Sorry to disturb,the problem is resolved.I had to change the dns ip in centos. thanks

i haven't tried modsecurity in months..

Sounds like the first thing I should do is upgrade to 2.0 as it also includes some other features I like the look of.  I could then have the SPA3000 on its own interface and Untangle on its own. Reasons for this config: In the past I've found pfSense to be the best I could get in terms of QOS for VOIP when downloading via torrents and the like. Other QOS works okay but to my mind really struggles with the high jitter that torrent downloading seems to cause. With 3 kids I wanted something that would filter websites. We're actually Untangle partners so have a full license for all their products. So makes more sense to use their web filter than pay extra for Net Nanny or something like that.  I also really like their version of OpenVPN and the absolute ease of installing clients. (I believe this is now also the case with pfSense v2 but haven't tested).  I also use the Anti-virus on Untangle. So I've been running Untangle with high success, but finding my VOIP is suffering. I'm not sure if this is the dodgy RIM my Internet hangs off or not, but I do know that Untangle suffers when I'm downloading via uTorrent.

Yeah if it's going to stay broken it should probably be disabled.

2.0 (RC3 now) should be just fine for the vast majority of people to use in production. There are still a few open issues, but less every day, and many of those are things that only affect a small number of people.

Why is it just for this topology? Clients connecting via the WAN interface show up with their normal IP.

1. Update to a current snapshot, not RC1 2. ntop works fine, you just have to select the interface (Diagnostics > ntop settings) and save the settings before it will work the first time. Also it runs on tcp port 3000 not the same port as the webgui so you may need to adjust your firewall rules to see it if you're coming in remotely.

Well it's a matter of matching your hardware with your bandwith requirements. There is a page documenting this here though it's a bit dated now. Adding virus scanning will increase the hardware requirement considerably. I don't have any figures for you unfortunately.  :( Steve

Hi, I've the same problem too. the only difference is that LAN is bridged network in order to allow wi-fi connections. In my case if i go through WLAN then i can reach the samba server in dmz but i'm unable from eth0. no rules in the WLAN/ETH interfaces. in wireshark i can see dmz traffic in reply to lan requests but service always ask for a password. samba server has its own dns server, no dhcp. no problem trough openvpn too. I'm able to connect on the same server via ssh, vnc, http… pfsense ver is the yesterday's build. thank you for the help. [image: interfaces.png] [image: interfaces.png_thumb] [image: rules_dmz.png] [image: rules_dmz.png_thumb] [image: rules_lan.png] [image: rules_lan.png_thumb]

@alchemyst: What I would to know is, through pfsense can I setup rules per user or per group as definined in active directory? Also can pfsense report internet usage, data sent/received, sites visited, etc per user in active directory rather than IP based? No to both. You're looking for more of a proxy server than a firewall. The Squid package can do some of that, offhand I'm not sure how much.

Yeah, it just seems odd. Why am I getting a "Destination Host Unreachable" message though?  It seems like it's reachable but I would expect the switch web interface to just not respond.

Do you have 'block private networks' checked? I take it there's nothing in the firewall logs? You have checked the network settings received by the laptop are correct? What is the wifi card you are using? Can you see the laptop associating and being issued an IP in the system log? Steve

Gateway B has the same MAC as gateway A so it only has to use gateway A. If B were on a different router from A, you'd have issues as currently configured, in that case you'd just set it up as a second Internet connection on a separate interface (as that's what it would be).

In general, yes that's doable. How depends on specifics, in typical Internet load balancer scenarios the original source IP is retained and passed onto the internal server, but that may break routing in a LAN environment depending on the location of clients and servers, requiring a different type of config or outbound NAT to translate the source IP (as with the original source IP, the server will probably reply direct back to the client, which will break the TCP connection).

That's normal NTP traffic to pool.ntp.org hosts, which are all over the place. Your outbound spikes aren't the NTP though, get a packet capture and use Wireshark's analysis to see what that is.

@jimp: Are you sure that was "top -SH"? It should have shown you the kernel threads using that cpu. Next you could try: systat -vmstat See what is firing off those interrupts. Think the last post was just top    

On the console, choose the option to reset the LAN IP. When doing that, it offers to reset the webgui port/protocol.