• Pfsense, SIP and NAT traversal

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    ptt
    Hi, I'm using pfSense 2.0 + siproxd since Dec 2010 ( pfSense 2.0 Beta5 ) in a test environment and it works fine, at least for my needs. My network topology is: WAN1 –           |--[ pfSense + siproxd ]–--- LAN  --> [ MT PPPoE Server ] –> [ Wireless AP ]    <– -->  [ Wireless CPE ] –->  [ ATA ] ( SPA2102 ) WAN2 –                        |                                     ------> [ SoftSwitch ]–> PSTN
  • Some questions

    Locked
    17
    0 Votes
    17 Posts
    5k Views
    D
    @Alf: I have a completely different question now. We have plugged everything up and everything is running smooth. The internet connection is constantly maxed at 100Mbit/sec. The only problem is that we can't connect to any games using Battle.net. Do you have any idea what it can be? We have all ports open, nothing is blocked and no traffic shaper. When we try to connect to WoW we're only getting instantly disconnected. WTF? Edit: there is like one constantly playing WoW, everyone else can't connect

    You need to forward ports per client for battlenet, i.e. 6112 on wan to client 1, 6113 to client 2, 6114 to client 3 etc. This is why it is important to assign static LAN IPs for each client. You then notify each user as to the port they need to setup the bnet client for (default 6112).

    IIRC, there is a limitation of 6 hosts per IP (WAN) for battlenet (at least for WC3/ Dota this holds true). You must setup the NAT so that each group of clients goes out a certain WAN IP for Bnet. This is best done with Manual Advance Outbound NAT (AoN), i.e. you allocate 6112 to 6127 per table (with each client using one of the ports). Then under AoN, you set the NAT so that ports 6112:6127 for 10.0.1.X (table 1) are mapped to one of the WAN gateways, 6112:6127 for 10.0.2.X (table 2) for another WAN gateway so on and so forth. Make these static ports.

    This does not negate the 6 hosts per IP limitations but you shouldn't be having that many hosts on bnet to begin with. For regular WoW access, this should not be an issue so long as all the clients have unique ports.
  • [SOLVED]Major issues with pfsense 2.0-Release

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    S
    Advice taken. After I changed to port 5080 everything worked. To this day I have no idea why port 5060 did not work. I do have too many layers of security that could have caused the issues. IDS+pfsense+ipblock.
  • 2.0-Release LAGG issue

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Power Consumption Spike w/ 2.0 + Hibernate Mode?

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    J
    Advanced\misc settings and just toggle it on.  It made a huge difference on some of our platforms. @pf2.0nyc: just spent 2 hours searching through older posts - I'm not sure I follow with what powerd is and how to enable/disable it, etc. Is there a tutorial somewhere? thx.
  • Can i have 2 pfsense boxes mirrored for redundancy?

    Locked
    20
    0 Votes
    20 Posts
    5k Views
    P
    You cannot sync squid settings or cache between the 2. You can setup squid on both. You will just need to configure them on both sides. The service will always be running on the backup node, it just won't have the cache until it starts being used. Yes, I would start there as well then worry about the extra 1 IP you have. If you can get your services moved over or DNS changed out, then there will eventually be no need for your single IP address.
  • Load Balancing, gateway switching

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Configuration Problems: pfSense 2.0

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    T
    I will check that and see. For now, I realized that pfSense has an awesome ability to upgrade built in, so I backed up my working install of the v1.2.3 and then upgraded it to 2.0. This was flawlessly done, and now I have a working version 2.0. Happiness and relief! I would like to understand why my other attempt did not work, so I will look into it and compare settings with this now working version to see what the problem was. Thanks all for the input. I'm looking forward to using pfSense a lot more. ~ Tom
  • Dynamic DNS from dyndns - how to update as ip changes?

    Locked
    23
    0 Votes
    23 Posts
    12k Views
    T
    Thanks for the clarification Jimp. Now it makes sense.
  • PfSense 1.2.3 Help!!

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    Cry Havok
    You're saying it should boot to Windows 2008 - what exactly does this then have to do with pfSense? Of course, as you've said nothing about what is displayed at this "console screen" it would be hard for us to help you even if it was on topic ;)
  • Squid and SquidGuard crash problem when i use script

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    D
    Hi,

    ps -f | grep "proxy_monitor.sh" | awk '{print $1}' | xargs kill -9

    This command is stopping autorestart squid and squidguard. I had tested.
  • Unauthorized MAC redirected through Proxy or CP?

    Locked
    1
    0 Votes
    1 Posts
    911 Views
    No one has replied
  • Tapatalk

    Locked
    1
    0 Votes
    1 Posts
    930 Views
    No one has replied
  • Imspector 0.8.9 error when click Change (Pfsense 1.2.3 RC)

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    T
    @phospher: Who created that spy app anyway? Ever visited the smoothwall forums? and or www.imspector.org ? (currently down btw.) I believe it was one of the developers working on smoothwall express who made imspector. (aslak ?) Shouldn't this question be moved to the "packages" thread? I don't know who is the maintainer for this package, or if it even is maintained at all.
  • Load balancer configuration problems

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    P
    @marcelloc: Don't configure LAN and WAN on same subnet unless you are using bridge. configuring a balancer on same subnet you are will not work. The web server will receive your request via firewall and will try to respond directly to you… 192.168.0.1(you) -> 192.168.0.17(balancer) -> 192.168.0.74(server) the response will be 192.168.0.74(server) -> 192.168.0.1(you) -> reject! You asked 192.168.0.17 for a page, not 192.168.0.74.

    Now I configure WAN of the load balancer to 192.168.2.2 with the default gateway 192.168.2.1. However, I still get no response from 192.168.2.2 and I get the following in the states log.

    tcp 192.168.0.74:80 <- 192.168.2.2:80 <- 192.168.2.1:51333 CLOSED:SYN_SENT
    tcp 192.168.2.1:51333 -> 192.168.0.74:80 SYN_SENT:CLOSED

    I check the web server (192.168.0.74), there's a connection between it and the default gateway (192.168.2.1). Any suggestion?
  • Maximum of VLAN interfaces

    Locked
    2
    0 Votes
    2 Posts
    996 Views
    GruensFroeschli
    I'm not aware of any limits. However 802.1Q itself limits to 4093 (0x0, 0x1 and 0xFFF are reserved)
  • MOVED: POP3 Filter

    Locked
    1
    0 Votes
    1 Posts
    966 Views
    No one has replied
  • FTP from LAN to highport FTP server on WAN

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    S
    @podilarius: I know how passive ftp works. I'm connecting from a LAN side client to a WAN side passive ftp server that is listening for incoming connections on a HIGH port >1024 – NOT port 21. For this to work I'd have to open the port on which I connect to the server (e.g. 30000) + all ports >1024 for PASV data transfer on the LAN interface and that's exactly what I DON'T want to do. As mentioned FTP Helper would help with this, but since it doesn't track FTP connections on high ports (as Ermal mentioned) it's useless in this scenario.

    @ermal: thanks for clearing this up. Already thought that FTP helper would only work when using port 21.

    === My solution for now: Connecting to the FTP through a socks proxy which isn't restricted as much as the LAN side clients. ===

    Please let me know if there's any "better" way to do this.
  • Cannot access GUI

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    P
    @michael.jesse: I tried to access the GUI through a Web interface again and it did not work. I tried to ping the gateway (192.168.1.1) and it failed. I rebooted the router and ping is successful, but still cannot access GUI. I tried to get on through HyperTerminal, but that connection failed as well, both through Winsock and SSH connections. Is there any other way to access this short of reformatting?

    Can you get on via keyboard and monitor? If you can, you can go into /cf/conf/config.xml and remove the errant NAT entries. Once that is complete you must reboot for it to take effect. This might allow you to get in; otherwise, if you can get into the console, you can set it back to factory defaults and reload from the last known good backup.
  • Pfsense 2.0 domain subdomains

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    Cry Havok
    If only your webmail service uses port 443 then you can get around it with HA Proxy or similar. Otherwise yes, for all services other than HTTP you need one WAN IP for each service you want to share a port.