• No PPTP or SSH after changing WAN interfaces

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    E

    YIPPI!
    After setting up WAN2 and another reboot, WAN1 works as it should!

    So this topic can be closed!
    Thanks!

  • Corrupted auth.inc.. can't use web GUI anymore, fix with console?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimp
    fetch -o /etc/inc/auth.inc https://raw.github.com/bsdperimeter/pfsense/RELENG_2_0_0/etc/inc/auth.inc

    (Assuming you're on 2.0-RELEASE)

  • Load Balancing and Failover for SMTP and IMAP

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    marcelloc

    @hec:

    Do I need for every service like smtp, imap,… an own IP address? I don't have so many IPs to waste them.

    No. You can have one IP for many services.

  • Log to show admin activities

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    jimp

    It logs some things to the system logs, and things like config changes are tracked in the configs themselves; you can see a list of those under Diagnostics > Backup/Restore, on the Config History tab.

  • Syslogs server setup (can I push to FTP?)

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimp

    Unless your NAS can act as a syslog server, then no. Periodic copies of logs would not be ideal for many reasons, the main one being that you can't guarantee you'd capture all events between copies because they could scroll out of the clog file.

  • 0 Votes
    5 Posts
    3k Views
    jimp

    Check the system log from the console (such as clog /var/log/system.log or dmesg -a) and you'll probably find that your HDD is failing and tossing a bunch of DMA timeouts or g_vfs_* errors.

  • How can I block website?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    S

    Thank you very much.
    I'll do.

  • Radius listening interface

    Locked
    2
    0 Votes
    2 Posts
    994 Views
    N

    You started another thread here:
    http://forum.pfsense.org/index.php/topic,42575.0.html

    In the future put your question in the correct subforum "packages".

  • pfSense 1.2.3 as Load Balancer and pfSense 2.0 as cache server

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    N

    Hi,

    there shouldn't be a problem, but why do you want to use an old version 1.2.3 and an RC version? 2.0 final is out.

    What do you mean with load balancer?
    Do you mean Multi-WAN/Failover for outbound connections or do you mean LoadBalancing for incoming connections (LoadBalancing a webserver on your LAN)?

    I am using Multi-WAN with pfsense 2.0 and it is working really good. So you should use pfsense 2.0 for this, too.

  • Networking newbie question

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    J

    What you want to do is setup 802.11q vlan trunking between the switch and pfSense and again between your AP and switch.

    Change switch for GS108T to support management, vlans, etc. Apple AirPort does not support VLAN or multiple BSSID (you only need one AP to run multiple BSSID unique networks, unique security settings, unique LAN when used with VLAN) but I think all WRT54GL will be new enough to support multiple BSSID. Most likely your choices will be limited to DD-WRT (recommend Broadcom), Cisco/HP/Symbol/etc, Ubiquiti or other specialty vendors. The only reason I can think to keep Apple Airport is if you want to use the Time Machine backup feature, otherwise it's (IMO) just an overpriced sub-par consumer-grade router, not even a web UI or even CLI, no wall mounting, when all other routers have 5 ports, they have 3.

    For the bandwidth limit you can do it easy with captive portal, just type in the speed limit.

  • PFSense 2.0 auth in AD

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    J

    In pfSense 2.0 some things (certificates, authentication) are moved to global config; that way you can, e.g., set up AD one time and use it for portal, proxy, etc. Have a look under system settings!

  • Powerd

    Locked
    10
    0 Votes
    10 Posts
    5k Views
    J

    CPU usage is already logged under RRD Graphs > System. Any other info you can get from the system I am sure you can hack RRD or SNMP rather easily to be able to log it.

    Not sure what system you have that supports logging power usage, but I only see that in high end systems like HP true server grade. When I look on HP support for DL360 G5 & DL360 G7 I don't see BSD listed, so I'm not sure how you would manage to get the needed data without the proper agent. Honestly in that case you might want to run VMWare ESXi if that data is important to you. Now the issue with that is free ESXi won't show more than 1-2 hours of graphs and I don't think it supports SNMP either: so more than likely licensing fees or hacking will be required there. But it sounds like you are in a proper environment, so there are features to gain that should fit in well.

  • Capture SMTP forward different host

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Weird problem: related to load balancer?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    marcelloc

    Change pfsense gui port and disable gui redirect rule

  • Captive portal for wifi with dhcp relay / bridge?

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    W

    I am using captive portal to authenticate routed traffic from a WiFi net to my home network. A pfSense box is the DHCP server on the WiFi network. WiFi clients get their IP address by DHCP without problem and without requiring authentication from the captive portal.

    I don't know if Captive Portal operates at layer 2 (bridging) or layer 3 (routing). I have no experience with Captive Portal on a bridged interface. Do you really need to bridge WiFi net and LAN?

    You mentioned DHCP relay. Why not use the pfSense box as DHCP server?

    If you are reasonably experienced with pfSense you could probably fairly easily set up something like what you described so you can experiment with it.

  • Internal net stops passing traffic

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    P

    I saw several people complaining about that a while back. I don't know if it will help, but perhaps a firmware update might also work. Otherwise you will have to find a way to compile and use a different kernel or module. This is one reason I look for Intel NIC based servers when I can.

  • Another logging question (is everything everything?)

    Locked
    12
    0 Votes
    12 Posts
    4k Views
    stephenw10

    @anothereric:

    Maybe I'll try fooling with gitsync on my mule just for the cheap thrill.

    If you have a test box setup then go for it. Once you're happy with the procedure then you can make a decision on your main box.

    Steve

  • Gmail doesn't load

    Locked
    11
    0 Votes
    11 Posts
    4k Views
    A

    Not sure…. maybe I was tired ... maybe something went wrong when I was installing as I have now reinstalled the latest build again and it is working fine..... hate these sort of issues...must have been me  :-\

  • OpenVPN on pfSense 2.0, Using Wizard?

    Locked
    20
    0 Votes
    20 Posts
    86k Views
    B

    So, I was able to follow this tutorial and it worked out great!! Thanks!!

    I just have one question…. I've been reading about pre-shared key authentication versus X.509 PKI authentication as seen in this article http://www.iceflatline.com/2010/10/secure-remote-access-to-your-home-network-using-pfsense-and-openvpn/, so my question is… which one does this set up.

    There appears to be a 2048-bit OpenVPN static key in the server setup, which I assume is the shared key which leads me to believe this is pre-shared key authentication. Am I correct? If so, what would I need to do to turn it into X.509?

    Thanks!

  • PPPOE Differences between 1.2.3 and 2.0

    Locked
    2
    0 Votes
    2 Posts
    7k Views
    S

    So I have a pfsense 1.2.3 router, with pppoe server it assigns a static ip to the client from my wan interface. Works great, here is the log.

    Oct 26 20:42:22 mpd: Incoming PPPoE connection request via em2: for service "*" from 00:0a:cd:14:d9:8e
    Oct 26 20:42:22 mpd: PROTOCOMP
    Oct 26 20:42:22 mpd: MRU 1492
    Oct 26 20:42:22 mpd: MAGICNUM ec44aeac
    Oct 26 20:42:22 mpd: AUTHPROTO CHAP MD5
    Oct 26 20:42:22 mpd: MAGICNUM 501be513
    Oct 26 20:42:22 mpd: MAGICNUM 501be513
    Oct 26 20:42:22 mpd: PROTOCOMP
    Oct 26 20:42:22 mpd: MRU 1492
    Oct 26 20:42:22 mpd: MAGICNUM ec44aeac
    Oct 26 20:42:22 mpd: AUTHPROTO CHAP MD5
    Oct 26 20:42:22 mpd: MRU 1492
    Oct 26 20:42:22 mpd: MAGICNUM ec44aeac
    Oct 26 20:42:22 mpd: AUTHPROTO CHAP MD5
    Oct 26 20:42:22 mpd: Name: "CSR"
    Oct 26 20:42:22 mpd: Peer name: "CSR"
    Oct 26 20:42:22 mpd: Response is valid
    Oct 26 20:42:22 mpd: IPADDR 192.168.101.2
    Oct 26 20:42:24 mpd: IPADDR 192.168.101.2
    Oct 26 20:42:24 mpd: IPADDR 192.168.101.2
    Oct 26 20:42:24 mpd: 192.168.101.2 -> 173.160.XXX.XXX

    Can ping client after connection and connect to Remote Desktop Server. I'm using VMWare ESXI, and when I pause the 1.2.3 router and enable the pppoe server on my new 2.0 router. With the same PPPOE Server config, everything looks good (after disabling compression and changed the auth to CHAP) but it seems that I can not ping or connect to the Remote Desktop Server like I can with the 1.2.3 Router. One last note is that I can ping the PPPOE client public IP when it connects to the PPPOE Server from the web interface.

    Oct 26 20:33:48 poes: Incoming PPPoE connection request via em4: for service "*" from 00:0a:cd:14:d9:8e
    Oct 26 20:33:48 poes: [poes10] Accepting PPPoE connection
    Oct 26 20:33:48 poes: [poes10] opening link "poes10"...
    Oct 26 20:33:48 poes: [poes10] link: OPEN event
    Oct 26 20:33:48 poes: [poes10] LCP: Open event
    Oct 26 20:33:48 poes: [poes10] LCP: state change Initial --> Starting
    Oct 26 20:33:48 poes: [poes10] LCP: LayerStart
    Oct 26 20:33:48 poes: [poes10] PPPoE: connection successful
    Oct 26 20:33:48 poes: [poes10] link: UP event
    Oct 26 20:33:48 poes: [poes10] link: origination is remote
    Oct 26 20:33:48 poes: [poes10] LCP: Up event
    Oct 26 20:33:48 poes: [poes10] LCP: state change Starting --> Req-Sent
    Oct 26 20:33:48 poes: [poes10] LCP: SendConfigReq #1
    Oct 26 20:33:48 poes: PROTOCOMP
    Oct 26 20:33:48 poes: MRU 1492
    Oct 26 20:33:48 poes: MAGICNUM c5d20912
    Oct 26 20:33:48 poes: AUTHPROTO CHAP MD5
    Oct 26 20:33:48 poes: [poes10] LCP: rec'd Configure Request #121 (Req-Sent)
    Oct 26 20:33:48 poes: MAGICNUM 24cbf809
    Oct 26 20:33:48 poes: [poes10] LCP: SendConfigAck #121
    Oct 26 20:33:48 poes: MAGICNUM 24cbf809
    Oct 26 20:33:48 poes: [poes10] LCP: state change Req-Sent --> Ack-Sent
    Oct 26 20:33:48 poes: [poes10] LCP: rec'd Configure Reject #1 (Ack-Sent)
    Oct 26 20:33:48 poes: PROTOCOMP
    Oct 26 20:33:48 poes: [poes10] LCP: SendConfigReq #2
    Oct 26 20:33:48 poes: MRU 1492
    Oct 26 20:33:48 poes: MAGICNUM c5d20912
    Oct 26 20:33:48 poes: AUTHPROTO CHAP MD5
    Oct 26 20:33:48 poes: [poes10] LCP: rec'd Configure Ack #2 (Ack-Sent)
    Oct 26 20:33:48 poes: MRU 1492
    Oct 26 20:33:48 poes: MAGICNUM c5d20912
    Oct 26 20:33:48 poes: AUTHPROTO CHAP MD5
    Oct 26 20:33:48 poes: [poes10] LCP: state change Ack-Sent --> Opened
    Oct 26 20:33:48 poes: [poes10] LCP: auth: peer wants nothing, I want CHAP
    Oct 26 20:33:48 poes: [poes10] CHAP: sending CHALLENGE len:20
    Oct 26 20:33:48 poes: [poes10] LCP: LayerUp
    Oct 26 20:33:48 poes: [poes10] CHAP: rec'd RESPONSE #1
    Oct 26 20:33:48 poes: Name: "CSR"
    Oct 26 20:33:48 poes: [poes10] AUTH: Auth-Thread started
    Oct 26 20:33:48 poes: [poes10] AUTH: Trying INTERNAL
    Oct 26 20:33:48 poes: [poes10] AUTH: INTERNAL returned undefined
    Oct 26 20:33:48 poes: [poes10] AUTH: Auth-Thread finished normally
    Oct 26 20:33:48 poes: [poes10] CHAP: ChapInputFinish: status undefined
    Oct 26 20:33:48 poes: Response is valid
    Oct 26 20:33:48 poes: Reply message: Welcome
    Oct 26 20:33:48 poes: [poes10] CHAP: sending SUCCESS len:7
    Oct 26 20:33:48 poes: [poes10] LCP: authorization successful
    Oct 26 20:33:48 poes: [poes10] Bundle up: 1 link, total bandwidth 64000 bps
    Oct 26 20:33:48 poes: [poes10] IPCP: Open event
    Oct 26 20:33:48 poes: [poes10] IPCP: state change Initial --> Starting
    Oct 26 20:33:48 poes: [poes10] IPCP: LayerStart
    Oct 26 20:33:48 poes: [poes10] IPCP: Up event
    Oct 26 20:33:48 poes: [poes10] IPCP: state change Starting --> Req-Sent
    Oct 26 20:33:48 poes: [poes10] IPCP: SendConfigReq #1
    Oct 26 20:33:48 poes: IPADDR 10.5.250.4
    Oct 26 20:33:48 poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting
    Oct 26 20:33:48 poes: [poes10] IPCP: rec'd Configure Request #123 (Req-Sent)
    Oct 26 20:33:48 poes: [poes10] IPCP: SendConfigAck #123
    Oct 26 20:33:48 poes: [poes10] IPCP: state change Req-Sent --> Ack-Sent
    Oct 26 20:33:48 poes: [poes10] IPCP: rec'd Configure Ack #1 (Ack-Sent)
    Oct 26 20:33:48 poes: IPADDR 10.5.250.4
    Oct 26 20:33:48 poes: [poes10] IPCP: state change Ack-Sent --> Opened
    Oct 26 20:33:48 poes: [poes10] IPCP: LayerUp
    Oct 26 20:33:48 poes: 10.5.250.4 -> 173.160.XXX.XXX
    Oct 26 20:33:48 poes: [poes10] IFACE: Up event
    Oct 26 20:33:48 poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting
    Oct 26 20:33:58 poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting

    Here is a copy of the mpd.conf from 2.0, Disabled compression and changed to chap

    pppoe_standard:
            set bundle no multilink
            #set bundle enable compression
            set auth max-logins 1
            set iface up-script /usr/local/sbin/vpn-linkup
            set iface down-script /usr/local/sbin/vpn-linkdown
            set iface idle 0
            set iface disable on-demand
            set iface disable proxy-arp
            set iface enable tcpmssfix
            set iface mtu 1500
            set link no pap chap
            set link enable chap
            set link keep-alive 60 180
            set ipcp yes vjcomp
            set ipcp no vjcomp
            set link max-redial -1
            set link mtu 1492
            set link mru 1492
            set ccp yes mpp-e40
            set ccp yes mpp-e128
            set ccp yes mpp-stateless
            set link latency 1
            #set ipcp dns 10.10.1.3
            #set bundle accept encryption
            set ipcp dns 192.168.2.4 75.75.75.75

    Questions
    Am I missing some firewall change that is different than 1.2.3 and need a rule to fix this?
    Why the change from CHAP to PAP as the default in 2.0?
    Any thoughts on why the compression was throwing an error with 2.0, or did the 1.2.3 not show errors when it could not negotiate compression?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.