• Status PPPOE SERVER users with FreeRadius

    1
    0 Votes
    1 Posts
    857 Views
    No one has replied
  • Switch-like VLAN capabilities

    16
    0 Votes
    16 Posts
    2k Views
    @razzfazz: @gravyface: Perhaps taking the opportunity to actually read through the request before responding with a hostile tone and we'd be that much farther ahead. That works both ways; your initial description wasn't exactly crystal clear. In any case, the way VLANs work in FreeBSD (and hence, pfSense) is that you have a parent virtual interface that will receive all untagged traffic (and only that), and then a separate child interface for each VLAN. In your scenario, you'd have vr2 as the physical parent interface; this will be your OPT1. This parent interface sends/receives untagged traffic only. You'd then create a child VLAN interface on vr2 (via interfaces -> assign -> vlan) for VLAN 20; this will create a new vr2_vlan20 network device that sends/receives only traffic with that particular tag. You will then have to create an OPT2 interface for this network device via interfaces -> assign -> interface assignments (the newly created VLAN interface should show up in the drop-down list) and set up DHCP, etc. as you want. If you want your LAN and OPT1 ports (i.e., untagged traffic on vr2) to be on the same L2 domain, you'll have to bridge them (interfaces -> assign -> bridge); in theory, you should be able to either create vr2_vlan20 and then bridge vr0 and vr2, or to create the bridge first and then create the VLAN with the bridge device as the parent; I'm not sure if the pfSense GUI will actually let you do the latter, but the former should work for your particular use case. Yes, I realized that I wasn't clear, which is why I clarified that in reply #9. I believe I'll need to do the latter, and thank you for replying (and actually reading the post!).
  • Inherited Network Madness

    4
    0 Votes
    4 Posts
    1k Views
    Triple NAT? Oh dear, I'd buy you a beer if I could. Yes, tear everything out, and replace it w/ a pfSense. Make sure you document everything and fully understand all the firewall rules, port forwards etc. I'd like to say that exposing 3389 to the world, although convenient, is not considered best practice. Try to push for a VPN tech (OpenVPN or L2TP, NOT PPTP!) which will put them on the internal network; they can then RDP into their machines. For an added layer of security, check out DuoSec as well for people RDP'ing into machines on your network. It's 2factor auth that's free for up to 10 users (basically it sends push notifications to your smartphone which you then approve/deny so even if the password is compromised it offers some additional security). With a bit of work DuoSec can be adapted for people dialling in via VPN as well – so when they hit 'connect', an SMS/Push Notification is sent to their device which must be approved before connection.
  • Existing pfsense, convert to Dual WAN

    7
    0 Votes
    7 Posts
    1k Views
    When you set up your new OPT1 interface, it will likely come with the standard Anti-Lockout rules (unless you have disabled these). Aside from that, all traffic will be blocked unless rules are explicitly set to pass it (as is the default configuration of just about any firewall on the market – default block all). To allow traffic to host(s) behind the OPT1 interface, you will have to add rules manually. So say you set up an FTP server and you want it to be accessible, you will need to add a rule to allow this host. The parameters you'd use would be:
    Interface: OPT1 (packets must come in on this interface to match this rule)
    Source: Any
    Destination: Single host or Alias <IP address of the FTP server>
    Source Port Range: FTP
    Save & Apply. So you won't have to worry about firewalling off the bat.
  • PPPoE issues – how to make logging more verbose?

    2
    0 Votes
    2 Posts
    974 Views
    I got it working – the issue was the firmware I was running on my modem (3.7.5.2) has a bug with PPPoE. Using firmware version 3.7.5 I was able to get it to work.
  • How to disable this feature without webGUI access?

    3
    0 Votes
    3 Posts
    8k Views
    Thanks, but I don't have access into the GUI at all. That's why I wanted to know if there was another way to disable the REFERER check. UPDATE: I got this solved by using the following command: pfSsh.php playback disablereferercheck The info was from here: https://forum.pfsense.org/index.php?topic=56956.0
  • Can't browse the internet when directly connect with my pc to LAN port

    2
    0 Votes
    2 Posts
    769 Views
    johnpoz
    Did you put a gateway on your LAN - this seems to be a common issue. Why users do this I have no idea, but it seems to come up quite often. Can your client on the LAN ping the pfSense LAN IP? Did you alter the default LAN rules?
  • Hourly : apinger: SIGHUP received, reloading configuration

    2
    0 Votes
    2 Posts
    2k Views
    Hi, disabling "State Killing on Gateway Failure" doesn't change this behaviour. Even more.. it seems that not apinger is reloading anything hourly. As far as I can see, also apinger IS restarted hourly. Currently I'm investigating radvd logs (routing.log), as I'm running IPv6 prefix delegation.
    Jul 26 09:13:25 pfsense radvd[40496]: resuming normal operation
    Jul 26 10:13:23 pfsense radvd[40496]: attempting to reread config file
    Jul 26 10:13:23 pfsense radvd[40496]: resuming normal operation
    Jul 26 10:13:24 pfsense radvd[40496]: attempting to reread config file
    Jul 26 10:13:24 pfsense radvd[40496]: resuming normal operation
    Jul 26 10:13:25 pfsense radvd[40496]: attempting to reread config file
    Jul 26 10:13:25 pfsense radvd[40496]: resuming normal operation
    Jul 26 11:13:23 pfsense radvd[40496]: attempting to reread config file
    Jul 26 11:13:23 pfsense radvd[40496]: resuming normal operation
    Jul 26 11:13:24 pfsense radvd[40496]: attempting to reread config file
    Jul 26 11:13:24 pfsense radvd[40496]: resuming normal operation
    Jul 26 11:13:25 pfsense radvd[40496]: attempting to reread config file
    Jul 26 11:13:25 pfsense radvd[40496]: resuming normal operation
    Is it possible that this has something to do with this BSD option: net.inet6.ip6.rtexpire: 3600 Any help would be appreciated. Kind regards, Roel
  • Network Setup

    3
    0 Votes
    3 Posts
    1k Views
    johnpoz
    Yeah, not sure how these questions are related to pfSense. Is pfSense going to be the gateway of every VLAN? Are you asking how to do that? And it's not really a Cisco EA6300, it's a Linksys home wireless router that can be had for like $100. I don't even think it supports VLANs. And I don't even see dd-wrt support for it. So not sure how you expect to put different wireless users on different VLANs?
  • SSL errors

    7
    0 Votes
    7 Posts
    2k Views
    johnpoz
    What is before that part of the sniff? I have to assume it resolved something to that IP.. What exactly are you doing to generate that traffic? BTW that is not an error, that is just some info about the packet - if you're thinking chksum bad is an error that would prevent communication or your error? So fix your issue on why the box is trying to go to 10.0.1.1 if that is not the correct IP for where you're trying to go. What IP are you trying to go to?
  • Some questions, some complaints

    6
    0 Votes
    6 Posts
    1k Views
    1. From the definitive guide, it says that Quick is enabled by default on all rules except floating rules. I don't know if that means it doesn't work or if Quick is not desirable. And, honestly, I can't even dream up a scenario where I create rules and then want them last-matched. Who does this, and what good is it? I tend to stick with what's originally suggested. If the wizard-created rules use MATCH, I use MATCH. You mean that quick option should work with match action, otherwise it doesn't make sense or this makes settings very confusing. I always try and test my configuration after I set new rules because funny things could always happen. I tested match action with quick option. I doubled ("add a new rule based on this one" button) an existing rule and I changed the second rule's queue to another queue. I set both rules' action to "match". Then I found out that traffic goes to the second rule's queue. Then, for the second test, I set the first rule's action to "pass", then I tested again; traffic goes to the first rule's queue. In my opinion, this trial and error method proves that match action doesn't work with quick option or there is a major bug in there. I use 2.1.4 version-p16, which seems to be the latest as of today.
  • Facetime and site to site VPN

    4
    0 Votes
    4 Posts
    2k Views
    Ok then! Then you will have to filter out the traffic. Did you try with the ports specified on the Apple document? You can also monitor the state table while on a call. Or better, assign a fixed IP address to your iOS devices and deny them access to the remote networks (unless you need that access for other reasons, of course)
  • How to make 2 subnets to working with Pfsense Proxy

    1
    0 Votes
    1 Posts
    663 Views
    No one has replied
  • Install pfSense TO USB FROM USB Stick/Flash?

    4
    0 Votes
    4 Posts
    11k Views
    @spiritfly: I never realized that the nanoBSD is a different version. I thought that guide is taking me to the same mirror links for the same image. Oh well.. I've already installed it to my USB flash disk using another USB flash drive to put the installation on it. Then booted from it and chose to install on the first (empty flash disk) and it installed correctly. I would caution you that the nano version has optimizations for flash that will preserve the life of the USB stick. Otherwise you might find it dying in less than a year since the standard version will write to it as though it were a hard disk. https://www.pfsense.org/about-pfsense/versions.html Flash memory can only handle a limited number of writes, so the embedded version runs read only from flash, with read/write file systems as RAM disks. Switching versions is actually quite painless. Save your configuration to your computer from Diagnostics: Backup/restore: Download Configuration, install the nano version to the USB stick, then upload your configuration back to it. Another alternative is that you can manually configure the full version to behave mostly like the nano version. @spiritfly: One question about this though. I've noticed that when booting from the USB flash when it is connected on some of the USB ports on the back of my PC, an error showed up just before pfSense was supposed to boot and the following command line came up: db> If I take and connect the same USB thumb on the front it runs perfectly. Weird.. I think all USB ports are USB 2.0 front and back. The MB is Asus M2N-MX if it means anything. My guess would be that the drive numbers are changed when you move it to a different port. The simplest solution is to have it in its final port when it's installed, although you can reconfigure if moving is necessary.
  • Squid, Snort, pfBlocker issue?

    3
    0 Votes
    3 Posts
    1k Views
    @Cmellons: " [Snort] Server returned error code 422…" Nothing to worry about. They are just updating on their end. It should be back to normal when they are finished. What about Squid and Snort rapidly stopping and starting and pfBlocker reporting "no… action during boot process"? I haven't seen these logs before and it seems unrelated to the Snort update process.
  • Strange port use when browsing

    3
    0 Votes
    3 Posts
    838 Views
    the destination is always 80, that is http, so i need to leave it. and it was my fault to block it :)
  • MySQL & PHP Errors

    1
    0 Votes
    1 Posts
    705 Views
    No one has replied
  • Workstation software blocking

    10
    0 Votes
    10 Posts
    2k Views
    NetVicious
    You could do it easily with Squid. http://blog.wains.be/2007/06/07/blocking-internet-explorer-with-the-squid-web-proxy/ Don't edit directly the Squid config file. Use the Custom Options text area on Services / Proxy Server menu on pfSense.
  • Lan network very slow

    44
    0 Votes
    44 Posts
    9k Views
    I have the luck that the average age here is 50+; most of them only know how to turn on the computer and do some surfing :) I'll keep it in mind and am going to try pfSense 2.2 when it is released.
  • New to pfSense

    16
    0 Votes
    16 Posts
    3k Views
    stephenw10
    If you have all that then use it.  :D I bet it cost a fortune when it was new! It should work fine. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.