• Internet slow

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • 0 Votes
    12 Posts
    5k Views
    dotdashD
    Are you running a bunch of packages, have you customized something? A backup and restore of the config is usually the best way to do this, and it fits on a usb key. I like to have spare pfsense boxes around with enough interfaces, so I can grab one, restore the config and swap it in case of disaster. Much easier (IMHO) than trying to restore an image. Again the circumstances might be different if you had to re-create some customization/hacking, or had complex packages installed.
  • Is there any way to have traffic graphs per port or protocol?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    P
    Thanks a lot… Ntop is what I was looking for... cheers! Pedreter!
  • Pfsense web access based on username

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Null modem no output via PuTTY - FIXED

    Locked
    1
    0 Votes
    1 Posts
    4k Views
    No one has replied
  • Advanced routing

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    A
    @podilarius: Well, to me if the real purpose is to use the 2.x network, then I would drop the 85.x network. Setup the WAN ip you use in pfSense to also allow a VPN, so that you can connect a VPN and RDP to any host. Then setup NAT or routing/firewall to pin hole the traffic you want to pass. You could keep the second as a failover, but that would be only for outbound traffic. It might be possible to do what you want with just the 2 networks. Thanks for your reply. After a bit of work I tried your suggestion, but it started getting messy, and I totally lost where I was and what I was trying to do. Instead, now I wanna just keep it simple, i.e.: 1 pfsense 2.0 vm with 2 NIC (1 getting DHCP ip from a network with internet access 10.170.85.x ) and (another on a network {private} that requires static IP 10.170.2.x). I think it would be easier for me to config it so that pfsense appliance accepts pptp and ipsec connections from Internet wan (10.170.85.x) and then forwards the connection to the private Lan's wan (10.170.2.x). Kindly please guide me in this, and many thanks for your initial idea. Regards
  • MOVED: Sarg Realtime Report Error

    Locked
    1
    0 Votes
    1 Posts
    783 Views
    No one has replied
  • How do I patch a pfsense kernel with a FreeBSD patch ?

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    A
    Thanks for your help.  I was looking at the pfsense pages, wiki, etc., and not at github.
  • MOVED: Seemingly random Captive Portal issues

    Locked
    1
    0 Votes
    1 Posts
    787 Views
    No one has replied
  • CLI - unattended alias change / script.

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    G
    Hello, I need this to run from a script connecting to pfSense box through ssh via sshkeys, so yes :) I need it unattended! My config is currently: <aliases><alias><name>mx1</name> <address>192.168.241.21</address> <type>host</type> <detail></detail></alias> <alias><name>mx2</name> <address>192.168.241.22</address> <type>host</type> <detail></detail></alias></aliases> I thought to try a search and replace / regular expression solution: <address>192.168.241.21</address> becomes <address>192.168.241.28</address> Would a modification be promptly applied? Or keep several copies of config.xml files to be substituted to the operative one. Will exchanging files trigger the system to read and act accordingly to the new settings? Cumbersome I guess, but could do for my scenario. Definitely I hope that pfSense will have a full CLI interface. Its greatness, the web gui, can't be a weakness too :) At the moment the only important cli feature I can think of is the one of aliases, since I read that pass and block are already active http://doc.pfsense.org/index.php/Adding_Rules_With_easyrule http://www.linuxnet.ch/pfsense-important-cli-commands/ Also, what if I have CARP? (not the case but it is in program), would config.xml editing via regular expressions or if overwritten by other file trigger a sync to the other boxes? Thanks!
  • Ethernet over WAN

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    jimpJ
    This should work with the tap fix pkg + OpenVPN in tap mode (get the VPN connected, then assign the VPN interface, then make a bridge from LAN+VPN on both sides). Also works with IPsec in transport mode + GIF tunnel + bridge w/GIF interface+LAN. Though I'd never recommend actually doing that in production… you will have far more headaches trying to maintain a common layer 2 in two locations than you'd expect (and not because of pfSense... it's just a bad idea in general)
  • Dual internet but want mail to only go out thru one connection, how?

    Locked
    15
    0 Votes
    15 Posts
    3k Views
    P
    For the benefit of newbies reading this and other threads, it can't hurt to restate this. When a client (mail programme, browser…) connects out to a server offering a service at a well-known port number, then the client uses an ephemeral port number (gets given any old port number from a temporary range - http://en.wikipedia.org/wiki/Ephemeral_port). The destination is the well-known port number (e.g. SMTP 25, HTTP 80, HTTPS 443… - http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers). When making rules to let clients out to a particular service, you generally need a pass rule on the interface where the source address is like: Source address: IP/s of the clients Source port: any Destination address: IP/s of the server Destination port: well-known port number (you can usually pick this from the dropdown list in the GUI) and for easy maintenance and readability of your rules, make aliases for groups of IP addresses (and special port ranges, URLs that you need to reference…) and use the alias names in firewall rules.
  • LAGG child interfaces running at wrong speed?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    stephenw10S
    There is a similar discussion here: http://forum.pfsense.org/index.php/topic,50444.0.html In that case it's setting MTU rather than connection speed. It ended in a horrible hack.  ;) Also here: http://forum.pfsense.org/index.php/topic,50563.0.html Steve
  • Max Mac Count

    Locked
    20
    0 Votes
    20 Posts
    7k Views
    stephenw10S
    Here's a second opinion from a few years ago: http://freebsd.1045724.n5.nabble.com/Maximum-ARP-Entries-td4017394.html Steve
  • MOVED: Where in the script does the pass-through-mac occur?

    Locked
    1
    0 Votes
    1 Posts
    973 Views
    No one has replied
  • DHCP client renewal period & WAN

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C
    @wallabybob: Ask your ISP. It is the DHCP server that assigns the DHCP lease time. This. If you're renewing every 150 seconds, you're getting a 300 second lease. Our dhclient follows the RFC the same as every DHCP client, renewing at half the lease length.
  • Bandwidth problem

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    E
    @kishore: text Did you check the cables, switches, and other external stuff such as routers, repeaters etc? Maybe something is running in half duplex or a switch has limitations, uses 10Mb or is overloaded etc? I would look outside your firewall first since your hardware is clearly capable. Also, if you are using old network cards or brands such as realtek (not Intel) you may want to check that these work correctly and that you have a good and working driver. Some network cards use other manufacturers' circuits (typically realtek) and may have problems. I am not saying that no other NICs than Intel work or work good (they do!) but I have run into weird problems a couple of times when the cards did not "work" properly. There are some threads about some of these issues I believe. If you can, try to replace a card for an Intel card (the cheapest desktop pci-cards for example, these work good and have a long life time) and see if the problem is still there. Sometimes you need to fiddle with the drivers and parameters. Did you google the card name? /E
  • Error 64 Host Down

    Locked
    24
    0 Votes
    24 Posts
    8k Views
    H
    It's 112.0.0.0/5  to  ..*.0/29 actually it's my mistake that the subnet mask I put was wrong  ;) I don't know how it happened but now the problem is solved. Hemant
  • Warning mails

    Locked
    1
    0 Votes
    1 Posts
    818 Views
    No one has replied
  • Opt 1 interface not communicating with the internet

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    stephenw10S
    Well for example a minimum set of rules to allow clients on OPT1 to have web access: Source OPT1 subnet, port any, destination any, port 80. This will allow traffic out to port 80, HTTP. You also need to allow access to the pfSense DNS forwarder: Source OPT1 subnet, port any, destination OPT1 address, port 53. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.