• Easier to Upload New Config File Most of the time

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    Thanks hoba. I always keep a copy of the original "last known good" config file just in case I screw up the config file. Of course worst case scenario is a short truck roll, reinstall from scratch, upload last known good config, and we are back in business. I am really enjoying working with pfSense. Next project is going to be another NIC with auto-failover to our secondary WAN. If I can get that figured out properly, then it will be time to go redundant… Another pfSense box next to our existing gateway catching automatic backup of the existing, and CARP failover to it. I am sure I will have a question or two once I get into that, lol. You guys are doing a great job! I have recommended pfSense to quite a few other operators out there. Please keep up the support.
  • Messenger (msn) messages have a delay up to 30 minutes?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Quota Limit / Alarm on Certain Traffic

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    You could use the captive portal with radius accounting for this. Other option is to use the bandwidthd package or something external that receives information from the pfflowd-package. Search the forum, this has actually been discussed a lot and solutions are around.
  • New installation

    Locked
    15
    0 Votes
    15 Posts
    4k Views
    finally now it is working with this config. tried a lot on NAT outbound + virtual ip then worked. thanks for helping.
  • No connection possible from LAN to WAN

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    Good to hear it's working now  :D
  • RRD Graphing - Can we define a custom date range through the GUI?

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    Hi fredde, Thanks for the tip.  No - I hadn't looked at that because it seems like there is already a database within pfSense which tracks this information… the RRD graphs must be getting their data from somewhere. Your suggestion does allow one to see daily summaries which is cool, but all I really want to do is to define a custom period to view the existing RRD traffic graph output - ie. Feb 21 - March 21... possible? -- Phob
  • Moving from ipcop to pfsense [DONE]

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    What a great piece of software! I moved last night to pfsense, and no problems at all. Everything is working perfectly. I could solve my "routing" problems. OpenVpn works like a champ …. Many thanks to frewald. Hardware: Asus P5M2-M, Intel Core2Duo 6320 1,86GHz, 2GB DDR2 667 ECC, 3ware 9650 SATA Raid, 2 Samsung 250GB Raid1, 2 Broadcom Gigabit Nic's, 2 Intel Gigabit Nic's. Can't wait to get my 10Mbit fibre line....
  • I am behind a firewall

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    Not sure if your provider offers IAX instead of SIP. IAX is much more likely to work behind firewalls/NAT (are you absolutely sure that you only have these 2 ports open? that really sucks). Maybe just download a softclient using IAX to test if they offer it. If that works you might be able to set up an asterisk server that is linked to the other server through IAX and register your hardphones with SIP at your local asterisk.
  • New Feature Idea: Comments

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    diagnostics>states in the gui or, for a more dynamic view, like already pointed out by ermal, pftop from the shellmenu.
  • Why should I choose pfsense over an appliance. Example: Edimax BR-6624

    Locked
    7
    0 Votes
    7 Posts
    7k Views
    I changed a simple home router (speedtouch) to pfsense just because I wanted lower ping on gaming and I did get it from 40~50 to 20~30 ms. I have one box running 24/7/365 (had a 1.0.1 version with 117 days of uptime); I am using the new release now. It's more flexible and if the hardware fails you can have it running in less than an hour again with the same config.
  • PPPoE Dropping on wireless network

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    Btw, PPTP is encrypted whereas PPPoE is not. FWIW it's more secure using PPTP.
  • Pfsense box died tonight - help with diagnosis

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    Maybe just resetting the modem would have helped?
  • Router - pfsense - servers

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    Since your router can't do DHCP spoofing/Half-Bridge mode, I'd change the router's LAN IP to 192.168.0.1/24 and make the Pfsense Wan Interface 192.168.0.2/24.  Then set the DMZ on the router to route all traffic to the pfsense wan interface.  It's not pretty, but I have to use this solution; and I haven't had any problems with the double NAT translation–even with SIP (Voip) which is a pain when it comes to NAT.
  • RRD Graphs in Bridged Mode?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Ssh not working

    Locked
    1
    0 Votes
    1 Posts
    5k Views
    No one has replied
  • VPN/2nd Hard Drive Questions

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    3 Posts
    2k Views
    Ah, found the "half-bridge" mode in the ADSL router – it was called "PPP IP Pass" as opposed to "NAT". I hear it is also called DHCP spoofing. Now if I could only find a cable modem using PPTP that does the same thing. My biggest problem with these SOHO routers is their poor handling of large amounts of states due to memory and cpu limitations. Heavy, continuous loads cause them to slow down and need periodic rebooting, so I want to avoid their routing engines altogether. Cheers, Z
  • Network Structure

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    Then do a double nat. Set the modem in router/nat mode and search for an option called "dmz" or "expedited host" in the modem's webgui. Assign the pfSense WAN IP there and everything will be forwarded to the pfSense. The only things that don't work nicely with such a config are the integrated dyndns client (as pfSense doesn't see its real WAN IP anymore) and maybe IPSEC (unless you configure a different identifier than "my ip address").
  • Rc.conf or other boot scripts… some insight?

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    Hm, I also noticed by accident, thanks to the arse-backwards filesystem (bangs head against desk), that there are two php.ini files - the in-use one actually being in /usr/local/lib/php.ini, and another one in /usr/local/etc/php.ini. Not sure what the purpose of that is, but I'm going to guess that if I reboot after having mistakenly made my boot-time edit to ./etc/php.ini, I may now have my problem sort-of solved. Not one to reboot my gateway on a whim though, so I guess it'll have to wait til the next reboot. =P
  • PfSense for medium business?

    Locked
    9
    0 Votes
    9 Posts
    6k Views
    Good to hear :) Some devices need a reboot or manual arp cache reset when IPs change to new MAC addresses.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.