Ok so i figured out the problem. It should probably be noted in the documentation that in order for accounting to work FreeRADIUS needs an interface set to listen on port 1813 for Accounting packets.

But now i have a new problem. According to the documentation to reset the counter you simply have to delete the used-octets- <username>file. Well for some reason that does not work. When it regenerates the file it simply picks up where it left off.

At this point i dont think i will even use radius to handle the data caps i will just use it as a counter and handle everything with scripts. But its going to make things a lot more complicated if i cant reset the counter.

Edit: Im also noticing something odd about the accounting. It seems the usage counter continues to increase at a rate of a few hundred KB per minute even when the user is no longer connected to the network. Meaning a user can login then disconnect their machine from the network and until their login session times out they will continue to use data at a relatively slow rate. That will get rather annoying if i cant figure out how to fix it…

Edit2: Its worse that i thought. A user that isnt even connected to the network just used around 20MB in about 10 minutes. Thats going to make this completely unusable...

Edit3: Unless im just missing something stupid i think radius accounting may just be broken on PFSense. I just tried a fresh pfsense install on a different system and its doing the exact same thing...
So... Any ideas?

Oh and what i said about it showing 20MB used in 10 minutes... It got worse than that. It seems a bit random but after a bit more testing i left the test user connected and went to bed. In the morning the user had been disconnected for reaching the 100GB limit set...</username>

I know this is off topic. But does this device support inline IPS?

Also do you know where can I get updated firmware for this device.

Thanks in advance!

My favorite is: http://php.net/manual/en/pcre.pattern.php

Along with:

$regex_sub_pattern_x = "something_x"; $regex_sub_pattern_y = "something_y"; $regex_sub_pattern_z = "something_z"; $regex_pattern = $sub_pattern_x . $sub_pattern_y . $sub_pattern_z;

Kind of torn between the alternatives.

Found this quote interesting.  Never thought of the opcache.
http://stackoverflow.com/questions/7147305/performance-of-variable-expansion-vs-sprintf-in-php

Ultimately the 1st is the fastest when considering the context of a single variable assignment which can be seen by looking at various benchmarks. Perhaps though, using the sprintf flavor of core PHP functions could allow for more extensible code and be better optimized for bytecode level caching mechanisms like opcache or apc. In other words, a particular sized application could use less code when utilizing the sprintf method. The less code you have to cache into RAM, the more RAM you have for other things or more scripts. However, this only matters if your scripts wouldn't properly fit into RAM using evaluation.

Sounds like single quote (nowdocs) catenation may be fastest when only a single var.  But then there is that opcache thing and memory mentioned in the quote.

Have at it… I see zero reason for such a thing..  Its a firewall, pretty sure will know what cpu it has on it before I set it up ;)  After that would have zero reason to look at this info..

if did need any such info, could just read dmesg or sysctl

[2.3.2-RELEASE][root@pfsense.local.lan]/root: sysctl hw.model hw.machine hw.ncpu
hw.model: AMD Turion™ II Neo N40L Dual-Core Processor
hw.machine: amd64
hw.ncpu: 2

Service is killed normally as part of uninstall, see function uninstall_package() in pkg-utils.inc

I'm completely confused with the daemonize stuff or whatever you mention, pretty sure that's not the problem. Put some log_error() stuff in place (or use /usr/bin/logger in the .sh script) and see how many times the service is (re)started on reinstall.

I seek the same:

Is there a manual available how to create my own pfSense and pfsense package repository for pfSense 2.3?

I can find some stuff for 2.1 and older, but not for 2.3, where is a lot changed.

Thanks in advance!

Huh, thanks. I've probably mistyped something since I've grepped entire /usr/local as well, and got nothing. After that, I've searched GitHub, found nothing. Even looked at php56-pfSense-module  (and of course found nothing there ::))

Yes, that's fine. I fully understand that if you are going to modify a component written in a compiled language then you need to have a working build process somewhere and easy way to deploy the changed executables to a test system. I was just pointing out that a lot of contributions can be developed and tested without needing that environment set up.

@doktornotor:

There is no iptables on pfSense in the first place.

Thanks for your reply, because I'm new to BSD and pfsense would you be able to help me set TCPcrypt up, as I see you are very clued on to pfsense setup and you have already saved me with with the code you did on setting up firewalls and there lists.

Got it. The BUILD_AS_NON_ROOT did the trick.

Thank you.

you could probably create a package that hooks into the data of Status_Traffic_Totals (vnstrat) to monitor the usage and disable the interface when a certain amount of gigabytes is transferred.

you could submit a feature request on redmine.pfsense.org to see if the main developers are interested and/or create a bounty for some of the community members

@doktornotor:

Oh well… I'll delete the entire repo and see if it helps.

Hmmmm, that worked. Not exactly an ideal "fix".  >:(

glad to be of some use, every once in a while  8)

Thanks for that pointer, I will check this package out.

I suppose the system I authenticate against is kinda arcane. I run pfsense to manage the network on a leisure flying airport. Our club uses a cloud based system to manage reservations, flights, licenses etc - the whole 9 yards. This system has a REST interface against which I authenticate pilots wanting to access our network. This system is in use roughly by about 250 clubs in Germany. So, it is not completely arcane - but on a global scale it's probably completely irrelevant :-)

cheers
Torsten

Most of the code is just interpreted PHP and bash scripts… So just use the normal installers to install a VM. Then you can GitSync it (see the console menu pfSense tools option, palyback gitsync...)

You can then edit files however you like (for small things, I just use the Diagnostics->Edit in the GUI, and cut-paste from a "real" editor on my laptop).

Then submit the changes to a git clone branch and make a pull request (lots of ways to achieve this - e.g. I have a fork on GitHub, cloned to my laptop, make branches on the laptop, push them up to GitHub when they are good, then make the pull request).

For the most unusual case that you need to compile something, then you will have to work out how to have a "real" build environment.

I've got quite similar issues. By default working with 6rd and my providers gateway, i had lots of fragmented packages as well as packet loss. Therefore connecting to encrypted ipv6 websites was real slow. After analyzing the traffic with wireshark, my provider told me to set the mtu for ipv6 traffic to 1472.

I configured this by setting the mtu on the wan_stf interface and have the radv service distribute this mtu value with its route advertisements. Since pfsense seems to be unable to do such things by default, I used the patch plugin (https://doc.pfsense.org/index.php/System_Patches) and applied the following crude patch:

BEWARE: Only apply this patch, if you are able to deduct its consequences. I am only using the 6rd gateway of my provider for any IPv6 traffic. This might not apply to you. I applied this patch to version 2.3.2-RELEASE-p1

diff --git a/src/etc/inc/interfaces.inc b/src/etc/inc/interfaces.inc index 4388ef9..4e8e970 100644 --- a/src/etc/inc/interfaces.inc +++ b/src/etc/inc/interfaces.inc @@ -3756,6 +3756,7 @@ function interface_6rd_configure($interface = "wan", $wancfg) {         pfSense_interface_flags($stfiface, IFF_LINK2);         mwexec("/sbin/ifconfig {$stfiface} inet6 {$rd6prefix}/{$rd6prefixlen}");         mwexec("/sbin/ifconfig {$stfiface} stfv4br " . escapeshellarg($wancfg['gateway-6rd'])); +      mwexec("/sbin/ifconfig {$stfiface} mtu 1472");         if ($wancfg['prefix-6rd-v4plen'] >= 0 && $wancfg['prefix-6rd-v4plen'] <= 32) {                 mwexec("/sbin/ifconfig {$stfiface} stfv4net {$ip4address}/" . escapeshellarg($wancfg['prefix-6rd-v4plen']));         } diff --git a/src/etc/inc/services.inc b/src/etc/inc/services.inc index 64c40af..46d10be 100644 --- a/src/etc/inc/services.inc +++ b/src/etc/inc/services.inc @@ -161,7 +161,7 @@ function services_radvd_configure($blacklist = array()) {                 $mtu = get_interface_mtu($realif);                 if (is_numeric($mtu)) { -                      $radvdconf .= "\tAdvLinkMTU {$mtu};\n"; +                      $radvdconf .= "\tAdvLinkMTU 1472;\n";                 } else {                         $radvdconf .= "\tAdvLinkMTU 1280;\n";                 } @@ -363,7 +363,7 @@ function services_radvd_configure($blacklist = array()) {                 }                 $mtu = get_interface_mtu($realif);                 if (is_numeric($mtu)) { -                      $radvdconf .= "\tAdvLinkMTU {$mtu};\n"; +                      $radvdconf .= "\tAdvLinkMTU 1472;\n";                 } else {                         $radvdconf .= "\tAdvLinkMTU 1280;\n";                 }

I hope this might help someone with similar issues. Of course it would be nice if the mtu could be adapted on the pfSense web interface.