that would require that we move away from CARP.

I don't discuss future plans here.  (try reddit… lol)

Le gonzopancho est mort, vive le gonzopancho !

Check out: https://forum.pfsense.org/index.php?topic=56941.0

figured it out.. set a static ip on the lan with the gateway the same as the LAN interface and connect wifi to existing network…

Wrong section but here's how you configure the AD authentication for pfSense.

https://forum.pfsense.org/index.php?topic=44689.0

Pictorial guide:  http://www.geeklk.com/2014/03/pfsense-configuring-windows-active-directory-authentication/

You'll need to assign the correct groups and rights as you require.

I would suggest that your first troubleshooting step is to disable squid and squidguard, then clear out any tables those package have created. You can then verify that the desired traffic is passing through the firewall, which verifies your firewall rules allow it to pass.

Once you have things working without squid and squidguard, you will need to reintroduce those packages and debug your settings. If you have a squid or squidguard problem that you cannot solve, I suggest you post again in the Cache/Proxy forum.

Won't affect the existing ones since they're already tagged, and by changing it in the portal it'll apply correctly going forward. Should be good.

I, too, am sitting on a couple 2.1.5 systems due to the limiter issues. Happily upgrading systems that don't require limiters+NAT/HA.

Don't sweat it.  I find it better to use Google to search these forums than the forum search function.

@phil.davis:

@Nullity:

The "block private networks" toggle does not seem to be causing any problems, I assume that is because no traffic (I am aware of) originates from there.

Correct - there should be no incoming connection attempts originated from those private IP addresses. And so actually having "block private networks" in this case is a good thing, because if someone inside your ISP network does attempt something, it will be blocked.

If the ISP is now giving you a private IP and you previously had a public IP, then that will prevent you from offering any services to the outside world (e.g. a VPN server for you to connect in when you are outside…).

They are using 172.16.. Mine use 10.. They should not be doing that, but they do. You might happen to have chosen 172.16.100.0/24 for your LAN, quite rightly according to the standards. And it would now conflict with what your ISP chose. The ISPs should be using the Carrier-Grade-NAT 100.64.0.0/10 https://en.wikipedia.org/wiki/Carrier-grade_NAT - by doing that they will be sure not to accidentally conflict with customer-chosen private address space.

I still have a public IP, I think. I can definitely open ports and have them confirmed as "open" externally.

Routing is an area I am not yet comfortable with, but I have read about egress routing being different than ingress routing (apologies for the poor explanation).

I will read up on the topic of routing & carrier-grade NAT's peculiarities, but I was immediately paranoid about security. I guess, technically, an external  private IP is no different than an external publuc IP, from the firewalls's perspective.

PS. Thanks for all your work with pfSense and the forums, Phil. You are a proper example of compassionate open-sourcery (along with cmb, ermal, etc). :)

@lionelhunt:

Hi everyone, I have setup pfsense as a firewall at work network.We all use exchange as our mailing platform. I have one user that would like to add a private pop account to his email accounts. When I do the testing, pop works, but not smtp, in other work user can receive his private emails but not send. How do I enable just this single user to send via his personal email account?Any help would be greatly appreciated.

Do you explicitly block outbound SMTP or any ports outbound in general?

If you do, set a static IP for his machine (or reserve one in DHCP) and create an allow rule with source IP as the machine IP, destination port as SMTP.

If you do not block any outbound traffic, then this issue is probably related to your service provider (some of them will block outbound SMTP traffic unless you route your mail through their open relays).

@Phishfry:

I think this article has some merits…

http://techcrunch.com/2015/10/23/coding-academies-are-nonsense/

Put succinctly, coding is writing text files in foreign languages containing instructions suitable for an absolute idiot to follow.

Generally speaking, yes. The most important thing is to have a brain and use it to think.

For standard interactive-style browser-based… app development targeted at the screen of a laptop/tablet/smartphone then I expect that I should be just a drag-and-drop build-your-app thing. In fact I am surprised it is still so complex. Really most apps just have a combination of standard interface elements, text and graphics that let you interact with and add to back-end content. There should just be GUI-based tools that build those for you. Why are we still writing any PHP/HTML?

But someone has to build and maintain the operating systems, app-builder code, firmware for new hardware nobody has thought of just yet... I don't think any of that is going away in a rush.

Learning new languages and methods can be done by just playing on a GitHub project that uses some new language, and reading the online doc. But it is very useful to have a resource somewhere (book by someone who really knows how the new language fits together) to get you up and running, show you "best practice", introduce you to the library functions that are available, useful, important and so on. Otherwise you fluff about for ages and write code for things where there is already a function available.

@Carreswag:

Yes but what if you used RTBH with it? Large UDP floods could be stopped correct? Other question: Also fastnetmon is open source and free, and he claims to push extreme bandwidth through it. Does it seem as if fastnetmon works? http://www.lowendtalk.com/discussion/43473/open-source-ddos-dos-monitoring-toolkit-fastnetmon

It doesn't do what you think it's doing. fastnetmon is only watching traffic and detecting attacks, it's not pushing, routing or blocking anything. It probably misses a bunch of attack traffic, but that's fine given it's a flood and it doesn't need everything or even a majority of traffic to detect attacks. It feeds routers with RTBH. If you feed a really, really fast router with it, that router can drop the traffic in question up to Mpps like he says no problem. But it's dropping everything to the destination IP in question, it's just a means of automatically null routing an attacked IP to keep it from affecting other things on your network.

@Carreswag:

Also I only want to know about the capabilities of the hardware and software involved.  Let's pretend we have a 10gbps line and that an attacker can only send 8-9Gbps :)

For the usual large UDP packet flood, something like an XG-1540 could block 8-9 Gbps of 1500 byte UDP packets without having a significant impact. That type of attack's easier to handle though, outside the bandwidth exhaustion issues.

You'll quickly find yourself in trouble if you're trying to mitigate DDoS with any stateful firewall, especially if passing the traffic.