• Active active firewall pfsync

    Locked | 0 Votes | 4 Posts | 1k Views
    I don't think you can, but you can always try it and see. Post the results in here.
  • Web server hosting

    Locked | 0 Votes | 2 Posts | 1k Views
    @Gi4usa: I am new to PFSense. I did not see anything in the documentation section on web hosting. I need information on how to securely host a web server, Win Server 2008 with IIS 7.0 using PFSense. Can anybody point me in the right direction?

    Hello Gi4usa, Here is a link to the screenshots that I looked at, I have the same concern however, I did look at the firewall screenshots and it is a good fit for what I need to do. I am not sure if these will help you but they helped me. http://www.pfsense.org/screenshots/ If you need help just send me a private message and I think I can help ya. Good Luck, Michael
  • Enterprise Solution

    Locked | 0 Votes | 12 Posts | 6k Views
    I agree with asterix. While the Aironet APs are not the most admin-friendly on the market (I vaguely remember issues with setting up roaming correctly), they work reliably. Unlike the "Linksys by Cisco" AP stuff, which reliably fails. Concerning Layer7 filtering: it increases CPU usage, but does little to increase security. I prefer not to use it, but your bosses might have a different point of view. If management decides that they want Layer7 filtering, your hardware requirements will rise by an order of magnitude. In my opinion, overly restrictive firewalls will only teach better "hacking skills". Especially in a school/university environment, where information about circumvention of restrictions is communicated very efficiently (among the users, not towards the administration). Virus scanners on the firewall don't make sense if users are allowed to bring their own hardware into the network. If there has to be traffic between the Guest WiFi network and the "production network", you should concentrate your efforts on this interface. However, this access path doesn't really need to be more hack-proof than from the public internet.
  • IPv4 anycasted caching resolver

    Locked | 0 Votes | 3 Posts | 1k Views
    I tried that, but I can't make unbound listen on any alias - they won't show up on unbound's configuration page and can't be selected as  "listening interface". Ideally we could configure aliases for the anycasted IPs on the loopback interface, but the loopback doesn't show up under "interfaces" either. The vNIC trick applies to virtualized environments, but obviously that won't work with a pfsense running on bare metal.
  • Pfsense under virtual machine

    Locked | 0 Votes | 2 Posts | 819 Views
    http://forum.pfsense.org/index.php/board,37.0.html
  • OS X VPN Proxy settings

    Locked | 0 Votes | 5 Posts | 2k Views
    SSH has a serious design flaw so I have SSH disabled to the outside world. Any known user can connect an infinite number of times. SSH leaves it up to the OS to manage this. SSH tunneling on a Mac and Windows both require administrative privileges to create the bridge interface as it's on-demand and not an OS level service. On top of that I need all the devices using the same VPN system and SSH tunneling can only be done with a jailbroken iOS device or with OpenVPN which is horrible on iOS and is not able to work on cellular for proxying. I may just have to resort to installing Server on the mini and just using pfsense for firewall/proxy. With OS X Server it's much easier to use profile management on Apple devices and force settings but I would rather just have one border device.
  • Best Tplink VLAN switch for Pfsense.

    Locked | 0 Votes | 12 Posts | 7k Views
    @star_tiger5, basically every TP-Link switch that is not unmanaged supports VLANs (web smart, managed, jet-stream). Switching speeds and total capacity differ per product iteration. So, if you are looking for the best performance, get the switch with the highest switching capacity for the number of ports you need. tl;dr, get any TP-Link switch in the jet-stream or web smart product lines.
  • IAX2 traffic not working

    Locked | 0 Votes | 5 Posts | 2k Views
    Hey Guys, I think this situation is related to another post I got resolved as per this post. http://forum.pfsense.org/index.php/topic,59608.msg321277.html Wasca
  • Access to PFSense

    Locked | 0 Votes | 3 Posts | 1k Views
    The first rule (except antilockout rule on LAN interface and block bogon networks) of every interface is:

    id   proto   source   port   destination   port   gateway   queue   schedule
           *           *             *         *                    *        *             none

    When I set up the HTTPS port on a different port, WebUI is still unavailable. nc -t -l 443 on the pfsense box and nc -t 192.168.1.1 443 on the LAN1 works in both ways.
  • Web UI crash every 5 minutes or so

    Locked | 0 Votes | 27 Posts | 9k Views
    @S(y)nack: All my VMWare ESXi interfaces are "flexible". I added one more interface with the "E1000" type and put it on the same network as my web UI interface. I've been able to access the web UI with this second interface, although it was crashed (again) on the first one. So could this possibly be a problem linked to the type of interface within ESXi? I'll wait and see if this second interface crashes too…

    Interesting. I remember having serious issues with the e1000 interface; a change to flexible solved my problems. However, this was with FreeBSD 6.4 under VMWare Server 2.0. Maybe it's the other way around with the FreeBSD 8.1 and ESXi 5.1?
  • Transparent NTP Redirection

    Locked | 0 Votes | 4 Posts | 5k Views
    If your clients use DHCP, you can also communicate a specific SHCP server via the "NTP servers" option. Of course, this is not as bulletproof as the "sneaky approach". It's also less geeky ;)
  • Zyxel DSLAM on pfSense PPPoE server

    Locked | 0 Votes | 2 Posts | 5k Views
    I got it to work :D As it turns out, there was no problem with PAP. So the information in the thread linked above is probably outdated and no longer true - it certainly had me confused. The actual problem was much simpler: The shared secrets on PPPoE server and FreeRADIUS didn't match. Other than that, PAP works out of the box.
  • ANY HELP ???? DVR AND PFSENSE

    Locked | 0 Votes | 3 Posts | 1k Views
    Thanks for a quick reply. We will give it a try.
  • Why is OpenVPN client unstable? What is the work-around for it?

    Locked | 0 Votes | 6 Posts | 9k Views
    @cmb: There's nothing unstable about OpenVPN client, it's one of the most widely used things. You have some kind of problem that isn't a bug, but no telling from that description what that might be.

    cmb, I had the WAN disconnected for 24 hours and now that I reconnected WAN the OpenVPN client didn't come up. I think I have nailed the problem to be with OpenVPN exiting when there is no WAN connection - This shouldn't happen and OpenVPN client should keep trying or it should be smart enough to come up the moment there is a WAN connection detected again. So, something is failing here. Following is the log:

    Mar 3 22:43:48 openvpn[39786]: SIGTERM[hard,] received, process exiting
    Mar 3 22:43:48 openvpn[62930]: UDPv4 link local (bound): [AF_INET]192.168.254.10:47383
    Mar 3 22:43:48 openvpn[62930]: UDPv4 link remote: [undef]
    Mar 3 22:43:48 openvpn[63453]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 6 2012
    Mar 3 22:43:48 openvpn[63453]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 3 22:43:48 openvpn[63453]: LZO compression initialized
    Mar 3 22:43:48 openvpn[63453]: TUN/TAP device /dev/tun1 opened
    Mar 3 22:43:48 openvpn[63453]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Mar 3 22:43:48 openvpn[63453]: /sbin/ifconfig ovpnc1 172.18.18.2 172.18.18.1 mtu 1500 netmask 255.255.255.255 up
    Mar 3 22:43:48 openvpn[63453]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1561 172.18.18.2 172.18.18.1 init
    Mar 3 22:43:48 openvpn[4443]: UDPv4 link local (bound): [AF_INET]192.168.254.10
    Mar 3 22:43:48 openvpn[4443]: UDPv4 link remote: [AF_INET]65.64.64.64:54344
    Mar 3 22:43:48 openvpn[4443]: Peer Connection Initiated with [AF_INET]65.64.64.64:54344
    Mar 3 22:43:49 openvpn[4443]: Initialization Sequence Completed
    Mar 4 09:32:24 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:25 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:26 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:27 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:28 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:29 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:30 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:31 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:32 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:33 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:34 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:35 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:36 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:37 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:38 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:39 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:40 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:41 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:42 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:43 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:44 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:45 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:46 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:47 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:48 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:49 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:50 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:51 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:52 openvpn[4443]: Inactivity timeout (--ping-restart), restarting
    Mar 4 09:32:52 openvpn[4443]: SIGUSR1[soft,ping-restart] received, process restarting
    Mar 4 09:32:54 openvpn[4443]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 4 09:32:54 openvpn[4443]: Re-using pre-shared static key
    Mar 4 09:32:54 openvpn[4443]: LZO compression initialized
    Mar 4 09:32:54 openvpn[4443]: TCP/UDP: Socket bind failed on local address [AF_INET]192.168.254.10: Can't assign requested address
    Mar 4 09:32:54 openvpn[4443]: Exiting
    Mar 4 09:32:54 openvpn[4443]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1561 172.18.18.2 172.18.18.1 init

    List of process running at this moment as it might be relevant per this link = https://forums.openvpn.net/topic8933.html :

    $ top
    last pid: 25694;  load averages:  0.00,  0.00,  0.00  up 0+22:43:15    19:40:08
    34 processes:  1 running, 33 sleeping
    Mem: 39M Active, 24M Inact, 41M Wired, 8K Cache, 34M Buf, 130M Free
    Swap:
      PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
    24839 root        1  46    0 36564K 24408K piperd   0:49  1.95% php
      262 root        1  76   20  3408K  1208K kqread   3:25  0.00% check_reload_status
      466 root        1  76   20  3656K  1460K wait     1:06  0.00% sh
    48841 root        1  64   20  6080K  6104K select   0:15  0.00% ntpd
    24156 root        1  44    0  8764K  6628K kqread   0:08  0.00% lighttpd
    32953 dhcpd       1  44    0  8436K  5688K select   0:07  0.00% dhcpd
    62930 root        1  64   20  5116K  3304K select   0:05  0.00% openvpn
    33857 nobody      1  44    0  5564K  2552K select   0:02  0.00% dnsmasq
    16616 root        1  44    0  5912K  2368K bpf      0:02  0.00% tcpdump
    24408 root        1  46    0 35540K 19848K accept   0:02  0.00% php
    16411 root        1  44    0  4956K  2436K select   0:01  0.00% syslogd
    48534 root        1  64   20  3316K  1352K select   0:01  0.00% apinger
    16778 root        1  44    0  3316K   904K piperd   0:00  0.00% logger
    49678 root        1  44    0  3408K  1388K nanslp   0:00  0.00% cron
    54249 root        1  71    0  3316K  1040K nanslp   0:00  0.00% minicron
    17024 root        1  44    0  3436K  1444K select   0:00  0.00% inetd
    63848 root        1  76    0  3688K  1576K wait     0:00  0.00% login
      282 root        1  44    0  1888K   532K select   0:00  0.00% devd

    ***The only other VPN process on this pfSense is a VPN server. It seems like once WAN is connected some script is not notifying OpenVPN tunnel to restart so it just stays stopped.

    ***I think this issue is closely related to this issue: http://forum.pfsense.org/index.php/topic,2785.30.html

    Thanks
  • Did I get hacked?

    Locked | 0 Votes | 10 Posts | 4k Views
    jimpJ
    Sadly, AV companies can't take a joke…  :P
  • Connection issues v.2

    Locked | 0 Votes | 4 Posts | 1k Views
    Hi again and thanks for the replies. No, it's not hosted by ourselves. The problem was apparently our DNS server on the win2003 server. A friend of mine fixed the problem and showed me how to add sites outside our LAN. Thanks again for your support. Kenneth
  • Connection Issues - Some sites work while others do not.

    Locked | 0 Votes | 21 Posts | 5k Views
    I believe I may have found what was causing this issue. When I have IPSec enabled I seem to have issues connecting to the company website. With IPSec disabled things seem to be normal. Has anyone encountered something like this?
  • Options in the Dashboard {wake on lan and Traffic Graph}

    Locked | 0 Votes | 8 Posts | 2k Views
    Well, I did what you said. But before I did that on the primary system, I did that to the secondary system that is installed on a virtual machine. In the file I downloaded from the virtual machine, the specified line was there; I changed it and it worked. In the file of the main machine, it was not there.
  • Ssh server unexpectedly closed network

    Locked | 0 Votes | 8 Posts | 4k Views
    It doesn't for me: If I ssh into pfSense, select option 8 (Shell), start a ping then type Ctrl-C the ping terminates and I get a shell prompt. If your ssh sessions behave differently, please provide more details such as the system you ssh'd from and exactly what you are doing. Screen capture would probably be helpful.

    I tested what you said; yeah, I can type Ctrl+C to terminate ping in the local shell. But I mean in the pfSense menu, selecting option 7 to ping a host. OK, getting in the shell and then Ctrl+D is a good way to redisplay the menu. Thanks.
  • Service-utils.inc :: line 90, sleep(2) not long enough

    Locked | 0 Votes | 1 Posts | 879 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.