• Accessing Web Gui over IPSEC

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    G

    OK, I'm Dumb!
    The remote site's LAN subnet is 192.168.1.0/24 and I could access all devices on that network. Remote pfSense LAN is 192.168.1.1

    Months ago, on my local pfSense I set up a test network for the client with the same subnet and assigned 192.168.1.1 to a spare NIC on my pfSense. I then promptly forgot I had done that!
    So I was actually trying to log into my own firewall.

    Interesting though that 192.168.1.1 was hitting my firewall but all other requests to 192.168.1.0/24 go over the IPsec tunnel to the remote site, even though the subnet is configured on the local firewall.

    Sorry for wasting your time guys.

  • Best way to edit FreeBSD config files without breaking pfSense?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    M

    I get the idea of NAT redirection with socat,
    as seen in http://aplawrence.com/Girish/socat.html

    socat TCP-LISTEN:5000,fork TCP-CONNECT:23.3.4.45:25

    but I don't actually see how I can make it
    work with load balancing.

    Since the requests coming from a public IP address are sent by the load balancer to two different LAN IPs, I would need to have two different socat commands but listening on the same port?

    I don't see how such a setup is possible, so I will look if I can achieve the same HTTP load balancing feature with HAProxy or a reverse Squid.

  • PFS 2.0.1 release - keepalive troubles

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    S

    Can anybody test it? Is it my problem or the pfSense release? For testing you can connect to an FTP server only, without downloading. If the problem exists, after you have set these sysctl environments, you will be disconnected from the server after ~one minute. Wait a little more and try to send another command like "dir".

  • Fresh Install, two NICs, WAN working, LAN is not

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    P

    Okay, you want to set up a transparent firewall; this would mean a bridge.  If you have both WAN and LAN enabled, it should at least get a link. Sometimes, you have to set speed and duplex manually. I would check on this with the existing setup. Once you have completed that, then you can move on to setting up the WAN/LAN bridge. Since it will be a bridge, you are going to have to manually set an IP on LAN, without DHCP turned on. You will also have to set some system tunables in the advanced config.

    If you are just trying to set up a NATed or routed solution, then you just have to work out that pesky link problem. As a test, put in a 4 port switch between the router and pfSense and see if you can get a connection.

  • RRD broken after adding RRD summary package

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • User control [For lan 48+]

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    H

    see captive portal

  • PFSense stuck behind squid proxy

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • PfSense & blocking web addresses

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    S

    Have a look at pfBlocker from the Packages, that should help:
    http://forum.pfsense.org/index.php/topic,42543.0.html

  • Cvs.pfsense.org down?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C

    If drivers are an issue, you're probably stuck as you'd need an entire new base OS, which entails a LOT of work. If you haven't already, try 2.1 to see if that's better with your hardware. If you need something newer than that, you're in for a lot of work or stuck. If you can back port drivers to an 8.1 or 8.3 base, and compile your own kernel with all our kernel patches applied to the source, that's easier to do manually and replace the kernel than to run through an entire build.

  • Trouble with getting the server to respond

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    W

    I suspect you don't have a good physical connection between the switch and pfSense LAN interface - perhaps a broken cable or one end is not completely plugged into the socket. Please post the output of the pfSense shell command

    ```
    ifconfig re0
    ```

    @jhilgeman:
    > In /var/log/dhcpd.log, I see the normal startup info, and then on the last few lines:
    >
    > Listening on BPF/re0/<mac>/192.168.1.0/24
    > Sending on BPF/re0/<mac>/192.168.1.0/24
    > Sending on Socket/fallback/fallback-net
    >
    > Nothing else.

    The DHCP server is not seeing DHCP requests from the client.

    @jhilgeman:
    > When I ping, I -was- getting something about sendto: No host found" or something like that, I think, but when I do it now, I'm getting:
    >
    > sendto: No buffer space available

    PERHAPS the LAN interface transmit buffers are full with ARP requests waiting for the interface to report it has seen carrier from a switch or another NIC. It could also be the re driver doesn't correctly work with your particular NIC which is apparently a fairly new variant.

  • Specify interface 'notification' SMTP server connects through

    Locked
    1
    0 Votes
    1 Posts
    763 Views
    No one has replied
  • Need some guidance on configuration

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    P

    I use CARP VIPs for 2 reasons. It is better than ProxyARP in some ways, and in the future, I can set up clustering without having to redo IP alias or ProxyARP. If you are never going to cluster, then IP alias VIPs would be the way to go IMO. Once you have the VIP set up, then you can set up NAT and the rules. There is 1:1 NAT or port mapping. Port mapping allows for potentially more internal servers as you can put different ports on different servers. There is a book and a document repo that you can use to help you with the setup.

  • Whats faster

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 2 interfaces via bridged interface cannot talk to each other

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    E

    Thanks wallabybob and stephenw10. The issue is resolved by updating the following in System Tunables:

    Change net.link.bridge.pfil_member to 0
    Change net.link.bridge.pfil_bridge to 1

    It would seem if I didn't change these, I'd need to set up rules to allow LAN "subnet" to access WLAN "subnet" and vice versa? Both interfaces are set as "None" and they both are essentially on the same subnet. I think I did set up such a rule for the WLAN interface to access LAN but that didn't work. I'm just curious if there's a way to get this to work if I choose to keep bridge filtering.

  • PFSense Crash error report

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    jimp

    Yes, the entire crash report is needed, or at least the first bit.

    Actually if you submitted the crash report in the GUI, and if you let me know your IP and the approximate time of the crash I can pull the crash report data from our servers and look at it directly.

  • Network layout and firewall/Internet blocking

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    M

    The first thing you need to check is if your switches support 802.1Q or VLAN trunking/tagging. If they don't support that you can't use VLANs for your setup. You can also check if your NIC on pfSense supports 802.1Q. If it does and your switch supports it as well, then you could move into planning on how to set it up.

    The security vulnerability with VoIP on the same network as computers is that someone could eavesdrop on the phone calls if they are connected to the same network. It won't affect your hardware.

  • Build a VPN Server Is pfsense a good choice?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    Y

    Thanks for your information. :D

  • Central management of pfsense's?

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    M

    Thanks for the update. Hopefully someone w/ some weight will see the requests and think twice before making the app off limits to the masses. Or at least miss out on all the beta testing help.

    Moxie…...78-)

  • Can pfsense dial to MS VPN Server ?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    stephenw10

    Probably. It depends on what type of VPN your server is using.

    http://doc.pfsense.org/index.php/VPN_Capability_Overview

    Steve

  • Set proxy for clients before monitoring web traffic?

    Locked
    1
    0 Votes
    1 Posts
    712 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.