Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Outbound PPTP failing after advanced configuration

    Scheduled Pinned Locked Moved
    NAT
    2
    4
    3.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      darrendavid
      last edited by

      hey all-

      so on a totally green out-of-the-box embedded pfsense BETA4 install, I had no issues with connecting to a remote PPTP server from a Windows XP machine on my LAN. After setting up several virtual IPs, inbound port forwarding and traffic queues, I'm not longer able to connect to the same PPTP server. Below is my rules.debug, I'm wondering if there's anything out of the ordinary that might be blocking outbound VPN connections?

      thanks, as always.

      System Aliases

      loopback = "{ lo0 }"
      lan = "{ sis0  }"
      wan = "{ sis1  ng0 }"
      OPT1 = "{ sis2 }"

      User Aliases

      set loginterface sis1
      set loginterface sis0
      set loginterface sis2
      set optimization normal

      scrub on sis1 all random-id
      altq on sis1 hfsc bandwidth 750Kb queue { qwanRoot }
      altq on sis0 hfsc bandwidth 6000Kb queue { qlanRoot }

      queue qwanRoot bandwidth 750Kb priority 0 hfsc { qwandef, qwanacks, qP2PUp, qHTTPUp }
      queue qlanRoot bandwidth 6000Kb priority 0 hfsc { qlandef, qlanacks, qP2PDown, qHTTPDown }
      queue qwandef bandwidth 1% priority 3 qlimit 500 hfsc (  default realtime 1% )
      queue qlandef bandwidth 1% priority 3 qlimit 500 hfsc (  default realtime 1% )
      queue qwanacks bandwidth 1% priority 7 hfsc (  realtime 10% )
      queue qlanacks bandwidth 1% priority 7 hfsc (  realtime 10% )
      queue qP2PUp bandwidth 1% priority 0 qlimit 500 hfsc (  red ecn realtime 1Kb )
      queue qP2PDown bandwidth 1% priority 0 qlimit 500 hfsc (  red ecn realtime 1Kb )
      queue qHTTPDown bandwidth 512Kb priority 2 hfsc (  red ecn )
      queue qHTTPUp bandwidth 512Kb priority 2 hfsc (  red ecn upperlimit 512Kb )

      UPnPd rdr anchor

      rdr-anchor "upnpd/"
      nat-anchor "pftpx/      "
      nat-anchor "natearly/"
      nat-anchor "natrules/      "

      FTP proxy

      rdr-anchor "pftpx/*"
      nat on $wan from 10.0.1.0/24 port 500 to any port 500 -> (sis1) port 500
      nat on $wan from 10.0.1.0/24 to any -> (sis1)
      nat on $wan from 10.0.2.0/24 to any -> (sis1)
      #SSH Lockout Table
      table <sshlockout>persist

      Load balancing anchor - slbd updates

      rdr-anchor "slb"

      FTP Proxy/helper

      rdr on $lan proto tcp from any to any port 21 -> 127.0.0.1 port 8021
      rdr on $OPT1 proto tcp from any to any port 21 -> 127.0.0.1 port 8022

      NAT Inbound Redirects

      rdr on sis1 proto { tcp udp } from any to 111.222.333.444/32 port { 53 } -> 10.0.1.10 port 53

      Reflection redirects

      rdr on $lan proto { tcp udp } from any to 111.222.333.444/32 port { 53 } -> 127.0.0.1 port 19000
      rdr on $OPT1 proto { tcp udp } from any to 111.222.333.444/32 port { 53 } -> 127.0.0.1 port 19001

      rdr on sis1 proto tcp from any to 111.222.333.444/32 port { 8001 } -> 10.0.1.10 port 8001

      Reflection redirects

      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 8001 } -> 127.0.0.1 port 19002
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 8001 } -> 127.0.0.1 port 19003

      rdr on sis1 proto tcp from any to 111.222.333.444/32 port { 22 } -> 10.0.1.10 port 22

      Reflection redirects

      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 22 } -> 127.0.0.1 port 19004
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 22 } -> 127.0.0.1 port 19005

      rdr on sis1 proto tcp from any to 111.222.333.444/32 port { 25 } -> 10.0.1.10 port 25

      Reflection redirects

      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 25 } -> 127.0.0.1 port 19006
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 25 } -> 127.0.0.1 port 19007

      rdr on sis1 proto tcp from any to 111.222.333.444/32 port { 993 } -> 10.0.1.10 port 993

      Reflection redirects

      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 993 } -> 127.0.0.1 port 19008
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 993 } -> 127.0.0.1 port 19009

      rdr on sis1 proto tcp from any to 111.222.333.444/32 port { 995 } -> 10.0.1.10 port 995

      Reflection redirects

      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 995 } -> 127.0.0.1 port 19010
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 995 } -> 127.0.0.1 port 19011

      rdr on sis1 proto tcp from any to 111.222.333.444/32 port 49160:49300 -> 10.0.1.10 port 49160:*

      Reflection redirects

      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49160 } -> 127.0.0.1 port 19012
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49161 } -> 127.0.0.1 port 19013
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49162 } -> 127.0.0.1 port 19014
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49163 } -> 127.0.0.1 port 19015
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49164 } -> 127.0.0.1 port 19016
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49165 } -> 127.0.0.1 port 19017
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49166 } -> 127.0.0.1 port 19018
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49167 } -> 127.0.0.1 port 19019
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49168 } -> 127.0.0.1 port 19020
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49169 } -> 127.0.0.1 port 19021
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49170 } -> 127.0.0.1 port 19022
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49171 } -> 127.0.0.1 port 19023
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49172 } -> 127.0.0.1 port 19024
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49173 } -> 127.0.0.1 port 19025
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49174 } -> 127.0.0.1 port 19026
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49175 } -> 127.0.0.1 port 19027
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49176 } -> 127.0.0.1 port 19028
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49177 } -> 127.0.0.1 port 19029
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49178 } -> 127.0.0.1 port 19030
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49179 } -> 127.0.0.1 port 19031
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49180 } -> 127.0.0.1 port 19032
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49181 } -> 127.0.0.1 port 19033
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49182 } -> 127.0.0.1 port 19034
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49183 } -> 127.0.0.1 port 19035
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49184 } -> 127.0.0.1 port 19036
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49185 } -> 127.0.0.1 port 19037
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49186 } -> 127.0.0.1 port 19038
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49187 } -> 127.0.0.1 port 19039
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49188 } -> 127.0.0.1 port 19040
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49189 } -> 127.0.0.1 port 19041
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49190 } -> 127.0.0.1 port 19042
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49191 } -> 127.0.0.1 port 19043
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49192 } -> 127.0.0.1 port 19044
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49193 } -> 127.0.0.1 port 19045
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49194 } -> 127.0.0.1 port 19046
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49195 } -> 127.0.0.1 port 19047
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49196 } -> 127.0.0.1 port 19048
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49197 } -> 127.0.0.1 port 19049
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49198 } -> 127.0.0.1 port 19050
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49199 } -> 127.0.0.1 port 19051
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49200 } -> 127.0.0.1 port 19052
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49201 } -> 127.0.0.1 port 19053
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49202 } -> 127.0.0.1 port 19054
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49203 } -> 127.0.0.1 port 19055
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49204 } -> 127.0.0.1 port 19056
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49205 } -> 127.0.0.1 port 19057
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49206 } -> 127.0.0.1 port 19058
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49207 } -> 127.0.0.1 port 19059
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49208 } -> 127.0.0.1 port 19060
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49209 } -> 127.0.0.1 port 19061
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49210 } -> 127.0.0.1 port 19062
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49211 } -> 127.0.0.1 port 19063
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49212 } -> 127.0.0.1 port 19064
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49213 } -> 127.0.0.1 port 19065
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49214 } -> 127.0.0.1 port 19066
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49215 } -> 127.0.0.1 port 19067
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49216 } -> 127.0.0.1 port 19068
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49217 } -> 127.0.0.1 port 19069
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49218 } -> 127.0.0.1 port 19070
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49219 } -> 127.0.0.1 port 19071
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49220 } -> 127.0.0.1 port 19072
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49221 } -> 127.0.0.1 port 19073
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49222 } -> 127.0.0.1 port 19074
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49223 } -> 127.0.0.1 port 19075
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49224 } -> 127.0.0.1 port 19076
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49225 } -> 127.0.0.1 port 19077
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49226 } -> 127.0.0.1 port 19078
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49227 } -> 127.0.0.1 port 19079
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49228 } -> 127.0.0.1 port 19080
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49229 } -> 127.0.0.1 port 19081
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49230 } -> 127.0.0.1 port 19082
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49231 } -> 127.0.0.1 port 19083
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49232 } -> 127.0.0.1 port 19084
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49233 } -> 127.0.0.1 port 19085
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49234 } -> 127.0.0.1 port 19086
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49235 } -> 127.0.0.1 port 19087
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49236 } -> 127.0.0.1 port 19088
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49237 } -> 127.0.0.1 port 19089
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49238 } -> 127.0.0.1 port 19090
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49239 } -> 127.0.0.1 port 19091
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49240 } -> 127.0.0.1 port 19092
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49241 } -> 127.0.0.1 port 19093
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49242 } -> 127.0.0.1 port 19094
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49243 } -> 127.0.0.1 port 19095
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49244 } -> 127.0.0.1 port 19096
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49245 } -> 127.0.0.1 port 19097
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49246 } -> 127.0.0.1 port 19098
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49247 } -> 127.0.0.1 port 19099
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49248 } -> 127.0.0.1 port 19100
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49249 } -> 127.0.0.1 port 19101
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49250 } -> 127.0.0.1 port 19102
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49251 } -> 127.0.0.1 port 19103
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49252 } -> 127.0.0.1 port 19104
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49253 } -> 127.0.0.1 port 19105
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49254 } -> 127.0.0.1 port 19106
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49255 } -> 127.0.0.1 port 19107
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49256 } -> 127.0.0.1 port 19108
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49257 } -> 127.0.0.1 port 19109
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49258 } -> 127.0.0.1 port 19110
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49259 } -> 127.0.0.1 port 19111
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49260 } -> 127.0.0.1 port 19112
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49261 } -> 127.0.0.1 port 19113
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49262 } -> 127.0.0.1 port 19114
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49263 } -> 127.0.0.1 port 19115
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49264 } -> 127.0.0.1 port 19116
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49265 } -> 127.0.0.1 port 19117
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49266 } -> 127.0.0.1 port 19118
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49267 } -> 127.0.0.1 port 19119
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49268 } -> 127.0.0.1 port 19120
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49269 } -> 127.0.0.1 port 19121
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49270 } -> 127.0.0.1 port 19122
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49271 } -> 127.0.0.1 port 19123
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49272 } -> 127.0.0.1 port 19124
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49273 } -> 127.0.0.1 port 19125
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49274 } -> 127.0.0.1 port 19126
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49275 } -> 127.0.0.1 port 19127
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49276 } -> 127.0.0.1 port 19128
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49277 } -> 127.0.0.1 port 19129
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49278 } -> 127.0.0.1 port 19130
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49279 } -> 127.0.0.1 port 19131
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49280 } -> 127.0.0.1 port 19132
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49281 } -> 127.0.0.1 port 19133
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49282 } -> 127.0.0.1 port 19134
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49283 } -> 127.0.0.1 port 19135
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49284 } -> 127.0.0.1 port 19136
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49285 } -> 127.0.0.1 port 19137
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49286 } -> 127.0.0.1 port 19138
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49287 } -> 127.0.0.1 port 19139
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49288 } -> 127.0.0.1 port 19140
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49289 } -> 127.0.0.1 port 19141
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49290 } -> 127.0.0.1 port 19142
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49291 } -> 127.0.0.1 port 19143
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49292 } -> 127.0.0.1 port 19144
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49293 } -> 127.0.0.1 port 19145
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49294 } -> 127.0.0.1 port 19146
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49295 } -> 127.0.0.1 port 19147
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49296 } -> 127.0.0.1 port 19148
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49297 } -> 127.0.0.1 port 19149
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49298 } -> 127.0.0.1 port 19150
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49299 } -> 127.0.0.1 port 19151
      rdr on $lan proto tcp from any to 111.222.333.444/32 port { 49300 } -> 127.0.0.1 port 19152
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49160 } -> 127.0.0.1 port 19153
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49161 } -> 127.0.0.1 port 19154
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49162 } -> 127.0.0.1 port 19155
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49163 } -> 127.0.0.1 port 19156
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49164 } -> 127.0.0.1 port 19157
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49165 } -> 127.0.0.1 port 19158
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49166 } -> 127.0.0.1 port 19159
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49167 } -> 127.0.0.1 port 19160
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49168 } -> 127.0.0.1 port 19161
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49169 } -> 127.0.0.1 port 19162
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49170 } -> 127.0.0.1 port 19163
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49171 } -> 127.0.0.1 port 19164
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49172 } -> 127.0.0.1 port 19165
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49173 } -> 127.0.0.1 port 19166
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49174 } -> 127.0.0.1 port 19167
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49175 } -> 127.0.0.1 port 19168
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49176 } -> 127.0.0.1 port 19169
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49177 } -> 127.0.0.1 port 19170
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49178 } -> 127.0.0.1 port 19171
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49179 } -> 127.0.0.1 port 19172
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49180 } -> 127.0.0.1 port 19173
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49181 } -> 127.0.0.1 port 19174
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49182 } -> 127.0.0.1 port 19175
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49183 } -> 127.0.0.1 port 19176
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49184 } -> 127.0.0.1 port 19177
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49185 } -> 127.0.0.1 port 19178
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49186 } -> 127.0.0.1 port 19179
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49187 } -> 127.0.0.1 port 19180
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49188 } -> 127.0.0.1 port 19181
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49189 } -> 127.0.0.1 port 19182
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49190 } -> 127.0.0.1 port 19183
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49191 } -> 127.0.0.1 port 19184
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49192 } -> 127.0.0.1 port 19185
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49193 } -> 127.0.0.1 port 19186
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49194 } -> 127.0.0.1 port 19187
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49195 } -> 127.0.0.1 port 19188
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49196 } -> 127.0.0.1 port 19189
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49197 } -> 127.0.0.1 port 19190
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49198 } -> 127.0.0.1 port 19191
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49199 } -> 127.0.0.1 port 19192
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49200 } -> 127.0.0.1 port 19193
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49201 } -> 127.0.0.1 port 19194
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49202 } -> 127.0.0.1 port 19195
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49203 } -> 127.0.0.1 port 19196
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49204 } -> 127.0.0.1 port 19197
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49205 } -> 127.0.0.1 port 19198
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49206 } -> 127.0.0.1 port 19199
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49207 } -> 127.0.0.1 port 19200
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49208 } -> 127.0.0.1 port 19201
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49209 } -> 127.0.0.1 port 19202
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49210 } -> 127.0.0.1 port 19203
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49211 } -> 127.0.0.1 port 19204
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49212 } -> 127.0.0.1 port 19205
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49213 } -> 127.0.0.1 port 19206
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49214 } -> 127.0.0.1 port 19207
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49215 } -> 127.0.0.1 port 19208
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49216 } -> 127.0.0.1 port 19209
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49217 } -> 127.0.0.1 port 19210
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49218 } -> 127.0.0.1 port 19211
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49219 } -> 127.0.0.1 port 19212
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49220 } -> 127.0.0.1 port 19213
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49221 } -> 127.0.0.1 port 19214
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49222 } -> 127.0.0.1 port 19215
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49223 } -> 127.0.0.1 port 19216
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49224 } -> 127.0.0.1 port 19217
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49225 } -> 127.0.0.1 port 19218
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49226 } -> 127.0.0.1 port 19219
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49227 } -> 127.0.0.1 port 19220
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49228 } -> 127.0.0.1 port 19221
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49229 } -> 127.0.0.1 port 19222
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49230 } -> 127.0.0.1 port 19223
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49231 } -> 127.0.0.1 port 19224
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49232 } -> 127.0.0.1 port 19225
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49233 } -> 127.0.0.1 port 19226
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49234 } -> 127.0.0.1 port 19227
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49235 } -> 127.0.0.1 port 19228
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49236 } -> 127.0.0.1 port 19229
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49237 } -> 127.0.0.1 port 19230
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49238 } -> 127.0.0.1 port 19231
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49239 } -> 127.0.0.1 port 19232
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49240 } -> 127.0.0.1 port 19233
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49241 } -> 127.0.0.1 port 19234
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49242 } -> 127.0.0.1 port 19235
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49243 } -> 127.0.0.1 port 19236
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49244 } -> 127.0.0.1 port 19237
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49245 } -> 127.0.0.1 port 19238
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49246 } -> 127.0.0.1 port 19239
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49247 } -> 127.0.0.1 port 19240
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49248 } -> 127.0.0.1 port 19241
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49249 } -> 127.0.0.1 port 19242
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49250 } -> 127.0.0.1 port 19243
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49251 } -> 127.0.0.1 port 19244
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49252 } -> 127.0.0.1 port 19245
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49253 } -> 127.0.0.1 port 19246
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49254 } -> 127.0.0.1 port 19247
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49255 } -> 127.0.0.1 port 19248
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49256 } -> 127.0.0.1 port 19249
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49257 } -> 127.0.0.1 port 19250
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49258 } -> 127.0.0.1 port 19251
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49259 } -> 127.0.0.1 port 19252
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49260 } -> 127.0.0.1 port 19253
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49261 } -> 127.0.0.1 port 19254
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49262 } -> 127.0.0.1 port 19255
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49263 } -> 127.0.0.1 port 19256
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49264 } -> 127.0.0.1 port 19257
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49265 } -> 127.0.0.1 port 19258
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49266 } -> 127.0.0.1 port 19259
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49267 } -> 127.0.0.1 port 19260
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49268 } -> 127.0.0.1 port 19261
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49269 } -> 127.0.0.1 port 19262
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49270 } -> 127.0.0.1 port 19263
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49271 } -> 127.0.0.1 port 19264
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49272 } -> 127.0.0.1 port 19265
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49273 } -> 127.0.0.1 port 19266
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49274 } -> 127.0.0.1 port 19267
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49275 } -> 127.0.0.1 port 19268
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49276 } -> 127.0.0.1 port 19269
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49277 } -> 127.0.0.1 port 19270
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49278 } -> 127.0.0.1 port 19271
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49279 } -> 127.0.0.1 port 19272
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49280 } -> 127.0.0.1 port 19273
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49281 } -> 127.0.0.1 port 19274
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49282 } -> 127.0.0.1 port 19275
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49283 } -> 127.0.0.1 port 19276
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49284 } -> 127.0.0.1 port 19277
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49285 } -> 127.0.0.1 port 19278
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49286 } -> 127.0.0.1 port 19279
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49287 } -> 127.0.0.1 port 19280
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49288 } -> 127.0.0.1 port 19281
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49289 } -> 127.0.0.1 port 19282
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49290 } -> 127.0.0.1 port 19283
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49291 } -> 127.0.0.1 port 19284
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49292 } -> 127.0.0.1 port 19285
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49293 } -> 127.0.0.1 port 19286
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49294 } -> 127.0.0.1 port 19287
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49295 } -> 127.0.0.1 port 19288
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49296 } -> 127.0.0.1 port 19289
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49297 } -> 127.0.0.1 port 19290
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49298 } -> 127.0.0.1 port 19291
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49299 } -> 127.0.0.1 port 19292
      rdr on $OPT1 proto tcp from any to 111.222.333.444/32 port { 49300 } -> 127.0.0.1 port 19293

      rdr on sis1 proto tcp from any to 111.222.333.555/32 port { 80 } -> 10.0.1.2 port 80

      Reflection redirects

      rdr on $lan proto tcp from any to 111.222.333.555/32 port { 80 } -> 127.0.0.1 port 19294
      rdr on $OPT1 proto tcp from any to 111.222.333.555/32 port { 80 } -> 127.0.0.1 port 19295

      rdr on sis1 proto tcp from any to 111.222.333.555/32 port { 443 } -> 10.0.1.2 port 443

      Reflection redirects

      rdr on $lan proto tcp from any to 111.222.333.555/32 port { 443 } -> 127.0.0.1 port 19296
      rdr on $OPT1 proto tcp from any to 111.222.333.555/32 port { 443 } -> 127.0.0.1 port 19297

      rdr on sis1 proto tcp from any to 111.222.333.555/32 port { 22 } -> 10.0.1.2 port 22

      Reflection redirects

      rdr on $lan proto tcp from any to 111.222.333.555/32 port { 22 } -> 127.0.0.1 port 19298
      rdr on $OPT1 proto tcp from any to 111.222.333.555/32 port { 22 } -> 127.0.0.1 port 19299

      block in all tag unshaped label "SHAPER: first match rule"
      pass in on  $wan proto tcp from any to 10.0.1.0/24 port 6881:6999  keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 10.0.1.0/24 port 6881:6999 keep state tagged qP2PUp tag qP2PDown
      pass in on  $lan proto tcp from 10.0.1.0/24 to any port 6881:6999  keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 6881:6999 keep state tagged qP2PDown tag qP2PUp
      pass in on  $wan proto tcp from !10.0.1.0/24 to 10.0.1.2  keep state tagged unshaped tag qHTTPUp
      pass out on $lan proto tcp from any to 10.0.1.2 keep state tagged qHTTPUp tag qHTTPDown
      pass in on  $lan proto tcp from 10.0.1.2 to !10.0.1.0/24  keep state tagged unshaped tag qHTTPDown
      pass out on $wan proto tcp from any to !10.0.1.0/24 keep state tagged qHTTPDown tag qHTTPUp

      anchor "ftpsesame/*"
      anchor "firewallrules"

      loopback

      anchor "loopback"
      pass in quick on $loopback all label "pass loopback"
      pass out quick on $loopback all label "pass loopback"

      package manager early specific hook

      anchor "packageearly"

      carp

      anchor "carp"

      enable ftp-proxy

      pass in quick on sis2 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
      pass in quick on sis2 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"

      anchor "ftpproxy"
      anchor "pftpx/*"
      pass in quick on sis0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
      pass in quick on sis0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
      pass in quick on sis1 inet proto tcp from port 20 to (sis1) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"

      allow access to DHCP server on LAN

      anchor "dhcpserverlan"
      pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
      pass in quick on $lan proto udp from any port = 68 to 10.0.1.1 port = 67 label "allow access to DHCP server on LAN"
      pass out quick on $lan proto udp from 10.0.1.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"

      allow access to DHCP server on opt1

      anchor "dhcpserverOPT1"
      pass in quick on $OPT1 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
      pass in quick on $OPT1 proto udp from any port = 68 to 10.0.2.1 port = 67 label "allow access to DHCP server"
      pass out quick on $OPT1 proto udp from 10.0.2.1 port = 67 to any port = 68 label "allow access to DHCP server"
      block in log quick on $wan proto udp from any port = 67 to 10.0.1.0/24 port = 68 label "allow dhcp client out wan"

      pass in quick on $wan proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"

      LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)

      antispoof for sis0
      antispoof for sis2

      block anything from private networks on WAN interface

      anchor "spoofing"
      block in log quick on $wan from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
      block in log quick on $wan from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
      block in log quick on $wan from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
      block in log quick on $wan from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

      Support for allow limiting of TCP connections by establishment rate

      anchor "limitingesr"
      table <virusprot>block in quick from <virusprot>to any label "virusprot overload table"

      block bogon networks

      http://www.cymru.com/Documents/bogon-bn-nonagg.txt

      anchor "wanbogons"
      table <bogons>persist file "/etc/bogons"
      block in log quick on $wan from <bogons>to any label "block bogon networks from wan"

      let out anything from the firewall host itself and decrypted IPsec traffic

      pass out quick on sis1 all keep state label "let out anything from firewall host itself"

      pass traffic from firewall -> out

      anchor "firewallout"
      pass out quick on sis1 all keep state tagged qP2PUp queue (qP2PUp, qwanacks) label "let out anything from firewall host itself"
      pass out quick on sis1 all keep state tagged qHTTPUp queue (qHTTPUp, qwanacks) label "let out anything from firewall host itself"
      pass out quick on sis1 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
      pass out quick on sis0 all keep state tagged qP2PDown queue (qP2PDown, qlanacks) label "let out anything from firewall host itself"
      pass out quick on sis0 all keep state tagged qHTTPDown queue (qHTTPDown, qlanacks) label "let out anything from firewall host itself"
      pass out quick on sis0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
      pass out quick on sis2 all keep state  label "let out anything from firewall host itself"

      let out anything from the firewall host itself and decrypted IPsec traffic

      pass out quick on sis2 all keep state label "let out anything from firewall host itself"

      make sure the user cannot lock himself out of the webGUI or SSH

      anchor "anti-lockout"
      pass in quick from 10.0.1.0/24 to 10.0.1.1 keep state label "anti-lockout web rule"

      SSH lockout

      block in log proto tcp from <sshlockout>to any port 22 label "sshlockout"

      User-defined rules follow

      Anchors for rules that might be matched by queues

      anchor qwanRoot tagged qwanRoot
      anchor qlanRoot tagged qlanRoot
      anchor qwandef tagged qwandef
      anchor qlandef tagged qlandef
      anchor qwanacks tagged qwanacks
      anchor qlanacks tagged qlanacks
      anchor qP2PUp tagged qP2PUp
      anchor qP2PDown tagged qP2PDown
      anchor qHTTPDown tagged qHTTPDown
      anchor qHTTPUp tagged qHTTPUp
      pass in quick on $wan proto { tcp udp } from any to {  10.0.1.10 } port = 53 keep state  queue (qwandef, qwanacks)  label "USER_RULE: NAT "

      pass in quick on $wan proto tcp from any to {  10.0.1.10 } port = 8001 flags S/SA keep state  queue (qwandef, qwanacks)  label "USER_RULE: NAT apache on frizzle"
      pass in quick on $wan proto tcp from any to {  10.0.1.10 } port = 22 flags S/SA synproxy state  queue (qwandef, qwanacks)  label "USER_RULE: NAT "
      pass in quick on $wan proto tcp from any to {  10.0.1.10 } port = 25 keep state  queue (qwandef, qwanacks)  label "USER_RULE: NAT frizzle SMTP"
      pass in quick on $wan proto tcp from any to {  10.0.1.10 } port = 993 keep state  queue (qwandef, qwanacks)  label "USER_RULE: NAT frizzle IMAPS"
      pass in quick on $wan proto tcp from any to {  10.0.1.10 } port = 995 keep state  queue (qwandef, qwanacks)  label "USER_RULE: NAT frizzle POP3S"
      pass in quick on $wan proto tcp from any to {  10.0.1.10 } port 49159 >< 49301 keep state  queue (qwandef, qwanacks)  label "USER_RULE: NAT frizzle torrentflux"
      pass in quick on $wan proto tcp from any to {  10.0.1.2 } port = 80 keep state  queue (qwandef, qwanacks)  label "USER_RULE: NAT www HTTP"
      pass in quick on $wan proto tcp from any to {  10.0.1.2 } port = 443 keep state  queue (qwandef, qwanacks)  label "USER_RULE: NAT www HTTPS"
      pass in quick on $wan proto tcp from any to {  10.0.1.2 } port = 22 flags S/SA synproxy state  queue (qwandef, qwanacks)  label "USER_RULE: NAT www SSH"
      pass in quick on $OPT1 from 10.0.2.0/24 to  !10.0.1.0/24 keep state  label "USER_RULE"
      pass in quick on $lan from 10.0.1.0/24 to any keep state  queue (qlandef, qlanacks)  label "USER_RULE: Default LAN -> any"
      pass quick proto carp keep state
      pass quick proto pfsync

      VPN Rules

      #–-------------------------------------------------------------------------

      default rules (just to be sure)

      #---------------------------------------------------------------------------
      block in log quick all label "Default block all just to be sure."
      block out log quick all label "Default block all just to be sure."</sshlockout></bogons></bogons></virusprot></virusprot></sshlockout>

      1 Reply Last reply Reply Quote 0
      • J
        jeroen234
        last edited by

        on a virgin pfsense there is a lan rule that allows all ports on the wan to be accest with traffic shaper u remove that rule

        so now you have to open the ptpp port( 1723) to the wan

        allow access on interface lan source all port all  destenation all port 1723

        1 Reply Last reply Reply Quote 0
        • D
          darrendavid
          last edited by

          Hrm, no luck. I added:

          Interface: LAN
          Protocol: TCP/UDP
          Source: *
          Source Port: *
          Destination: *
          Destination Port: 1723
          State type: Keep State

          and I'm still having the same issue, outbound PPTP is failing. anything else i can try?

          thanks, darren

          1 Reply Last reply Reply Quote 0
          • D
            darrendavid
            last edited by

            ah ha! changed the rule to GRE and we're good to go!

            cheers,
            darren

            1 Reply Last reply Reply Quote 0
            • First post
              Last post