Just need to create a NAT rule from where you want to access your Server (WAN-OPT) to where the server resides (LAN) [image: natrule80.PNG] [image: natrule80.PNG_thumb]

yes…i noticed mine doing it again. i switched out NICs to make sure that wasnt it. i am going to update this weekend after i do a switch over

In a BSDCON conference a few years ago, one of the developers mentioned that pfsense is used by a major Dutch retail company for VPN (100s of VPN site2site links) Central remote management of pfsense nodes has been discussed for years (check threads in bounty sub-forum). It seems one called pfCenter is in the works by the core developers. [image: 353024071%2525281%252529.jpg]

Policy routing breaks this at times. Though it depends even on what snap you ar eon.

@Bill48105: Howdy, Did you set the time zone under System: General Setup? And when you say time stamps are you sure you aren't looking at when they expire? http://doc.pfsense.org/index.php/DHCP_Leases Bill Of course, it was set to "America/Phoenix"; I have tried setting it to "MST" to see if that makes any difference. (If you don't know, we don't do daylight savings here, so it's UTC-7 year-round.) And the times I quote are the start times, not the end times. Will post if setting to "MST" makes a difference, but I probably won't know until tomorrow night when I have some new users on the system. (This is the main NAT/firewall for a motel's wi-fi network.) Let me know if you have any other suggestions in the mean time, and thanks again! Mike

Just remember, when you run into problems in future and post looking for help, mention what you've done. It is entirely possible that your problems may be linked to the changes you've made doing this.

no idea ? ???

I have noticed the same thing using the 32 bit build (yesterday's date). It only happens with a multi-wan connection and an internal routing switch. Again with PPTP the only way I can get around this is by adding the pptp addresses as a proxy arp address in the pfsense box. Shouldn't have to do this IMO. Is this a bug?

Thanks!

A TCP connection (say to send an email) has a special sequence to establish a connection and a special sequence to teardown a connection. A flow is a data structure describing data transfer within a connection. It will normally have at least source IP, source port, destination IP and destination port. Thus a connection has two associated flows (because data can travel in both directions). Simplified firewall processing - packet arrival at firewall Is there a flow for this packet? Yes - forward the packet. No - Is this a connection setup?     No - discard packet     Yes - Does this connection setup match an ALLOW rule for this interface?         No - discard packet         Yes - create flow for this direction of data transfer,             create flow for reverse direction of data transfer,             forward connection setup @broncoBrad: His computer is on LAN which has the standard allow LAN to any rule. As first rule on the interface I add a BLOCK rule to LAN to block access FROM his computer TO game servers in peak times. Any access from other computers doesn't match that rule and falls into the LAN default rule allowing access. Why is it "FROM" (i.e. Source) and "TO" (i.e. Destination) on the LAN interface? I guess what I'm saying is if you're looking at when it arrives at the firewall I thought it was only coming into the LAN thus the rule doesn't make any sense, but if it's both going in and out then the rule makes sense. So instead of just doing a Destination rule to your son's computer (which would allow his attempts out to the internet, WAN), but be blocked on the way back in, you stop it from even going out the LAN, correct? The simplified firewall processing description says the firewall rules are consulted only on an attempt to setup a connection and if that attempt is allowed then the "back traffic" to the initiator of the connection is also allowed. The firewall rules apply to connection setup attempts. If my son wants to have a conversation with his games servers the firewall will see on the LAN interface a connection setup attempt FROM his computer TO a games server. If the firewall allows that connection attempt (and the target accepts it) then all traffic (both directions) on that connection is allowed.

Thank you, it works !

Use this to show valid engines: # openssl engine (cryptodev) BSD cryptodev engine (padlock) VIA PadLock (no-RNG, no-ACE) (dynamic) Dynamic engine loading support You probably want "cryptodev" as the engine. That's where the OS hooks into crypto devices generally.

ah ok, but where I save my wpa key if the secret share is for the client auth?

"…the wai-ait-ing...is the hardest part..." [image: Petty_Tom_1.jpg] [image: Petty_Tom_1.jpg_thumb]