• Crash Report Analysis - Correct procedure?

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    stephenw10S
    It's more about the security fixes than the extra features. Look at the release notes to see what applies to you. As JimP said recently, it looks like there will be a further update relatively soon to deal with the PPPoE DNS issue. You could wait for that if it applies to you. I have upgraded with no issues. Steve
  • Python script for OWL-Intuition

    Locked
    26
    0 Votes
    26 Posts
    16k Views
    V
    Program UPDATE
    Bug fixes. Checks for and creates sub-directories by itself, no need to create directories manually. Support for a db file log of daily kWh using sqlite. Now requires the sqlite port.
    It now has two parts that remain resident: owl.py, which writes the log files, and responder.py, which responds to email queries. You can send an email (ID as defined in responder.py) with subject "OWL" and from and to dates in the 1st and 2nd lines of the mail body in the format yyyy-mm-dd as a query. The code will reply with an attached txt file containing a statement of usage within the dates, total kWh and average kWh.
    Version 1.0.2
    Installation steps:
    1. Download and unzip owl.rar: https://dl.dropbox.com/u/2185098/generic/owl.rar
    2. You may place all files in /home and rename them to *.py
    3. Edit all .py files, check the comment areas to modify.
    4. # chmod +x /home/*.py
    5. Add Firewall > Virtual IP > IP Alias 224.192.32.20/24 to your local interface
    6. Add Firewall Rules > local interface:
       Allow UDP * * 224.192.32.19 * * note
       Allow IGMP * * * * * none
       Allow * 224.192.32.19/24 * * * default none
    7. pfSense > Diagnostics > Backup > Download backup config.xml; find /system and add just below it:
       <shellcmd>python /home/owl.py &</shellcmd>
       Save the file and restore it.
    8. pfSense > System > General Setup > NTP time server: change to "pool.ntp.org"
    Notes: to install Python with the sqlite port:
    /etc/rc.conf_mount_rw
    mkdir /home/tmp
    setenv PKG_TMPDIR /home/tmp/
    pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386/8.1-RELEASE/packages/All/py26-sqlite3-2.6.5_1.tbz
    /etc/rc.conf_mount_ro
    I would be glad to know if you have used the code or taken any help from it.
    EDIT: It seems to be working now. I made responder.py a subprocess of the main script instead of trying to start both scripts using shellcmd.
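    The sqlite daily-kWh log and the two-date e-mail query that the post above describes, written out as an added example. This is not the poster's owl.py or responder.py; it shows the part a reviewer would want to see done carefully: the two date lines from the mail body are validated before they reach the database and the query is parameterised, and only an "OWL" subject from a listed sender is answered. The table and column names, the allowed-sender set and the sample readings are all assumptions made for the example.

```python
"""Added example for the OWL responder described above (not the poster's
owl.py/responder.py). Stores daily kWh in sqlite and answers the
from-date/to-date mail query. Table name, column names, the allowed-sender
list and the sample readings are assumptions made for this example."""
import sqlite3
from datetime import datetime

SCHEMA = ("CREATE TABLE IF NOT EXISTS daily_kwh ("
          "day TEXT PRIMARY KEY, kwh REAL NOT NULL)")

# Constructed sample data: (yyyy-mm-dd, kWh used that day)
SAMPLE_DAYS = [("2013-01-01", 10.0), ("2013-01-02", 14.0),
               ("2013-01-03", 12.0), ("2013-01-04", 8.0)]


def _parse_date(text):
    """Accept only yyyy-mm-dd; anything else raises ValueError."""
    return datetime.strptime(text.strip(), "%Y-%m-%d").date()


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def record_day(conn, day, kwh):
    """Store one day's total; re-running for the same day replaces it."""
    day_iso = _parse_date(day).isoformat()
    conn.execute("INSERT OR REPLACE INTO daily_kwh (day, kwh) VALUES (?, ?)",
                 (day_iso, float(kwh)))
    conn.commit()


def parse_query(body):
    """From-date on line 1, to-date on line 2 of the mail body (the poster's
    protocol). Both are validated before anything touches the database, so
    a line like "2013-01-01' OR 1=1--" is rejected rather than executed."""
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    if len(lines) < 2:
        raise ValueError("body needs a from-date and a to-date line")
    try:
        start, end = _parse_date(lines[0]), _parse_date(lines[1])
    except ValueError as exc:
        raise ValueError("dates must be yyyy-mm-dd") from exc
    if end < start:
        raise ValueError("to-date precedes from-date")
    return start.isoformat(), end.isoformat()


def usage_statement(conn, start, end):
    """Return (rows, total_kwh, avg_kwh_per_logged_day) for the range."""
    rows = conn.execute(
        "SELECT day, kwh FROM daily_kwh WHERE day BETWEEN ? AND ? ORDER BY day",
        (start, end)).fetchall()
    total = sum(k for _, k in rows)
    avg = total / len(rows) if rows else 0.0
    return rows, total, avg


def render_statement(rows, total, avg):
    lines = ["%s %8.2f kWh" % (d, k) for d, k in rows]
    lines.append("total %.2f kWh, average %.2f kWh/day over %d logged days"
                 % (total, avg, len(rows)))
    return "\n".join(lines)


def handle_mail(conn, sender, subject, body, allowed_senders):
    """Reply text for a query mail, or None when the mail must be ignored.
    Only the "OWL" subject from a listed (lower-case) sender is answered, so
    the mailbox does not become a usage oracle for anyone who finds it."""
    if subject.strip().upper() != "OWL" or sender.lower() not in allowed_senders:
        return None
    try:
        start, end = parse_query(body)
    except ValueError as exc:
        return "query rejected: %s" % exc
    return render_statement(*usage_statement(conn, start, end))


if __name__ == "__main__":
    db = open_db()
    for day, kwh in SAMPLE_DAYS:
        record_day(db, day, kwh)
    print(handle_mail(db, "me@example.org", "OWL",
                      "2013-01-01\n2013-01-03\n", {"me@example.org"}))
```

    The sender allowlist only filters noise: a From header is trivially forged, so the real control is which mailbox responder.py polls and who can deliver mail to it. The date check does the real work against hostile input; with parameterised statements the values can never be parsed as SQL, and the strptime check additionally rejects anything that is not a plain date.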
  • Trying to follow the Squid Package Tuning

    Locked
    5
    0 Votes
    5 Posts
    11k Views
    L
    This is great stuff, thank you very much.
  • Multiple DHCP Pools

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    jimpJ
    The current multi-pools code doesn't support different subnets but it shouldn't be too difficult to add in the future. It would just need a couple extra statements in the dhcpd config declaring the shared network, etc, etc.
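    As an added illustration of what jimp describes, and not pfSense's own generated configuration, this is the ISC dhcpd shared-network form that lets one interface serve two subnets. The interface name, subnets and address ranges are assumed for the example:

```conf
# Added example: two subnets on one wire, declared as one shared network
shared-network LAN {
    # first subnet: the interface's primary address lives here
    subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.1;
        option domain-name-servers 192.168.1.1;
        pool {
            range 192.168.1.100 192.168.1.200;
        }
    }
    # second subnet on the same segment; the firewall needs an IP alias
    # (192.168.2.1/24 here) on the interface so it can answer in this range
    subnet 192.168.2.0 netmask 255.255.255.0 {
        option routers 192.168.2.1;
        option domain-name-servers 192.168.2.1;
        pool {
            range 192.168.2.100 192.168.2.200;
        }
    }
}
```

    Two caveats a practitioner should keep in mind: dhcpd hands out whichever pool in the shared network still has a free lease, so a client is not tied to one subnet unless the pools are restricted with class membership (allow members of "..."); and both ranges sit on one broadcast domain, so a second subnet is an addressing convenience, not a security boundary, because any host on the segment can reach the other range directly without passing the firewall.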
  • Max client pcs

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    M
    @stephenw10:
    Exactly. Really the question you're asking is not how many clients but how many connections, and that is very dependent on the type of client. I imagine that an IP-connected thermometer is not going to be opening many connections, 1 or 2. However, an internet cafe full of gamers is going to create a LOT of connections, as you have found! ;) Back in the day I first switched to a Linux-based firewall (Smoothwall) when my existing solution (some software running under Win2K) crapped out every time I tried to open the server list in Counter-Strike. It opened connections to every server in the list, which I seem to remember was ~30K at the time. Now I imagine they have streamlined that process significantly in the last 15(?) years, but even so. That was just one client. Steve

    Right, it was about 8 years ago that I switched away from an original WRT54G (running Linksys firmware) for similar reasons; I'd lock it up with (legitimate) torrenting and gaming, so I switched to m0n0wall. And that was just 3 PCs and a couple of TiVos in the house. Even though m0n0wall does have a finite state table, I've still never hit it.
  • RDP Outbound

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    W
    A few things you could try:
    1. Packet capture on the WAN interface of the office pfSense, filter on (say) port=RDP. Do you see your outgoing RDP access? To the correct IP address? (local DNS might be wrong?)
    2. Do you get any response at all?
    3. Packet capture on the WAN interface of the home pfSense, filter on (say) port=RDP. Do you see incoming RDP access from the correct IP address? Does the access attempt match the port forward rule?
    4. Packet capture on the appropriate interface of the home pfSense, filter on (say) port=RDP. Do you see the outgoing access attempt to the correct IP address and port? Does that access attempt appear in the "RDP server" log on the target? Does the RDP server log give any clues on how the access attempt was handled? (some servers have their own "firewall" capability such as "forbid access from specified IP subnets")
  • USB Printer

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    G
    @stephenw10:
    Running services on your firewall that aren't required for its operation is just opening up possible attack vectors unnecessarily. On top of that, it's far more likely any exploitable security hole will go unnoticed since you will be the only person (or among very few) running it. It depends how familiar you are with patching security holes. Are you confident of keeping up to date with new FreeBSD exploits, because the pfSense team won't be patching CUPS? In reality it's unlikely to be exploitable as long as you have your firewall rules set correctly. It's a trade-off between security and functionality. Since the purpose of pfSense is security, most people see that as a risk not worth taking, however small. Steve

    Thanks Steve. It does make sense. In as much as pfSense is a serious business application, it has many enthusiastic die-hard fans like me who use it at home. And I recommended pfSense (with subscription) over FortiGate at work last year (not that FortiGate is a poor product). Perhaps some enthusiastic developer can turn this type of feature into a CUPS package. That would be fun. Best, Anil
  • Getting Kernel Panic after 2.0.2 upgrade

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    U
    After removing the scripts everything works fine. Thank you for your support! Happy New Year! Regards. Alper
  • Using pfSense for +1000 users

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    D
    I've done a fair amount of thinking and testing various configurations for exactly this type of usage scenario. If you want to serve ~1500 concurrent Wifi users, and assuming you've solved the Wifi engineering issues, then pfsense can provide several parts of the overall solution, acting as a DHCP server, router, firewall, traffic shaping and NAT device. You should also do some thinking ahead about how to best mitigate certain possible problems, because just a few virus-infected PCs among the ~1500 ones, can bring a network to its knees.
  • What does TCP:SEW mean?

    Locked
    5
    0 Votes
    5 Posts
    74k Views
    M
    So it's most likely a certificate issue then. Would a certificate issue cause packets to not be sent or received as expected by the server application?
  • Setting password complexity

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    C
    You can't hack in PAM like that. Using LDAP for authentication is how nearly all our PCI-certified customers do things. Some use local accounts on the firewall instead. The local admin account will still have to exist, but you just need a policy to manage it accordingly. Basically no firewall (or router, or switch) has forced password complexity requirements nor forced password changes, it's adequate to manually manage those things via your general security practices and policies.
  • Web server failover

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Monitoring Clients web browsing with Hash & Timing stamp

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    M
    Perfect, this sounds fair enough…  ;D Thanks a lot
  • MOVED: ARPWATCH

    Locked
    1
    0 Votes
    1 Posts
    850 Views
    No one has replied
  • Sysinfo compared to TOP?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    Actually, top -SH is the most accurate, since it also splits off threads for more detail.
  • Need to retry DHCP until I get public IP from cable modem

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    N
    @dhatz:
    @GruensFroeschli:
    There was very recently a thread about exactly this. The solution was basically to configure the DHCP client to decline RFC1918 IPs. Check http://redmine.pfsense.org/issues/2704 and http://forum.pfsense.org/index.php/topic,56330.0.html
    Thanks, this looks great. I already have an alias on the interface to access the modem web page whilst the connection is up and running. So rejecting the bad IP is, I think, the perfect solution.
  • 2 thumbs up to pfSense devs !

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    C
    Thanks!
  • Bridging 2 Lans both sides have DHCP and are on different ip ranges.

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    D
    @cdavis:
    Hello, sorry, I was out of town with the family and just got back in today. Maybe I should not have mentioned transparent bridge; that's just what was tested first before different IP ranges and a DHCP server were chosen for that remote location. There are no firewalls between the remote location and the main office LAN except the pfSense box in question. The VPN links are the metro Ethernet connections, which are routed through Cisco hardware endpoints and are not configurable by us; it is transparent to the system end to end, with no config options to make, and is managed by CenturyLink. I will draw a diagram out, but basically it is bridging 2 separate LANs with one LAN (main office) on IP range 128.x.x.x and the remote office at 10.4.100.x. Both offices have DHCP. The pfSense box is routing between the 2 LANs, and each server at the main office is routed to the 10.4.100.0 range through the 128.x.x.x IP address of the pfSense WAN-named Ethernet card.
    "Internet" <-> Gateway/Netscreen (Cox Optical Internet) <-> Main Office (DHCP, DNS, File Servers) <-> Transparent Metro Ethernet (CenturyLink) <-> (WAN) pfSense Box (LAN) <-> Remote LAN/Workstations
    The remote LAN can access the internet just fine but is having issues connecting to Windows shares on the main office LAN. I did add all of the main office server machines to the pfSense DNS Forwarder Host Overrides section and can ping and connect to the main office servers just fine. The issue arises when someone opens a Windows file share from a main office server: it shows up and lists the files and directories, then the files/directories disappear as if the connection has been disconnected, and then a few seconds later the shares/files reappear, and then the same thing happens again over and over. Internet connections as well as remote desktop/Citrix connections do not seem to be affected. I will post pfSense config screenshots in the next part.
    Basically I am trying to set it up so that I can have DHCP on the new remote LAN IP range, firewall capability, Squid proxying, and bandwidth traffic shaping at the remote location.

    Ok. So you basically have a Metro Ethernet link. For all intents and purposes, this would be considered a 'network cable' that links your 2 offices. In this case, I presume you use up a public IP for the pfSense WAN link? i.e. the servers' subnet at the main office is actually a routed public IP subnet. In that case, you shouldn't need to actually block any services on WAN. You probably need to adjust the office firewall/router to add a static route to direct all traffic bound for the 10.4.100.x subnet to the pfSense WAN IP (128.x.x.x address) as the next-hop gateway. Adding a rule on the WAN interface of pfSense to allow any traffic with source subnet of the main office (128.x.x.x subnet) and destination as LAN subnet should do the trick. Depending on how the VPN is configured by Comcast, you might want to enable 'Clear DF bit' and disable 'Scrubbing' to see if the issue persists.
  • Custom fonts and css on Captive portal

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    M
    hi, cmd. ok, i have placed my directories (css, fonts, i, js) in /usr/local/captiveportal like this:
    [2.0.2-RELEASE][root@pfsense.localdomain]/root(3): ls -lh /usr/local/captiveportal/
    total 58
    drwxrwxr-x  2 root  wheel   512B Dec 25 06:35 css
    drwxrwxr-x  2 root  wheel   1.0K Dec 25 06:36 fonts
    drwxrwxr-x  2 root  wheel   512B Dec 25 06:36 i
    -rwxr-xr-x  1 root  wheel   8.5K Dec 12  2011 index.php
    drwxrwxr-x  2 root  wheel   512B Dec 25 06:36 js
    -rw-r--r--  1 root  wheel    11K Dec 12  2011 radius_accounting.inc
    -rw-r--r--  1 root  wheel   6.2K Dec 12  2011 radius_authentication.inc
    How can i use these directories in the html file? some rows from main.html:
    is this the correct path to the css and fonts folders?
  • Simple VLAN setup, why does it not work (maybe solved)

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    C
    It's not possible to configure VLANs with an unmanaged switch, unmanaged switches don't support 802.1Q. You'll have to get a managed switch and configure its VLANs accordingly to match the firewall (and don't use 1). Explained in depth on firewall and switch side in http://pfsense.org/book.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.