• Bittorrent

    Locked
    0 Votes
    10 Posts
    6k Views
    Found the problem!!! It was where Azureus was changing the UPnP on the modem to go straight to the PC NIC instead of through pfSense, and then pfSense was losing track of the ports and traffic, as all outgoing traffic was going through pfSense but incoming wasn't.
  • Skype

    Locked
    0 Votes
    3 Posts
    3k Views
    Take a look at http://www.net-security.org/article.php?id=876
  • General Firewall problem with another gateway

    Locked
    0 Votes
    8 Posts
    4k Views
    I fixed the problem - dummy mistake. I forgot to make NAT - Outbound rules on LAN and OPT1 for 192.168.1.0/24 X Advanced flag the error was that the other machine was told on public net, but routed the packets back on the 192.168.1.0/24 iface directly to the client and not over the gw-address. Thanks.
  • 1 WAN 3 LAN - Blocking LAN ports from each other.

    Locked
    0 Votes
    4 Posts
    4k Views
    Yeah, those are wrong.
    at LAN:
    block, proto any, source any, destination OPT1 subnet
    block, proto any, source any, destination OPT2 subnet
    pass, proto any, source lan subnet, destination any (default LAN to any)
    at OPT1:
    block, proto any, source any, destination LAN subnet
    block, proto any, source any, destination OPT2 subnet
    pass, proto any, source OPT1 subnet, destination any
    at OPT2:
    block, proto any, source any, destination LAN subnet
    block, proto any, source any, destination OPT1 subnet
    pass, proto any, source OPT2 subnet, destination any
    You always block incoming traffic at an interface.
  • Full block

    Locked
    0 Votes
    10 Posts
    5k Views
    whatever works best for you  ;)
  • Trying to block port 25

    Locked
    0 Votes
    5 Posts
    6k Views
    In your rule you have ! mailserver or do you have !mailserver ??? !mailserver is correct; the picture is not clear on this.
  • Sierra Online games

    Locked
    0 Votes
    9 Posts
    5k Views
    No, tried and same problem.
  • Can i map fw rules to interfaces?

    Locked
    0 Votes
    4 Posts
    2k Views
    @althornin: You are allowing "prod net rule allow any to any" - your firewall is doing exactly that! change the rule to "allow any to !mgmt"….
    Yes, I know this, but I'd like to know: can I map rules to interfaces? E.g. packet flow is something like this: Packet in Int1 -> Check against Int1 rules -> Packet routed to Int2 -> Check against Int2 rules. If this is not possible, I think I will try to modify the Firewall: Rules page so that I can see all my rules on one page (like Checkpoint). I think this way I can get a cleaner picture of how my fw rules are checked.
    Br, Ville
  • Ipencap pf

    Locked
    0 Votes
    2 Posts
    3k Views
    Can't say that I have ever seen the need for this. Can you explain why that option is only needed in your case?
  • Firewall problem … or maybe it's just me ;)

    Locked
    0 Votes
    7 Posts
    7k Views
    Just keep in mind: You always have to block incoming traffic at an interface, so if you want to block traffic from LAN to Opt1 your rule has to be applied to the LAN interface. In your scenario I would use some aliases to get your blacklist function and to keep the number of rules low to have a better overview:
    at all Interfaces:
    block proto any source-ip "blacklistip" source-port any destination-ip any destination-port any
    block proto tcp/udp source-ip any sourceport any destination-ip any destination-port "blacklistports"
    pass proto any source-ip <interface>subnet sourceport any destination-ip any destination-port any
    Needed Aliases for this:
    blacklistip - hosts alias with all blocked IPs
    blacklistports - ports alias with blocked ports
    This way you can simply add your IPs to the blacklistip alias or ports to the blacklistports alias (at least if you want to handle them all the same way). For special needs you can combine ports and hosts aliases or invent more aliases. Try to use the alias system as much as you can. It can simplify things a lot.
  • Black and whitelist

    Locked
    0 Votes
    2 Posts
    3k Views
    That will most probably be a feature of 1.1 alias system. Not yet doable.
  • Pfsense and Asterisk….one-way audio problem with SIP

    Locked
    0 Votes
    18 Posts
    27k Views
    I did not get things working with siproxd and asterisk. Maybe I am feeling slow today, but I am not getting it. Where should my asterisk box be pointing? I have a connection with iconnecthere and sipphone, and fortunately these are my only 2 SIP-based providers. So what do I need to do on the asterisk side so I can route my SIP accounts through siproxd on the pfsense box? K
  • Firewall rules advanced options

    Locked
    0 Votes
    5 Posts
    13k Views
    @Leoandru: @billm: The client connection limit and max connections/second are for the rule. Soooo if client connection limit is set to 10, you can have 10 state entries total, it could be 10 from one host, or one each from 10 hosts. New connections/second works the same way. –Bill
    Is it possible to have the Simultaneous client connection limit work on a per host basis? It would be a nice feature. I have been having problems lately with persons running bittorrent opening many connections all at the same time.
    EDIT: What about an option for limiting the total number of connections per source? "max-src-conn" In other words, limit the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make.
    Work up a GUI + filter.inc patch and we will entertain it.
  • Firewall Log every 7 minutes

    Locked
    0 Votes
    17 Posts
    13k Views
    Ok… I wait... Thanks!! Let me know if you need any test...
  • Subnet 2 and DMZ have no Internet access.

    Locked
    0 Votes
    16 Posts
    15k Views
    Do you have the firewall rules for ping set up? If you put this rule on the LAN tab, the OPT1 tab and the OPT2 tab: icmp * * * * * then they can ping the LAN network, OPT1 network, OPT2 network and the internet.
  • SSH and Ping problem

    Locked
    0 Votes
    3 Posts
    4k Views
    It works. Thanks a lot.
  • Pfsense lockup?!?!? state table SOLUTION

    Locked
    0 Votes
    9 Posts
    7k Views
    @sullrich: Aren't you comparing apples to oranges? Last time I checked m0n0wall doesn't support atheros.
    True, m0n0wall doesn't support Atheros. I need to check this with the atheros card removed.
  • Squid & Firewall

    Locked
    0 Votes
    6 Posts
    5k Views
    Apparently it now works fine, thanks sullrich :D
  • How to make siproxd transparent?

    Locked
    0 Votes
    5 Posts
    4k Views
    Wait for beta2 which has a static port option.  Search the forums for more information as this has been talked about already.
  • Beta-1 Aliases Bug (minor/simple)

    Locked
    0 Votes
    4 Posts
    3k Views
    Yep.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.