• 2 Firewalls (not carp) question

    Locked
    0 Votes
    5 Posts
    2k Views

    ok. Thanks for the help
    cconk01

  • Routing Issue

    Locked
    0 Votes
    7 Posts
    3k Views

    @GruensFroeschli:

    Only if you want the subnet behind your second router NATed (which you probably want).
    http://forum.pfsense.org/index.php/topic,7001.0.html

    Not even in that case. All locally connected subnets, whether locally attached or configured via static route, automatically have outbound NAT rules created for every WAN interface. This is true in 1.2 RC versions and newer at least, probably some 1.2 beta releases prior to RC. I don't recall exactly when it was added but it's been that way for a while. You only need AON if you require static port or have some complex NAT needs requiring you to disable the aforementioned automatic behavior.

    I updated the linked page to reflect this.

  • Connecting to pppoe server ????

    Locked
    0 Votes
    3 Posts
    8k Views

    PPPoE is typically terminated by a small (home use) router.
    I don't know if it is possible by Windows itself.

  • Can't access my gui page from wan after a while

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Slow internet connection after a few minutes

    Locked
    0 Votes
    10 Posts
    6k Views

    that's great info, thanks.

  • Can anyone rate pf against untangle

    Locked
    0 Votes
    17 Posts
    12k Views

    Antivirus as a whole is exceptionally overrated, and its effectiveness today is very poor. People put far too much weight into the value of antivirus in any role. Malware changes too quickly today for it to be effective. Back in the days when email viruses were the biggest concern it was effective - the executables didn't change as they were spread by infected machines. Now that the most common means of distribution is the spamming of URLs where you download infected files it's nearly useless because those who are spreading this stuff will change the file as soon as most AV is detecting it. AV vendors can't put definitions out quickly enough to stay ahead. I frequently download the exe's from virus spammed links and run them through virustotal.com. After doing that on 100+ occasions, virtually all of them are detected by fewer than 10% of the AV engines and the few if any that detect it will vary greatly from one piece of malware to another so no vendor is always protecting you.

    Would I mind seeing it in pfSense? Not at all. I wouldn't use it though. One, it's not effective; two, it's a significant performance hit: look at Untangle's hardware requirements. For a network of 50 users they recommend the same class of hardware that people run 1000+ users on with pfSense.

    On the networks I run I force outbound connections through a proxy and block executable downloads from all but a very few trusted users. Vastly more effective than antivirus, and significantly faster.

    To sum up a comparison between Untangle and pfSense, Stoutman put it best - they are both good, at different things.

  • Failover Bridged Setup using STP

    Locked
    0 Votes
    10 Posts
    4k Views

    No worries Ermal.  I'm glad you looked at it, and maybe if things get changed with FreeBSD, this can be made possible in the future.

  • Multiple IPs on wan

    Locked
    0 Votes
    3 Posts
    2k Views

    –[ cable modem ] –  [hub] – [ pfsense ] –-[ lan switch ]
                                     |           /           
                                  [ linksys ] /

    Get a hub or switch, plug your cable modem into it, along with pfsense WAN interface, and a linksys or other router.

    This way pfsense would pull a DHCP address from the cable modem, and so would the soho router, which would then NAT it to a static internal IP for pfsense to use via opt1.

    Then policy route VOIP to opt1.

  • Weird problem with one of my lan client.

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • No logging of WAN IP on Syslog Server

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • MOVED: how can i add manual ACL in SquidGuard

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Multi site

    Locked
    0 Votes
    2 Posts
    1k Views
    GruensFroeschli

    1: For only 3 sites I would install 3 PSK tunnels.
    One between each location.

    You basically add what subnet lies on the other side of the tunnel in the config, and OpenVPN does the rest for you automatically behind the scenes.
    If you configure correctly you won't have to worry about correct routing.

    2: I'm used to OpenVPN so naturally I say use OpenVPN ;)
    I'm not sure about IPSEC.
    But I think it doesn't make much of a difference.

    3: Can you ask more specific questions?

    PS: Can you post the link to your original thread?

  • Pfsense unable to boot anymore

    Locked
    0 Votes
    3 Posts
    2k Views

    Alright, I'll wait until RC1 gets released and then I'll try a fresh install. I'll update once I try this.

  • WAN interface maxed every morning at the same time?

    Locked
    0 Votes
    5 Posts
    2k Views

    @familyguy:

    @fredde:

    install and start ntop, should tell you what's hogging the line

    /F

    Do you mean installing ntop on the pfsense box?

    Yes, system -> packages -> ntop
    that's assumed you don't run embedded version

    /f

  • Running pfSense from CF with noatime mount option on root filesystem ?

    Locked
    0 Votes
    9 Posts
    6k Views

    @ermal:

    It's not a bug nor a feature, it's customization. You're on your own. noatime does not bring anything to pfSense in general so why use it?

    It is not the "noatime" that bothers me - it is in a more general consideration - I think it is a problem that the /etc/fstab contents are not respected.

    This means that it is quite difficult to add extra disks and have them automatically mounted at boot time.

    I know that pfsense is an "appliance" - but it is still *nix beneath the surface - IMHO there should be some kind of (similar) mechanism that should allow such.

  • 1.2-RELEASE becomes unstable, CP and GUI not loading

    Locked
    0 Votes
    7 Posts
    4k Views

    The web server in pfSense is lighttpd. In pfSense 1.2 it is configured by default for 1, maybe 2, connections only. This is okay for just standard firewall config on a limited resource box. This is bad for captive portal, especially if you have more than one person connecting to captive portal at the same time.

    pfSense 1.3 addresses this issue: when captive portal is enabled, lighttpd is given more resources so it can handle more connections.

    If you want to manually add these changes now to your pfSense firewall, take a look at the following links.

    This prepares the pfSense built in web server for more concurrent traffic.
    http://forum.pfsense.org/index.php/topic,8861.msg50280.html#msg50280

    This helps optimize PHP so it doesn't hold web server resources for a long period of time.
    http://forum.pfsense.org/index.php/topic,8878.0.html

    A workaround for now that will automatically remove the lock file after it is older than 3 minutes.
    http://forum.pfsense.org/index.php/topic,8152.msg57899.html#msg57899

    After making these changes I have supported over 130 people behind captive portal with no further problems.

  • PfSense and direct attached cable modem

    Locked
    0 Votes
    12 Posts
    17k Views
    chpalmer

    Yep!

    Here's a good over detailed explanation in case you're curious…    ;D

    http://www.usr.com/support/6000/6000-ug/two.html

  • Training

    Locked
    0 Votes
    9 Posts
    12k Views

    @onhel:

    Ottawa and Kentucky are a bit out my ways.  Next time something is setup within a 3 hour drive of New York City, I'm there!

    I'd be up for a session that was near NYC too.  Otherwise, a virtual environment/webinar would be cool.  I wouldn't mind paying if it was done well.

    Best,

  • Pfsense like fileserver for Windows users

    Locked
    0 Votes
    3 Posts
    6k Views

    Make a second machine for the file server. FreeNAS is built for this kind of thing, it's similar to pfsense: http://freenas.org

  • DNS vulnerable, any chance that a patch is being considered?

    Locked
    0 Votes
    3 Posts
    3k Views

    What GruensFroeschli linked is appropriate if you're using the DNS forwarder. If you're using the DNS forwarder, what it's reporting on is your ISP's DNS servers.
