Subcategories

  • Discussions and feedback related to this forum

    612 Topics
    3k Posts
    stephenw10S
    Yeah I usually nuke the content entirely these days just to make it cleaner but I think only admin can do that. I can at least clean that up.
  • Community Hiring and For Hire postings related to jobs that require pfSense software skills

    29 Topics
    117 Posts
    w0wW
    @sef1414 Name it "run.sh", copy to pf and chmod according to the documentation https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option You will see messages in the system log like those quoted in the script after logger command.
  • Where can I download 2.0.0. version?

    Locked
    3
    0 Votes
    3 Posts
    8k Views
    S
    Thanks!
  • Gltail no graphic

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    If you have an older copy of glTail it can't interpret the log files from pfSense 2.0. I'm not sure if anyone has managed to get it working 100% with 2.0.
  • PfSense as NFS Server

    Locked
    2
    0 Votes
    2 Posts
    12k Views
    P
    Not sure I would use firewall as NFS server. It also looks like your fstab is backwards. Should it not be: <ipaddress>:/data1 /zajedno1    nfs ….. Even if you did a reboot might and an upgrade certainly would reconfigure the exports for you. There are better things out there to do that with, like freeNAS or openNAS ...
  • 0 Votes
    2 Posts
    3k Views
    jimpJ
    I'm not sure if that's in the version of relayd that FreeBSD/pfSense has. You could try it and see, the example there is fairly straightforward. But I don't see any reference to ssl in the man page for our relayd, which is version 4.6 I think.
  • Using pf to mitigate DDoS - discussion at openbsd-misc

    Locked
    2
    0 Votes
    2 Posts
    9k Views
    C
    A flood of any type of traffic you're passing is bad news for every firewall. The lowest performance limit on anything any firewall does is new connections per second, and you'll hit that pretty quickly under a decent sized flood, or if the box is fast enough to handle that, you'll hit the state table limit quickly regardless of how high it is. Traffic you're blocking has little impact though. That's generically true of every firewall, they're almost always the most susceptible thing on any network to DDoS attacks (if you have adequate bandwidth to where you aren't knocked offline entirely and at the mercy of your provider).
  • Light squid Log

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    JackLJ
    itonmytips, You can save all reports LightSquid simply copying (via SFTP, for example) /var/lightsquid/report ;) []`s Jack
  • Pantech UML290

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    C
    My UML290 works fine without changing anything on 4G, though from the sounds of it you don't have 4G coverage, which is probably why. I know that card has similar requirements on other routers with connectivity where no 4G exists.
  • VPN to colo: OpenVPN or IPSec

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    C
    Generally doesn't matter either way. OpenVPN is easier to deal with if you have multiple non-contiguous subnets. Aside from that, with always-on static IP connectivity it's a toss up. OpenVPN is better in general at dealing with changing public IPs seamlessly because its negotiation process is much less complex but that wouldn't apply in this scenario (I would expect at least). It's easier to do redundant connectivity with a routing protocol with OpenVPN, so I run all my site to site connections to our datacenters with OpenVPN, as I can have one tunnel up on each WAN on my side and automatically switch between them if one connection goes down.
  • Can me make rule like this …......

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    P
    @ptt: You can do this using Policy Route, just check the Docs: http://doc.pfsense.org/index.php/Multi-WAN_2.0 Do you have an example, please? I am new in pfsense 2.0
  • 2 H.D in pfsense.one to cache of proxi

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    Cry HavokC
    It's worth searching the forum - this question has come up a few times before (look for things like second disk and so on).
  • Browser Detection

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    It isn't really possible, at least not easily. You might be able to come up with an L7 pattern for it. Though it's easy for people to change their browser string so it's not really perfect protection either.
  • Promising stuff

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • MOVED: Command to delete lightsquid logs

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Have I got this right?

    Locked
    30
    0 Votes
    30 Posts
    10k Views
    stephenw10S
    The size of the address pool is only limited by the subnet mask. You could have a /16 on one interface if you wanted giving you 65000 addresses! I would choose to have separate subnets on each interface because it gives you far more control on who sees what. Assuming you have sufficient computing power for your needs that is. Look at the default LAN to any rule. That will allow traffic into the LAN interface as long as it is coming from an IP on the LAN subnet, pretty much all LAN traffic. It has no restriction on the destination. Traffic from the LAN subnet with destination of one of your other internal subnets will be allowed to pass. Once into the pfSense box there is no restriction on what interface it exits from so it will be routed to the correct interface for that subnet. If you have similar rules on each interface then traffic will be routed between subnets in either direction. This is a very permissive rule set though.  ;) Steve
  • Not able to view freeBSD packages in PFsense GUI

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    marcellocM
    There is no gui for freebsd packages. You will need to configure them the same way you do on freebsd. The available packages with gui are listed on system -> packages
  • Spare Intel PT Quad NIC Backplate - I'll pay obviously…

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Country IP Blocks testing Global Whois

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • MOVED: Authentication with Active Directory of Proxy Server

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Advice on connectivity for multiple offices

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Recommendations like that may be hard to come by unless someone else in all those regions can speak up about the local carriers. In general though, OpenVPN should work fine as long as you have enough CPU on your firewall to handle encrypting at the line speed at each location (or at least the fastest possible between two sites). Even if you had a "private" link between cities I'd still be tempted to run a VPN over it. Probably better to have a mesh VPN where each site connects to each other site directly, rather than routing through a single connection back to a central hub. Both setups would work, but a hub-and-spoke setup will use more bandwidth in the long run if the two "remote" sites need to talk back and forth a lot.
  • MOVED: Proxy server: Authentication with Active Directory

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.