• Make pfSense boot faster?

    7
    0 Votes
    7 Posts
    3k Views
    johnpozJ
    Well here is reboot timed pinging to outside pfsense
    2014-07-04 05:52:50.311: From 4.2.2.2: bytes=60 seq=0033 TTL=57 ID=51e8 time=10.075ms
    2014-07-04 05:52:54.320: Timeout waiting for seq=0034
    so offline 05:52:54 for reboot
    2014-07-04 05:53:58.327: Timeout waiting for seq=0075
    2014-07-04 05:53:58.327: From 4.2.2.2: bytes=60 SEQ=0077 TTL=57 ID=51e9 time=11.180ms
    pinging outside again at 05:53:58, so 1 minute
    But that is counting shutdown time.. And the 3 second wait until it boots. So yup under 1 minute. Now I am on SSD for my datastore, maybe the others with 1 minute boots are as well.. Do you have other freebsd vms that boot faster? Also - as already stated it's a router, why are you rebooting it? Mine runs for weeks if not months without reboot. Only time would be upgrade or power outage, etc.
  • Standard to Measure Throughput

    3
    0 Votes
    3 Posts
    1k Views
    stephenw10S
    The numbers you see on the forum are often just the maximum download speeds through the box as seen from a client behind it. A single http connection. Sometimes they are a result from a speedtest website which might be 3-3 TCP connections. Some people who have gone to some trouble might post a result from an iperf test using a server and client on each side of the box on test. Even that is often not directly comparable because the iperf server/client do not always have the same default settings. It is also not a real world test and doesn't help gauge Snort or Squid performance. The numbers you see given for commercial 'hardware' firewalls are usually from a test that has been tweaked to give the highest possible numbers for better marketing value. Usually a sum of many connections through the box at large TCP window sizes. It's hard to compare anything directly. ;) Steve
  • Help on Basic pfSense setup

    3
    0 Votes
    3 Posts
    758 Views
    D
    I agree with heper, unless you have a good reason to need the Cisco box in place just let pfsense handle the whole setup. VLANs under pfSense work well and it sounds like you already have a switch in place (already configured?) to handle the client side. Can you describe a little more about your environment and what you're trying to accomplish?
  • Can PFSense handle multiple VPN's? (more details inside)

    10
    0 Votes
    10 Posts
    2k Views
    M
    @elementalwindx: what about adding a line in the advanced section of the openvpn -> client "route 192.168.16.0/24" on the opposite client pfsense box? and vice versa on the other opposite one? (or according to documentation "route 192.168.16.0 255.255.255.0")
    Yes, that is the preferred solution over a static route. Edit: If that doesn't work as expected, the book mentions some caveats to pushing routes.
  • Having problems setting up a network attached printer

    5
    0 Votes
    5 Posts
    2k Views
    stephenw10S
    Yes bridged interfaces is correct. If you move the bridge filtering from the bridge members to the bridge itself, as you have done, then firewall rules you have on the bridged interfaces no longer do anything. Instead you need to add firewall rules to the bridge interface. However if your bridge0 interface is assigned as LAN then the default allow all rule should be in effect. If you haven't rebooted since you moved the filtering you should. The sysctl changes only apply when the bridge is created, as it is at boot. Steve
  • No internet access with default install and public ip

    3
    0 Votes
    3 Posts
    864 Views
    G
    Just the defaults that came with pfsense (at the time). I have since changed my modem to act as a bridge and it's working fine. I didn't even realise that it had the option to do that. So all is well. I have a new weird problem where ssh port forwarding doesn't seem to work for one ip address, but I'm not concerned about this now.
  • FreeBSD Jails - insecure?

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10S
    Ha! That's a funny blog. ::) If that guy wants anyone to pay attention to that he needs to include at least a few pro posts. Nothing but anti posts like that just looks like obvious trolling. Steve
  • Multiple httpd & php processes

    4
    0 Votes
    4 Posts
    966 Views
    M
    @cirkit: How do I ensure SWAP turns ON on every reboot How do I change size of swap from 2048mb to 4096mb
    Make swap permanent by adding it to /etc/fstab. Something like:
    #/dev/label/swap0              none            swap    sw              0      0
    Ref. https://www.freebsd.org/doc/handbook/adding-swap-space.html
    To increase the size of the swap you will need to repartition the disk or create a "swap file" (see link above) and add it to fstab as above. https://forum.pfsense.org/index.php?topic=78519.msg429186#msg429186
  • PfSense & Netgear Smart Switch - VLAN Problems

    16
    0 Votes
    16 Posts
    7k Views
    stephenw10S
    Yes, that should work. You may want to lock it down further. For example devices on OPT1 will have access to the webgui (though it's password protected) and any other services running on the pfSense box. Steve
  • Problem in pfsense inside hyper-v

    10
    0 Votes
    10 Posts
    2k Views
    C
    @cmb: At least part of your problem is trying to use a base OS pre-Microsoft supporting FreeBSD. If you try 2.2, I suspect your apparent NIC issues will go away. It's not practical to run 2.1x versions in Hyper-V.
    Thank you for the input. I've always wanted to use Hyper-V myself and I never knew that 2.2 would solve my problems. But, to me, Hyper-V is way more complex than it needs to be. I think it's just that the terminology is a little different. How is 2.2 coming along now? I have tried that version a couple times. I don't remember what happened though but I couldn't do some things. Oh, I remember now and it's probably fixed. I had some problems with making suppression lists in Snort. Most likely that was with a previous version of Snort though. There were other problems as well because it just wasn't ready yet which is understandable. Each version of pfSense comes out at an incredibly fast rate so I am more than satisfied. So, anyway do what CMB says and try version 2.2. Here is a direct link for 2.2. https://snapshots.pfsense.org/ To find that I went here. https://doc.pfsense.org/index.php/2.2_New_Features_and_Changes
  • Unstable WAN link, pfsense not recovering?

    8
    0 Votes
    8 Posts
    4k Views
    S
    @Skar78: I seem to have a related issue. However I am a beginner user and might simply miss something trivial or misjudge my case. Once in a while my ISP shuts my connection down (they do this automatically here (Taiwan) upon late payment - and my wife frequently "forgets" to transfer the money). In this case it seems like they switch off the port on their side - the DSL modem can simply not sync the DSL line. However pfsense behaves very strangely. Apinger service basically shuts down and cannot be restarted and also the wan port is disabled. If I manually enable the wan port it has no effect (stays disabled) and apinger basically never recovers and cannot be restarted (apply changes -> reloads and no change). If I re-create the wan interface it worked last time, meaning I deleted the interface and created it again. As I have the opportunity to face the same issue again today I plan to try a re-boot first.
    Ok I tested this again. Reboot and disable/enable did not work. What I noticed is that I need to assign the interface from its pppoe1(cuau0) to the vr1 again and re-enter login/password - only then it would work. Why I have to do that I don't know. Every time this happens it looks like pfsense would increase the index of the pppoe interface and add one bound to cuau0, why pppoe would be assigned to the serial port, no clue. However this issue is different from OP, so sorry my bad.
  • Sarg Squid Report not working

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Way to monitor ADSL link

    3
    0 Votes
    3 Posts
    1k Views
    B
    @abinjacob: Team, I'm using ADSL internet link connected to pfsense for our clients. The problem is if the ADSL link goes down due to an issue from the ISP end, I won't be aware, the users will be the first to report, which makes my manager stare at me. Is there a way by which we can monitor the link via pfsense and to get alerts if the link goes down?
    If the internet link is down, you probably won't be able to get an alert. You'll probably want to monitor externally.
  • PCI Compliance Scan Fail: lighttpd

    3
    0 Votes
    3 Posts
    1k Views
    A
    Thank you for the info, it's greatly appreciated!
  • Apinger send notification about WAN for each group it's member of

    1
    0 Votes
    1 Posts
    629 Views
    No one has replied
  • For those that like to use Wildcards - Please Read

    3
    0 Votes
    3 Posts
    925 Views
    K
    Clever but hard to exploit in reality. The command part of the command line is already set and can not be changed by the glob expansion so it's limited to changing the behaviour of known commands. Many times you're better off by not using wildcards at all, people tend to write silly commands like `grep -r foobar *` etc. where it's better to replace the wildcard with a dot (.) and let grep(1) do the expansion and recursion itself. Also if you want to protect against such tricks you can use the end of arguments list `--` argument: `alias rm='/bin/rm -i --'` That would no longer try to interpret file names like '-rf' as options if run as 'rm *'
  • Seeking advice on new pfsense environment

    4
    0 Votes
    4 Posts
    990 Views
    C
    @G.D.: You could still create the VLANs on the pfSense, and you do not have to route them anywhere, you can point the interface to a custom Gateway, right?
    I guess I could, but I'm not 100% sure what you're getting at. You mean create multiple vlans with different gateways, assign dhcp per vlan, and point IP-helper or DHCP w/e on juniper to each individual gateway? I guess this could work, and just NAT the primary VLAN and point default route on the switch to that pfsense gateway right?
  • CA Architecture

    2
    0 Votes
    2 Posts
    802 Views
    M
    @mbrossar: I want to set up a central CA that signs for a set of Intermediate Certificate Authorities (ICAs). @mbrossar: My CA should not sign individual certificates.  It should only vouch for my ICAs. @mbrossar: All of my certificates are signed by an appropriate ICA. @mbrossar: I have a few sites that I am working on connecting via site to site VPNs using pfSense boxes.  I am thinking about leveraging the CA functionality within pfSense.  My question is, can I create an ICA on a site that refers to a CA that's on another site, at the end of a tunnel or does an ICA need to be on the same box as its CA?
  • Resetting ZyXEL 2024 POE Switch to Factory without password

    5
    0 Votes
    5 Posts
    4k Views
    stephenw10S
    Yep, this is the wrong section. A non pfSense related question should be in General Discussion. You haven't given the exact model number but it looks like the only way to reset the switch is to upload the factory firmware from the bootloader prompt at the serial console. Good luck!  ;) Steve
  • Pfsense cant recognize my dlink wireless pci interface

    5
    0 Votes
    5 Posts
    1k Views
    M
    can't find exact wireless chipset compatible available on the pfsense wireless supported drivers how about this one. http://www.cdrking.com/index.php?mod=products&type=view&sid=10540&main=50#.U7DLqZSSxfg ralink rt3060 thanks
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.