• OPT1 NIC equal rules as LAN NIC
    Locked, 0 Votes, 3 Posts, 3k Views
    Thanks for the confirmation.  I discovered that I had not modified the subnet mask for the opt if from 32 to 24 :-( All is well now ;-) Tor
  • PPTP clients to the LAN
    Locked, 0 Votes, 9 Posts, 5k Views
    Ok. Just to let you all know that it works. Thank you all for your help. Cheers
  • Help with Firewall
    Locked, 0 Votes, 3 Posts, 4k Views
    It will allow them to connect from BOS to CLT but it will not pass them through the DMZ.
  • What limits the number of states that pfSense can handle?
    Locked, 0 Votes, 3 Posts, 5k Views
    @Numbski: I'm seeing that all of my pfSense boxes have a fixed number of states that it can handle, which is 10,000. What sets this number? Is it an arbitrary limit? Kernel limitation? Driver limitation? I have an environment I'm looking to put 2 or more pfSense firewalls into place to share the load, and I think they have the horsepower to handle far more than a WRAP box can, but they are both limited to this 10,000 number. What establishes this limit?
    The 10K states is an arbitrary default set by pf. Each state eats approx. 1K of RAM so 10K states could potentially eat 10MBytes - the pf (note, I'm not talking about pfsense) developers chose 10K due to a desire to have pf work out of the box on low memory platforms. We've chosen to keep that limit, however, as hoba pointed out, this is changeable in System->Advanced. At some point, I may choose to make this a dynamic default based on system memory, but 10K is actually a halfway decent default that most users won't exceed. –Bill
  • Outbound FTP from DMZ <-bridge-> WAN
    Locked, 0 Votes, 4 Posts, 3k Views
    Well, not the wan interface, just the DMZ.
  • How to turn off Firewall on OPT1 side
    Locked, 0 Votes, 7 Posts, 7k Views
    Show me a tracert from this OPT client to a LAN IP. I'm using pfSense with multiple interfaces and firewalling between them even with aliases and it works like expected. Do you really see blocks at Status > System logs, Firewall? If yes, what rule does cause the block (click the small block icon in front of the line)?
  • Using Port-Aliases in NAT Rules
    Locked, 0 Votes, 4 Posts, 4k Views
    Forgot to mention beta-2. But I've already downloaded the latest snap http://pfsense.com/~sullrich/RELENG_1_SNAPSHOT_04-03-2006/ and will test it tomorrow at first :)
  • Firewall Rule not working
    Locked, 0 Votes, 4 Posts, 3k Views
    I've come to similar probs with beta and (nat) rule creation. Sometimes it seems that the filter did not get updated as reported by pfSense. Will check this in the latest snapshot but sometimes it helps to edit a filter rule, save it and hit reload. Greets, Grey
  • Block Ports in IPSec Tunnel
    Locked, 0 Votes, 4 Posts, 2k Views
    On the incoming interface (EG. LAN)
  • IP Banning for Multiple Attempts (Attacks) on Firewall?
    Locked, 0 Votes, 3 Posts, 3k Views
    I have added this on my web server to limit the SSH brute force attacks, and it works quite well. But I would very much like to have it in the firewall instead of on the server because I think it belongs there and it is quite annoying when I, by accident, lock myself out for 10 minutes when connecting from a local client. Maybe I should just change it so it doesn't block 192.168.* addresses ;) What it does is that it logs and blocks the third attempt and it just blocks the 4th+ to avoid my logs being flooded.
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j DROP
    iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
    iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
  • Allow LAN -> OPT, not reverse
    Locked, 0 Votes, 7 Posts, 4k Views
    That'd be okay.  I'd use them only for 1 or 2 OPT subnets.  And so far, no need for traffic shaping, since it's just for home. But I continue leaning further toward the EPIA CL6000 with two LANs, even as we "speak".
  • Squid redirect rule
    Locked, 0 Votes, 13 Posts, 7k Views
    Ok, the squid works fine, Transparent Mode and the port forwarding. But when I configure another pfSense box, which is the default gateway in my LAN, to forward every port 80 traffic (with the same port forwarding rule) to the squid pfSense box with another PPPoE connection to the net, it does not work. Something wrong in my mind?
  • Allow only certain MAC addresses
    Locked, 0 Votes, 7 Posts, 5k Views
    @bushtor: Will do ;-) .. especially if you tell me where I can find the dhcp mac config file from the ipcop box shell. Sorry, a typo :-( Of course I meant 'the pfsense box shell'… However I have located it and solved the problem ;-) Tor
  • Interactive rules
    Locked, 0 Votes, 6 Posts, 3k Views
    Other solution:
    - enable remote syslog server at the pfSense and create a block rule with "log" enabled
    - disable logging of default deny rule
    - install syslog daemon at your client that sends you a mail on receiving this alert or plays a beep or a popup or whatever (depends on the tool you use)
    - create a rule in the webgui for this connection to pass above the logging rule and disable it (you can quickly enable/disable this rule by clicking the small pass icon in front of the rule and hitting apply)
    It's not like a popup and only clicking an allow or deny button but might work depending on how often you need it.
  • Transparent firewall tutorial
    Locked, 0 Votes, 2 Posts, 3k Views
    I'm happy to hear that :D thanks a lot!
  • Help us help you make aliases better.
    Locked, 0 Votes, 17 Posts, 9k Views
    @rexster: @sullrich: DNSForwarder and friend already uses that. This is at a different level. (oot) but there at least few thousands hosts in the list. how can i make the update automatic? Please un-hijack this thread and start a new one. I really have no idea how we are now talking about DNS Forwarder in the ALIAS thread!
  • FTP still appears to be broken…
    Locked, 0 Votes, 4 Posts, 3k Views
    So it looks like by default, the ftp helper is enabled on all interfaces.  In order for LAN and WAN to access my ftp server in the DMZ, I had to disable the ftp helper on all interfaces, LAN, WAN, and DMZ.  As soon as I turned that off, all is well.
  • DHCP - Deny unknown clients (from file)
    Locked, 0 Votes, 2 Posts, 2k Views
    Download the config.xml and copy/paste your MACs into the right part, keeping the formatting of the XML intact. Then re-upload it.
  • FTP issues??
    Locked, 0 Votes, 15 Posts, 7k Views
    "Is dual wan compatible with FTP? Short answer: no. If you are trying to use the FTP proxy and DUAL wan or Load Balancing this will not work due to the fact that we have to redirect traffic to a userland proxy when the helpers are enabled. However, the long answer is that you can utilize dual wan ftp if you use a 1:1 or port-forward the large port ranges required by the server which in most cases of newer ftp daemons is configurable."
    ok ;)… and how about the long answer? ??? ??? I already use NAT 1:1, Passive FTP (port 55000-60000) and disable userland FTP-Proxy. Download is slow, but upload is fine.
  • Firewalling IM
    Locked, 0 Votes, 3 Posts, 3k Views
    http://www.experts-exchange.com/Security/Q_20968914.html
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.