• Best way to unblock Facebook (on whatever port you like)

    Locked, 0 Votes, 2 Posts, 1k Views

    Ok, here: http://forum.pfsense.org/index.php/topic,51264.msg278165.html
    ;D

  • UPNP for VPN PPTP connections

    Locked, 0 Votes, 7 Posts, 6k Views

    @jimp:

    As I said above, it probably will not work for PPTP.

    First, because those interfaces are not selectable for/by UPnP, and second, UPnP works with broadcast/multicast and that traffic doesn't carry over PPTP, if I recall correctly.

    You are correct, broadcast/multicast is not carried over PPTP :(

  • Is pfSense the right product for my requirements

    Locked, 0 Votes, 17 Posts, 4k Views

    Thanks, I'll try that as soon as I can.

  • Noob with Setup Question

    Locked, 0 Votes, 6 Posts, 2k Views

    OK, so I've just tried to bridge LAN to WAN (by bridging the interfaces) and I am unable to ping out on a device that has a WAN IP set static. I'm guessing it's not as easy as just bridging the interfaces? Any links on what to do or how to bridge them would be appreciated.

  • SSH key exchange

    Locked, 0 Votes, 8 Posts, 6k Views

    I think part of the problem was that my Ubuntu session was a VM and had virtual box at the end of my computer name. I figured out how to change that, added a new user on the webConfigurator, generated a new key pair, pasted the public key into the box, and everything worked great!

    Thanks for the suggestions everyone, the key is now working perfectly. Now if I could just figure out how to fix my one server where the pfSense update to 2.0.1 didn't work correctly.  :(

  • How many cores/cpus does a pfsense box really need?

    Locked, 0 Votes, 3 Posts, 5k Views

    Two cores/CPUs is about the most that gets you significant benefit today. In a year or two, that'll be different.

  • How to speed test over a 72 hour period?

    Locked, 0 Votes, 2 Posts, 1k Views

    If you have access to a machine with a matched or faster connection than yours outside of your LAN, you could try iperf.

  • Wan monthly download check

    Locked, 0 Votes, 3 Posts, 1k Views

    Thank you for your information.

  • Pfsense will not reset active connections

    Locked, 0 Votes, 2 Posts, 1k Views

    It won't block it because the server has probably shifted the connection to a different port.

    You will need to install an IP block that blocks her access to the Internet for probably 5-10 minutes at 5pm, long enough for the server to timeout and kill the connection.

    I would set up an infinite (reserved) DHCP lease so that her system always gets the same IP address.

  • Issue with changing over WAN connection

    Locked, 0 Votes, 2 Posts, 1k Views

    @luke240778:

    On Status > Gateways, the new one says online.. BUT computers on my LAN can ping 8.8.8.8 and so on, but can't open any www. sites, which to me means DNS problem.

    Unfortunately humans often translate a browser error message to "can't open site zzz" with significant information loss. The browser error report is almost always more informative than "can't open …"

    The problem could be upstream congestion, no access to the name server, broken upstream link between you and the hosts you attempted to access, ... The browser error report will likely give a clue to help identify a specific cause.

    @luke240778:

    A second attempt and different results.. Gateway status says Online, but not even pfSense can ping it via IP or ping anything else on the www.

    As above, giving the ping command and its response is almost always more informative than "can't ping".

  • Help for starting a vpn company

    Locked, 1 Votes, 2 Posts, 1k Views

    Well, after some search I saw that using MikroTik and sending some attributes to MikroTik as mikrotik-rate-limit works well for users. I want to use pfSense though. Maybe some attributes can solve my problem?

  • Pfsense and wireless router having problems with https

    Locked, 0 Votes, 3 Posts, 2k Views
    jimp

    Your last point was correct. Some sites enforce an IP:login relationship. If you load balance HTTPS, then those sites will fail if any part of the connection goes across the "wrong" wan.

    Use a failover group for HTTPS instead of load balancing, or perhaps try enabling sticky connections under System > Advanced on the Misc tab under Load Balancing.

  • Block facebook HTTPS

    Locked, 0 Votes, 2 Posts, 2k Views
    stephenw10

    You should not have the source port set to 443 in your timed https rule. Set it to '*'.

    Steve

  • Multiple GRE bugs in 2.0.1-RELEASE

    Locked, 0 Votes, 1 Post, 1k Views
    No one has replied
  • 0 Votes, 14 Posts, 5k Views

    @deej1:

    Sorry the logs are always empty, they don't have anything useful in them at all.

    I find this so surprising I need clarification: When you write "the logs are empty" do you mean "the logs contain nothing at all" or do you mean "the logs don't report anything that seems relevant to this particular problem"?

    @deej1:

    Hope that is enough info, Thanks for your help

    Thanks for the additional information. Unfortunately it is not enough for me to be able to identify the problem.

    When I asked @wallabybob:

    When pfSense has "fallen over"
    1. What is reported on the client when you attempt to ping an internet host by IP address (say 8.8.8.8, a Google name server)?
    2. What is reported on the pfSense console when you attempt to ping a client computer?

    I was looking for more details than @deej1:

    The pfsense box cannot ping 8.8.8.8,

    Ping can report a number of different errors and the exact text of the report contains considerably more information than the high level summary "cannot ping". Please provide the details I asked for.

    Your report @deej1:

    The pfsense box cannot ping 8.8.8.8,

    seems to contradict your earlier report that you can ping from pfsense shell to an external website. Maybe the details of the ping response will explain the apparent contradiction. Can you explain this apparent contradiction? (Note I get ping response from 8.8.8.8 over the public internet.)

    None of your pfSense interfaces has a public IP address. So what is between pfSense and the targets of the nessus scan? What is between pfSense and the public internet?

  • Unable to open /cf/conf/config.xml for writing in write_config()

    Locked, 0 Votes, 6 Posts, 11k Views
    stephenw10

    There was a glitch a while back that prevented the remounting command functioning but I thought that had been fixed with 2.0.1.
    The / and /cf should be mounted read only in NanoBSD.

    [2.0.1-RELEASE][root@pfsense.fire.box]/root(27): mount -p
    /dev/ufs/pfsense0       /                       ufs     ro,sync,noatime         1 1
    devfs                   /dev                    devfs   rw                      0 0
    /dev/md0                /tmp                    ufs     rw                      2 2
    /dev/md1                /var                    ufs     rw                      2 2
    /dev/ufs/cf             /cf                     ufs     ro,sync,noatime         1 1
    devfs                   /var/dhcpd/dev          devfs   rw                      0 0

    You can try remounting it RO manually:

    /etc/rc.conf_mount_ro

    Steve

  • Best way block facebook on https (port 443)

    Locked, 0 Votes, 7 Posts, 37k Views

    You have to block using firewall rules.  We do block 443/HTTPS traffic to Facebook CIDR networks during regular office hours.

    For us, we block the following destination CIDR networks:

    69.63.176.0/20
    69.171.224.0/19
    63.135.80.0/20
    66.220.144.0/20
    65.201.208.24/29
    65.204.104.128/28
    74.119.76.0/22
    204.15.20.0/22
    173.252.64.0/18
    96.16.0.0/15

  • Dashboard - XMLRPC communication error: Operation timed out

    Locked, 0 Votes, 6 Posts, 4k Views

    OK, so this seems to have something to do with me setting up an IPsec tunnel. I have a second pfSense install that I know was able to check for updates. I then set up a tunnel to another location and then noticed it could no longer check for updates. Nothing else has changed. Even if I disable IPsec it can still not check for updates.

    I have another tunnel I need to set up to another pfSense but I don't want to break that one too.

    Any ideas?

  • Auto DHCP Renew not working on WAN (How to fix it)

    Locked, 0 Votes, 1 Post, 8k Views
    No one has replied
  • PPTP Authentication Against Active Directory

    Locked, 0 Votes, 2 Posts, 3k Views

    As I understand it, you need to use Microsoft's RADIUS implementation via IAS in order to authenticate PPTP sessions against AD. IAS doesn't need to be on the domain controller (it can be on a member server) but IAS needs to be installed somewhere and pfSense needs to be configured to auth via RADIUS against it.
