• Wireless connection

    0 Votes
    3 Posts
    658 Views
    What's the hw involved (wifi & laptop nic) and OSes involved? Like Dok, I assume pfsense is somewhere in the mix?
  • RRD graphs throughput but not totals

    0 Votes
    37 Posts
    6k Views
    So nobody has an idea since I posted the results of the requested command?
  • Improving Apinger with firewall optimization algorithms

    0 Votes
    4 Posts
    899 Views
    It's never idle long enough for state timeouts to matter. Its general unpredictability in problem circumstances makes it hard to say whether changing something actually had any impact.
  • Delete state, Reject & Block rules work perfectly fine

    0 Votes
    58 Posts
    15k Views
    The way ISA handled it was you have to restart the service, just like killing all states achieves in pfsense, but you couldn't do schedules in ISA and I don't know about the latest ones either as I've not looked at those. Today I've been testing pfsense 2.1/freebsd 8 and pfsense 2.2/freebsd 10. It's more difficult testing with FF on windows because even when you don't use Google as the search provider in the FF toolbar, your web activity is still sent back to Google and the cloud servers they hire like from Amazon, which then further "compliments" their search business, a trick MS seems to have missed, but the way FF & Google works makes it harder to keep track of the states as it opens up so many to do a distributed download from youtube amongst other things. I'll be hooking into FF & Windows at some point to examine the memory and thus just what exactly is being sent back to Google as we have a concept called privacy over here in Europe. So I will have to repeat the tests again with some other web browsers tomorrow but there is at least one minor change in behaviour in PF/pfctl between freebsd 8 & 10, but until I can come up with a test which can be repeated by others with more detailed steps it's hard to prove the states killing isn't working properly using Windows or Linux with the technology most people have access to.

    @cmb: @Derelict: If I have a pass rule that passes, say, source 192.168.1.0/24 to an ssh server. Then I change the rule to pass 192.168.1.0/25 and Apply Changes. Should the firewall kill all states for source addresses 192.168.1.128-255 but not sources 192.168.1.0-127? Are YOU going to write that code? That's just one example of many. It's impossible to do in a bug-free way. It's a hell of a lot of work to do in a way that would ultimately be buggy for a range of edge cases.

    Nothing ventured nothing gained, but a problem shared is a problem halved. I'm sure there's plenty of people who would like to chip in with their views as to what would be ideal or the best way to handle the different situations to kill off states. Even taking votes and having a discussion on what should happen and why is at least a democratic way to resolve & expedite some of the thought processes that will be involved in deciding how to handle some situations, which leaves the job of coding it an easier one as no one person can come up with all the ideas. Can the forum do votes?

    @Supermule: :D It's just because we are questioning basic design in pfsense. s/pfsense/basically every firewall in the world/ Feature suggestions are always welcome. This wouldn't be an unreasonable feature request. But acting like it's the end of the world and everything is shit because things work the way basically every firewall works isn't going to get you far.

    When it's your business that keeps getting hacked, anyone who runs their own business knows it's their baby and thus it can be for some the end of the world when your baby goes bust for reasons that are in other people's or industry's hands. Whether the industry is right or wrong about allowing or even accepting dangling states and dangling sockets in Linux is a debate for another day, but finding a solution to dangling states will certainly elevate ESF above the rest if the problem is to be tackled and users want it to be tackled.
  • Monitor wireless access points?

    0 Votes
    15 Posts
    2k Views
    johnpoz
    yup looks exactly what you were after - let us know how it works out.
  • I NEED HELP WITH HOW TO MAP AN IP ADDRESS TO A HOST NAME IN PFSENSE

    0 Votes
    2 Posts
    403 Views
    You need help with your stuck Caps Lock and screaming in general.
  • COS 802.1p between pfsense 2.2.2 and 2.1.5

    0 Votes
    1 Posts
    667 Views
    No one has replied
  • How to change maxpoll in ntpd.conf [Solved]

    0 Votes
    7 Posts
    2k Views
    Yeah, better to do a diff and use System Patches package to keep track of things.
  • Reaching WebGUI on bridged interface

    0 Votes
    11 Posts
    2k Views
    Excellent. I'm glad I could help.
  • What is: "pfr_update_stats: assertion failed." ?

    0 Votes
    6 Posts
    3k Views
    Do you have any packet captures to go back over from when the problem occurred? That might be telling.
  • Manual L2TP Connection via shell

    0 Votes
    3 Posts
    871 Views
    Enable log phys, phys2 and phys3 to get more verbose output, please
  • Please help me understand this log entry

    0 Votes
    8 Posts
    1k Views
    cwagz
    @bearda: This is REALLY common for sites with multiple pieces of Apple gear, but not terribly well understood. From what I can tell it's related to the Bonjour Sleep Proxy feature: http://en.wikipedia.org/wiki/Bonjour_Sleep_Proxy Some pieces of Apple gear that go into a low power mode can ask another device on the network to remember what services it provides, and wake it up when someone asks for them. The low power device goes to sleep, and then the device that stays awake (probably your router in this case) assumes the identity of the other device. Since your router is seeing the IP used by the AppleTV change from the MAC address of the AppleTV to the MAC address of your AirPort it's a little confused. I recommend setting the System->Advanced->Networking->Suppress ARP messages option in these cases to avoid your log getting spammed.

    Thank you. This would seem to explain it.
  • Help: Borked SSL Package Server Certificate, and Connection!

    0 Votes
    2 Posts
    1k Views
    Check the time and date on your pfSense box.
  • MOVED: The proxy won't let me browse some pages

    Locked
    0 Votes
    1 Posts
    449 Views
    No one has replied
  • Pfsense & netduma router config help.

    0 Votes
    5 Posts
    2k Views
    What version of pfsense are you using? I've just discovered something which might affect you, more details here https://forum.pfsense.org/index.php?topic=94619.0 If they do affect you, remember to Reset all states (Reset Button in Diagnostics:Show States, Reset States tab) and/or reboot pfsense before testing.

    I have tried setting the nic to static, DHCP. Maybe it has something to do with the mac address?

    You set the OPT2/NetDuma to static and optionally run a DHCP server if you want to hand out IP addresses to anything connected to it, but remember OPTx nics will all have default block, so you need to create rules which let things through. LAN by default lets anything out which is why you may have been seeing things work differently. If you run the DHCP service the devices connected to OPT2 will get an IP address but you then need to create a rule to allow access to the DNS service on the FW (and possibly other services like Netbios, it depends on the rules and how other devices work) and add a rule to let anything out. Rules work top to bottom and if you want to stop OPT2/Netduma from gaining access to your other networks, add a rule to block access to your other lans before the allow everything rule. See the image in this post for an example. https://forum.pfsense.org/index.php?topic=94566.msg525350#msg525350 In the first rule of the image leave your gateway as default ie so it's showing as a *, although it will still work if you chose a gateway and you only have one internet connection and thus one gateway. If you have two or more internet connections then you could control what OPT2/Netduma went out on if you were into gateway groups and other things like load balancing etc etc.

    Ignore the two rules showing block WAN net & address, these were for tests I've been doing at my end, but overall those rules will help you gain net access for any device connected to OPT2/Netduma whilst stopping anything from talking to anything else on your other networks like your LAN & PS. the fw ie SSH, http & https gui but allows access to the time server (NTP) and the DNS on the fw. hth.
  • Where does the Dynamic DNS list of Domain Providers come from and why?

    0 Votes
    3 Posts
    1k Views
    I use the Swiss company www.joker.com who provide a free dynamic dns service when you buy domain names through them.

    Services: Dynamic DNS client
    Service type: Custom
    Interface to Monitor: WAN (unless you have a different setup with multiple connections to the net)
    Interface to Send update from: WAN (unless as above)
    Verbose Logging: Up to you
    CURL options: Up to you
    Username: Leave Blank
    Password: Leave Blank
    Update URL: https://svc.joker.com/nic/update?username=[Enter your Joker Dynamic DNS Username here]&password=[Enter your Joker Dynamic DNS password here]&hostname=[Enter your Joker Domainname or subdomain here]&myip=%IP%
    Result Match: Leave blank.

    You can also use additional settings in the update URL like
    Update URL: https://svc.joker.com/nic/update?username=[Enter your Joker Dynamic DNS Username here]&password=[Enter your Joker Dynamic DNS password here]&hostname=[Enter your Joker Domainname or subdomain here]&myip=%IP%&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG

    You can do MX with Joker.com for email hosting as some other dynamic DNS services don't allow it, but if you plan to host your own personal email server, some ISPs add their residential IP addresses to various black lists & spam lists to discourage you from hosting your own email, but most mail servers will send email direct so will accept the email others won't either for spam list reasons and/or the reverse DNS for your ISP doesn't match your DNS settings, or for things like DKIM is not set up. You can get around this by using your ISP email server or another commercial email server but again YMMV.

    Exclude the square brackets for the tokens used in the Update URL example: [Enter your Joker Dynamic DNS Username here] [Enter your Joker Dynamic DNS password here] And note your Dynamic DNS username and password is different to your account username and password if it's not obvious. Incidentally the dynamic dns username and password would typically be a 16 character alphanumeric string like gv66gyubgg876fn1 or hhbd7d45bned890f or jhbs623vyid987fb. Customer service has been very prompt when emailing them and helpful with a good FAQ database. FWIW.
  • PHP Scripts

    0 Votes
    1 Posts
    480 Views
    No one has replied
  • 0 Votes
    10 Posts
    2k Views
    @divsys: Just a thought, but what's wrong with setting up the remote site's pfSense with an OpenVPN client back to "home".

    Thanks for the input both Almabes and divsys. OpenVPN is great but it's the last option I will consider for a few reasons:
    Service can go down and not re-spawn (I have seen this happening in different versions of pfSense)
    I am assuming the setup would be very complicated given you have to script for different types of hardware due to naming convention in WAN interface names and simply keys etc…
    OpenVPN needs directives like local lan IPs and etc... that can not be dynamic and must be pushed through tunnel to other side to allow other side to reach it so when a factory default is done it can be rendered useless.
    So, many reasons above that I can see this get very complicated. I was hoping for something really really simple that would open a tunnel to SSH or WebUI for quick access even if it's something I have to script or get my programmers to program.
  • Monitoring traffic of my specific device / mac address

    0 Votes
    4 Posts
    904 Views
    Yes. Another NIC, another LAN. You could manage with pfSense how LANs communicate or not.
  • Default Deny Rule - Where is it ?

    0 Votes
    21 Posts
    4k Views
    johnpoz
    https://doc.pfsense.org/index.php/Versions_of_pfSense_and_FreeBSD Dude, that version came out in 2009.. Update to current and people are more than willing to help you set up a dual wan; that is a very common, click click setup.