• ADSL modem and pfSense in different locations….

    0 Votes
    4 Posts
    891 Views
    johnpozJ
    You need to isolate them with your vlans on your switch.
  • Help with Random Reboots

    0 Votes
    6 Posts
    2k Views
    N
    Max, Yes I have tuned the igb card per the recommendations.  I did not have time this weekend to secure erase my drive.  I will let you know if doing that fixes my problems. Thanks, northfaceseen
  • Link Aggregation with bridged OpenVPN?

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How to ensure GPS time is working?

    0 Votes
    5 Posts
    1k Views
    D
    So, I have a /dev/gps0 device. Who is using it when I am trying to set it as a serial GPS? Is it possible to configure it as a serial GPS? In order to avoid talk about USB speed, please imagine that my computer has no internet. Then any slow USB is better than nothing.
  • Boot pfsense from a network share - possible?

    0 Votes
    8 Posts
    2k Views
    F
    My intention was to have what would normally sit on the hard disk on the network share. This way I can have another program monitor the changes made to the file system sat on the network share, which would give me the ability to find changes made which are otherwise unaccountable. It doesn't solve the problem of stuff running in memory only, though, but frequent reboots help counter that problem, as a new pattern would develop as the (re)infection process takes place again. But it's related to my other post about the ARP table showing the wrong info, the latest example of my observations being here: https://forum.pfsense.org/index.php?action=post;quote=563341;topic=100968.0;last_msg=563341 Based on the malware I have got here, which isn't being detected entirely by AV software, people/businesses need to start thinking about isolating their internet facing services, like web and/or email servers, from their private networks and start to go physical machines. In a way virtualisation puts all your eggs in one basket, which is no different to MS Small Business Server or Linux LAMP servers in a way, so by having an individual machine for each public facing service, you need to automate the installation and setup process as quickly as possible by spinning up a new server whilst also treating it as a disposable pawn. Breaking all encryption at the firewall even for browsers is a must, or have separate machines used exclusively for encrypted online access, like for online banking, in order to reduce risks across a LAN, business data getting compromised and so on. What's interesting about DuQu2.0, only spotted by Kaspersky Labs, is it steals MS SQL databases and email contacts from MS Exchange amongst other things, which is commercially advantageous in many ways, especially as the global economy contracted by $13 trillion since June this year. The planet's total GDP is only around $74 trillion if the investment websites quoting this info are correct; if not, ignore the financial bit.
It's also possible DuQu2.0 targets open-source software as well as a delivery conduit and might be what's buggering up my systems here; the catch 22 is no AV has hard facts, only traces of something. Edit. My catch 22 is, my email servers are down (have been for months as they keep getting hacked), so I only have the ability to post here my observations at the moment, as all forum registrations need email to register, aka a catch 22.
  • Locked myself out, any way to reconnect?

    0 Votes
    5 Posts
    958 Views
    T
    Managed to get at the console, finally. Spurred on by your thoughts, I decided to go all out, so I got my server off the wall (to make room for the vga cable), got a spare monitor and stuff. Managed to revert to a previous configuration. thanks!
  • IGMP proxy sometimes does not join groups

    0 Votes
    5 Posts
    2k Views
    P
    After some diagnostics I found out I did not have the allow options selected on all WAN rules. Funny thing is that the old igmpproxy worked without these settings (which should be a problem, because the reports from the host won't reach the igmpproxy). It seems everything is running fine now.
  • 2 networks seeing each other

    0 Votes
    11 Posts
    3k Views
    DerelictD
    You would pass the necessary traffic on the originating interface (the one initially receiving the connection request, thus allowing the traffic into the firewall) to the appropriate destinations.
  • PfSense 2.2.4 DNS Resolver how to enable log output?

    0 Votes
    4 Posts
    1k Views
    johnpozJ
    Well again look in the resolver log.. This is where errors in the resolver starting up would be listed.. Increasing the verbosity would log more info.. How is this NOT answering your question??
  • MultiWAN with 2 X PF LAN CARP HA and 2 X ADSL Modem for WANS - possible?

    0 Votes
    3 Posts
    1k Views
    P
    We have had this running for years now. Keep in mind that you need a subnet on both the cable and DSL (only 1 IP will not work with CARP, you need at least 3). Our cable is faster than the DSL, so I have set up just a gateway switch: when cable is down it switches to DSL (gateway groups). So if your cable and DSL have a subnet, you can connect them both to both pfSense.
  • Intermediate CA Creation issues with Godaddy Key

    0 Votes
    6 Posts
    2k Views
    D
    @dbennett: We have a wildcard cert purchased from Godaddy for our company. I would like to create an intermediate CA off of that so certs I create within my company will validate back to Godaddy, essentially adding us to the chain. So Godaddy -> my company -> my certs. Essentially our own internal intermediate CA. We are creating OpenVPN users with certs and the boss would like those certs authenticated back through us to Godaddy. I'm assuming it can't be done but thought I would ask. As johnpoz says, you won't be able to do this. There will be a flag in the Godaddy certificate that says 'cannot act as a CA'. Even if you forcibly sign your CA certificate with the Godaddy certificate, the signature will not act as part of a valid CA chain. It is sometimes possible to get a CA certificate signed by a CA certificate in the public roots, but they come with considerable security requirements (typically including storage in an HSM), are for a limited range of uses and are extremely expensive. Most CAs never issued these certificates, and those that do issue them may well insist on retaining physical control of the certificate and using it to sign objects at your request so that they can ensure the security and usage limitations are respected. Issuing user certificates would almost certainly be outside the usage scenarios for a CA certificate signed by a public root even if you did possess one. Typically, you cannot use an intermediate certificate to do anything other than issue server certificates for DNS names. As you can get server certificates chaining to a public root for addresses in the public DNS for free thanks to StartSSL, and most people never look at the contents of a certificate, having your own CA that chains to a public root is of limited value. Your boss needs to understand what is being asserted and by whom.
In the case of a VPN user certificate (or user certificate for a Windows domain), the assertion is that user X is a member of your organisation and is potentially entitled to use its resources, which is rightly made by a CA controlled by user X. There is no need for the CA making that assertion to chain to a public root, as no member of the public will be relying on the assertion in the user certificate.
  • Two VLANs, same DHCP

    0 Votes
    8 Posts
    2k Views
    johnpozJ
    "Wired and WiFi connections are part of same LAN network." Huh?? Thought you said wifi was vlan 10? I think you're not understanding what a vlan actually is.. Or for sure not explaining what you're wanting to accomplish, that is for sure.
  • Pfsense latency slow

    0 Votes
    3 Posts
    930 Views
    awebsterA
    Despite the lack of details, it sounds like there is a link that is ending up in half-duplex mode somewhere in the setup. Check that all links are correctly negotiating at full duplex. –A.
  • BT Youview IPTV setup

    0 Votes
    2 Posts
    2k Views
    D
    My FTTC connection is with Zen, who don't support YouView, so I never got deeply into this. You need an IGMP proxy running on the parent of your PPPoE interface for the YouView premium channels to work. https://forum.openwrt.org/viewtopic.php?id=52406 will probably give you some clues, though I have no idea whether the information is still current and it will obviously have to be adapted to pfSense. https://community.bt.com/t5/YouView-Boxes/Using-a-3rd-party-router-for-Multicast/td-p/1048582 may also help. Unfortunately I can't do any testing for you, as my connection is on the Zen LLU customer VLAN, not the BT Wholesale customer VLAN, so I won't have access to the multicast networks you are trying to access.
  • How to know which LAN IPs are connected to which Gateways

    0 Votes
    2 Posts
    479 Views
    F
    You can monitor the states that are made. All clients should connect to whatever is the default gateway on pfSense. You can control which gateway is used for what traffic / which host with policy routing and/or using gateway groups.
  • L2TP shared secret for link/interface configuration

    0 Votes
    9 Posts
    3k Views
    H
    ADSL (at least here in South Africa ;) ) is provisioned using PPPoE to set up the connection via Telkom (the big monopoly on copper last mile) to the chosen ISP's IPC (the ISP's data centre from where they provide the internet data). So that is the part that is a constant for all the users and ISPs, and Telkom issues a random IP for the duration of your connection from the network block the ISP has provided Telkom for their users in a certain region. The L2TP is then a separate tunnel (as would've been any other VPN/tunnel over OpenVPN/IPSEC/L2TP/PPTP/etc.) over the internet (though in the case in point it's using the ADSL line with PPPoE) to then provide a fixed IP address for the user of that ISP. The issue is specifically the authentication/shared secret part of the L2TP over IPSEC that is not usually implemented by pfSense and other open-source L2TP codes, but typically only by the closed source "pricey" routers the ISPs then dish out for these static IP solutions.
  • Problems after upgrade 2.1.5 to 2.2.4

    0 Votes
    11 Posts
    1k Views
    U
    Really, the problem was the limiters. I disabled the limiters and the backup firewall did not fail again. Hopefully this problem will be resolved in the release 2.3. Thanks for the efforts.
  • Quality latency issues

    0 Votes
    5 Posts
    1k Views
    P
    Thanks guys. I had used smokeping for years set up on a Raspberry Pi, but I just gave it away to someone to use as a media center. I'm going to get a Raspberry Pi 2 here soon. I will then demote my other Pi to smokeping duty.
  • Question ???

    0 Votes
    6 Posts
    1k Views
    johnpozJ
    I think you will have better luck in a forum with your native language.. You see a good product where? pfsense will pretty much run on anything; here are some min requirements https://www.pfsense.org/hardware/
  • LAN bridge changing local DHCP ip range

    0 Votes
    2 Posts
    751 Views
    D
    Normally you just change the static IP of the LAN interface. Once that's done the DHCP server will serve up addresses in the subnet defined by the LAN interface.