• Firewall(self) as source in rules?

    13
    0 Votes
    13 Posts
    4k Views
    H
    I think whoever gave you that sheet with the current "linux" firewall rules probably has no clue how a firewall should work, and made an overcomplicated mess of things. Do note that I personally know (almost) nothing about firewalling :)
  • Port Forwarding

    16
    0 Votes
    16 Posts
    4k Views
    S
    @johnpoz: if it's physical hardware it would use that mac on that interface, unless you went in and changed it or did some sort of clone in pfsense. If it's running on virtual then it could create a new virtual mac if you did something in the setup, etc.

    Yes, it is physical hardware, so that is good.

    @johnpoz: So see a 2 second sniff on the wan in pfsense would have told you that traffic wasn't getting there, and looking to validate your wan was the IP you thought it was supposed to be is another valid check ;)

    Knowing it isn't there and being actually able to see it are two different things. There is a lot of information and I'm brand new to pfsense, so actually finding it was difficult. New tools are the hardest to use.

    @johnpoz: Glad you got it sorted. I tried firing up that software this morning and couldn't figure out how to get the debugger tester you showed running.

    Yea, welcome to the hardest-to-set-up software in the world! It is better now than a few years ago, but I've set up at least 100 accounts in PHPed and I still use a cheat sheet. Once you get the account set up, there is also a component that must be installed into PHP on the web server, and php.ini needs to be updated with the ports and IP of the users. It's rather a pain to set up. Once set up, it is amazing. I can't live without it. The ability to step line by line through a PHP program is very helpful when there is a strange bug. Plus the code prefill and highlighting are very helpful. For example, if you create a variable called $rec_num, next time you type $rec it prefills $rec_num. That really cuts down on typos.
  • Backup 4 G wan connection

    4
    0 Votes
    4 Posts
    885 Views
    R
    I was thinking of something similar myself, where an external modem like one of these connects to the 4G: http://www.maplin.co.uk/p/tp-link-3g4g-single-band-n150-portable-wireless-n-router-n40ql or http://shop.ee.co.uk/dongles/pay-monthly-mobile-broadband/osprey-black-from-ee/details The question is how I can get the roadwarrior clients that use the primary link to connect. The IP address of the 4G link is most likely dynamic, hence the question whether anyone has done something similar. Cheers, Raj
  • PPPOE issue

    8
    0 Votes
    8 Posts
    1k Views
    A
    It seems that I have a similar problem at one of the sites where I have dual WAN (PPPoE on WAN 1 and static IP on WAN 2). The backup link is over a 3G router, slow, but working. I have received a notification by email: "WAN01_PPPOE is down, removing from routing group dualnet". pfSense 2.1.5 32 bit installed on a 2GB Kingston USB memory, embedded version with VGA (Intel Atom D2500CC). I can't log in remotely as the second WAN doesn't have a public IP :(. I will check the logs tomorrow. BR, Adrian
  • Can pfSense do everything a Cisco 3845 Router does?

    2
    0 Votes
    2 Posts
    724 Views
    C
    depends on what you're doing with it. In many cases, yes. In some cases, no firewall will do exactly what IOS can do for more complicated routing-specific needs. Or if you have interfaces in it other than Ethernet (T1 CSU/DSU, among other line cards).
  • Blocking entire TLDs (.xxx and .sex) with pfSense+Squid+SquidGuard

    2
    0 Votes
    2 Posts
    2k Views
    H
    Would stopping them from resolving work? You could use DNS Resolver wildcards to make entire TLDs resolve to localhost. In the advanced section of Services --> DNS Resolver:

    server:
    local-zone: "xxx" redirect
    local-data: "xxx 3600 IN A 127.0.0.1"

    Result on a client PC:

    heper@i7 ~ $ nslookup hornytube.xxx    <--- BEFORE
    Server:         10.0.0.1
    Address:        10.0.0.1#53

    Non-authoritative answer:
    Name:    hornytube.xxx
    Address: 87.250.153.105

    heper@i7 ~ $ nslookup hornytube.xxx    <--- AFTER
    Server:         10.0.0.1
    Address:        10.0.0.1#53

    Name:    hornytube.xxx
    Address: 127.0.0.1

    heper@i7 ~ $ nslookup pfsenseresolver.xxx
    Server:         10.0.0.1
    Address:        10.0.0.1#53

    Name:    pfsenseresolver.xxx
    Address: 127.0.0.1
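As an added example that is not part of the post above and not pfSense or Unbound code: a small Python script that renders the Unbound `local-zone ... redirect` / `local-data` pairs for a list of TLDs, parses them back, and models the lookup the way Unbound's documented redirect semantics describe it (any name at or below the zone gets the zone's own record, which is why pfsenseresolver.xxx answered 127.0.0.1 without an entry of its own). The upstream answers are a constructed dictionary standing in for real recursion. One caveat the post does not mention: this only catches clients that actually use the firewall's resolver; a client pointed at a public resolver, or using DNS over HTTPS, walks straight past it unless outbound port 53 is also blocked at the firewall.

```python
"""Added example (not from the forum post): generate Unbound redirect zones
for a list of TLDs and model how Unbound answers queries under them.

Assumption: Unbound's documented `local-zone: "<zone>" redirect` semantics,
i.e. every name at or below the zone is answered with the zone's local-data.
"""

SINKHOLE = "127.0.0.1"


def unbound_redirect_config(tlds, sink=SINKHOLE, ttl=3600):
    """Render the lines to paste into the DNS Resolver custom options box."""
    lines = ["server:"]
    for tld in tlds:
        zone = tld.strip().strip(".").lower()
        if not zone:
            continue
        lines.append('local-zone: "%s" redirect' % zone)
        lines.append('local-data: "%s %d IN A %s"' % (zone, ttl, sink))
    return "\n".join(lines)


def parse_redirect_zones(config_text):
    """Map zone name -> A record for every redirect zone in the config text."""
    zones = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("local-zone:"):
            _, zone, ztype = line.split()          # local-zone: "xxx" redirect
            if ztype == "redirect":
                zones.setdefault(zone.strip('"').strip(".").lower(), None)
        elif line.startswith("local-data:"):
            rr = line[len("local-data:"):].strip().strip('"').split()
            name, rtype, rdata = rr[0].strip(".").lower(), rr[-2], rr[-1]
            if rtype == "A" and name in zones:
                zones[name] = rdata
    return zones


def resolve(name, zones, upstream):
    """Answer as Unbound would: walk from the full name up to the TLD and
    return the first redirect zone's address; otherwise fall back to the
    (constructed) upstream answer. Matching is per label, so a zone "sex"
    does not catch sexy.net, and "xxx" does not catch xxx.example.com."""
    labels = name.strip(".").lower().split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zones.get(zone):
            return zones[zone]
    return upstream.get(".".join(labels))


if __name__ == "__main__":
    cfg = unbound_redirect_config(["xxx", "sex"])
    print(cfg)
    z = parse_redirect_zones(cfg)
    # constructed stand-in for the answers a real upstream would return
    fake_upstream = {"hornytube.xxx": "87.250.153.105", "example.com": "203.0.113.5"}
    for q in ["hornytube.xxx", "pfsenseresolver.xxx", "example.com", "xxx.example.com"]:
        print(q, "->", resolve(q, z, fake_upstream))
```

The generated block drops straight into the resolver's custom options; the `resolve()` model is only there to make the matching rule visible before you commit a zone that might be broader than intended.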
  • Deployment methods for VPN users?

    4
    0 Votes
    4 Posts
    916 Views
    F
    @watts3000: I am curious, why do you want to replace SSTP? Are you having some technical problems, or do you want to replace it just because it's Microsoft? We run SSTP and L2TP and have zero problems.

    The machine that supports the SSTP links right now is a virtual machine, and I want to get that traffic/dependency off the network for those VMs. So, it's either set people up to connect to the pfSense system, or put in real hardware for people to reach. A software solution doesn't add (significant) heat to my datacenter, which is why I was hoping for an easy install/deployment.
  • Stops working.. Server not found.. DNS issue?

    6
    0 Votes
    6 Posts
    1k Views
    K
    http://i.imgur.com/7jAfrAo.jpg Gotta love squid.
  • Email and pfsense

    2
    0 Votes
    2 Posts
    650 Views
    DerelictD
    Sure.  Just make LAN rules that pass only what's necessary for exchange and the default rule set will block everything else.
  • Snort features

    3
    0 Votes
    3 Posts
    915 Views
    bmeeksB
    @MiXeDeMoTiOnS: I installed Snort and it basically killed my internet connection. It brought down my speed to a complete crawl or basically timed out some of the pages. I was wondering, is Snort supposed to slow your connection? I'm pretty new, so some advice on this subject would be greatly appreciated.

    Snort will not impact your speed unless you are enabling every possible rule and have an 8088 8 MHz processor from the 1980s … :D

    Blocking is another issue (feature). No IDS is "install and forget". Every IDS installation requires environment-specific tuning. Refer to the Packages sub-forum here and search for all the Snort configuration threads. There is an excellent Master Suppress List thread that reviews fixes for the most common false positives from Snort.

    Another recommendation is to first run Snort in non-blocking mode for a few days or a week or two. That way you can see what it would have blocked, and then have time to evaluate/research each alert to see if it is indeed a false positive in your environment. Many of the HTTP_INSPECT alerts are generally false positives.

    Bill
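An added example, not code from the thread or from the pfSense Snort package, of the tuning pass described above: take the alert_fast lines Snort produced during the non-blocking period, count them per signature, and draft suppress entries in the threshold.conf syntax (`suppress gen_id ..., sig_id ...`, optionally `track by_src, ip ...`) that the package's Suppress List accepts. The sample alert lines are constructed; the layout is Snort's alert_fast format. The threshold of two alerts and the rule "scope the entry to one host when only one host ever tripped it" are assumptions for the example, and each drafted line still needs the per-alert research the post calls for: a plain suppress blinds you to that signature everywhere, which is why the script narrows it to a source IP where it can.

```python
"""Added example (not from the thread or the pfSense package): tally Snort
alert_fast lines from a non-blocking run and draft suppress-list entries.
The sample alerts are constructed; the line layout is Snort's alert_fast
format and the output is Snort threshold.conf suppress syntax.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: gid 119 is http_inspect, sid 1000001 is in the local
# rule range, 2100498 is the classic GPL "id check returned root" rule.
SAMPLE_ALERTS = """\
01/16-10:02:11.120331  [**] [1:1000001:1] LOCAL POLICY constructed rule A [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:51234 -> 203.0.113.10:80
01/16-10:02:12.004112  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 10.0.0.5:51240 -> 203.0.113.10:80
01/16-10:02:15.770001  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 10.0.0.7:49152 -> 203.0.113.11:80
01/16-10:03:01.000042  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 10.0.0.5:51251 -> 203.0.113.10:80
01/16-10:05:44.319999  [**] [1:1000001:1] LOCAL POLICY constructed rule A [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:60001 -> 198.51.100.20:443
01/16-10:07:10.118080  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.20:80 -> 10.0.0.9:60002
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_alert(line):
    """Return the fields of one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        a[k] = int(a[k])
    # drop the port; alert_fast writes addr:port for both endpoints
    a["src_ip"] = a["src"].rsplit(":", 1)[0]
    a["dst_ip"] = a["dst"].rsplit(":", 1)[0]
    return a


def tally(lines):
    """Count alerts per (gid, sid) and remember which sources triggered each."""
    counts, sources, msgs = Counter(), defaultdict(set), {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["gid"], a["sid"])
        counts[key] += 1
        sources[key].add(a["src_ip"])
        msgs[key] = a["msg"]
    return counts, sources, msgs


def draft_suppress(lines, threshold=2):
    """Signatures firing at least `threshold` times get a suppress entry,
    narrowed to the single source host when only one host ever tripped them.
    Rarer signatures are returned for manual review rather than suppressed."""
    counts, sources, msgs = tally(lines)
    suppress, review = [], []
    for (gid, sid), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n < threshold:
            review.append((gid, sid, n, msgs[(gid, sid)]))
            continue
        if len(sources[(gid, sid)]) == 1:
            (ip,) = sources[(gid, sid)]
            suppress.append("suppress gen_id %d, sig_id %d, track by_src, ip %s" % (gid, sid, ip))
        else:
            suppress.append("suppress gen_id %d, sig_id %d" % (gid, sid))
    return suppress, review


if __name__ == "__main__":
    entries, todo = draft_suppress(SAMPLE_ALERTS.splitlines())
    print("\n".join(entries))
    for gid, sid, n, msg in todo:
        print("# review before blocking: [%d:%d] %s (%d alert)" % (gid, sid, msg, n))
```

Feed it the alert log from the non-blocking period (one alert_fast line per entry) and paste only the entries you have actually explained into the Suppress List; the single low-count hit in the sample is exactly the kind of alert that belongs on the review list, not in the suppress list.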
  • 0 Votes
    1 Posts
    550 Views
    No one has replied
  • Squidguard not displaying reason for error code on pages that are blocked

    3
    0 Votes
    3 Posts
    2k Views
    L
    Hi, thanks for the reply. I tried your suggestion and it is still not displaying a reason code. When I look in sgerror.php the $err_msg parameter looks undefined.

```php
<?php
include "globals.inc";
include "config.inc";

$page_info = <<<EOD
# ----------------------------------------------------------------------
# SquidGuard error page generator
# (C)2006-2007 Serg Dvoriancev
# ----------------------------------------------------------------------
# This program processes a redirection to the specified URL or generates
# an error page for a standard HTTP error code.
# Redirection supports the http and https protocols.
# ----------------------------------------------------------------------
# Format:
#   sgerror.php?url=[http://myurl]or[https://myurl]or[error_code[space_code]output-message][incoming SquidGuard variables]
# Incoming SquidGuard variables:
#   a=client_address
#   n=client_name
#   i=client_user
#   s=client_group
#   t=target_group
#   u=client_url
# Example:
#   sgerror.php?url=http://myurl.com&a=..&n=..&i=..&s=..&t=..&u=..
#   sgerror.php?url=https://myurl.com&a=..&n=..&i=..&s=..&t=..&u=..
#   sgerror.php?url=404%20output-message&a=..&n=..&i=..&s=..&t=..&u=..
# ----------------------------------------------------------------------
# Tags:
#   myurl and output messages can include Tags
#     [a] - client address
#     [n] - client name
#     [i] - client user
#     [s] - client group
#     [t] - target group
#     [u] - client url
# Example:
#   sgerror.php?url=401 Unauthorized access to URL [u] for client [n]
#   sgerror.php?url=http://my_error_page.php?cladr=%5Ba%5D&clname=%5Bn%5D   // %5B=[ %5D=]
# ----------------------------------------------------------------------
# Special Tags:
#   blank     - get blank page
#   blank_img - get one-pixel transparent image (for replacing banners etc.)
# Example:
#   sgerror.php?url=blank
#   sgerror.php?url=blank_img
# ----------------------------------------------------------------------
EOD;

define('ACTION_URL', 'url');
define('ACTION_RES', 'res');
define('ACTION_MSG', 'msg');
define('TAG_BLANK',     'blank');
define('TAG_BLANK_IMG', 'blank_img');

# ?url=blank_img
#   Use this option to replace banners/ads with a transparent picture. This is better for viewing.
# NULL GIF file
# HEX: 47 49 46 38 39 61 - - -
# SYM: G  I  F  8  9  a  01 00 | 01 00 80 00 00 FF FF FF | 00 00 00 2C 00 00 00 00 | 01 00 01 00 00 02 02 44 | 01 00 3B
define('GIF_BODY', "GIF89a\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\x00\x00\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3B");

$url = '';
$msg = '';
$cl  = Array();   // squidGuard variables: %a %n %i %s %t %u

$err_code = array();
$err_code[301] = "301 Moved Permanently";
$err_code[302] = "302 Found";
$err_code[303] = "303 See Other";
$err_code[305] = "305 Use Proxy";
$err_code[400] = "400 Bad Request";
$err_code[401] = "401 Unauthorized";
$err_code[402] = "402 Payment Required";
$err_code[403] = "403 Forbidden";
$err_code[404] = "404 Not Found";
$err_code[405] = "405 Method Not Allowed";
$err_code[406] = "406 Not Acceptable";
$err_code[407] = "407 Proxy Authentication Required";
$err_code[408] = "408 Request Time-out";
$err_code[409] = "409 Conflict";
$err_code[410] = "410 Gone";
$err_code[411] = "411 Length Required";
$err_code[412] = "412 Precondition Failed";
$err_code[413] = "413 Request Entity Too Large";
$err_code[414] = "414 Request-URI Too Large";
$err_code[415] = "415 Unsupported Media Type";
$err_code[416] = "416 Requested range not satisfiable";
$err_code[417] = "417 Expectation Failed";
$err_code[500] = "500 Internal Server Error";
$err_code[501] = "501 Not Implemented";
$err_code[502] = "502 Bad Gateway";
$err_code[503] = "503 Service Unavailable";
$err_code[504] = "504 Gateway Time-out";
$err_code[505] = "505 HTTP Version not supported";

# ----------------------------------------------------------------------
# check args (POST wins over GET; missing keys default to '' instead of
# raising undefined-index notices)
# ----------------------------------------------------------------------
if (count($_POST)) {
    $in = $_POST;
} elseif (count($_GET)) {
    $in = $_GET;
} else {
    # Show 'About page'
    echo get_page(get_about());
    exit();
}
$url = trim(param($in, 'url'));
$msg = param($in, 'msg');
foreach (array('a', 'n', 'i', 's', 't', 'u') as $k) {
    $cl[$k] = param($in, $k);
}

# ----------------------------------------------------------------------
# url's
# ----------------------------------------------------------------------
if ($url) {
    $err_id = 0;
    // does the url start with a known error code?
    foreach ($err_code as $key => $val) {
        if (strpos(strtolower($url), strval($key)) === 0) {
            $err_id = $key;
            break;
        }
    }
    if ($url === TAG_BLANK) {
        # blank page
        echo get_page('');
    } elseif ($url === TAG_BLANK_IMG) {
        # blank image
        $msg = trim($msg);
        if (strpos($msg, "maxlen_") !== false) {
            # the size limit comes in via msg (the original read it from $url,
            # which can never contain "maxlen_" in this branch)
            $maxlen = intval(trim(str_replace("maxlen_", "", $msg)));
            filter_by_image_size($cl['u'], $maxlen);
            exit();
        } else {
            # return blank image
            header("Content-Type: image/gif;");   //  charset=windows-1251");
            echo GIF_BODY;
        }
    } elseif ($err_id !== 0) {
        # error code: the text after the first space is the reason shown on the page.
        # Note that this reads $_GET['url'] directly rather than $url, so the reason is
        # empty for POST requests, and strstr() returns false when nothing follows the code.
        $er_msg = strstr($_GET['url'], ' ');
        echo get_error_page($err_id, $er_msg);
    } elseif ((strpos(strtolower($url), "http://") === 0) or (strpos(strtolower($url), "https://") === 0)) {
        # redirect to the specified url; whatever absolute URL squidGuard (or anyone
        # who can reach this script) passes in is followed without further checks
        header("HTTP/1.0");
        header("Location: $url", '', 302);
    } else {
        // error arguments
        echo get_page("sgerror: error arguments " . h($url));
    }
} else {
    echo get_page(h($_SERVER['QUERY_STRING']));   //$url . implode(" ", $_GET));
#   echo get_error_page(500);
}

# ~~~~~~~~~~
# Exit
# ~~~~~~~~~~
exit();

# ----------------------------------------------------------------------
# functions
# ----------------------------------------------------------------------
function param($src, $key) {
    return isset($src[$key]) ? $src[$key] : '';
}

function h($s) {
    # everything that came from the request is escaped before it is placed
    # in HTML, otherwise the a/n/i/s/t/u parameters are reflected verbatim
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function get_page($body) {
    $str = Array();
    $str[] = '<html>';
    $str[] = "<body>\n$body\n</body>";
    $str[] = '</html>';
    return implode("\n", $str);
}

# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# IE shows its own "friendly" page instead of small error pages (size limit 1024)
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function get_error_page($er_code_id, $err_msg = '') {
    global $err_code;
    global $cl;
    global $g;
    global $config;
    $str = Array();
    header("HTTP/1.1 " . $err_code[$er_code_id]);
    $str[] = '<html>';
    $str[] = '<body>';
    if ($config['installedpackages']['squidguarddefault']['config'][0]['deniedmessage']) {
        $str[] = "<h1><center>{$config['installedpackages']['squidguarddefault']['config'][0]['deniedmessage']}: {$err_code[$er_code_id]}</center></h1>";
    } else {
        $str[] = "<h1>Request denied by {$g['product_name']} proxy: {$err_code[$er_code_id]}</h1>";
    }
    if ($err_msg)  $str[] = "<h3><b>Reason:</b> " . h($err_msg) . "</h3>";
    $str[] = '<hr>';
    if ($cl['a'])  $str[] = "<b>Client address:</b> " . h($cl['a']) . "<br>";
    if ($cl['n'])  $str[] = "<b>Client name:</b> "    . h($cl['n']) . "<br>";
    if ($cl['i'])  $str[] = "<b>Client user:</b> "    . h($cl['i']) . "<br>";
    if ($cl['s'])  $str[] = "<b>Client group:</b> "   . h($cl['s']) . "<br>";
    if ($cl['t'])  $str[] = "<b>Target group:</b> "   . h($cl['t']) . "<br>";
    if ($cl['u'])  $str[] = "<b>URL:</b> "            . h($cl['u']) . "<br>";
    $str[] = '<hr>';
    $str[] = "</body>";
    $str[] = "</html>";
    return implode("\n", $str);
}

function get_about() {
    global $err_code;
    global $page_info;
    $str = Array();
    // about info
    $s = str_replace("\n", "<br>", $page_info);
    $str[] = $s;
    $str[] = "<br>";
    $str[] = '<b>HTTP error codes (ERROR_CODE):</b><br>';
    foreach ($err_code as $val) {
        $str[] = "$val<br>";
    }
    return implode("\n", $str);
}

function filter_by_image_size($url, $val_size) {
    # load url header (note: the firewall itself fetches the client-supplied
    # URL here; only the headers, but it still reaches out on the client's behalf)
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_NOBODY, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $hd = curl_exec($ch);
    curl_close($ch);

    $size = 0;
    $SKEY = "content-length:";
    $s_tmp = strtolower($hd);
    $s_tmp = str_replace("\n", " ", $s_tmp);   # replace all "\n"
    if (strpos($s_tmp, $SKEY) !== false) {
        $s_tmp = trim(substr($s_tmp, strpos($s_tmp, $SKEY) + strlen($SKEY)));
        $s_tmp = trim(substr($s_tmp, 0, strpos($s_tmp, " ")));
        if (is_numeric($s_tmp))
            $size = intval($s_tmp);
        else
            $size = 0;
    }
    # === check url type and content size ===
    if (($size !== 0) && ($size < $val_size)) {
        # small enough: redirect to the specified url
        header("HTTP/1.0");
        header("Location: $url", '', 302);
    } else {
        # return blank image
        header("Content-Type: image/gif;");
        echo GIF_BODY;
    }
}
?>
```

    ![squidguard2.png](/public/_imported_attachments_/1/squidguard2.png) ![squidguard3.png](/public/_imported_attachments_/1/squidguard3.png)
  • [RESOLVED] Heterogeneous site to site : VPN or something else ?

    3
    0 Votes
    3 Posts
    605 Views
    N
    OK. Via VPN > OpenVPN > Client, is this right? Thanks ;) EDIT: Answering my own question: here for those who want it. Thanks, Nicolas
  • Interpreting status / traffic graph

    2
    0 Votes
    2 Posts
    704 Views
    KOMK
    Your WAN interface can send data out to the Internet or receive data in from the Internet.  IP_WAN is your WAN interface.  In your example, your WAN is receiving data from the Internet at the rate of 6 Mbps.
  • Need help debugging usb lte modem with PPP

    5
    0 Votes
    5 Posts
    2k Views
    ?
    I forgot about that thread. Yes, all info looks correct. It would need flashing to DirectIP for pfSense. That still doesn't guarantee it will be supported by the FreeBSD u3g0 driver. Worth a try, as DIP will work in most OSes.
  • Pfflowd not working with 2.2 RC - pfsync version mismatch

    14
    0 Votes
    14 Posts
    4k Views
    A
    Thank you very much: after saving twice in a row the rc.d scripts appeared! :) I just started to collect flows again thanks to the softflowd package. Sincerely grateful.
  • Proxy filter

    1
    0 Votes
    1 Posts
    516 Views
    No one has replied
  • OSX Finder very slow browsing shares via VPN

    14
    0 Votes
    14 Posts
    12k Views
    T
    Yeah, no problem. To answer your question: No, I did not. The Mac Mini was the client's machine.
  • 0 Votes
    11 Posts
    5k Views
    B
    I think you may be right Stephen. I will try out the localhost tomorrow. Yes it makes more sense not to have it on the LAN. I have no excuse other than it being the weekend and limited unpaid time working on a test machine. I will get there in the end. ;) When I get to a happy conclusion I will amend my previous posts.
  • CVE-2015-1414

    9
    0 Votes
    9 Posts
    2k Views
    N
    @fearnothing: @Nullity: I have LAN and WAN set to deny everything but the traffic I specify. It sounds tedious, but it was much easier than expected. The security and privacy (misconfigured apps are less likely to leak info) improvements are worth the trouble, imo. You also get to see just how spammy some of the stuff on your network really is, if you have logging turned on. My printer seems to think the network is ice cream which is badly in need of its UPnP chocolate sprinkles. lol.

    Yeah, some iOS devices were leaking some reasonably private information in plain text. I have a love-hate relationship with UPnP, but I think most of us do. That reminds me… I really need to set up a remote syslog service to send all my logs to.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.