Fixed in latest code.

It seems a mistype var name thx for reporting.

Thanks for sharing your experience. I'm glad everything worked out for you but still take care when using Alpha software in a production environment.

Yeah it was wrong, thanks for tracking this.

Should be fixed on new snapshots though for your vlan interfaces to change you have to recreate them.

Thanks Ermal, that has fixed it.

hm… i updated from 1.2.3 to 2.0. on 1.2.3 i had couple of rules on lan and since wifi was bridged to lan those rules applied on wifi too. when i updated fw to 2.0 those rules were still there but didn't affect wireless anymore, only lan. this is why i thought that bridge not there and everything works through internal routing or something...  :)

Has there been any updates on this issue?

Interfaces:
vr0 = Wan
vr1 = Lan

by default i'am use pppoe gateway
but iptv server worked through gateway from DHCP (10.12.127.1)

pfsense reboot,
execute
netstat -rn
–

Internet: Destination        Gateway            Flags    Refs      Use  Netif Expire default            87.236.40.69       UGS         0  4270493 pppoe0 87.236.40.69       87.236.41.207      UH          3    46009 pppoe0 87.236.40.248      87.236.40.69       UGHS        0      393 pppoe0 87.236.40.249      87.236.40.69       UGHS        0       17 pppoe0 127.0.0.1          127.0.0.1          UH          0        0    lo0 192.168.5.0/24     link#2             UC          0        0    vr1 192.168.5.199      00:1d:60:66:19:2a  UHLW        1  2452728    vr1   1100 –
executing
dhclient -vr0
netstat -rn Internet: Destination        Gateway            Flags    Refs      Use  Netif Expire default            87.236.40.69       UGS         0  4273176 pppoe0 10.12.127.0/24     link#1             UC          0        0    vr0 87.236.40.69       87.236.41.207      UH          3    46106 pppoe0 87.236.40.248      87.236.40.69       UGHS        0      399 pppoe0 87.236.40.249      87.236.40.69       UGHS        0       17 pppoe0 127.0.0.1          127.0.0.1          UH          0        0    lo0 192.168.5.0/24     link#2             UC          0        0    vr1 192.168.5.199      00:1d:60:66:19:2a  UHLW        1  2454912    vr1   1001

Log System:

Apr 23 23:56:28 dhclient: netstat
Apr 23 23:56:28 dhclient: PREINIT
Apr 23 23:56:28 dhclient: netstat
Apr 23 23:56:28 dhclient: EXPIRE
Apr 23 23:56:28 dhclient: Deleting old routes
Apr 23 23:56:28 dhclient: netstat
Apr 23 23:56:28 dhclient: PREINIT
Apr 23 23:56:28 dhclient[44225]: DHCPDISCOVER on vr0 to 255.255.255.255 port 67 interval 7
Apr 23 23:56:28 dhclient[44225]: DHCPOFFER from 10.12.127.1
Apr 23 23:56:28 dhclient: netstat
Apr 23 23:56:28 dhclient: ARPSEND
Apr 23 23:56:30 dhclient: netstat
Apr 23 23:56:30 dhclient: ARPCHECK
Apr 23 23:56:28 dhclient[44225]: DHCPOFFER from 10.12.127.1
Apr 23 23:56:30 dhclient[44225]: DHCPREQUEST on vr0 to 255.255.255.255 port 67
Apr 23 23:56:30 dhclient[44225]: DHCPACK from 10.12.127.1
Apr 23 23:56:30 dhclient: netstat
Apr 23 23:56:30 dhclient: BOUND
Apr 23 23:56:30 dhclient: Starting add_new_address()
Apr 23 23:56:30 dhclient: ifconfig vr0 inet 10.12.127.14 netmask 255.255.255.0 broadcast 10.12.127.255
Apr 23 23:56:30 dhclient: New IP Address (vr0): 10.12.127.14
Apr 23 23:56:30 dhclient: New Subnet Mask (vr0): 255.255.255.0
Apr 23 23:56:30 dhclient: New Broadcast Address (vr0): 10.12.127.255
Apr 23 23:56:30 dhclient: New Routers (vr0): 10.12.127.1
Apr 23 23:56:30 dhclient: Adding new routes
Apr 23 23:56:31 dhclient: Creating resolv.conf
Apr 23 23:56:31 dhclient[44225]: bound to 10.12.127.14 – renewal in 1800 seconds.
Apr 23 23:56:34 check_reload_status: rc.newwanip starting
Apr 23 23:56:35 php: : Informational: rc.newwanip is starting vr0.
Apr 23 23:56:35 php: : rc.newwanip working with (IP address: 10.12.127.14) (interface: wan) (interface real: vr0).
Apr 23 23:56:42 php: : Informational: DHClient spawned /etc/rc.newwanip and the new ip is wan - 10.12.127.14.
Apr 23 23:56:42 php: : Creating rrd update script
Apr 23 23:56:43 check_reload_status: reloading filter
Apr 23 23:56:46 apinger: alarm canceled: wan(87.236.40.69) *** delay ***
Apr 23 23:56:47 check_reload_status: updating dyndns
Apr 23 23:56:54 check_reload_status: reloading filter
Apr 23 23:57:01 check_reload_status: reloading filter
Apr 23 23:57:59 apinger: ALARM: wan(87.236.40.69) *** delay ***
Apr 23 23:58:13 check_reload_status: reloading filter
Apr 23 23:59:11 apinger: alarm canceled: wan(87.236.40.69) *** delay ***
Apr 23 23:59:25 check_reload_status: reloading filter
Apr 24 00:05:30 apinger: ALARM: wan(87.236.40.69) *** delay ***

See the system info pane on the dashboard.

I ran into this, too. If you are running the 2.0 dashboard package on 1.2.x and upgrade to 2.0 firmware, it is no longer needed. Installing the 2.0 dashboard package when running a 2.0 firmware causes the webgui to revert to a 1.2.x menu structure, breaking some links and removing some menu options. Removing the 2.0 dashboard package and reinstalling 2.0 firmware resolves the issue.

that's awesome…i'm mainly waiting on squid to be working in 2.0....when it's working then i'll have everything i rreally care about working

i'm still holding out until squid works on 2.0 but thanks for the update

Thanks! I can now access my internal sites. Just updated to snapshot built on Sun Apr 19 16:39:51 EDT 2009

You should make a new topic for that question. Otherwise, people will not be able to answer you.

and yes, I did click renew to see what would happen. Nothing– it came back the same way.

Also, forgot to mention in the original post, at one point, I issued a command "ifconfig re0 down" while testing something else. I of course later issued "ifconfig re0 up." I don't know if that had anything to do with this or not, but I don't know why the status page would pick up the "down" and not the "up."

I has update to "built on Sat Apr 18 12:46:37 EDT 2009"

The "rules.debug" file:

#System aliases

loopback = "{ lo0 }"
WAN = "{ em2 }"
LAN = "{ em0 }"
DMZ = "{ em1 }"

User Aliases

DMZ_Special_IP = "{ 89.202.157.133/32 124.238.254.52/32 124.238.254.53/32 220.165.9.102/32 69.64.6.11/32 }"
DNS_Server = "{ 172.20.211.1 }"
NOd32_Server = "{ 172.20.211.1 }"
OUTDNS = "{ 172.16.0.1 172.16.0.2 }"
SafeWeb = "{ 218.90.160.243 61.132.87.170 172.16.0.170 211.153.23.37 59.151.28.198 222.191.227.8 218.90.160.26 61.160.99.109 }"
Web = "{ 172.20.211.1 }"
YEY = "{ 192.168.0.69/32 192.168.0.70/32 192.168.0.71/32 192.168.0.72/29 192.168.0.80/32 192.168.0.81/32 192.168.0.82/32 }"
block_lan = "{ 192.168.1.200 192.168.0.250 }"
block_wan = "{ 121.14.95.120/32 124.115.1.198/32 219.133.38.246/32 219.133.38.247/32 219.133.38.248/32 219.133.38.249/32 219.133.38.250/32 219.133.41.15/32 219.133.41.168/32 219.133.41.240/32 222.73.78.22/32 222.73.78.24/32 222.73.78.25/32 222.73.78.30/32 222.73.78.31/32 222.73.78.43/32 58.221.29.154/32 58.251.62.79/32 58.251.62.85/32 58.60.11.31/32 58.60.11.34/32 58.60.9.41/32 58.60.9.62/32 58.60.9.63/32 58.60.9.64/32 58.61.166.136/32 60.173.112.123/32 60.191.202.41/32 218.18.95.153/32 121.0.19.170/32 124.237.77.154/32 60.190.24.236/32 61.188.87.137/32 61.153.153.195/32 61.153.153.194/32 61.153.153.100/32 61.153.153.196/32 61.153.153.197/32 61.153.153.198/32 61.153.153.101/32 61.153.153.202/32 202.102.245.46/32 121.11.65.162/32 218.60.13.98/32 61.183.8.19/32 61.155.236.210/32 61.164.121.50/32 116.252.178.11/32 59.175.144.130/32 61.131.203.96/32 61.131.203.91/32 61.131.203.94/32 }"
flv_site = "{ 202.102.81.231/32 202.102.81.232/32 211.151.50.0/24 61.164.47.226/32 61.164.47.166/32 61.147.115.0/24 202.102.7.135/32 222.73.50.12/32 222.73.50.14/32 116.252.179.16/32 124.94.101.145/32 121.205.88.20/32 58.218.179.214/32 59.63.157.25/32 60.191.101.40/32 218.0.4.203/32 58.218.209.183/32 121.9.215.13/32 58.218.204.114/32 58.218.204.113/32 202.102.74.150/32 202.102.74.151/32 202.102.74.152/32 202.102.74.153/32 202.102.74.156/32 202.102.74.249/32 221.238.19.153/32 58.215.110.223/32 58.215.106.190/32 208.65.153.253/32 220.181.61.148/32 220.181.61.149/32 220.181.61.150/32 220.181.61.151/32 }"
limit_IP = "{ 192.168.0.8/29 192.168.0.16/28 192.168.0.32/27 192.168.0.64/26 192.168.0.128/26 192.168.0.192/26 192.168.1.8/29 192.168.1.16/28 192.168.1.32/27 192.168.1.64/28 192.168.1.128/26 192.168.1.192/26 }"
limit_LAN = "{ 192.168.1.5/32 }"
remote = "{ 192.168.1.1 192.168.1.2 192.168.1.4 192.168.1.5 192.168.1.6 192.168.1.10 192.168.0.40 192.168.0.50 192.168.1.3 192.168.0.3 192.168.0.111 }"
student = "{ 192.168.1.61/32 192.168.1.62/32 192.168.1.63/32 192.168.1.64/27 192.168.1.96/29 192.168.1.104/30 192.168.1.108/32 192.168.1.11/32 192.168.1.12/30 192.168.1.16/28 192.168.1.32/28 192.168.1.48/29 192.168.1.56/32 192.168.1.57/32 192.168.1.58/32 192.168.0.11/32 192.168.0.12/30 192.168.0.16/28 192.168.0.32/28 192.168.0.48/29 192.168.0.56/30 192.168.0.60/32 }"

set loginterface em2
set loginterface em0
set loginterface em1
set optimization normal
set limit states 50000

set skip on pfsync0

scrub in on $WAN all    fragment reassemble
scrub in on $LAN all    fragment reassemble
scrub in on $DMZ all    fragment reassemble

dnpipe 1 bandwidth 512Kb mask src-ip 0xffffffff

dnpipe 2 bandwidth 512Kb mask dst-ip 0xffffffff

nat-anchor "natearly/"
nat-anchor "natrules/"

Outbound NAT rules Subnets to NAT

tonatsubnets = "{ 192.168.0.0/23 172.20.211.0/24  }"
no nat on $WAN to port tftp
nat on $WAN from $tonatsubnets port 500 to any port 500 -> 172.17.1.141/32 port 500
nat on $WAN from $tonatsubnets port 4500 to any port 4500 -> 172.17.1.141/32 port 4500
nat on $WAN from $tonatsubnets port 5060 to any port 5060 -> 172.17.1.141/32 port 5060
nat on $WAN from $tonatsubnets to any -> 172.17.1.141/32 port 1024:65535

#SSH Lockout Table
table <sshlockout>persist

Load balancing anchor

rdr-anchor "relayd/*"

TFTP proxy

rdr-anchor "tftp-proxy/*"

NAT Inbound Redirects

rdr on em0 proto udp from any to 192.168.0.1 port { 53 } -> 192.168.0.1
rdr on em0 proto tcp from any to 192.168.0.1 port { 8081 } -> 172.20.211.1
rdr on em2 proto tcp from any to 172.17.1.141 port { 1194 } -> 192.168.0.1
rdr on em1 proto udp from any to 172.20.211.254 port { 53 } -> 192.168.0.1

Setup Squid proxy redirect

rdr on em0 proto tcp from any to !(em0) port 80 -> 127.0.0.1 port 80

IMSpector rdr anchor

rdr-anchor "imspector"

UPnPd rdr anchor

rdr-anchor "miniupnpd"

anchor "relayd/*"
anchor "firewallrules"
#–-------------------------------------------------------------------------

default deny rules

#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

We use the mighty pf, we cannot be fooled.

block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

Block all IPv6

block in quick inet6 all
block out quick inet6 all

snort2c

table <snort2c>persist
block quick from <snort2c>to any label "Block snort2c hosts"
block quick from any to <snort2c>label "Block snort2c hosts"

package manager early specific hook

anchor "packageearly"

carp

anchor "carp"

SSH lockout

block in log quick proto tcp from <sshlockout>to any port 22 label "sshlockout"
table <virusprot>block in quick from <virusprot>to any label "virusprot overload table"
antispoof for em2
antispoof for em0

allow access to DHCP server on LAN

anchor "dhcpserverLAN"
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 192.168.0.1 port = 67 label "allow access to DHCP server"
pass out on $LAN proto udp from 192.168.0.1 port = 67 to any port = 68 label "allow access to DHCP server"
antispoof for em1
anchor "spoofing"

loopback

anchor "loopback"
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"

anchor "firewallout"

let out anything from the firewall host itself and decrypted IPsec traffic

pass out all keep state label "let out anything from firewall host itself"

make sure the user cannot lock himself out of the webConfigurator or SSH

anchor "anti-lockout"
pass in quick on em0 from any to (em0) keep state label "anti-lockout rule"

NAT Reflection rules package manager late specific hook

anchor "packagelate"

User-defined aliases follow

table <safeweb>{  218.90.160.243 61.132.87.170 172.16.0.170 211.153.23.37 59.151.28.198 222.191.227.8 218.90.160.26 61.160.99.109 }
table <remote>{  192.168.1.1 192.168.1.2 192.168.1.4 192.168.1.5 192.168.1.6 192.168.1.10 192.168.0.40 192.168.0.50 192.168.1.3 192.168.0.3 192.168.0.111 }
table <outdns>{  172.16.0.1 172.16.0.2 }
table <dns_server>{  172.20.211.1 }
table <web>{  172.20.211.1 }
table <limit_lan>{  192.168.1.5/32 }
table <block_wan>{  121.14.95.120/32 124.115.1.198/32 219.133.38.246/32 219.133.38.247/32 219.133.38.248/32 219.133.38.249/32 219.133.38.250/32 219.133.41.15/32 219.133.41.168/32 219.133.41.240/32 222.73.78.22/32 222.73.78.24/32 222.73.78.25/32 222.73.78.30/32 222.73.78.31/32 222.73.78.43/32 58.221.29.154/32 58.251.62.79/32 58.251.62.85/32 58.60.11.31/32 58.60.11.34/32 58.60.9.41/32 58.60.9.62/32 58.60.9.63/32 58.60.9.64/32 58.61.166.136/32 60.173.112.123/32 60.191.202.41/32 218.18.95.153/32 121.0.19.170/32 124.237.77.154/32 60.190.24.236/32 61.188.87.137/32 61.153.153.195/32 61.153.153.194/32 61.153.153.100/32 61.153.153.196/32 61.153.153.197/32 61.153.153.198/32 61.153.153.101/32 61.153.153.202/32 202.102.245.46/32 121.11.65.162/32 218.60.13.98/32 61.183.8.19/32 61.155.236.210/32 61.164.121.50/32 116.252.178.11/32 59.175.144.130/32 61.131.203.96/32 61.131.203.91/32 61.131.203.94/32 }
table <flv_site>{  202.102.81.231/32 202.102.81.232/32 211.151.50.0/24 61.164.47.226/32 61.164.47.166/32 61.147.115.0/24 202.102.7.135/32 222.73.50.12/32 222.73.50.14/32 116.252.179.16/32 124.94.101.145/32 121.205.88.20/32 58.218.179.214/32 59.63.157.25/32 60.191.101.40/32 218.0.4.203/32 58.218.209.183/32 121.9.215.13/32 58.218.204.114/32 58.218.204.113/32 202.102.74.150/32 202.102.74.151/32 202.102.74.152/32 202.102.74.153/32 202.102.74.156/32 202.102.74.249/32 221.238.19.153/32 58.215.110.223/32 58.215.106.190/32 208.65.153.253/32 220.181.61.148/32 220.181.61.149/32 220.181.61.150/32 220.181.61.151/32 }
table <block_lan>{  192.168.1.200 192.168.0.250 }
table <nod32_server>{  172.20.211.1 }
table <yey>{  192.168.0.69/32 192.168.0.70/32 192.168.0.71/32 192.168.0.72/29 192.168.0.80/32 192.168.0.81/32 192.168.0.82/32 }

User-defined rules follow

pass  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  from <safeweb>to 192.168.0.0/23 keep state  label "USER_RULE: SafeWeb in"
pass  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  from any to <remote>keep state  label "USER_RULE: any2 remote"
pass  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  proto udp  from <outdns>to <dns_server>port = 53 keep state  label "USER_RULE: OUT DNS 2 DNS Server"
pass  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  proto tcp  from any to <web>port = 80 keep state  label "USER_RULE: Web"
pass  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  proto tcp  from any to {  192.168.0.1 } port = 1194 keep state  label "USER_RULE: NAT openvpn "
block  in log  quick  on $WAN reply-to ( em2 172.17.1.142 )  from any to any  label "USER_RULE: block wan  2 any"
pass  in log  quick  on $DMZ  from any to any keep state  label "USER_RULE: DMZ-> any"
pass  in log  quick  on $LAN  from <limit_lan>to any keep state  dnpipe ( 1, 2)  label "USER_RULE: limit_LAN"
pass  in log  quick  on $LAN  from <remote>to any keep state  label "USER_RULE: remote 2 any"
block  in log  quick  on $LAN  from any to <block_wan>label "USER_RULE: LAN 2 block Web"
block  in log  quick  on $LAN  from any to <flv_site>label "USER_RULE: LAN 2 block flv Web"
block  in log  quick  on $LAN  from <block_lan>to any  label "USER_RULE: block_lan 2 any"
pass  in log  quick  on $LAN  from 192.168.0.0/23 to <safeweb>keep state  label "USER_RULE: LAN 2 Safe Web"
pass  in log  quick  on $LAN  proto tcp  from 192.168.0.0/23 to any port = 80 keep state  label "USER_RULE: HTTP"
pass  in log  quick  on $LAN  proto tcp  from 192.168.0.0/23 to <web>port = 81 keep state  label "USER_RULE: DMZ OA"
pass  in log  quick  on $LAN  proto tcp  from 192.168.0.0/23 to any port = 443 keep state  label "USER_RULE: HTTPS"
pass  in log  quick  on $LAN  proto tcp  from 192.168.0.0/23 to <nod32_server>port = 8081 keep state  label "USER_RULE: NOd32 Server"
pass  in log  quick  on $LAN  proto tcp  from <yey>to {  172.20.179.1 } port = 8080 keep state  label "USER_RULE: yey OA"
block  in  quick  on $LAN  from any to any  label "USER_RULE: block LAN 2 any"

VPN Rules Setup squid pass rules for proxy

pass in quick on em0 proto tcp from any to !(em0) port 80 flags S/SA keep state
pass in quick on em0 proto tcp from any to !(em0) port 3128 flags S/SA keep state

anchor "limitingesr"

IMSpector

anchor "imspector"

uPnPd

anchor "miniupnpd"</yey></nod32_server></web></safeweb></block_lan></flv_site></block_wan></remote></limit_lan></web></dns_server></outdns></remote></safeweb></yey></nod32_server></block_lan></flv_site></block_wan></limit_lan></web></dns_server></outdns></remote></safeweb></virusprot></virusprot></sshlockout></snort2c></snort2c></snort2c></sshlockout>

This problem may be solved, but we need people to test.

Please see http://forum.pfsense.org/index.php/topic,15669.0.html

@cr_hyland:

I agree that it makes perfect sense from an actual traffic flow point of view but it is the opposite for lan interfaces interfaces as opposed to wan interfaces. That is why a simple option to invert the graph for internal interfaces would make it much easier to understand.

Yes, it is opposite but think about that a minute. Download traffic is "IN" for WAN interface and "OUT" for LAN interface because that is how data flows as opposite to upload traffic which is "IN" traffic for LAN and "OUT" for WAN because data comes in to LAN int from server/workstation/name_your_machine and trough WAN goes out to some client/server to which data data is sent.

Yes, it can be confusing on first look but after a time (I use pfS/m0n0 platform from early days) it is normal way to show data.

Sasa