Yes, two ways at least.  I assume the pfSense machine has a serial port and connects to the switch.  One way is to set up pfSense to enable ssh logins from WAN, then ssh in and use cu to connect to the switch. Another more secure way would be to set up a VPN; once connected via VPN, then ssh in to pfSense and do the same. Any particular reason you want to use a serial line rather than ssh'ing to the switch directly? (you'd need to set up a VPN for this too).

@abadonna: It is set to block both. Remember that anything that causes pfSense to execute the filter_reload process will wipe out the block table. Try this if you want to see if Snort is blocking.  Go to https://www.grc.com/shieldsup and let it scan your IP.  Open two browser tabs:  one to your firewall interface with the Snort ALERTS tab, and one to the link I provided.  As the scan is in progress, periodically refresh the ALERTS tab page.  Look at the BLOCKED tab as well.  You should see the GRC site listed there. Bill

If you run a captive portal you can redirect clients to a web page of your choosing, usually hosted locally, so you can have whatever message you want but obviously users will only see it the first time the try to open a web page. If you want to have messages spontaneously appear on clients devices as they connect to your wifi I think you're out of luck. You would have to send it to some service already running on the clients like netsend for example. That may be possible but it would vary between devices/OSs. It would be very involved to get multiple things working and it would rendered completely ineffective by anyone running any sort of firewall like Windows Firewall, so almost everyone!  ;) Steve

It will get selected as default because it's the most recently defined gateway. However you almost certainly should't have a gateway defined on LAN at all. Steve

Be sure you're not dealing with software firewalls on the devices (like windows firewall, symantec, etc). Check the firewall logs to see if subject traffic is being rejected. (Status->System Logs->Firewall) For more than that we'll need more details.

I couldn't get it to work no matter what settings so I jumped over to OpenVPN and good to go. Impressed with the UserExport package that packages the User Cert and OpenVPN into one installation package.  Worked perfect first time.

That helps. Thanks.

There is not a cert creation script for the CLI at this time. The certs are held in config.xml with the other configuration data.

@j90785859: Thx, it works after i turned on the NAT Reflection. I had the same problem with my mail server, NAT reflection fixed it perfect. -Jamie M.

It was fixed the same day. It's not a vulnerability in the base system, just that one package. Since it was a package, it was simple to fix and people can update their packages and not worry. It's a non-issue anyhow for most, as it only matters if you have untrusted users logging into your GUI and you have given them access to the snort package.

Yep you will see significantly faster throughput in transparent mode. There are a lot less processing steps when you disable NAT, even less when you are bridging. However that still doesn't explain why you are seeing reduced upload speeds. You would normally see no significant reduction in throughput until you hit the limits of the hardware. Steve

A rather strange development with regards to this issue. We had another site go onto Fibre this year and when it went online all 3 of it's Ipsec tunnels were online and well. I compared it side by side with another site that only had 2/3 tunnels up and as far as I could tell they were identical apart from the fact that one of it's redundant Ipsec tunnels (were used for failover in the past but are since redundant) that is disabled had SHA1 and MD5 as authentication methods as well as on the recieving end of the Ipsec the exchange was set to Automatic. I tried replicating that since on the 2/3 firewall but still the same result. Now, even stranger. After about a week or 2 of those 3 tunnels being up it has now only got 2/3 tunnels up itself! Anybody got any suggestions on this strangeness? Oh and I have tried this on 2.1-RELEASE (i386) as well as 2.0-BETA5 (i386

The configuration needs to be managed from the webGUI so that the config is correctly save and applied. Some basic configuration is done from the console menu, to get a system installed to get get yourself out of a hole if you are locked out of the webGUI or… When you login over SSH, you can start the console menu with: /etc/rc.initial The command line is just a FreeBSD TCSH prompt. There is nothing to manage there, but you can monitor FreeBSD, the packet filter state etc if you want to use command line rather than webGUI. It is sometimes useful when tracking down real bugs - but there aren't any of those left in pfSense  ;) The FreeBSD variant of Unix is documented at http://www.freebsd.org/docs.html WARNING: Do not mess around at the command line - you will soon break your system if you don't know what you are doing.

In case you didn't realize the pfSense packages that you load up through the webgui are different to the FreeBSD packages loaded via pkg_add. Loading FreeBSD packages is not really recommended. Mostly they work, especially small stand-alone stuff, but it's also possible to completely break pfSense by accidentally overwriting some component due to a dependency. The command line shell in pfSense, TCSH, is basically a complete FreeBSD shell. Unlike many other *BSD or Linux based firewalls there is no restricted environment with limited ability. This also means there is no easy to work with set of custom commands, though there are some. As such start reading the FreeBSD user guide!  ;) http://www.freebsd.org/doc/en/articles/new-users/index.html Others have made some lists of useful CLI commands in pfSense, for example: https://www.linuxnet.ch/pfsense-important-cli-commands/ I don't recommend using viconfig as listed there unless you're already familiar with vi and it's weirdness!  ;) The ee editor in included for mortals. You can download things directly from the CLI using the fetch command. E.g. fetch -o /tmp http://www.someurl.com/somefile.txt Downloads the file somefile.txt to the /tmp directory. I don't think that's going to help you though. Steve