• PfSense behind router - multiple subnets

    14
    0 Votes
    14 Posts
    8k Views
    R
    Bravo johnpoz for hanging in there. I like nothing more than to help people understand networking - so I sure hope this helps the light bulb turn on for you. Indeed you must.  And I'm sure you helped someperson472034.  I enjoyed reading your networking explanation as well.
  • Pre setup information

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10S
    Yes you can do all of that.

    Q1. If you have firewall rules in place pfSense will route traffic between the subnets. You can access a server at, say, 192.168.3.10 from a machine at 192.168.2.20 by simply entering its IP. No need to bridge the subnets, which would effectively make one big subnet. If you want to access servers by name you can add DNS override entries to allow that. One area that can cause problems here is if you want to browse network shares. Generally the client OS will only look for servers inside its own subnet. If you are running Windows clients and you have a Windows server you can specify the address of that as the WINS server in the DHCP information, which will allow clients to know where to look.

    Q2. Yep, port forwards are easy enough and well documented. https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F

    Q3. Yep, traffic shaping on a per IP basis can be done.

    A better configuration would be to bridge your router so that your public IP is on the pfSense WAN interface. That will, as you say, make port forwarding easier.

    Steve
  • Power Outage gui dhcp problems

    1
    0 Votes
    1 Posts
    669 Views
    No one has replied
  • How to resolve unexplained WAN interface disconnects

    3
    0 Votes
    3 Posts
    1k Views
    R
    I was having an issue where my WAN interface would not stay up.  I switched the WAN interface from em5 to em0 and found the problem was resolved.  Every other time I've plugged anything into em5, same result.  My issue seems to have been simply hardware related. Maybe swap interface assignments and see if you get the same result on the same NIC.  If so, it's most likely hardware related.  If the problem moves to the WAN interface on the new NIC, the problem is probably generated by a conflict between the pf box and the router/modem, or some other ISP setting. At least, that sounds logical to me!  : )
  • ESXi passthrough + DHCP issues

    2
    0 Votes
    2 Posts
    1k Views
    R
    I was able to figure it out.

        pgrep: invalid pid in file '/var/dhcpd/var/run/dhcpd.pid'

    I deleted the contents of this file and restarted DHCP and everything is working now! :)
  • Need help to configure pfsense for Ms Exchange

    4
    0 Votes
    4 Posts
    1k Views
    B
    Not sure exactly what you are asking, but I do know Exchange ActiveSync needs ports 990, 999 and 5678-5679 forwarded to work.  Of course you need ports for SMTP(S) and perhaps POP3(S) and/or IMAP(S) opened.  Also a submission port if you use that. You will need port 443 forwarded if you use OWA.
  • New AP set up today - now getting DNS-rebind attack warnings.

    6
    0 Votes
    6 Posts
    2k Views
    B
    Not sure if this will help, but I had a similar issue on my Asus router. In the dnsmasq custom config I had to put these settings to make the error stop:

        rebind-domain-ok=/yourdomain.com/
        server=/yourdomain.com/xxx.xxx.xxx.xxx    (this is your local dns server ip)
        server=//xxx.xxx.xxx.xxx                  (this is your local dns server ip)

    Obviously make the correct changes and leave my comments out.
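    The guard behind that warning, as an added example that is not from the post, from dnsmasq or from pfSense: a resolver with rebind protection drops upstream answers that map a name to a private, loopback or link-local address, because a browser that trusts such an answer can be steered at devices on the LAN; names under the operator's own zone are exempted, which is what the rebind-domain-ok line above does. "yourdomain.com" and the sample answers are placeholders constructed for this example.

```python
import ipaddress

REBIND_DOMAIN_OK = ("yourdomain.com",)   # stand-in for rebind-domain-ok=/yourdomain.com/


def in_trusted_domain(name, trusted=REBIND_DOMAIN_OK):
    """Exact match or a subdomain of a trusted zone; a zone name used as a
    prefix (yourdomain.com.attacker.test) does not qualify."""
    name = name.rstrip(".").lower()
    return any(name == zone or name.endswith("." + zone) for zone in trusted)


def is_internal_address(ip):
    """Addresses that must never come back for a name outside the LAN."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_unspecified)


def filter_answer(name, ip, trusted=REBIND_DOMAIN_OK):
    """Decide one A/AAAA answer; returns (accept, reason)."""
    if not is_internal_address(ip):
        return True, "public address"
    if in_trusted_domain(name, trusted):
        return True, "internal address permitted by rebind-domain-ok"
    return False, "possible DNS rebind: internal address for untrusted name"


def rejected_answers(answers, trusted=REBIND_DOMAIN_OK):
    """Names whose answers the guard drops; these are what the warning reports."""
    return [name for name, ip in answers if not filter_answer(name, ip, trusted)[0]]


# Constructed sample answers, not captured traffic.
SAMPLE_ANSWERS = [
    ("ap.yourdomain.com", "192.168.1.50"),            # the new AP in the local zone: accepted
    ("www.example.com", "93.184.216.34"),             # public answer: accepted
    ("yourdomain.com.attacker.test", "192.168.1.1"),  # zone name used as a prefix: dropped
    ("login.attacker.test", "127.0.0.1"),             # loopback for an outside name: dropped
    ("nas.yourdomain.com", "fd00::1"),                # IPv6 ULA in the local zone: accepted
]

if __name__ == "__main__":
    for name, ip in SAMPLE_ANSWERS:
        print(name, ip, filter_answer(name, ip))
```

    Adding the local zone to the allowlist is the right fix only when the answers come from a resolver you run; allowlisting a zone you do not control turns the guard off for exactly the names an attacker would register.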
  • CLI menu on SSH ?

    6
    0 Votes
    6 Posts
    17k Views
    jimpJ
    Normally the admin user is always locked into /etc/rc.initial as its shell. If it doesn't come up, then either someone manually edited the code or the passwd file to change the shell, or otherwise changed the .*rc files in /root, or maybe the passwd database has become corrupt in some way. Often just an edit/save action on the admin user in the GUI is enough to fix things up, assuming the pfSense code was not modified. In other cases the passwd database has to be manually rebuilt using "pwd_mkdb -p /etc/master.passwd" or similar.
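    An audit for the condition jimp describes, as an added example that is not pfSense code: read a master.passwd-style file (FreeBSD layout name:passwd:uid:gid:class:change:expire:gecos:home:shell) and report accounts whose login shell is no longer the one the platform locks them to, plus lines pwd_mkdb would refuse. The sample file is constructed for this example; only the admin entry's /etc/rc.initial comes from the post.

```python
EXPECTED_SHELLS = {"admin": "/etc/rc.initial"}   # from the post; extend per host

# Constructed sample, not a real system: admin has been given a real shell
# and one line is corrupt.
SAMPLE_MASTER_PASSWD = """\
# comments and blank lines are skipped
root:*:0:0::0:0:Charlie &:/root:/bin/csh
admin:$6$placeholder:0:0::0:0:System Administrator:/root:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
this line is corrupt
"""


def parse_master_passwd(text):
    """Return (entries, malformed): entries maps user -> (uid, shell);
    malformed lists the 1-based line numbers that do not have ten fields."""
    entries, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10 or not fields[2].isdigit():
            malformed.append(lineno)
            continue
        entries[fields[0]] = (int(fields[2]), fields[9])
    return entries, malformed


def audit_shells(text, expected=EXPECTED_SHELLS):
    """Findings as (kind, user, detail) tuples:
       ('malformed', None, lineno)  a line pwd_mkdb would reject
       ('missing', user, None)      an expected account is absent
       ('shell', user, actual)      a locked-down account's shell was changed"""
    entries, malformed = parse_master_passwd(text)
    findings = [("malformed", None, lineno) for lineno in malformed]
    for user, shell in expected.items():
        if user not in entries:
            findings.append(("missing", user, None))
        elif entries[user][1] != shell:
            findings.append(("shell", user, entries[user][1]))
    return findings


if __name__ == "__main__":
    for finding in audit_shells(SAMPLE_MASTER_PASSWD):
        print(finding)
```

    A 'shell' finding for admin means either the tampering jimp mentions or a corrupt database; the post's remediation is an edit/save of the admin user in the GUI, or rebuilding the database with "pwd_mkdb -p /etc/master.passwd".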
  • MOVED: Questions about rules

    Locked
    1
    0 Votes
    1 Posts
    508 Views
    No one has replied
  • Squidguard and ldap

    1
    0 Votes
    1 Posts
    877 Views
    No one has replied
  • Pfsense version in configuration

    9
    0 Votes
    9 Posts
    3k Views
    E
    What you're talking about sounds perfect. I don't have a development environment at home, but I'll see if this is something I can pull off. Thanks for your input.
  • WAN firewall rules allowing UDP 500 & ESP

    5
    0 Votes
    5 Posts
    2k Views
    N
    thanks jim
  • Another PFSense+FreeNAS argument

    36
    0 Votes
    36 Posts
    16k Views
    johnpozJ
    I run VMs at home - and I am against such a joining as well.  Don't see any reason that makes sense.  It makes more sense to just fire up a VM and use an OS/distro geared towards being a NAS vs using my firewall to provide my storage. I just cannot see a reason why anyone would do or want such a thing, to be honest. If they want such a box maybe they should look to something like http://www.clearfoundation.com/Software/overview.html which is one of those do-everything distros - acts as your gateway while also being your storage, LDAP, email server, etc., etc. Just because pfSense and FreeNAS share a common core OS, FreeBSD, does not mean they need to join forces ;)
  • Odd log messages - Need a pair of eyes

    3
    0 Votes
    3 Posts
    1k Views
    jimpJ
    Someone was trying to run a SIP attack against you. The pf log parser gets enough data that can be parsed through tcpdump that the actual body of the packets was getting decoded. If you have a SIP server, you might want to make sure it's adequately protected in terms of rules, passwords, access, etc. If you don't have a SIP server, this may have been a random scan/attack that just happened to hit you. It's very common for such things to be seen sweeping the Internet looking for SIP servers to exploit. When they find an open one they'll burst a ton of pay calls through it. We've heard of people getting 5 and 6 digit dollar amount bills from improperly protected SIP services.
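    Detection logic for the pattern jimp describes, as an added example that is not pfSense's log parser: an outside host spraying SIP requests at the firewall and walking through extensions. The records are constructed decoded packets (source, destination port, UDP payload) in the shape a tcpdump-based parser would hand over, not the poster's logs; 203.0.113.5 is a hypothetical WAN address and "friendly-scanner" a hypothetical User-Agent string.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

SIP_METHODS = {"REGISTER", "INVITE", "OPTIONS", "SUBSCRIBE", "ACK", "BYE", "CANCEL"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")


def parse_sip_request(payload):
    """Method, target user and User-Agent of a SIP request, or None."""
    lines = payload.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match or match.group(1) not in SIP_METHODS:
        return None
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    user = match.group(2).split(":", 1)[1].split("@", 1)[0]
    return {"method": match.group(1), "user": user,
            "user_agent": headers.get("user-agent", "")}


def find_sip_scanners(records, local_nets, min_users=3):
    """Group SIP requests to port 5060 by external source. A source is
    reported once it has probed min_users distinct extensions, the
    enumeration step that precedes a credential-guessing run."""
    nets = [ip_network(n) for n in local_nets]
    by_src = defaultdict(lambda: {"requests": 0, "methods": set(),
                                  "users": set(), "user_agents": set()})
    for rec in records:
        if rec["dport"] != 5060 or any(ip_address(rec["src"]) in n for n in nets):
            continue
        req = parse_sip_request(rec["payload"])
        if req is None:
            continue
        summary = by_src[rec["src"]]
        summary["requests"] += 1
        summary["methods"].add(req["method"])
        summary["users"].add(req["user"])
        if req["user_agent"]:
            summary["user_agents"].add(req["user_agent"])
    return {src: s for src, s in by_src.items() if len(s["users"]) >= min_users}


def sip_packet(method, user, ua="friendly-scanner"):
    """Build a constructed SIP request payload for the sample records."""
    return (f"{method} sip:{user}@203.0.113.5 SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK-1\r\n"
            f"From: \"{user}\"<sip:{user}@203.0.113.5>\r\n"
            f"To: \"{user}\"<sip:{user}@203.0.113.5>\r\n"
            f"User-Agent: {ua}\r\n"
            f"Content-Length: 0\r\n\r\n")


# Constructed sample: one outside host probing three extensions, one LAN
# phone registering normally, one outside packet that is not SIP at all.
SAMPLE_RECORDS = [
    {"src": "198.51.100.7", "dport": 5060, "payload": sip_packet("OPTIONS", "100")},
    {"src": "198.51.100.7", "dport": 5060, "payload": sip_packet("REGISTER", "100")},
    {"src": "198.51.100.7", "dport": 5060, "payload": sip_packet("REGISTER", "101")},
    {"src": "198.51.100.7", "dport": 5060, "payload": sip_packet("REGISTER", "102")},
    {"src": "192.168.1.20", "dport": 5060, "payload": sip_packet("REGISTER", "201", "DeskPhone/1.0")},
    {"src": "198.51.100.9", "dport": 5060, "payload": "GET / HTTP/1.1\r\n\r\n"},
]

if __name__ == "__main__":
    for src, summary in find_sip_scanners(SAMPLE_RECORDS, ["192.168.1.0/24"]).items():
        print(src, summary)
```

    With no SIP server behind the firewall the hits are noise that the default-deny WAN policy already drops; with one, the sources this reports are the ones to rate-limit or block before they reach the credential-guessing stage.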
  • Certain websites become inaccessible

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ
    Well yeah, when the sites are accessible it's a given you must have been able to do a DNS query for them - I would have been more interested when they were not working ;) So was snort blocking access to the site, or the DNS query? Any sort of IPS/IDS is going to take loads of configuration and work to make it a viable product - if you think you can just click click and install something like snort and not have to spend quite a bit of time adjusting the rules and working out false positives, then no, snort is not for you.
  • Traffic graph with IPs, no sorting

    5
    0 Votes
    5 Posts
    1k Views
    B
    Any news on this?
  • Add WAN IP to hosts file?

    1
    0 Votes
    1 Posts
    816 Views
    No one has replied
  • Allow access to more then one OpenVPN configuration

    1
    0 Votes
    1 Posts
    653 Views
    No one has replied
  • MOVED: Dell R210 in the pfSense Store

    Locked
    1
    0 Votes
    1 Posts
    649 Views
    No one has replied
  • Corrupt State Table?

    5
    0 Votes
    5 Posts
    1k Views
    O
    I only show a 10gb hdd, cdrom drive.  Guess wipe and reload it is.

    $ dmesg
    Copyright (c) 1992-2010 The FreeBSD Project.
    Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
    FreeBSD is a registered trademark of The FreeBSD Foundation.
    FreeBSD 8.1-RELEASE-p6 #1: Mon Dec 12 18:18:02 EST 2011
        root@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense.8 i386
    link_elf: symbol HgfsDebugPrintVattr undefined
    KLD file vmhgfs.ko - could not finalize loading
    Timecounter "i8254" frequency 1193182 Hz quality 0
    CPU: Intel Pentium III (701.60-MHz 686-class CPU)
      Origin = "GenuineIntel"  Id = 0x683  Family = 6  Model = 8  Stepping = 3
      Features=0x383f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
    real memory  = 167772160 (160 MB)
    avail memory = 140472320 (133 MB)
    netisr_init: forcing maxthreads to 1 and bindthreads to 0 for device polling
    wpi: You need to read the LICENSE file in /usr/share/doc/legal/intel_wpi/.
    wpi: If you agree with the license, set legal.intel_wpi.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (wpi_fw, 0xc0988300, 0) error 1
    ipw_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
    ipw_bss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (ipw_bss_fw, 0xc0789340, 0) error 1
    ipw_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
    ipw_ibss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (ipw_ibss_fw, 0xc07893e0, 0) error 1
    ipw_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
    ipw_monitor: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (ipw_monitor_fw, 0xc0789480, 0) error 1
    wlan: mac acl policy registered
    kbd1 at kbdmux0
    ACPI Error: A valid RSDP was not found (20100331/tbxfroot-309)
    ACPI: Table initialisation failed: AE_NOT_FOUND
    ACPI: Try disabling either ACPI or apic support.
    cryptosoft0: <software crypto> on motherboard
    padlock0: No ACE support.
    pcib0: <Host to PCI bridge> pcibus 0 on motherboard
    pir0: <PCI Interrupt Routing Table: 9 Entries> on motherboard
    pci0: <PCI bus> on pcib0
    agp0: <VIA 82C691 (Apollo Pro) host to PCI bridge> on hostb0
    agp0: aperture size is 64M
    pcib1: <PCI-PCI bridge> at device 1.0 on pci0
    pci1: <PCI bus> on pcib1
    vgapci0: <VGA-compatible display> port 0xc000-0xc0ff mem 0xd4000000-0xd4ffffff,0xd6000000-0xd6000fff irq 11 at device 0.0 on pci1
    isab0: <PCI-ISA bridge> at device 7.0 on pci0
    isa0: <ISA bus> on isab0
    atapci0: <VIA 82C596B UDMA66 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xd000-0xd00f at device 7.1 on pci0
    ata0: <ATA channel 0> on atapci0
    ata0: [ITHREAD]
    ata1: <ATA channel 1> on atapci0
    ata1: [ITHREAD]
    uhci0: <VIA 83C572 USB controller> port 0xd400-0xd41f irq 10 at device 7.2 on pci0
    uhci0: [ITHREAD]
    usbus0: <VIA 83C572 USB controller> on uhci0
    pci0: <bridge, HOST-PCI> at device 7.3 (no driver attached)
    dc0: <ADMtek AN985 10/100BaseTX> port 0xd800-0xd8ff mem 0xd9000000-0xd90003ff irq 11 at device 16.0 on pci0
    miibus0: <MII bus> on dc0
    ukphy0: <Generic IEEE 802.3u media interface> PHY 1 on miibus0
    ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
    dc0: [ITHREAD]
    dc1: <ADMtek AN985 10/100BaseTX> port 0xdc00-0xdcff mem 0xd9001000-0xd90013ff irq 12 at device 17.0 on pci0
    miibus1: <MII bus> on dc1
    ukphy1: <Generic IEEE 802.3u media interface> PHY 1 on miibus1
    ukphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
    dc1: [ITHREAD]
    dc2: <ADMtek AN985 10/100BaseTX> port 0xe000-0xe0ff mem 0xd9002000-0xd90023ff irq 5 at device 18.0 on pci0
    miibus2: <MII bus> on dc2
    ukphy2: <Generic IEEE 802.3u media interface> PHY 1 on miibus2
    ukphy2:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
    dc2: [ITHREAD]
    cpu0 on motherboard
    pmtimer0 on isa0
    atrtc0: <AT realtime clock> at port 0x70-0x71 irq 8 pnpid PNP0b00 on isa0
    atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 irq 1 pnpid PNP0303 on isa0
    atkbd0: <AT Keyboard> irq 1 on atkbdc0
    kbd0 at atkbd0
    atkbd0: [GIANT-LOCKED]
    atkbd0: [ITHREAD]
    unknown: <PNP0c01> can't assign resources (memory)
    uart0: <16550 or compatible> at port 0x3f8-0x3ff irq 4 flags 0x10 pnpid PNP0501 on isa0
    uart0: [FILTER]
    fdc0: <Enhanced floppy controller> at port 0x3f2-0x3f5,0x3f7 irq 6 drq 2 pnpid PNP0700 on isa0
    fdc0: [FILTER]
    fd0: <1440-KB 3.5" drive> on fdc0 drive 0
    ppc0: <ECP parallel printer port> at port 0x378-0x37f,0x778-0x77a irq 7 drq 3 pnpid PNP0401 on isa0
    ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
    ppc0: FIFO with 16/16/16 bytes threshold
    ppc0: [ITHREAD]
    ppbus0: <Parallel port bus> on ppc0
    plip0: <PLIP network interface> on ppbus0
    plip0: [ITHREAD]
    lpt0: <Printer> on ppbus0
    lpt0: [ITHREAD]
    lpt0: Interrupt-driven port
    ppi0: <Parallel I/O> on ppbus0
    uart1: <16550 or compatible> at port 0x2f8-0x2ff irq 3 pnpid PNP0501 on isa0
    uart1: [FILTER]
    orm0: <ISA Option ROM> at iomem 0xc0000-0xc7fff pnpid ORM0000 on isa0
    sc0: <System console> at flags 0x100 on isa0
    sc0: VGA <16 virtual consoles, flags=0x300>
    vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
    unknown: <PNP0c01> can't assign resources (memory)
    Timecounter "TSC" frequency 701596286 Hz quality 800
    Timecounters tick every 1.000 msec
    IPsec: Initialized Security Association Processing.
    usbus0: 12Mbps Full Speed USB v1.0
    ad0: 9541MB <Seagate ST310216A 3.01> at ata0-master UDMA66
    ugen0.1: <VIA> at usbus0
    uhub0: <VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usbus0
    uhub0: 2 ports with 2 removable, self powered
    acd0: CDROM <CD-ROM 52X AKH T5A> at ata1-slave UDMA33
    Trying to mount root from ufs:/dev/ad0s1a
    ovpns1: link state changed to UP
    pflog0: promiscuous mode enabled
    load_dn_sched dn_sched FIFO loaded
    load_dn_sched dn_sched QFQ loaded
    load_dn_sched dn_sched RR loaded
    load_dn_sched dn_sched WF2Q+ loaded
    load_dn_sched dn_sched PRIO loaded
    dc0: promiscuous mode enabled
    WARNING: pseudo-random number generator used for IPsec processing
    dc0: promiscuous mode disabled
    dc0: promiscuous mode enabled
    dc2: link state changed to UP

    and

    $ ls /dev
    ...
    ad0
    ad0s1
    ad0s1a
    ad0s1b
    ...
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.