  • What does TCP:SEW mean?

    Locked
    0 Votes
    5 Posts
    74k Views
    So it's most likely a certificate issue then. Would a certificate issue cause packets to not be sent or received as expected by the server application?
  • Setting password complexity

    Locked
    0 Votes
    2 Posts
    4k Views
    You can't hack in PAM like that. Using LDAP for authentication is how nearly all our PCI-certified customers do things. Some use local accounts on the firewall instead. The local admin account will still have to exist, but you just need a policy to manage it accordingly. Basically no firewall (or router, or switch) has forced password complexity requirements nor forced password changes, it's adequate to manually manage those things via your general security practices and policies.
  • Web server failover

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Monitoring Clients web browsing with Hash & Timing stamp

    Locked
    0 Votes
    4 Posts
    2k Views
    Perfect, this sounds fair enough…  ;D Thanks a lot
  • MOVED: ARPWATCH

    Locked
    0 Votes
    1 Posts
    850 Views
    No one has replied
  • Sysinfo compared to TOP?

    Locked
    0 Votes
    2 Posts
    1k Views
    jimp
    Actually, top -SH is the most accurate, since it also splits off threads for more detail.
  • Need to retry DHCP until I get public IP from cable modem

    Locked
    0 Votes
    5 Posts
    2k Views
    @dhatz: @GruensFroeschli: There was very recently a thread about exactly this. The solution was basically to configure the dhcp client to decline rfc1918 ips. Check http://redmine.pfsense.org/issues/2704 http://forum.pfsense.org/index.php/topic,56330.0.html
    Thanks, this looks great. I already have an alias on the interface to access the modem webpage whilst the connection is up and running. So rejecting the bad IP is I think the perfect solution.
  • 2 thumbs up to pfSense devs !

    Locked
    0 Votes
    3 Posts
    1k Views
    Thanks!
  • Bridging 2 Lans both sides have DHCP and are on different ip ranges.

    Locked
    0 Votes
    6 Posts
    3k Views
    @cdavis: Hello, Sorry was out of town with the family and just got back in today. Maybe I should not have mentioned transparent bridge, that's just what was tested first before different ip ranges and a dhcp server were chosen for that remote location. There are no firewalls between the remote location and the main office lan except the pfsense box in question. The vpn links are the metro ethernet connections which are routed through cisco hardware endpoints and are not configurable by us, it is transparent to the system end to end, no config options to make, and is managed by centurylink. I will draw a diagram out but basically it is bridging 2 separate lans with one lan (Main office) on IP range 128.x.x.x and the Remote office at 10.4.100.x. Both Offices have dhcp. The pfsense box is routing between the 2 lans and each server at the main office is routed to the 10.4.100.0 range through the 128.x.x.x ip address of the pfsense wan named ethernet card.
    "Internet" -----<-> Gateway/Netscreen (Cox Optical Internet) ----<->--- Main Office (DHCP,DNS,File Servers) --------- <->Transparent Metro Ethernet  (Centurylink)<-> ---------- (Wan) Pfsense Box (Lan) ------- Remote Lan/Workstations
    The remote LAN can access the internet just fine but is having issues with connecting to windows shares on the Main office LAN. I did add all of the main office server machines to the pfsense DNS Forwarder Host Overrides section and can ping and connect to the main office servers just fine. The issue arises when someone opens a windows file share from a main office server: it shows up, lists the files and directories, then the files/directories disappear as if the connection has been disconnected, and then a few seconds later the shares/files reappear and then the same thing happens again over and over. Internet connections as well as remote desktop/citrix connections do not seem to be affected. I will post pfsense config screenshots in the next part.
    Basically I am trying to set it up so that I can have DHCP on the new remote lan ip range, Firewall capability, Squid Proxying, and Bandwidth traffic shaping at the remote location.
    Ok.  So you basically have a Metro Ethernet link. For all intents and purposes, this would be considered a 'network cable' that links your 2 offices. In this case, I presume you use up a public IP for the pfSense WAN link?  i.e. The servers subnet at the main office is actually a routed public IP subnet. In that case, you shouldn't need to actually block any services on WAN. You probably need to adjust the office firewall/ router to add a static route to direct all traffic bound for the 10.4.100.x subnet to the pfSense WAN IP (128.x.x.x address) as the next-hop gateway. Adding a rule on the WAN interface of pfSense to allow any traffic with source subnet of the main office (128.x.x.x subnet) and destination as LAN subnet should do the trick. Depending on how the VPN is configured by comcast, you might want to enable 'Clear DF bit' and disable 'Scrubbing' to see if the issue persists.
  • Custom fonts and css on Captive portal

    Locked
    0 Votes
    5 Posts
    3k Views
    hi, cmd. ok, i have placed my directories (css, fonts, i, js) to /usr/local/captiveportal like there:
    [2.0.2-RELEASE][root@pfsense.localdomain]/root(3): ls -lh /usr/local/captiveportal/
    total 58
    drwxrwxr-x  2 root  wheel   512B Dec 25 06:35 css
    drwxrwxr-x  2 root  wheel   1.0K Dec 25 06:36 fonts
    drwxrwxr-x  2 root  wheel   512B Dec 25 06:36 i
    -rwxr-xr-x  1 root  wheel   8.5K Dec 12  2011 index.php
    drwxrwxr-x  2 root  wheel   512B Dec 25 06:36 js
    -rw-r--r--  1 root  wheel    11K Dec 12  2011 radius_accounting.inc
    -rw-r--r--  1 root  wheel   6.2K Dec 12  2011 radius_authentication.inc
    How can i use these directories in html file? some rows from main.html: is this correct path to css and fonts folders?
  • Simple VLAN setup, why does it not work <maybe solved>

    Locked
    0 Votes
    3 Posts
    1k Views
    It's not possible to configure VLANs with an unmanaged switch, unmanaged switches don't support 802.1Q. You'll have to get a managed switch and configure its VLANs accordingly to match the firewall (and don't use 1). Explained in depth on firewall and switch side in http://pfsense.org/book.
  • [solved] pfSense 2.0.2 random reboots because of software RAID?

    Locked
    0 Votes
    5 Posts
    2k Views
    stephenw10
    There is some watchdog functionality in freebsd you could use if you need it. You can just rename the title of your first post in this thread to have [solved] at the beginning if you like. You have a limited time from the post date to do that. 7 days?  :-\ Steve
  • Random pfsense 2 lockups

    Locked
    0 Votes
    5 Posts
    2k Views
    @brcisna: Just a thought. Try running memtest86 from any linux distro bootup disk on your pfSense machine. This will take just several minutes to do, and will at least eliminate the possibility of having a/some defective memory sticks
    Tried that, twice actually last week, No problems.
    @brcisna: .2) When the pfSense machine  is booted and run for just 15 minutes try running top from the shell and see if anything looks wonky in the printout here. Maybe you will see some oddity.
    Nothing odd in the syslog at all nor anything in the running processes. Even when it locked up, it just locked and stopped everything including syslog.  To make sure the system wasn't hacked, I even did a full wipe and reload of the system.
    @brcisna: Also, in your initial post did you say you are running 5 pfSense machines, and all 5 are experiencing these lockups in a similar fashion?
    Only on one, the other 4 are perfect.
    @brcisna: Take Care, Barry
    Thanks for the ideas, since putting the switch in, there hasn't been a single lockup and it is going on 5 days now.  So maybe a flaky comcast modem?? and the switch is dealing with it better than running directly to the nic…maybe????  oh and btw,  on the nic interfaces before and after the switch install, there were never any errors shown. always 0 Thanks Dickie  :-) Happy Holidays
  • Geomirror raid1

    Locked
    0 Votes
    3 Posts
    1k Views
    Hi jimp, Thank You for the reply. I am fairly certain the reason the machine failed to boot off the 'first drive' / highest number bios sata port, that I disconnected, on purpose, was due to the fact the first drive was marked as offline, as you said, in the fstab. I should have booted the machine with both drives connected, let the mirror array rebuild, then shut down and then disconnected the 'second drive', then booted on the first drive I disconnected; I am fairly certain the machine would have booted with no probs. This scenario is hard to explain the sequence?:).. After I rebooted the pfSense machine, after having reconnected both drives, I looked every few minutes and had solid HD activity for about 20-30 mins until what I'm guessing the raid array was done 'rebuilding' (on 80gb sata drives). In the dashboard geomirror widget I am seeing 'complete' in the raid setting. yeah! Take Care, Barry
  • Disable NTP Server of 2.0.2?

    Locked
    0 Votes
    7 Posts
    7k Views
    jimp
    Yes, that is enough, or if you have the usual NAT rules, binding on LAN is OK too.
  • L2TP gateway not working(help)

    Locked
    0 Votes
    1 Posts
    884 Views
    No one has replied
  • 64 bit version vs 32 bit

    Locked
    0 Votes
    3 Posts
    1k Views
    Can I restore my 32 bit config to a new 64 bit build?
  • Will dyndns work with another router ahead of pfsense?

    Locked
    0 Votes
    9 Posts
    2k Views
    stephenw10
    Hmm, Ok. My own box is not hidden behind NAT, the WAN interface has my public IP. Thus it does not have to use a service like checkip.dyndns.org to discover the public address. The address doesn't change so it does nothing and after about 18 days I get emails. After 25 days it will send the update information even if it's still the same but it seems that interval is now too long, for No-IP at least. Steve
  • Time keeps lagging

    Locked
    0 Votes
    4 Posts
    2k Views
    jimp
    You can also try adjusting the timecounter on pfSense, search around the forum for "kern.timecounter.hardware" you should find some info on changing it. (It's also covered in the book)
  • Backup, New Installation, Restore - No Firmware Dropdown?

    Locked
    0 Votes
    6 Posts
    2k Views
    jimp
    The server in .nl is back up, there was an AC issue at the colo and that box didn't get powered back on. Should be OK now.