Hmm, I think I did something stupid like deleting the user from User Manager that I was logged in as.  It should never let you do that, but it did.  I'll try to log it once I can reproduce it.

If the machine running the game (or server) is behind pfSense you can look in the webgui at Diagnostics: States: and then filter by the IP of the gaming machine. That will show you the ports of any connections. Steve

I can confirm also that 2.1.1 prerelease fixes the cycling issue after 3 days of running no issues. 2.1.1 also fixed snort clearing it's block table. Firewall logs also seemed to stay in sync after rule changes.

@zohaib: Hi all, I am planing to deploy pfSesne 2.1 for 4 WAN link 500Mbps Shared and 4LAN links. kindly suggest me Best hardware for that. Recently i had a very BAD experience, for almost similar needs i purchase Dell PowerEdge r720 with 2 NIC card (8 port gb) but facing issue in installation. Kindly suggest me best Hardware model. I setup a very similar configuration a few weeks ago: 4 x 300mbps download/10mbps upload WAN connections (on an Intel four port gigabit card) 4 x 1000mbps (gigabit) LAN connections (on the same model card as above, Intel four port gigabit card) It's running on this system: http://www.ebay.com/itm/DELL-PRECISION-T5400-WORKSTATION-2x-2-66GHz-QC-16GB-2x-73GB-/380831423599 (the seller upgraded it to 32GB of ram for $60, not sure if it would make any difference or not). With two of these: http://www.ebay.com/itm/Intel-4-port-Network-card-PCIe-Pro-1000-PT-Quad-Port-LP-SVR-Adapter-EXP1940PTL-/121265781963 The performance is absolutely mind blowing :) -Jamie M.

We've started all over again and were able to get LDAP CLI authentication working :-) We now have it on both the webcfg as well as the CLI, which was getting increasingly needed, as we are getting close to 100 virtual pfsense firewalls and local user accounts were getting unmanageable. Some rough notes: ###login with ssh & std admin user 1) /etc/nsswitch.conf group: files ldap # group_compat: nis hosts: files dns networks: files passwd: files ldap # passwd_compat: nis shells: files services: files # services_compat: nis protocols: files rpc: files 2) pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/net/openldap-client-2.4.26.tbz pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/nss-pam-ldapd.tbz 3) /usr/local/etc/nslcd.conf # The underprivileged user and group used for running the daemon. uid nslcd gid nslcd uri ldaps://ldap1.local.domain ldaps://ldap2.local.domain ldap_version 3 base ou=somedepartment,dc=local,dc=domain bind_timelimit 30 tls_reqcert allow ssl on 4) /etc/pam.d/sshd: # # $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.8.2 2012/11/17 08:24:38 svnexp Exp $ # # PAM configuration for the "sshd" service # # auth auth          sufficient    /usr/local/lib/pam_ldap.so  no_warn md5 auth            sufficient      pam_opie.so            no_warn no_fake_prompts auth            requisite      pam_opieaccess.so      no_warn allow_local #auth          sufficient      pam_krb5.so            no_warn try_first_pass #auth          sufficient      pam_ssh.so              no_warn try_first_pass auth            required        pam_unix.so            no_warn try_first_pass # account account        required        pam_nologin.so #account        required        pam_krb5.so account        required        pam_login_access.so account        required        pam_unix.so # session #session        optional        pam_ssh.so session        required        pam_permit.so # password #password      sufficient      pam_krb5.so            no_warn try_first_pass password        required        pam_unix.so            no_warn try_first_pass 5) /etc/pam.d/system    # # $FreeBSD: src/etc/pam.d/system,v 1.1.32.1.8.2 2012/11/17 08:24:38 svnexp Exp $ # # System-wide defaults # # auth auth            sufficient      pam_opie.so            no_warn no_fake_prompts auth            requisite      pam_opieaccess.so      no_warn allow_local #auth          sufficient      pam_krb5.so            no_warn try_first_pass #auth          sufficient      pam_ssh.so              no_warn try_first_pass auth            sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass md5 auth            required        pam_unix.so            no_warn try_first_pass nullok # account #account        required        pam_krb5.so account        required        pam_login_access.so account        required    /usr/local/lib/pam_ldap.so  ignore_unknown_user ignore_authinfo_unavail account        required        pam_unix.so # session #session        optional        pam_ssh.so session        required        pam_lastlog.so          no_fail # password #password      sufficient      pam_krb5.so            no_warn try_first_pass password        required        pam_unix.so            no_warn try_first_pass 6) install sudo package in webgui 7) install shellcmds in webgui 8) add shellcmd via webgui -> services -> shellcmd: nslcd    shellcmd 9) hack the sudo.inc file, because we can not add the sysadmins group manually, because the sudoers file is reset on boot AND we can not add it in webgui, because the sysadmins group isn't allowed: /usr/local/pkg/sudo.inc ...         foreach ($sudocfg as $sudo_commands) {                 // (user|group) ALL=(ALL|user spec) ALL|command list                 list($etype, $ename) = explode(":", $sudo_commands['username']);                 $user = ($etype == "group") ? "%{$ename}" : $ename;                 list($rtype, $rname) = explode(":", $sudo_commands['runas']);                 $runas = ($rtype == "group") ? ":{$rname}" : $rname;                 $nopasswd = ($sudo_commands['nopasswd'] == "ON") ? "NOPASSWD:" : "";                 $commands = (empty($sudo_commands['cmdlist'])) ? "ALL" : $sudo_commands['cmdlist'];                 $commands = ($commands == "all") ? "ALL" : $commands;                 $sudoers .= "{$user} ALL=({$runas}) {$nopasswd} {$commands}n";         }         $sudoers .= "%sysadmins ALL=(ALL) ALLn";         /* Check validity of the sudoers data created above. */         $tmpsudoers = tempnam("/tmp", "sudoers"); ... 10) let's make su work as non-root user: /etc/pam.d/su : # # $FreeBSD: src/etc/pam.d/su,v 1.16.32.1.8.2 2012/11/17 08:24:38 svnexp Exp $ # # PAM configuration for the "su" service # # auth auth            sufficient      pam_rootok.so          no_warn auth            sufficient      pam_self.so            no_warn #auth          requisite      pam_group.so            no_warn group=wheel root_only fail_safe auth            include        system # account account        include        system # session session        required        pam_permit.so 11) cp /usr/pbi/sudo-amd64/etc/pam.d/sudo /etc/pam.d 12) /etc/ssh/sshd_config PermitRootLogin yes Compression yes ClientAliveInterval 30 UseDNS no X11Forwarding no # Login via Key and Password PasswordAuthentication yes ChallengeResponseAuthentication yes PubkeyAuthentication yes # override default of no subsystems Subsystem      sftp    /usr/libexec/sftp-server Protocol 2 Port 22 Allowgroups sysadmins ###login with ssh & ldap user sudo su

It seems to be an issue of apinger that has troubles in this version of pfSense. I've configured cron to reset the apinger every 5 minutes and it seems to work. It's not the solution but at least a workaround. Here is the script that I execute with cron: #!/bin/sh killall apinger sleep 3 /usr/local/sbin/apinger -c /var/etc/apinger.conf

Yes, two ways at least.  I assume the pfSense machine has a serial port and connects to the switch.  One way is to set up pfSense to enable ssh logins from WAN, then ssh in and use cu to connect to the switch. Another more secure way would be to set up a VPN; once connected via VPN, then ssh in to pfSense and do the same. Any particular reason you want to use a serial line rather than ssh'ing to the switch directly? (you'd need to set up a VPN for this too).

@abadonna: It is set to block both. Remember that anything that causes pfSense to execute the filter_reload process will wipe out the block table. Try this if you want to see if Snort is blocking.  Go to https://www.grc.com/shieldsup and let it scan your IP.  Open two browser tabs:  one to your firewall interface with the Snort ALERTS tab, and one to the link I provided.  As the scan is in progress, periodically refresh the ALERTS tab page.  Look at the BLOCKED tab as well.  You should see the GRC site listed there. Bill

If you run a captive portal you can redirect clients to a web page of your choosing, usually hosted locally, so you can have whatever message you want but obviously users will only see it the first time the try to open a web page. If you want to have messages spontaneously appear on clients devices as they connect to your wifi I think you're out of luck. You would have to send it to some service already running on the clients like netsend for example. That may be possible but it would vary between devices/OSs. It would be very involved to get multiple things working and it would rendered completely ineffective by anyone running any sort of firewall like Windows Firewall, so almost everyone!  ;) Steve

It will get selected as default because it's the most recently defined gateway. However you almost certainly should't have a gateway defined on LAN at all. Steve

Be sure you're not dealing with software firewalls on the devices (like windows firewall, symantec, etc). Check the firewall logs to see if subject traffic is being rejected. (Status->System Logs->Firewall) For more than that we'll need more details.

I couldn't get it to work no matter what settings so I jumped over to OpenVPN and good to go. Impressed with the UserExport package that packages the User Cert and OpenVPN into one installation package.  Worked perfect first time.

That helps. Thanks.

There is not a cert creation script for the CLI at this time. The certs are held in config.xml with the other configuration data.

@j90785859: Thx, it works after i turned on the NAT Reflection. I had the same problem with my mail server, NAT reflection fixed it perfect. -Jamie M.

It was fixed the same day. It's not a vulnerability in the base system, just that one package. Since it was a package, it was simple to fix and people can update their packages and not worry. It's a non-issue anyhow for most, as it only matters if you have untrusted users logging into your GUI and you have given them access to the snort package.