• Rogers LTE rocket stick (Sierra Wireless U330) pfsense 2.1 release

    0 Votes · 6 Posts · 3k Views
    stephenw10S
    @dmad: …they put the sim card in backwards... Ha.  ::) Doesn't make it easier when you're dealing with that level of competence! Steve
  • AUTHY SSH 2FA for SSH

    0 Votes · 1 Post · 768 Views
    No one has replied
  • Another person with apinger problems

    0 Votes · 5 Posts · 1k Views
    J
    FYI I just updated to the latest alpha 2.2 built on Mon Jul 28 12:22:20 CDT 2014 and I still have the problem. I remember reading something about the apinger in the forums a while back. I just did a search for "apinger" and see that lots of people are having problems with this. I'll disable apinger for now and watch the forums for a fix. Thank you very much for your time, KOM! And thank you, developers, for pfSense! EDIT: I renamed this forum thread to attract less attention now that I believe we've found the problem.
  • Can I block all of China and Russia?

    0 Votes · 8 Posts · 8k Views
    BBcan177B
    There are numerous posts from Bill Meeks (Snort/Suricata Package Maintainer) and others which will help set up Snort. https://forum.pfsense.org/index.php?topic=61018.0 https://forum.pfsense.org/index.php?topic=64674.0 (and this one for Suricata) https://forum.pfsense.org/index.php?topic=78062.0 You can start Snort in "non-blocking" mode and weed out the False Positives. Then turn Blocking Mode on after that process. Snort/Suricata is not something you turn on and walk away from. Also, before you suppress, you need to determine what the Alert means. If the Rule is something that you never want to see, it's best to "Disable" the Rule. If you want to still have the Rule Active but Suppress it for a certain website, for example, that is when you should use a "Suppression". This makes the Performance better, as Rules are Disabled instead of having the Alert and suppressing the output. Maxmind has a free GeoIP Database for Countries that is updated each month and is 98% accurate. It needs to be formatted so it can be incorporated into pfBlocker though.
  • Status PPPOE SERVER users with FreeRadius

    0 Votes · 1 Post · 856 Views
    No one has replied
  • Switch-like VLAN capabilities

    0 Votes · 16 Posts · 2k Views
    G
    @razzfazz: @gravyface: Perhaps taking the opportunity to actually read through the request before responding with a hostile tone and we'd be that much farther ahead. That works both ways; your initial description wasn't exactly crystal clear. In any case, the way VLANs work in FreeBSD (and hence, pfSense) is that you have a parent virtual interface that will receive all untagged traffic (and only that), and then a separate child interface for each VLAN. In your scenario, you'd have vr2 as the physical parent interface; this will be your OPT1. This parent interface sends/receives untagged traffic only. You'd then create a child VLAN interface on vr2 (via interfaces -> assign -> vlan) for VLAN 20; this will create a new vr2_vlan20 network device that sends/receives only traffic with that particular tag. You will then have to create an OPT2 interface for this network device via interfaces -> assign -> interface assignments (the newly created VLAN interface should show up in the drop-down list) and set up DHCP, etc. as you want. If you want your LAN and OPT1 ports (i.e., untagged traffic on vr2) to be on the same L2 domain, you'll have to bridge them (interfaces -> assign -> bridge); in theory, you should be able to either create vr2_vlan20 and then bridge vr0 and vr2, or to create the bridge first and then create the VLAN with the bridge device as the parent; I'm not sure if the pfSense GUI will actually let you do the latter, but the former should work for your particular use case. Yes, I realized that I wasn't clear, which is why I clarified that in reply #9. I believe I'll need to do the latter, and thank you for replying (and actually reading the post!).
  • Inherited Network Madness

    0 Votes · 4 Posts · 1k Views
    B
    Triple NAT? Oh dear, I'd buy you a beer if I could. Yes, tear everything out, and replace it w/ a pfSense. Make sure you document everything and fully understand all the firewall rules, port forwards etc. I'd like to say that, although convenient, exposing 3389 to the world is not considered best practice. Try to push for a VPN tech (OpenVPN or L2TP, NOT PPTP!) which will put them on the internal network; they can then RDP into their machines. For an added layer of security, check out DuoSec as well for people RDP'ing into machines on your network. It's 2-factor auth that's free for up to 10 users (basically it sends push notifications to your smartphone which you then approve/deny, so even if the password is compromised it offers some additional security). With a bit of work DuoSec can be adapted for people dialling in via VPN as well – so when they hit 'connect', an SMS/Push Notification is sent to their device which must be approved before connection.
  • Existing pfsense, convert to Dual WAN

    0 Votes · 7 Posts · 1k Views
    B
    When you set up your new OPT1 interface, it will likely come with the standard Anti-Lockout rules (unless you have disabled these). Aside from that, all traffic will be blocked unless rules are explicitly set to pass it (as is the default configuration of just about any firewall on the market – default block all). To allow traffic to host(s) behind the OPT1 interface, you will have to add rules manually. So say you set up an FTP server and you want it to be accessible; you will need to add a rule to allow this host. The parameters you'd use would be: Interface: OPT1 (packets must come in on this interface to match this rule) Source: Any Destination: Single host or Alias <ip address of the FTP server> - Source Port Range: FTP Save & Apply. So you won't have to worry about firewalling off the bat.
  • PPPoE issues – how to make logging more verbose?

    0 Votes · 2 Posts · 974 Views
    B
    I got it working – the issue was the firmware I was running on my modem (3.7.5.2) has a bug with PPPoE. Using firmware version 3.7.5 I was able to get it to work.
  • How to disable this feature without webGUI access?

    0 Votes · 3 Posts · 8k Views
    S
    Thanks, but I don't have access into the GUI at all. That's why I wanted to know if there was another way to disable the referer check. UPDATE: I got this solved by using the following command: pfSsh.php playback disablereferercheck The info was from here: https://forum.pfsense.org/index.php?topic=56956.0
  • Can't browse the internet when directly connect with my pc to LAN port

    0 Votes · 2 Posts · 769 Views
    johnpozJ
    Did you put a gateway on your LAN? This seems to be a common issue.. Why users do this I have no idea, but it seems to come up quite often.. Can your client on the LAN ping the pfSense LAN IP? Did you alter the default LAN rules?
  • Hourly : apinger: SIGHUP received, reloading configuration

    0 Votes · 2 Posts · 2k Views
    C
    Hi, disabling "State Killing on Gateway Failure" doesn't change this behaviour. Even more.. it seems that not apinger is reloading anything hourly. As far as I can see, also apinger IS restarted hourly. Currently I'm investigating radvd logs (routing.log), as I'm running IPv6 prefix delegation.
    Jul 26 09:13:25 pfsense radvd[40496]: resuming normal operation
    Jul 26 10:13:23 pfsense radvd[40496]: attempting to reread config file
    Jul 26 10:13:23 pfsense radvd[40496]: resuming normal operation
    Jul 26 10:13:24 pfsense radvd[40496]: attempting to reread config file
    Jul 26 10:13:24 pfsense radvd[40496]: resuming normal operation
    Jul 26 10:13:25 pfsense radvd[40496]: attempting to reread config file
    Jul 26 10:13:25 pfsense radvd[40496]: resuming normal operation
    Jul 26 11:13:23 pfsense radvd[40496]: attempting to reread config file
    Jul 26 11:13:23 pfsense radvd[40496]: resuming normal operation
    Jul 26 11:13:24 pfsense radvd[40496]: attempting to reread config file
    Jul 26 11:13:24 pfsense radvd[40496]: resuming normal operation
    Jul 26 11:13:25 pfsense radvd[40496]: attempting to reread config file
    Jul 26 11:13:25 pfsense radvd[40496]: resuming normal operation
    Is it possible that this has something to do with this BSD option: net.inet6.ip6.rtexpire: 3600 Any help would be appreciated. Kind regards, Roel
  • Network Setup

    0 Votes · 3 Posts · 1k Views
    johnpozJ
    Yeah, not sure how these questions are related to pfSense. Is pfSense going to be the gateway of every VLAN? Are you asking how to do that? And it's not really a Cisco EA6300; it's a Linksys home wireless router that can be had for like $100. I don't even think it supports VLANs. And I don't even see dd-wrt support for it. So not sure how you expect to put different wireless users on different VLANs?
  • SSL errors

    0 Votes · 7 Posts · 2k Views
    johnpozJ
    What is before that part of the sniff? I have to assume it resolved something to that IP.. What exactly are you doing to generate that traffic? BTW that is not an error, that is just some info about the packet - if you're thinking chksum bad is an error that would prevent communication, or your error? So fix your issue on why the box is trying to go to 10.0.1.1 if that is not the correct IP for where you're trying to go. What IP are you trying to go to?
  • Some questions, some complaints

    0 Votes · 6 Posts · 1k Views
    D
    1. From the definitive guide, it says that Quick is enabled by default on all rules except floating rules. I don't know if that means it doesn't work or if Quick is not desirable. And, honestly, I can't even dream up a scenario where I create rules and then want them last-matched. Who does this, and what good is it? I tend to stick with what's originally suggested. If the wizard-created rules use MATCH, I use MATCH. You mean that the quick option should work with the match action; otherwise it doesn't make sense, or this makes settings very confusing. I always try and test my configuration after I set new rules because funny things could always happen. I tested the match action with the quick option. I doubled ("add a new rule based on this one" button) an existing rule and I changed the second rule's queue to another queue. I set both rules' action to "match". Then I found out that traffic goes to the second rule's queue. Then, for the second test, I set the first rule's action to "pass" and tested again; traffic goes to the first rule's queue. In my opinion, this trial and error method proves that the match action doesn't work with the quick option, or there is a major bug in there. I use version 2.1.4-p16, which seems to be the latest as of today.
  • Facetime and site to site VPN

    0 Votes · 4 Posts · 2k Views
    G
    Ok then! Then you will have to filter out the traffic. Did you try with the ports specified on the Apple document? You can also monitor the state table while on a call. Or better, assign a fixed IP address to your iOS devices and deny them access to the remote networks (unless you need that access for other reasons, of course).
  • How to make 2 subnets work with the pfSense Proxy

    0 Votes · 1 Post · 662 Views
    No one has replied
  • Install pfSense TO USB FROM USB Stick/Flash?

    0 Votes · 4 Posts · 11k Views
    M
    @spiritfly: I never realized that the nanoBSD is a different version. I thought that guide was taking me to the same mirror links for the same image. Oh well.. I've already installed it to my USB flash disk using another USB flash drive to put the installation on it. Then I booted from it and chose to install on the first (empty) flash disk, and it installed correctly. I would caution you that the nano version has optimizations for flash that will preserve the life of the USB stick. Otherwise you might find it dying in less than a year, since the standard version will write to it as though it were a hard disk. https://www.pfsense.org/about-pfsense/versions.html Flash memory can only handle a limited number of writes, so the embedded version runs read-only from flash, with read/write file systems as RAM disks. Switching versions is actually quite painless. Save your configuration to your computer from Diagnostics: Backup/restore: Download Configuration, install the nano version to the USB stick, then upload your configuration back to it. Another alternative is that you can manually configure the full version to behave mostly like the nano version. @spiritfly: One question about this though. I've noticed that when booting from the USB flash when it is connected on some of the USB ports on the back of my PC, an error showed up just before pfSense was supposed to boot and the following command line came up: db> If I take and connect the same USB thumb on the front it runs perfectly. Weird.. I think all USB ports are USB 2.0 front and back. The MB is Asus M2N-MX if it means anything. My guess would be that the drive numbers are changed when you move it to a different port. The simplest solution is to have it in its final port when it's installed, although you can reconfigure if moving is necessary.
  • Squid, Snort, pfBlocker issue?

    0 Votes · 3 Posts · 1k Views
    M
    @Cmellons: " [Snort] Server returned error code 422…" Nothing to worry about. They are just updating on their end. It should be back to normal when they are finished. What about Squid and Snort rapidly stopping and starting and pfBlocker reporting "no… action during boot process"? I haven't seen these logs before and it seems unrelated to the Snort update process.
  • Strange port use when browsing

    0 Votes · 3 Posts · 836 Views
    A
    The destination is always 80, that is HTTP, so I need to leave it. And it was my fault to block it :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.