• Dyndns not updating

    Locked
    8
    0 Votes
    8 Posts
    7k Views
    GertjanG

    @wallabybob:

    I'm not sure if this answers your question: If I recall correctly pfSense will update a dynamic DNS registration on 25 days since last registration.

    I confirm.
    /etc/inc/dyndns.class - lines 811-875 - function _detectChange() will return 'true' if

    - A new IP WAN is found
    - 25 days passed without IP WAN change
    - The IP WAN update is being called for the first time
    - …

    What I didn't discover is where and how often dyndns.class is being called to do the checking.
    But: I have proof that the checking is done at least once a day: I found it in my (and your) system log file:

    ..
    Mar 8 01:01:00 php: : phpDynDNS: No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
    ..
    Mar 7 12:00:00 php: : phpDynDNS: No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
    ..

    The update from 12 AM was triggered after a WAN IP change - the one at 01:01 was triggered by (some kind of daily check).

    Conclusion: the forced update after 25 days when your IP doesn't change should work.

    edit:
    Stupid me.
    /etc/crontab

    .. 1 1 * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update ..

    So, every 01:01 the WAN IP is checked …

  • Limiter on Floating?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • RRD Graphs not working since last update

    Locked
    19
    0 Votes
    19 Posts
    5k Views
    L

    I just realised that what I am having problems with is that squid and lightsquid are installed but for some reason squid will not start. If I remove squid and then install it again, will all the old cache and logs still be there? I really don't want to lose the last couple of months of usage that I see in the lightsquid logs.

  • Difference between Virtual pfSense on VMWare and Hacom Appliance

    Locked
    15
    0 Votes
    15 Posts
    5k Views
    T

    We will run the tests soon; the reason we are doing this is to get rid of Cisco and their licensing terms.

    Cisco is in most cases a waste of money when we are talking about firewalls; it's cheaper to invest in a "monster" server for a one-time fee and run a monster firewall with no such limitations on VLANs, VPNs etc… as Cisco is selling VLANs as if they were "milk". For example, IPSEC plus license for Cisco ASA 5505, 20 VLANs limit? What a f*****, the VLAN is nothing new and there is absolutely no reason to make the licenses on VLANs, which are the primary factor in networking. This is just an example, but there are other "license" features that should be included in the firewall when we purchase it, but no, they sell the hardware and the features, just everything is limited, so not any more...

    Tom

  • HTTP_REFERER on index.php after upgrade

    Locked
    5
    0 Votes
    5 Posts
    9k Views
    G

    jimp, yes that was the problem… I tried with Firefox and no problem. Then I tried Chrome in incognito mode so it doesn't use previous caches and it works too... Thanks!

  • SSH from PFsense 2.0 Firewall?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C

    Nothing different, I have rsa keys working fine on pfsense 2.0.

    The public key goes on the host(server) machine, not the client. The client is the machine you are connecting "from".
    So put your local machine's id_rsa.pub in the pfsense authorized_keys and you'll be all set.

  • Package Manager offline?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimpJ

    Check for any kind of proxy or filter between your firewall and our server, including something like snort that could be blocking certain http traffic.

  • VLAN use on the LAN port of pfSense

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    C

    I think NICs that don't support vlans are fairly uncommon these days. I haven't seen one, but it is my understanding that if you had one it would still appear on the vlan page and you could select it. Once configured I expect it would default to an mtu of 1496, which is not likely to cause you big problems in my experience. I serve a lot of clients with a WAN (PPPoE) mtu of 1452 and never a complaint.

  • Pfsense slow data transfer…

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    S

    Good to see you've started using a proper firewall, Anders. ;)

  • LDAP authentication for WebGUI

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Can ping, but no internet pfsense 2.0.1

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    S

    Just mentioning, ran into a similar problem a yesterday days. It seems the only way to get the work was to run the setup wizard under System. If you manually enter in a gateway or any system, they are not registered properly. The only way they register properly is once the wizard was used. Any changes manually could break, and the only way to repair again was via the setup wizard. This was the amd version (it sure seems buggy, that version).

  • Block access to internet

    Locked
    6
    0 Votes
    6 Posts
    23k Views
    S

    Best way I find that works to control internet access: set your LAN to something like 172.16.0.1/23 or 172.16.0.1/22, put DHCP on 172.16.0.0/24 and create very restrictive firewall rules for within this IP range, then on the range of 172.16.1.0 or higher leave it uncontrolled, or create a rule that leaves out port 80 across the entire LAN. Then create an alias that enables port 80 for certain IPs within those ranges (you can just do it on a single IP range too: give the upper half DHCP and the lower half static). (You can use captive portal for more restriction control, but it will also have to block port 8000, as this is the port all port 80 gets redirected through.)

    This way anyone who logs on to your system with DHCP will automatically be assigned into a highly controlled internet, and to access fully they have to connect by static IP and/or static ARP. Those you wish not to be controlled so much, give them a static IP in the 172.16.1.0 range or higher, and create an alias for them that opens all the ports or whatever form of access you want.

    It's hard for them to cheat the system easily, since the only way for them to actually access the internet fully is to use a static IP of one that is already assigned to another computer. Any other IP will have very restrictive internet.

    If you just want them to access Gmail, the best is to install Mozilla Thunderbird (or any IMAP client), go into the Gmail configuration and enable IMAP, then simply only allow ports 1-79 and 81-1000. Do this for the IP range of 172.16.0.1. This way they will be able to send and receive emails but will not be able to surf. (For setup you need full access (port 80) to set up the IMAP settings automatically; after that port 80 can be disabled again, or enter the settings in manually.) But otherwise you can do the same sort of thing: create an alias that allows certain IPs to have access to certain websites while at the same time enabling port 80 or the entire port range for those particular IPs.

    If you do not want to use a subnet mask, you can install a second network LAN and plug it into your switch with a different IP, on which you use a completely different IP range, and on that one you can use static IP; do not enable DHCP on this card. It's the same difference as above, just less can go wrong, and it's a bit harder for someone to determine the IP range in use, and more so if you're using different switches to separate the allowed users and restricted users.

    Otherwise, like mentioned before, without doing it this way the user could simply give themselves a different IP, but because it is static-IP based it makes surfing or stealing someone else's IP a real pain, because most of the time nothing will work for accessing the internet. And if your hardware switches/equipment have some good network management on them, they will lock out any duplicate IPs right away as soon as they appear.

  • Limiting internet but not local trafic

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    C

    @mohandshamada:

    SO IF MY LAN NETWORK IS LIKE THAT 192.168.1.0/23
    AND MY SERVER IS IN THIS RANGE IS OK

    yes

  • PfSense + jabber.

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    M

    Hello,

    I never installed it on pfSense, I used it once in Zentyal.

  • Openssh encoding?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    R

    @jimp:

    I can't say I've seen that happen before on any one of the hundreds of boxes I've used. Did you do anything special with the keymap during or after the install?

    Do you have a system that is using a US or English locale to try from, or only ones using the Hungarian locale?

    I have another Hungarian Win7 system from which it works well…

  • Firewall won't let normal traffic pass

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimpJ

    Throughput in Mbit/s is meaningless for a DoS of that type. You are worried with pps (packets per second).

    Tiny packets, especially tiny UDP packets, can be quite troublesome to forward in large quantities.

    Some tweaks here can help:
    http://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards

  • Combine pfsense and stratum 1 GPS NTP server?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ

    pfSense_SMP.8:options    PPS_SYNC

    It's already there. Though you might need to disable pfSense's openntpd (/usr/local/sbin/ntpd) and use the FreeBSD version (/usr/sbin/ntpd) instead. Probably not that easy, but I know of at least one other person out there who attempted it, though I don't know the results.

  • Stupid Q: What does /## suffix do in pfSense config

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    L

    Thank you very much.  I was able to find a good definition and I understand better now.  ;D

  • Network discovery not working with pfsense

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    J

    Does anyone have any ideas on this? I have a few customers that want this system setup for them and I do not want to do it without network discovery working correctly.

  • 2.0-RELEASE are all pppoe server issues resolved?

    Locked
    4
    0 Votes
    4 Posts
    7k Views
    C

    @jimp:

    PPPoE always gets a subnet mask of 255.255.255.255

    Gateway doesn't really matter for PPP connections the way it does for others. Though I haven't seen it give out 0.0.0.0 before, it should be giving the "server address" value to the clients for their gateway.

    Does it actually work? I don't recall seeing any other complaints about the PPPoE server.

    Excuse my English,
    I have the same problem: works OK with captive portal, but with the PPPoE server no default gateway is assigned to the PPPoE client (0.0.0.0). DNS works OK indeed, ping to google.com resolves OK to an IP address, but cannot reach or explore.
    NAT OK, firewall rule for PPPoE OK.
    Tested on 2 pfSense servers, 2.0.1 Release.
    Need help.

    PS: Maybe I should try the patch commented before?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.