• Firewall rules for open VPN users by LDAP Security Groups.

    3
    0 Votes
    3 Posts
    2k Views
    jimpJ
    There isn't any mechanism for LDAP to give that info to pfSense. It does work for OpenVPN logins using RADIUS, with the rules passed back in Cisco ACL style using an avpair reply attribute (search around, there are examples on the forum), but LDAP doesn't have a way to do that at this time. You could set that up in NPS, most likely.
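An added example, not from the post above and not pfSense's own code: a strict parser for the Cisco-ACL-style per-user rules a RADIUS server can hand back for an OpenVPN login, plus an illustrative rendering into pf syntax. The reply is modelled as a Cisco-AVPair carrying ASA "downloadable ACL" entries of the form `ip:inacl#N=permit tcp any host 10.0.1.5 eq 443`; that attribute shape, the IPv4-only scope, the pf output format and the closing default-deny are this example's assumptions, not something the post states.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed attribute shape (Cisco ASA "downloadable ACL" style, carried in a
# Cisco-AVPair reply attribute); the post above only says "Cisco ACL style":
#   ip:inacl#<seq>=<permit|deny> <ip|tcp|udp|icmp> <src> [eq P] <dst> [eq P]
# <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (Cisco wildcard mask).
AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")
PROTOS = ("ip", "tcp", "udp", "icmp")


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[str] = None
    dport: Optional[str] = None


def _wildcard_to_prefix(wild: str) -> int:
    # Cisco wildcard 0.0.0.255 -> /24. Non-contiguous masks have no pf equivalent.
    inv = (~int(ipaddress.IPv4Address(wild))) & 0xFFFFFFFF
    prefix = bin(inv).count("1")
    if inv != ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous wildcard mask {wild!r}")
    return prefix


def _take_addr(tokens: List[str]) -> str:
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    if tok == "host":
        return str(ipaddress.IPv4Address(tokens.pop(0)))
    prefix = _wildcard_to_prefix(tokens.pop(0))
    # strict=True: host bits set under the mask means a malformed ACE, not a rule
    return str(ipaddress.IPv4Network(f"{tok}/{prefix}", strict=True))


def _take_port(tokens: List[str]) -> Optional[str]:
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
    elif tokens and tokens[0] == "range":
        tokens.pop(0)
        port = f"{tokens.pop(0)}:{tokens.pop(0)}"
    else:
        return None
    for p in port.split(":"):
        if not (p.isdigit() and 1 <= int(p) <= 65535):
            raise ValueError(f"bad port {p!r}")
    return port


def parse_avpair(value: str) -> Ace:
    # Strict: the attribute comes from the RADIUS server, but anything not
    # understood is rejected outright rather than applied as a partial rule.
    m = AVPAIR_RE.match(value.strip())
    if not m:
        raise ValueError(f"not an ip:inacl entry: {value!r}")
    tokens = m.group(2).split()
    try:
        action, proto = tokens.pop(0).lower(), tokens.pop(0).lower()
        if action not in ("permit", "deny") or proto not in PROTOS:
            raise ValueError(f"bad action/protocol in {value!r}")
        src = _take_addr(tokens)
        sport = _take_port(tokens) if proto in ("tcp", "udp") else None
        dst = _take_addr(tokens)
        dport = _take_port(tokens) if proto in ("tcp", "udp") else None
    except IndexError:
        raise ValueError(f"truncated ACE: {value!r}") from None
    if tokens:
        raise ValueError(f"unparsed trailing tokens {tokens} in {value!r}")
    return Ace(int(m.group(1)), action, proto, src, dst, sport, dport)


def to_pf(ace: Ace) -> str:
    # Illustrative pf.conf rendering; the exact rules pfSense generates are
    # not shown on this page.
    parts = ["pass" if ace.action == "permit" else "block", "in", "quick"]
    if ace.proto != "ip":
        parts += ["proto", ace.proto]
    parts += ["from", ace.src]
    if ace.sport:
        parts += ["port", ace.sport]
    parts += ["to", ace.dst]
    if ace.dport:
        parts += ["port", ace.dport]
    return " ".join(parts)


def build_ruleset(avpairs: List[str]) -> List[str]:
    # Attributes may arrive in any order: apply by sequence number and close
    # with an explicit deny (this example's choice, so the ACL is default-deny).
    aces = sorted((parse_avpair(v) for v in avpairs), key=lambda a: a.seq)
    return [to_pf(a) for a in aces] + ["block in quick from any to any"]
```

The practical point is that a reply attribute like this is policy pushed from the RADIUS server (NPS in the question), so that server sits inside the firewall's trust boundary: parse what it returns strictly, reject unknown tokens and non-contiguous wildcard masks instead of guessing, and make sure a missing or garbled ACL fails closed rather than falling through to "allow".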
  • An ISP and new to pfsense

    3
    0 Votes
    3 Posts
    774 Views
    chpalmerC
    "I want pfsense to act like a normal router with a firewall that blocks anyone from behind the WAN from seeing what's inside, please. Yes?" As it does by default… And? ^What Divsys said^
  • PfSense Community installed accidentally on SG-2440

    3
    0 Votes
    3 Posts
    2k Views
    jimpJ
    If you register the unit and login to the portal, you can download a full installation image for the factory firmware. It's technically possible to switch using a firmware upgrade, but it's not recommended. You can backup the config and reinstall and be up and running in a few minutes in most cases.
  • 3129 Port, Transparent Proxy Only !

    1
    0 Votes
    1 Posts
    527 Views
    No one has replied
  • Unable to connect to package server

    3
    0 Votes
    3 Posts
    849 Views
    4
    I'm not sure what happened, but after I posted last night, I went and did some firewall and port scans. Just fooling around. After that, I checked the packages again and THEY WERE ALL THERE. So, all's well.  ;D
  • 2 network cards - can access WebGUI but not ping pfSense

    10
    0 Votes
    10 Posts
    2k Views
    johnpozJ
    Well yeah, the default any/any rule allows ICMP; if you're not going to use an any/any rule and you want to ping, you would have to have a rule that allows ICMP. So my wireless guest segment is pretty locked down, but you can see I allow them to ping the pfSense interface so they can validate connectivity. Then any other IP of the firewall at all, on any port, is blocked. I then allow them out to anything they want as long as it's not RFC1918 (local networks); this allows them internet access. Notice they cannot even use pfSense for DNS; I hand them public ones via DHCP for that. [image: allowicmp.png]
  • Hugh packet loss via pfsense

    17
    0 Votes
    17 Posts
    5k Views
    S
    My question: who is "Hugh", and why is he worried about packet loss via pfSense?
  • Port forwarding problems - Probably an easy fix?

    4
    0 Votes
    4 Posts
    788 Views
    M
    Your "Filter rule association" shows "None", which means your port forward was created, but there's no associated firewall rule that is actually allowing the traffic through the firewall. Change the "Filter rule association" section to "Add associated filter rule". Should be good to go as far as pfSense is concerned.
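An added example, not from either post and not pfSense's own code: a small first-match model of pfSense interface rules that serves two of the threads above. It shows the guest segment rule order from johnpoz's "2 network cards" reply (ping the guest interface, block every other firewall address, block RFC1918, then allow out) and why swapping the last two rules silently opens the LAN, and it shows why a port forward with "Filter rule association: None" passes nothing: the redirect is applied before the WAN rules are evaluated, so the associated rule has to match the translated internal target. The addresses (guest 192.168.20.0/24 with pfSense at .1, LAN gateway 192.168.9.253, WAN 203.0.113.2, web server 192.168.9.10) and the simplifications (destination-only matching, no states) are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

IPv4 = ipaddress.IPv4Address
IPNet = ipaddress.IPv4Network

# Constructed addressing (assumption, not from the posts): guest VLAN
# 192.168.20.0/24 with pfSense at .1, LAN 192.168.9.0/24 with pfSense at .253,
# WAN 203.0.113.2 (documentation range). "This Firewall" = every pfSense address.
THIS_FIREWALL = {IPv4("192.168.20.1"), IPv4("192.168.9.253"), IPv4("203.0.113.2")}
RFC1918 = [IPNet("10.0.0.0/8"), IPNet("172.16.0.0/12"), IPNet("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" | "udp" | "icmp"
    dst: IPv4
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "pass" | "block"
    proto: str                 # "any" | "tcp" | "udp" | "icmp"
    dst: str                   # "any" | "This Firewall" | "RFC1918" | literal address
    dport: Optional[int] = None
    descr: str = ""


@dataclass(frozen=True)
class PortForward:
    proto: str
    wan_addr: IPv4
    wan_port: int
    target: IPv4
    target_port: int


def _dst_matches(rule_dst: str, addr: IPv4) -> bool:
    if rule_dst == "any":
        return True
    if rule_dst == "This Firewall":
        return addr in THIS_FIREWALL
    if rule_dst == "RFC1918":
        return any(addr in net for net in RFC1918)
    return addr == IPv4(rule_dst)


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    # Top-down, first match wins, as pfSense evaluates interface rules.
    for rule in rules:
        if rule.proto != "any" and rule.proto != pkt.proto:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if not _dst_matches(rule.dst, pkt.dst):
            continue
        return rule
    return None


def verdict(rules: List[Rule], pkt: Packet) -> str:
    rule = first_match(rules, pkt)
    return rule.action if rule else "block"   # no match: pfSense default deny


# Guest interface rule set from johnpoz's post (order matters).
GUEST_RULES = [
    Rule("pass", "icmp", "192.168.20.1", descr="ping the guest interface only"),
    Rule("block", "any", "This Firewall", descr="no other firewall IP or port, DNS included"),
    Rule("block", "any", "RFC1918", descr="no local networks"),
    Rule("pass", "any", "any", descr="everything else: internet"),
]
# Same rules with the catch-all moved above the RFC1918 block.
MISORDERED_RULES = GUEST_RULES[:2] + [GUEST_RULES[3], GUEST_RULES[2]]


def wan_verdict(forwards: List[PortForward], wan_rules: List[Rule], pkt: Packet) -> str:
    # Inbound on WAN: the port forward (rdr) is applied first, then the WAN
    # rules see the translated packet, so the filter rule must name the
    # internal target, not the WAN address.
    for fwd in forwards:
        if (fwd.proto, fwd.wan_addr, fwd.wan_port) == (pkt.proto, pkt.dst, pkt.dport):
            pkt = replace(pkt, dst=fwd.target, dport=fwd.target_port)
            break
    return verdict(wan_rules, pkt)


WEB_FORWARD = PortForward("tcp", IPv4("203.0.113.2"), 8080, IPv4("192.168.9.10"), 80)
# "Filter rule association: None": the forward exists but no WAN rule does.
WAN_RULES_NO_ASSOC: List[Rule] = []
# "Add associated filter rule": pfSense creates a rule matching the target.
WAN_RULES_ASSOC = [Rule("pass", "tcp", "192.168.9.10", 80, descr="NAT web forward")]
```

Run `verdict(GUEST_RULES, ...)` against a DNS query to 192.168.20.1 and it blocks, exactly as the post says; run the same LAN-host packet against `MISORDERED_RULES` and it passes, which is the kind of mistake that only shows up when someone on the guest network tries. `wan_verdict` with `WAN_RULES_NO_ASSOC` returns "block" for the forwarded port because the default deny on WAN still applies after translation.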
  • Unexplained traffic drop

    3
    0 Votes
    3 Posts
    847 Views
    N
    No proxy. Most of the storage is consumed by ntopng, I presume.
  • Pfsense and Proxy

    3
    0 Votes
    3 Posts
    1k Views
    ?
    Hello, use a RADIUS server for all internal employees and the captive portal for guests only. Set them up in different VLANs and install Squid, SquidGuard and SARG to get proper logging for all the actions you want. You could also set up static IP addresses and/or user authentication for Squid. Many ways are possible.
  • Squid3 ssl inspection with Transparent mode

    6
    0 Votes
    6 Posts
    2k Views
    M
    I know what you mean, but if this is the point, then they should remove the feature and say it doesn't exist, for security reasons or whatever. But they chose to put in half of it: you can enable it, but you won't be able to bypass any sites by FQDN; you must get all the IPs and bypass those.
  • VoIP problems

    2
    0 Votes
    2 Posts
    829 Views
    chpalmerC
    Any firewall rules on your WAN interface for your PBX? Since you're using Siproxd, make sure the destination address is "WAN address".
  • DMZ on pfSense VM

    10
    0 Votes
    10 Posts
    4k Views
    johnpozJ
    Yes, the gateway would be whatever you make the pfSense IP in the 192.168.2.0/24 network. VM networking is very simple on ESXi… Just think of your vSwitches as real switches, and the network cards you connect to them are just uplinks to your real switch. So with pfSense on your ESXi host you end up with something like the attached. Blue stuff is virtual switches and NICs; pfSense is a VM as well.

    While your vmkernel could have a gateway, to be honest, unless you want it to have internet access there is no real reason to point it to the pfSense LAN IP if you're just going to be accessing it from something else on the 192.168.2.0/24 network, be it virtual or physical.

    See attached my ESXi host vSwitches. While I do have my vmkernel broken out on its own vSwitch and its own physical NIC uplink, it's still on my LAN network, 192.168.9.0/24 in my case. So pfSense has 192.168.9.253 on LAN, which is the gateway for anything on that network, while it has other networks as well; for example the DMZ is 192.168.3.253 (see attached pfSense interfaces).

    The only difference between your setup and mine is that you're behind a double NAT, since you don't have a public IP on the pfSense WAN. So more than likely you would want to make the pfSense WAN IP the DMZ host in your ISP device, so that all ports get sent to the pfSense WAN. Or, if you want to do any port forwarding, you will have to do it both on your ISP device and on pfSense.

    [image: typicalesxi-doublenat.jpg] [image: esxinetworking.png] [image: pfsenseinterfaces.png]
  • Guest Wifi and VLANs

    4
    0 Votes
    4 Posts
    2k Views
    DerelictD
    @zer0: "@Derelict: Yeah you need a separate pfSense interface for your guest wi-fi. Something like this: https://forum.pfsense.org/index.php?topic=88942.msg491700#msg491700 Thank you for the reply, did you mean a separate NIC or a VLAN on the LAN interface?"
    Either.
    @zer0: "Also, can VLANs actually work given my setup and switches?"
    No idea, I didn't research those switches. They need to support 802.1q to do VLANs.
  • Redirecting local traffic

    7
    0 Votes
    7 Posts
    1k Views
    D
    I can see the VIP and the desired server on the subnet are different addresses (VIP .110 -> "real" .100), but I can't see how you can make it work if they're supposed to be the same (VIP .100 -> "real" .100) for certain ports, which I think was the original question. After rereading the OP, I see this is indeed what he was probably after; the "Fantom" IP is a Virtual IP under "Firewall > Virtual IPs".
  • Kern.ipc.nmbufs limit reached

    9
    0 Votes
    9 Posts
    7k Views
    M
    This is a 32-bit Intel system running a full install. 1 gig of RAM. The really weird thing is that the RRD graphs still show a completely steady low mbuf usage, much less than the limit set by kern.ipc.nmbufs.
  • Typo or bug in OpenVPN?

    5
    0 Votes
    5 Posts
    1k Views
    D
    But "verb 1" is a valid config entry, "verb default" isn't.
  • IPv6 Gateway Monitoring – Shows Gateway Offline

    10
    0 Votes
    10 Posts
    4k Views
    C
    Really solid, we're days away from release candidate and not likely to make any changes once we hit RC, with release soon after.
  • Crash log just randomly happened on a new 2440, what happened?

    2
    0 Votes
    2 Posts
    767 Views
    C
    Please get in touch via support.
  • Help setting up single-NIC box

    3
    0 Votes
    3 Posts
    1k Views
    K
    Thank you for your reply divsys.
    @divsys: "In order to get the VLAN solution working properly, you're going to need a VLAN capable switch of some kind."
    Can a router with dd-wrt software operate as a managed switch? Or am I far from it?
    @divsys: "Once you moved away from a 'Single NIC' installation, your pfSense would have firewall rules like a more traditional setup, WAN blocked and LAN allowing outgoing."
    I did "pfctl -d"; isn't this supposed to drop all firewalls?
    @divsys: "the USB NIC approach, they're pretty hit"
    I was hoping that the fact that I get the message on connection was a good sign, isn't it?
    @divsys: "You're probably better off finding a reasonable VLAN switch and working forward from there."
    I'm probably better off buying a more appropriate pfsense machine, but the whole point was to utilize stuff laying around :) Thanks again.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.