• Relayd (load balancer) on the same interface

    3
    0 Votes
    3 Posts
    984 Views
    P
    Thanks for pointing this out. I had seen the syn-ack packet coming directly to the client and the RST packet sent by the client because of the wrong IP… but did not think to modify the packets with the outbound nat. Surely works now... To me the loss of the source IP is not a problem (until I'll need to debug stuff), as it's from a pool of my own servers, and the load balancer is required to prevent a single point of failure :) Thanks again :)
  • 0 Votes
    7 Posts
    6k Views
    S
    OK, maybe it's not related :-) We're doing more testing at the moment, and hope to get some more info up on our status page about it later today. The problem isn't tunnel specific, we're sending UDP packets and can reproduce the problem of packets not getting through.
  • Cron email issues

    3
    0 Votes
    3 Posts
    2k Views
    S
    @Gertjan: This: Cron spam (a couple of threads lower in the same forum) didn't answer your question? Thanks for pointing it out. Completely missed that post. Again. Thanks!
  • New pfsense 2.1 install no Internet from LAN

    11
    0 Votes
    11 Posts
    4k Views
    johnpozJ
    "If my pfsense box had been installed right after the cable companies modem so that the pfsense WAN address had been set by DHCP (76.26.XXX.YYY), would my default route have been the 192.168.3.1 address?" Yeah with stephen only speculation - you clearly were dicking around to get a gateway set to your own address… In a typical setup where you were directly connected to your ISP.. bing bang zoom you would have been dhcp on your wan and default 192.168 address on your lan and not have had to touch anything and would have been working out of the box. You playing around with static on wan and changing the IP on your lan interface is where you prob got messed up. There is RARELY a good reason, and I mean RARE!! to double nat - it's pointless, it is a performance hit, and yes some things are going to have issues working with it, and is just a PITA all the way around. I would suggest if you want to use pfsense as your firewall/gateway then use it as intended - if you need more than 1 network segment/vlan on your lan side then add nics to pfsense to allow for that vs using routers that nat as your way of creating isolated segments.
  • Hidden user

    5
    0 Votes
    5 Posts
    1k Views
    M
    @charliem: Yes, there are lots of ways to plant back-doors on a system before it's delivered to your customer; any system, not just pfSense.  But this is the wrong place to come for such advice I'm afraid. ;D
  • Nic Teaming and connection timeouts

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    No, that wouldn't have any effect on the firewall states. To oversimplify it a bit: pf doesn't care about layer 2 (e.g. MACs), only layer 3 (IPs). That would only be a factor if you had captive portal enabled on that interface, which would be unusual since it has a web server. Seeing that ARP message is normal when NIC teaming is involved.
  • Dns forwarder host override wildcard

    3
    0 Votes
    3 Posts
    1k Views
    B
    I did see that article but the wildcard seems to apply first, e.g. *.google.com, whereas I want google.*, for example, which will cover google.com, google.co.uk, google.ie, google.fr etc. Is this possible, have I misunderstood the article?
  • Problem with static routes/gateway on another subnet

    2
    0 Votes
    2 Posts
    1k Views
    R
    Hi, based on Online documentation, you have to change netmask to /32 too… To have all these settings saved on reboot, you will have to change the /conf/config.xml file of your pfsense VM. You can change the netmask in the interface definition: <interfaces><wan></wan></interfaces> You have to add the two following lines just before <shellcmd>route add -net 62.210.207.1/32 -iface em0</shellcmd> <shellcmd>route add default 62.210.207.1</shellcmd> Hope this helps…
  • No internet on Static IP only internet on DHCP

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Listening or established ports

    1
    0 Votes
    1 Posts
    621 Views
    No one has replied
  • Bad fd number problem

    5
    0 Votes
    5 Posts
    1k Views
    stephenw10S
    Well reading what JimP said in the linked thread it's caused by the shutdown scripts running in the wrong order so you'd have to re-arrange them. There should be some clues in the code changes to 2.0.x that fixed it. Or just ignore it, it's doing no harm. I would imagine it will be fixed in a future update anyway. Steve
  • How Can I Apply FreeBSD Security Advisory Patches on PfSense 2.1 ?

    2
    0 Votes
    2 Posts
    906 Views
    johnpozJ
    If a patch is warranted then pfsense team will install and then release an update to pfsense. If you want to follow along with what freebsd releases - then you should be running native freebsd install and not pfsense.
  • Routing problem ?

    1
    0 Votes
    1 Posts
    743 Views
    No one has replied
  • New User

    3
    0 Votes
    3 Posts
    861 Views
    ?
    Thank you very much. I did find under System->Firmware, Updater Settings tab, a check box for "Disable the automatic dashboard auto-update check." In my mind, I would rather see this as a submit button ala "Check for Updates" and then I could just hit it whenever. I'm sure others will prefer the automated check. Good software lets users make choices and that is exactly what pfSense does in this case. me
  • Up-to-date supported hardware list

    2
    0 Votes
    2 Posts
    821 Views
    J
    http://www.freebsd.org/releases/8.3R/hardware.html
  • Squid ssl intercept certificate ios chrome

    1
    0 Votes
    1 Posts
    909 Views
    No one has replied
  • Setting a gateway in a transparent setup

    1
    0 Votes
    1 Posts
    771 Views
    No one has replied
  • Multiples Asterisk Registering to One SIP Provider

    3
    0 Votes
    3 Posts
    1k Views
    K
    Do you know by any chance how can I accomplish this, what is the configuration in siproxd.
  • Bad, very bad !

    2
    0 Votes
    2 Posts
    1k Views
    stephenw10S
    It is covered in the docs: https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox#Serial_Port_Quirk Your instructions are good though. Are you booting from a hard drive? There isn't normally a menu that gives you an option to boot to a prompt if you're booting nanobsd from a cf card. The reboot option should work but you will never be able to shutdown the box from software because the power supply is not atx compatible, it's not software controllable. Steve
  • RRD graph shows 52% loss

    6
    0 Votes
    6 Posts
    2k Views
    ?
    [image: hKwiRek.png]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.