• Memory Usage

    2
    0 Votes
    2 Posts
    981 Views
    stephenw10S
    Running Squid and Dans in 256MB is always going to be a tight fit. If it's working OK for you be happy about that.  ;) So yes 85% seems entirely expected, quite low even. Steve
  • Site to site VPN with one static IP possible in 2.1?

    9
    0 Votes
    9 Posts
    4k Views
    P
    @mauirixxx: I'm running a Fortigate 80C @ work and have a site to site ipsec VPN connecting my home office to it. I've yet to try openvpn, as the ipsec config "just worked" for me. Office is a static, home is dynamic. So yeah, totally doable with ipsec.
    Yes, I know it's doable, but not with pfsense on the work/office since pfsense NEEDS a static IP on your home box. I have set up other solutions and many boxes don't need to have an IP for the home box. I think it is made this way so the office could connect to the home, but if home had a stay alive checkbox there isn't any reason to use static IP on both places.
  • Different hostnames same ip destination

    12
    0 Votes
    12 Posts
    2k Views
    chpalmerC
    Look up virtual hosts as it applies to apache also. We run one apache server with multiple websites. http://httpd.apache.org/docs/2.2/vhosts/
  • Weird snort-openvpn behaviour

    2
    0 Votes
    2 Posts
    1k Views
    bmeeksB
    @maverick_slo: Hi all! I posted here since 2 packages are involved… We have 2 locations with same firewalls (pfsense 2.1 release). On location A I have OpenVPN server for roadwarriors. On location B I connect to this server with OpenVPN client. Configured with SSL-TLS+user auth. Now the weird thing... When connected CPU on pfsense on location B is OK. When I start to download file from location A to location B, snort goes crazy and consumes 100% CPU. See attached image. Any idea? Is this a bug maybe? Regards, M
    From the looks of that screenshot, it appears you are a victim of multiple identical Snort processes getting started. If you have only one interface with Snort active, then you should have only a single Snort process showing up. You have four with the same GUID (the 10837 number). Shut down Snort and then kill any remaining Snort processes. Start Snort again and see if things behave better. This multiple process start problem seems to be more acute on 2.1, but still does not affect everyone. I am looking into the root cause, but so far have come up empty. It happens to the majority of folks on reboots. Stop and start Snort from the command line using these commands:
    /usr/local/etc/rc.d/snort.sh stop
    /usr/local/etc/rc.d/snort.sh start
    Bill
  • How to detect OS and apply rules?

    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    There is OS detection in firewall rules. It isn't perfect, but it can be reasonably accurate. Add a block rule, pick the OS you want to block (if it's there), and if it detects them, it will block them. [image: select_os.png]
  • Cryptographic Hardware Acceleration options inconsistent v2.1 RELEASE

    4
    0 Votes
    4 Posts
    4k Views
    jimpJ
    @Sn3ak: I am fairly certain the reason for this, at least for System > Advanced > Miscellaneous > Cryptographic Hardware Acceleration, is that VIA Padlock is not a kernel module that can be loaded/unloaded. Similarly, you will notice HiFn is not reported in that list, for the same reason, even though the hardware is utilized if present. I don't use OpenVPN, so I can't comment on that part.
    You are correct. VIA padlock, Hifn, and others not listed there are in the kernel, not modules. AES-NI and glxsb are modules because certain use cases warrant not having nor wanting them loaded. Also selecting the cryptodev engine in OpenVPN isn't entirely necessary, we have found. OpenSSL will use a chip that claims support for a specific cipher if that cipher is the one in use. So if glxsb is on, says it does AES-128, and OpenVPN is set for AES-128, then it would use the accelerator chip no matter what the OpenVPN GUI was set for. Same for VIA padlock and so on.
  • Pfsense + FREENAS part II w/ SBS exchange

    3
    0 Votes
    3 Posts
    1k Views
    J
    Sorry but you haven't done anything that people in the virtualization sub-forum haven't been doing for a while: http://forum.pfsense.org/index.php/board,37.0.html. That thread you reference was about doing pfsense and FreeNAS in the SAME OS, not via a hypervisor. Not to mention, you wouldn't get SBS to run on FreeBSD anyway, pfsense and FreeNAS are both FreeBSD based and so they thought they might be able to combine them into one physical box under the same OS. It's certainly possible but definitely not ideal. A hypervisor provides the isolation you need to do it "right" (though there are some that still prefer separate physical firewalls for further security).
  • 0 Votes
    1 Posts
    820 Views
    No one has replied
  • Machine Hang

    1
    0 Votes
    1 Posts
    665 Views
    No one has replied
  • Can't RDP my pf client, help!

    12
    0 Votes
    12 Posts
    5k Views
    K
    Orange light?
  • Problem with two lan networks and access to ap

    100
    0 Votes
    100 Posts
    31k Views
    F
    I have two months to figure out how to do it {Meanwhile I will try to solve another problem I have with pfsense not related to this forum} Anyway Thanks everyone for the help
  • WebConfigurator access from the different interfaces

    2
    0 Votes
    2 Posts
    1k Views
    stephenw10S
    Yes, by default only LAN clients will have access to the webgui. However it's only restricted by the firewall rules, the webgui listens on every interface. You will have added rules on the WLAN interface to allow any access; you have to exclude the webgui if you don't want wifi clients accessing it. That is a curious error though. It looks like access is allowed but the password/uname is wrong. :-\ Steve
  • Connecting two subnets through WDS bridge

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Pfr_unroute_kentry: delete failed and freeze

    1
    0 Votes
    1 Posts
    764 Views
    No one has replied
  • [SOLVED] Very strange speed with the new version

    11
    0 Votes
    11 Posts
    2k Views
    JeanNoJ
    Hello, Speedtest and Pfsense are the same result, if you are ~50mb line in pfsense you see ~50mb. In my reader is just explain in ~6mb/s for ~50mb. I check all my hardware. Is difficult in my house. I have many switch, 4 switch, 4 room, on powerline networking, snort…. and many. I like this staff. My hp like Procure is very "poor man", "gros feignant" in french. he is not able, if we do not like to stress the newsgroup, mounted to 50mb and as it is the last link, everything is so slow. Tomorrow I'll buy a real switch. And I tell you the result. With a PC directly to the modem or the router I have 50mb / s but through the switch I only ~ 12mb. Sorry for everything and thanks for your help. I had another one in the living room and I exchange switches. And it's better. [image: 2980642015.png](http://www.speedtest.net/my-result/2980642015) @+ Jean-Noël PS: I do not understand why when I stress it reaches 50mb / s :)
  • New computer with PFSense?

    26
    0 Votes
    26 Posts
    6k Views
    A
    My 2 cents….
    Download an ISO Image of Hiren's BootCD, Version 9 or older (this is more simple to use) and burn to CD.
    Check the BIOS as mentioned in the posts above. Make CD/DVD boot BEFORE HDD or use F12 to select boot options and choose boot from CD/DVD.
    Reboot into the Hiren's Disc, on screen one, hit enter on the MORE line in options, on the SECOND DOS screen select MBR Tools, on the next screen select option 1 MBR Work 1.04b. Click enter on all options CHANGE NOTHING including swap files and it will open.
    When it opens, select option 3, then enter then Y then enter, then select option 4 click Y and then enter, then select option 5 click Y then select number 2 click Y then enter.
    This makes the HDD read as NEW (RAW) and any data that was once on it is unrecoverable. This method is like a level 9 DOD wipe, and any previous data on it is gone forever, I have tried this many times, and NO DATA RECOVERY SOFTWARE available has ever found anything on any HDD I have wiped this way, so you should have no trouble installing anything new.
    Click E to exit MBRWork; the screen will come up to R:// with a blinking cursor. Remove the Hiren's disc from the CD/DVD drive, and replace it with your Windows, Ubuntu or other O/S disc. Type reboot and it should start into the install of the O/S you have chosen, then just follow the prompts to install your new system.
    Overall this is not a bad PC, would be fine for most users not into games.
    Specs:
    Processor: Processor type: Athlon 64 X2 4400+; Processor speed: 2300.0 MHz
    Memory: Memory size: 3072.0 MB
    Display: Included monitor: No
    Graphics: Primary Graphics Chipset: Nvidia GeForce 6150SE; Video Bus: Integrated; Video Memory Type: Using main memory
    Storage: Raid type: none; Drive size: 320.0 GB
    Expansion slots: Open PCI Express X16 Slots: 2.0; Open PCI Express X1 Slots: 1.0; Number of PCI slots: 3.0; Number of PCI-Express Slots: 1.0
    Green: Energy Star compliant: 0.0
    Optical Drive: Optical Drive Type: DVD±RW
    Included Software: Operating System: Microsoft Windows Vista Home Premium (32 bit)
    Ports and Connections: Ethernet Type: Ethernet (10/100 Mbps); Available Interfaces: USB - Universal Serial Bus (rear) (x4), USB - Universal Serial Bus (front) (x2); Slots: 3; Parallel Port: No
    Case: Chassis style: Tower (Mini); Internal Drive Bays: 2; External Drive Bays: 3
    As a general use, or student PC this would be fine. Would make an excellent Office PC as was wanted as well. Drivers for Windows are here: http://support.gateway.com/us/en/emac/product/default.aspx?modelId=1299 I would install Vista Ultimate as the O/S, to make use of the shared memory and easier security control. If you need a copy let me know by PM.
  • Can pfSense be a 'router' and a NAT router?

    2
    0 Votes
    2 Posts
    941 Views
    J
    Your pfSense box gets 1 of your 5 IPs, the other 4 are added as VIPs and can be used for NAT.
  • HP/Intel NC364T Bridge Issue

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • VoIP quality low since 2.1 upgrade

    3
    0 Votes
    3 Posts
    1k Views
    K
    See - It's good to be intellectually limited like me. I know exactly 2 tricks that usually work. 1. Reinstall and reboot several times 2. Reboot some more.
  • L2TP or PSEC for Android to pfSense guide?

    7
    0 Votes
    7 Posts
    4k Views
    K
    OK - what does your configuration look like?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.