I and one other in my team have been working on getting BGP in FRR to work in our new data center for a bit. We know when to quit and we are willing to seek knowledge from someone wiser than us. Any takers?
Hello, my English is not very good. I have a pfSense box and have configured logging to an external syslog server, but the firewall events are not recorded in the server's logs; the authentication messages and system messages are, but what really interests me are the messages about dropped or blocked packets. The log server runs FreeBSD 6.1 Release and syslog-ng 1.6.
You are comparing a small Linux box (200 MHz, 16 MB RAM) to a computer with 256 or 512 MB of RAM and a big processor.
So it is normal to have instability problems with the small router when it handles a lot of connections, BitTorrent and P2P... but DD-WRT has an x86 version that runs on PCs, and it is really stable and faster than pfSense.
I am now using many DD-WRT boxes as access points, and pfSense is doing the rest (DHCP, authentication...). pfSense never crashes, but it has a lot of bugs and missing features.
It would be appreciated if pfSense had some of DD-WRT's features, like:
additional DHCP options / dnsmasq as DHCP server; Windows networking is not working well in pfSense (from LAN to WAN, LAN clients cannot see PCs connected on the WAN domain, for example, in the latest pfSense release). I think that this problem is related to DNS / firewall bugs?
I prefer the SPI firewall to pfSense's, but it is a personal choice.
Access restrictions per IP or MAC address are also missing in the current pfSense release. Blocking P2P and other applications or websites is easy with DD-WRT.
QoS, priority per IP, MAC, subnet or application... in VLANs also.
the hotspot options: DD-WRT can use ChilliSpot, NoCat, Sputnik for authentication... it would be nice if ChilliSpot could be added to pfSense via a package (it needs a package for ChilliSpot, RADIUS, a web server... MySQL is also preferable).
a monitoring package like RFlow is also missing in pfSense; it is not perfect in DD-WRT, but the best would be a package or a small piece of software that lists all connected users (user, MAC, IP, time and traffic) with the possibility to disconnect users.
finally, a nice feature that could be easily implemented in pfSense, I think, is the possibility to define user groups and to add their static DHCP mappings (in the captive portal).
Anyway, pfSense is a very good firewall and the support on the forum is very fast and appreciated.
Where is the rule number you are seeking. The space before my closing double quote was on purpose, to terminate the pattern so that ONLY the rule number being sought is returned. Otherwise, the above might also match some other rule number that starts with the rule number you are seeking. I.e., '77' and '77x' (x = 0 through 9) would all match.
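The prefix-match problem described in that reply, shown as an added example (it is not code from the original post). The sample rule listing is constructed here and assumes the `@<number> ...` line prefix that `pfctl -vsr` prints; the rule text itself is made up. Three variants of the same search are compared: the number alone, the number terminated by a space (the reply's trick), and a word-boundary match, which is the equivalent that does not depend on the character that happens to follow the number.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed sample of a pf rule listing; the "@N" prefix is assumed to
# match `pfctl -vsr` output, the rules themselves are invented.
RULES='@7 pass in on em0 inet proto tcp from any to any port = 22
@77 block drop in on em0 inet from 10.0.0.0/8 to any
@770 pass out on em0 inet all
@775 block in on em1 inet proto udp from any to any port = 137'

# Naive search: "@77" is a prefix of "@770" and "@775", so all three match.
naive_match() {
    printf '%s\n' "$RULES" | grep -c "@$1"
}

# The reply's fix: the trailing space terminates the number, so only the
# rule whose number is exactly $1 is returned.
exact_match() {
    printf '%s\n' "$RULES" | grep -c "@$1 "
}

# Equivalent with a word boundary: grep -w requires the match to be
# followed by a non-word character (or end of line), which "0" and "5"
# are not, so "@770" and "@775" are rejected without relying on a space.
word_match() {
    printf '%s\n' "$RULES" | grep -cw "@$1"
}

# Print the matching rule line(s) for a number, using the terminated pattern.
show_rule() {
    printf '%s\n' "$RULES" | grep "@$1 "
}
```

Running `naive_match 77` counts three lines while `exact_match 77` and `word_match 77` count one; `naive_match 7` matches every rule in the sample. The word-boundary form is the safer habit: it also behaves correctly if the output format ever puts a tab rather than a space after the number.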
Without knowing more details (what server and what firewall architecture) I would respond to
I want to avoid viruses in the server's system files and in e-mails sent and received over the server
Scan e-mails on their way to the server via a mail gateway. It wouldn't be the first time there was some strange side effect when doing the scanning on the same system that runs the normal mail service. Get them out before they reach the final destination server (and the user), and run an additional AV on the normal filesystem of the server for file services.
But I would not run that kind of thing on the firewall itself. Keep the firewall architecture as clean as possible and don't mix it with further services if they don't necessarily have anything to do with it. E.g. split the firewall architecture into three nets, WAN, DMZ and LAN, and set up the mail gateway in the DMZ. That way you don't have any potentially "bad things" in your LAN before they have passed all your desired tests.
Depending on what exactly you need, I can provide support for you too. You can reach me by mail at holger <dot>bauer <at>citec-ag <dot>de. Remote service shouldn't be any problem. If you need someone on site we could discuss this as well.
Do an nslookup on these sites. Then add all these IPs to a hosts alias and use policy-based routing to send these connections out through only one of your WANs. Alternatively you could just send the HTTPS protocol out through only one of your WANs. At our office the HTTPS rule fixed 99% of all issues with online banking sites (at least if they run as a browser session rather than using a special application).
Our head code has support for adding URLs as aliases, btw, but that version is not ready yet for production use.
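The first step of that answer, collecting the resolved addresses of the banking sites into a list that can be pasted into a hosts alias, as an added example that is not part of the original reply. It runs offline on a constructed `nslookup` transcript (the hostnames and addresses are invented, drawn from documentation ranges) and skips the one `Address:` line that is not an answer: the resolver's own address, which nslookup prints with a `#53` port suffix at the top and which would otherwise end up in the alias.

```shell
#!/bin/sh
# Added example, not from the original reply.
# Constructed nslookup output for two hostnames; addresses are from the
# documentation ranges (RFC 5737) and are not real banking servers.
SAMPLE='Server:		10.0.0.1
Address:	10.0.0.1#53

Non-authoritative answer:
Name:	bank.example
Address: 192.0.2.10
Name:	bank.example
Address: 192.0.2.11

Server:		10.0.0.1
Address:	10.0.0.1#53

Non-authoritative answer:
Name:	login.bank.example
Address: 198.51.100.5
Name:	login.bank.example
Address: 192.0.2.10'

# Read nslookup output on stdin, print one unique answer address per line.
# The resolver line ("Address: 10.0.0.1#53") is excluded by its "#" suffix;
# duplicates across hostnames (192.0.2.10 above) are collapsed by sort -u.
alias_ips_from_nslookup() {
    awk '$1 == "Address:" && $2 !~ /#/ { print $2 }' | sort -u
}

# Same list joined with spaces, the form a hosts alias field accepts when
# several addresses are entered at once.
alias_line_from_nslookup() {
    alias_ips_from_nslookup | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone usage on the constructed sample; with live data you would pipe
# `nslookup bank.example` (one call per site) into the same functions.
printf '%s\n' "$SAMPLE" | alias_line_from_nslookup
echo
```

The caveat a practitioner should keep in mind is the one the reply hints at with URL aliases: the addresses behind a banking site change, so a static alias built this way has to be refreshed, and any new address the site starts using will fall outside the policy-routing rule until it is.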
The Soekris is even easier to set up, as it simply works with keyboard and video enabled and you don't have to swap kernels (though it doesn't have these components, the BIOS works around it pretty well). Just install pfSense from CD-ROM to your media in a system that supports booting from CD-ROM. Leave the NICs assigned as sis and move the media to the Soekris after the install has finished. You should be able to access the GUI right away after booting up from the default LAN interface. Enabling the serial console at System > Advanced is recommended. We installed a 2.5" HDD in my notebook this way and mounted it in Bill's Soekris 4801 during the hackathon.
Got pfSense RC2h running on an IBM 1U with one 3 GHz Intel CPU and 4 interfaces.
Had 400+ users on one day last week, 250 avg for 3 other days. Ran like a champ. Will be bringing up a Dell PowerEdge 1850 with dual Xeon 3.4s and 4 interfaces to be the primary in a CARP pair soon.
That's correct, though there are some mechanisms to throttle the opposite end.
See http://www.openbsd.org/faq/pf/queueing.html#red and http://www.openbsd.org/faq/pf/queueing.html#ecn for some backend information of the shaper pfSense uses.
(Configuration: 192.168.1.2 pfSense Beta3 with a PPPoE WAN connection as the default gateway, and 192.168.1.4 pfSense running Squid with a second PPPoE WAN connection.)
First. When I configure a NAT rule on 192.168.1.2 to redirect HTTP traffic to 192.168.1.4:3128 (Squid), I simply get no HTTP response back, so nothing works. The same NAT rule works fine when I configure it on 192.168.1.4 and set that box as the default gateway.
You can't redirect to an internal server from inside. With reflection it might work, but it will be horribly slow. PF isn't designed for it and the NAT hooks aren't in the correct place to allow for it. We won't be changing that behaviour; it's a limitation in the OS.
The second bug has nothing to do with Squid (it does not work with or without a transparent Squid).
Second. When I configure on 192.168.1.2 the second box (192.168.1.4) as a rule-based load-balancing gateway and create a firewall rule selecting this gateway for port 80 traffic, the inbound traffic works fine, but the outbound traffic is terribly slow (<1 kb/s) after something like 64 kb.
Will pfSense be a participating mentoring organization in the Google Summer of Code 2006? If so, when will ideas be posted on the Google participating mentoring organization links?
Unlikely. But FreeBSD will be. Don't let our lack of participation prevent you from implementing any of these ideas: