0 Votes
    2 Posts
    3k Views
    G

    nm, solved it. ./status.php

  • IPTables P2P

    Locked
    0 Votes
    3 Posts
    2k Views
    G

    Oh yeah, my bad.. ;D

  • MOVED: Questions about nat/port forwarding

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied

  • Block private network except…..

    Locked
    0 Votes
    4 Posts
    3k Views
    H

    Port-forwarded connections will still originate from the public IP of the host that is sending the request. Connections are only NATed outbound (the internal IP of the server is replaced with the WAN IP of the NATing device). No need for this rule.

  • Confirm that ftp clients through transparent FW is possible?

    Locked
    0 Votes
    3 Posts
    2k Views
    S

    OK, that's good to know! I won't mess with it for now.

    Very impressed with pfSense in general though; keep up the excellent work :)

    sim

  • Incoming traffic being blocked

    Locked
    0 Votes
    2 Posts
    2k Views
    H

    Check your rule order; maybe there is something wrong. Besides that, your setup looks valid to me. What version are you running? Btw, if you click the small block icon in front of your firewall logs, it tells you which rule caused the block.

  • Implicit rules

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied

  • Looking for Advice on firewalls rules.

    Locked
    0 Votes
    3 Posts
    2k Views
    G

    It is a wireless backhaul… I think I got my problem figured out... I have too many outgoing connections for the amount of bandwidth that I specified. I increased my upload to 3.5 Mbps and download to 3.5 Mbps and it solved the problem. I just get some wireless delay when I start pushing over 3 Mbps on outgoing traffic.

  • Something about pots 161

    Locked
    0 Votes
    2 Posts
    2k Views
    JeGrJ

    There are a few other ways to discover (or guess) the number of PCs behind a box. At first you did not mention if and how you set up NAT on pfSense. If you have not configured SNMP (and I think you did not, from the outside) there are other ways to manage that, e.g. IP-ID scanning the traffic coming from your router. For that's sake, it is the provider, and if somebody is easily able to "log" your traffic, it's him. I would guess he uses some kind of IP-ID scanning (some ISPs in Germany had done so), and if you are using many boxes with weak random IP-ID implementations (like Windows or some Linuxes, too), you can paint a diagram and match it against the IP packets and their IDs to draw some kind of picture which shows how many boxes are active behind the NAT.

    For an example, look here: -> http://www.cs.columbia.edu/~smb/papers/fnat.pdf

    I don't know if FreeBSD's implementation of pf matches the one of OpenBSD completely, but there you could use the keyword "random-id" as a key in the NAT clause to scramble all IDs leaving your network so they behave really randomly and blur your internal structure.

  • Transparent Bridging Firewall

    Locked
    0 Votes
    4 Posts
    3k Views
    H

    If you want to manage it coming from an external IP, it should be an external IP. If you only want to manage it from another machine in the same subnet as the WAN IP, or from a separate management interface, you can choose something else.

  • Tivoli through pfsense

    Locked
    0 Votes
    8 Posts
    4k Views
    B

    And of course, 10Mbit is slower than the 30Mbit or so you were getting before, which means your backups will take even longer! No, you really really want a bigger box ;)

    –Bill

  • Blocking using Aliases

    Locked
    0 Votes
    2 Posts
    2k Views
    H

    You have to try it from a client behind the pfSense or at WAN. The filter blocks connections incoming on an interface. If you ping from the pfSense itself, it's outgoing traffic, which will always be allowed.

  • Transparent firewall

    Locked
    0 Votes
    23 Posts
    21k Views
    D

    OK
    If this can be in the future, I'd be very glad.
    Thanks.

  • Dynamic firewall rules according to the user

    Locked
    0 Votes
    6 Posts
    8k Views
    S

    @Grey:

    As I haven't seen authpf in pfSense yet (a pity, but I don't know how hard it would be to implement; it sure would be a nice addition to captive portal), I'd say you could do it if you map your users to a definite IP each and configure rules for that IP. You could e.g. use DHCP with their MACs and so map user A to IP x.x.x.a and user B to IP x.x.x.b.
    IP-based filtering is not that nice, I know, and far from being foolproof. But I am curious if there are other methods already in pfSense (perhaps HEAD)?! :)

    No. Patches accepted.

  • Rule for PPTP applies for external IF as well

    Locked
    0 Votes
    3 Posts
    3k Views
    JeGrJ

    At the moment, a quick workaround:

    Log in via shell or console and change dir to /tmp. Edit rules.debug and delete the "ng0" part in the macro "pptp" (right on top of the file). Then reload the filter rules via "pfctl -f rules.debug". Worked for me so far and immediately shut down the unwanted access from outside to the web and SSH ports.

    Thanks for filing, hoba :)

  • New to Firewalling

    Locked
    0 Votes
    11 Posts
    5k Views
    B

    @Aderium:

    Could I just disable the rule instead of removing them? It would be annoying to remove and recreate or backup and restore ….

    Same difference.

    –Bill

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.