• Adding a new package that's not on the available list

    Locked
    9
    0 Votes
    9 Posts
    3k Views
    jimpJ
    Yeah if it's going to stay broken it should probably be disabled.
  • Pfsense 2.0 usage

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    jimpJ
    2.0 (RC3 now) should be just fine for the vast majority of people to use in production. There are still a few open issues, but less every day, and many of those are things that only affect a small number of people.
  • 0 Votes
    3 Posts
    1k Views
    J
    Why is it just for this topology? Clients connecting via the WAN interface show up with their normal IP.
  • Data Usage Graphs - Looking For Suggestions

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    1. Update to a current snapshot, not RC1 2. ntop works fine, you just have to select the interface (Diagnostics > ntop settings) and save the settings before it will work the first time. Also it runs on tcp port 3000 not the same port as the webgui so you may need to adjust your firewall rules to see it if you're coming in remotely.
  • Greetings, and a Question

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    stephenw10S
    Well it's a matter of matching your hardware with your bandwidth requirements. There is a page documenting this here though it's a bit dated now. Adding virus scanning will increase the hardware requirement considerably. I don't have any figures for you unfortunately.  :( Steve
  • Windows File Sharing DMZ -> LAN Working *Sometimes*??

    Locked
    23
    0 Votes
    23 Posts
    14k Views
    S
    Hi, I've the same problem too. The only difference is that LAN is a bridged network in order to allow wi-fi connections. In my case if I go through WLAN then I can reach the samba server in dmz but I'm unable from eth0. No rules in the WLAN/ETH interfaces. In wireshark I can see dmz traffic in reply to lan requests but the service always asks for a password. Samba server has its own dns server, no dhcp. No problem through openvpn too. I'm able to connect on the same server via ssh, vnc, http… pfsense ver is yesterday's build. Thank you for the help.
  • Help with pfsense and active directory please

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    C
    @alchemyst: What I would like to know is, through pfsense can I setup rules per user or per group as defined in active directory? Also can pfsense report internet usage, data sent/received, sites visited, etc per user in active directory rather than IP based? No to both. You're looking for more of a proxy server than a firewall. The Squid package can do some of that, offhand I'm not sure how much.
  • Can't access managed switch web ui (re: "simple?" VLAN question)

    Locked
    11
    0 Votes
    11 Posts
    11k Views
    S
    Yeah, it just seems odd. Why am I getting a "Destination Host Unreachable" message though?  It seems like it's reachable but I would expect the switch web interface to just not respond.
  • Cant connect to internet or webgui through wifi ? please help

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    stephenw10S
    Do you have 'block private networks' checked? I take it there's nothing in the firewall logs? You have checked the network settings received by the laptop are correct? What is the wifi card you are using? Can you see the laptop associating and being issued an IP in the system log? Steve
  • Secondary address space on the WAN interface (different gateway)

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    C
    Gateway B has the same MAC as gateway A so it only has to use gateway A. If B were on a different router from A, you'd have issues as currently configured, in that case you'd just set it up as a second Internet connection on a separate interface (as that's what it would be).
  • Using PF 2.0 as load-balancer/high-availability only

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    In general, yes that's doable. How depends on specifics, in typical Internet load balancer scenarios the original source IP is retained and passed onto the internal server, but that may break routing in a LAN environment depending on the location of clients and servers, requiring a different type of config or outbound NAT to translate the source IP (as with the original source IP, the server will probably reply direct back to the client, which will break the TCP connection).
  • Weired spikes in upload on pfSense v1.2.3 - How to trace it?

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    C
    That's normal NTP traffic to pool.ntp.org hosts, which are all over the place. Your outbound spikes aren't the NTP though, get a packet capture and use Wireshark's analysis to see what that is.
  • CPU usage during solid throuput

    Locked
    8
    0 Votes
    8 Posts
    2k Views
    Z
    @jimp: Are you sure that was "top -SH"? It should have shown you the kernel threads using that cpu. Next you could try: systat -vmstat See what is firing off those interrupts. Think the last post was just top
  • WebInterface Port reset

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    jimpJ
    On the console, choose the option to reset the LAN IP. When doing that, it offers to reset the webgui port/protocol.
  • The Book of All

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    jimpJ
    We're working on a book for 2.0 but we need to get 2.0 out first. Lots of things changing, hard to document a moving target. The closer we get to a release, the less things change, the easier it gets to document. So there will be a new 2.0 book, we just need time to write it! :-)
  • [SOLVED] ROOT MOUNT ERROR - When booting up system from RAID

    Locked
    6
    0 Votes
    6 Posts
    9k Views
    S
    Solved it. I forgot to rename the driver. It was named rr26xx-8.0.ko and it has to be named rr26xx.ko. Thanks to everyone. Shutdown problem was fixed when I updated to the latest BETA version. RC1 -> 2011-06-15 RC2
  • IPTV, Web, VLC connection setup question

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Settings PfSense as visitors wifi perimeterfirewall

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    L
    Well, the physical interfaces on the switch that you are using need to reference the vlans you're using otherwise it will junk the traffic.  If you had access point one (upper left corner on the diagram) plugged into port 1 on your switch, port 1 would have to be set to understand tagged vlan 1 and 20 (since you're using them as multi-access points). All the other access points will be pretty much configured the same. When you get to the firewalls though, since it will be easier not referencing vlan traffic on the interfaces going to the firewall, it will assume all traffic in or out of that interface is meant to be stripped of all headers of vlan. If you had the "corporate" firewall on port 10, all traffic on that port would just be untagged for vlan 1. The "perimeter firewall", if it were attached to port 11, would have a similar setup to the internal firewall.  You're looking at having port 11 referenced as untagged for the vlan 20.  That way everything going in and out of the switch will be naturally understood as being meant for vlan 20. Easiest way to remember tagged is that all traffic will leave that interface with a vlan header (so if the device doesn't understand vlan headers you won't have any valid traffic for the device to understand) and all traffic coming in on that interface MUST be tagged (otherwise the traffic will get junked by the router/switch device). Untagged is easily referenced as, ANY AND ALL TRAFFIC, regardless of where its destination is, will be converted into tagged traffic for that vlan.  If you use a computer and have crappy hardware, but would like to isolate that client on a vlan, you would have all traffic untagged (so the client computer that doesn't understand vlan tags on the computer can keep working like nothing is there).
  • PfSense right for me?

    Locked
    10
    0 Votes
    10 Posts
    3k Views
    Cry HavokC
    You should still be fine. You may want to consider 1 GB of RAM, or more, just because Squid will work better with more memory to play with. If you've got a 32 bit build then you're limited to 4 GB of RAM (from memory).
  • DNS Rebinding and HTTP_REFERER Checks - Alternate Hostnames.

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.