• APU SD > mSATA - Quick question about configuration

    0 Votes
    4 Posts
    950 Views
    remember to enable trim
  • Quad BlackVpn Question for Monitoring Firewall on OPT1

    0 Votes
    2 Posts
    729 Views
    Anyone? Need to monitor and have access to the WebGUI for the pfSense firewall on the 3rd built-in NIC as I am running dual NICs for the firewall without a whisper of me being between the pfSense firewall and the first Linksys E1200 v2 running DD-WRT Mega. If I log into this E1200 named Firewall, even with Kali Linux 2.0 GUFW running, I just get bombed. Who am I? A man who believes in the Constitution. My config works so each router is in a different location; basically the routers don't talk to each other except for the OpenVPN tunnel, and they're not going to with firewall magic and iptables. If I thought this was a firewall issue I would have been in there. If I am not on my OpenVPNs, it's not worth being on the internet. I know pfSense is good, and tinkered with is powerful, but is like butter for the workers… but encryption works. I am running 64-bit, the latest version, Snort and pfBlockerNG and more, going to move to Suricata in 3 days. I don't need help with that but someone must know... How to access from the OPT1?
  • PfSense + Ossim Alienvault

    0 Votes
    1 Posts
    965 Views
    No one has replied
  • Sticky connections by rule?

    0 Votes
    1 Posts
    515 Views
    No one has replied
  • Changing pfSense hostname and logging

    0 Votes
    6 Posts
    6k Views
    It's not removing the old hostname from the old logs, that only applies to the current hostname. It never shows the current hostname there.
  • Web Browsing Performance affected adversely with a single PC uploading

    0 Votes
    28 Posts
    5k Views
    KOM
    WTF does what's connected behind your router have to do with their network not giving you the speed you paid for?? The implication being that my own router is causing the problem, so get it out of series and test directly between PC and cable modem. The person telling you to do that is some level 1 reading off a script. And that's exactly what I expect when dealing with a consumer service.
  • MOVED: How to deal with apps when using transparent https proxy

    Locked
    0 Votes
    1 Posts
    353 Views
    No one has replied
  • Active FTP through a binat ipsec tunnel in 2.2. No go?

    0 Votes
    5 Posts
    1k Views
    johnpoz
    Why did it work in 2.1? Because 2.1 had a helper for FTP that changed IPs in the commands and opened up firewall rules.. As to why the package wouldn't work - pretty sure that is for clients to talk to an active FTP server, not for the active FTP server behind pfSense. There really should not be an issue with an active FTP server behind pfSense.. In that mode the client says "hey FTP server, come talk to me on IP:port from your source port 20", so your server is the one making the data connection.. So unless you have rules on the segment your FTP server is on that block traffic? I would just sniff the traffic and see what the client is actually sending you for the data channel. You sure the client is wanting to do an active connection where the server talks to the IP and port given by the client? You sure it's not a passive connection?? That would be broken since pfSense would have to forward ports into the server, which the helper used to do and which is now gone. First step is actually understanding how active/passive differ - this I find is normally the #1 reason it's not working, because they don't really know what is being used, active or passive, and don't understand the difference anyway. This is a GREAT write-up on active vs passive: http://slacksite.com/other/ftp.html Once you understand how the protocol works, creating the proper firewall rules is really straightforward..
  • Change in PfSense LAN IP address makes it inaccessible

    0 Votes
    6 Posts
    3k Views
    @Sher: Suggest, do I need improvements in this? Yes. Change your WAN and/or LAN address ranges so that they aren't on the same network (e.g. try 192.168.0.x/24 on the WAN and 172.16.0.x/16 on your LAN), as has been mentioned twice already. Then perhaps you can explain how the routers (modems?) are set up - are they set to route traffic from different internal networks? Are they meant for load-balancing? Or is only one of them being used for your internal clients?
  • Please help - Connecting to router ui

    0 Votes
    18 Posts
    3k Views
    I suspect there is a problem with the Cisco router. 1 - I connect the router directly to my PC to edit the settings like 'router mode', 'DHCP off', 'wifi password'. 2 - I then connect it to the pfSense server and I try to connect to it but am never able to do so. 3 - I remove the router from the pfSense server and try connecting directly to my PC again and am unable to do so, even after unplugging for 1 minute+ and restarting my computer. I have to reset the router with a needle in the back, and then all the settings are erased and I can connect again.
  • Newbie networking? maybe… advices expected

    0 Votes
    8 Posts
    1k Views
    I have no idea what's PABX in the first place. If it's supposed to hang on WAN, then it needs to be plugged in front of your pfSense.
  • Active/Standby Load Balancing

    0 Votes
    1 Posts
    592 Views
    No one has replied
  • Content filtering using Diladele Web Safety - a service I can trust?

    0 Votes
    4 Posts
    3k Views
    KOM
    If you're willing to go round and install certs on all devices, why not just set their proxy settings instead and run squid in explicit mode?  If you implement WPAD, you wouldn't even have to do that much for the most part.  WPAD is a simple standard that allows most devices to auto-detect the proxy on their own.  You can then process their HTTPS traffic without MitM warnings.  Pretty much everything either supports WPAD or manual proxy.  Android specifically does NOT support WPAD for some bizarre reason, but you can set the proxy per hotspot.  I really don't see any reason to use a commercial service when you could achieve similar results with squid, squidguard and a blacklist.  Another layer would be to configure their DNS to use OpenDNS Family Shield or Norton ConnectSafe.
  • [SOLVED]: Execute php from a Bash environment

    0 Votes
    10 Posts
    4k Views
    No, I'm not missing the problem. Any PBI clusterfuck is unusable for similar tasks. (Why are you writing bash-specific scripts for system that has no bash by default still goes beyond me.)
  • Help with the network layout openvpn and DLNA

    0 Votes
    1 Posts
    643 Views
    No one has replied
  • Log monitoring and firewall updates for dummies?

    0 Votes
    5 Posts
    2k Views
    @muswellhillbilly: @MakOwner: Obviously the ELK system wasn't working as it should have been – pfSense simply shows the remote logging host as down. Before you trash the ELK server, may I ask if you either have a firewall operating between your ELK server and your pfSense machine, or whether you have the firewall service running on your ELK server? From the command-prompt you can run 'iptables -l' to get a list of all the firewall rules running on the ELK system. If you do, try running 'service iptables stop' and see if that solves the issue. I don't know what your network is like - whether your ELK server is running on the same internal network as your PFS, for instance - but assuming the ELK is on the same network as the LAN side of your PFS you ought to be ok disabling the firewall on the ELK. I thought I had disabled the firewall on the ELK setup, but it won't hurt to double check. Network between pfSense and the ELK VM is a flat class B.  Network adapter in the VM is bridged.
  • Can’t remotely access WIFI thermostats.

    0 Votes
    12 Posts
    5k Views
    johnpoz
    Yeah reading about this.. It phones home and you control from their server.. Or you could access it via http to actual IP on your network.. So if you wanted to do that remotely you would need to vpn into your network or port forward 80.. But I could find no special ports need to be forwarded that is for sure to have it phone home and access it.. https://my.radiothermostat.com/rtcoa/
  • Q: Best Practice for monitoring Packet Response time?

    0 Votes
    4 Posts
    1k Views
    @jimmy_1969: True. However, in this case I have run mtr with a TCP SYN/SYN-ACK test in parallel with pfSense gateway monitoring, and there is a clear discrepancy. The SYN/SYN-ACK maintains low jitter and reports acceptable packet response time, whilst ICMP packets in the Status: RRD Graphs go from the ~100 ms range to >1000 ms in packet response time. I can run my connection to 70-80% of the link speed without any packet drops, and observe this ICMP behavior. So it's clearly load- and packet-priority related. Add a floating rule with interface WAN, Direction: Out, Protocol: ICMP, Pipe into qAck to allow pings to be prioritized just like ACK packets.
  • Forward port 80 to 8080 on the same lan

    0 Votes
    5 Posts
    1k Views
    johnpoz
    ^ exactly, or use autodiscovery like WPAD if your clients support that.. It's much better to do explicit pointing to your proxy than redirect from the gateway to the proxy just for the proxy to send the traffic back to the gateway.. That is a horrific hairpin setup..
  • Dozens of netstat commands

    0 Votes
    9 Posts
    4k Views
    So, this is the part where I have egg on my face. We have a script on these APU1Cs that activates the LEDs on the front. I have a few dozen units out and for whatever reason this only randomly occurs every now and then. I still can't find my post about this from some months back but it's essentially the same thing. It's happened twice now with all the units I have out. It confuses me since it shows in different ways. The script is called blinkled.sh but it doesn't show up in top or ps. I would expect if that script was the problem I would see it listed but it never is. In top it seems to show up as this netstat command since that is how it polls the interfaces, and in ps it shows up as tcsh (I guess because that's the shell we had to use as bash wouldn't work). The script is started at the top of each hour and updates every 5 seconds. When called, it runs the /usr/bin/killall tcsh command to clear out any running instances. For whatever reason, the killall command will stop killing the tcsh process and these just keep getting called over and over again and they all run concurrently and eventually take up all processing power. It may work for days, weeks, or months just fine before the killall tcsh command doesn't do anything anymore when called from the scripts. We have units that have been out over a year and still don't have this problem. The only solution so far is just to put the killall tcsh command somewhere else in the script. No idea why that solves it as it still gets processed at essentially the same time (right at the start to kill the previous process before calling the new one). tl;dr - A script we created was out of control. pfSense and its packages are just fine. The reason we are on the older version is that we send out very specific builds of the routers to incorporate the features we want to all of our clients. For instance, via a series of scripts we are able to run snort, squid, and havp perfectly fine on these units.
The process only writes about 250MB each month to the cards, or about 75% of the provisioned space each year (4GB provisioned using 8GB and 16GB cards). That should give them over 10 years of life. While packages such as snort may not get updates since the OS was EoL on the 2.1.4 back in August, they still load up with slightly older rule sets and still offer strong protection until they get the new 2.2.4 image we are rolling out. Thanks everyone for your contributions. Let me know if you have anything else to add (like why it works on some and craps out after a few months on others).
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.