Possibly, I have heard of a circumstance once where way too many nc instances get launched and makes that happen. No idea what circumstance that is, i haven't personally seen it.

I'm not experienced with those packages but it seems I heard you can tweak the configurations on Squid and maybe other packages to use less memory but by default they will just keep eating up resources. Maybe a search for configurations of Squid would be helpful.

If you just want to add a rule, check out easyrule.php in 2.0 or in the Dashboard package in 1.2.3. You could probably call that remotely with the right params and do what you need.

Much thanks to those that responded… Changed the networks and of course the routing now just works.. sigh..the bridging bit should have given me a hint... now time to play with the new setup :D strange that even with moderate loading (50% 6meg dsl line) the CPU ...core 2 duo 2.13Gig show 56% utilization... :O guess this is either an error in reporting or a function of beta software... time to head over to the 2.0 forum thanks again guys for the help I shall now be able to retain the small amount of hair left  :D Piers

In an Orange vs Nectarine kind of way, Yes.  Sort of.  Maybe.  Depends on what features you want. They both pass packets. They both do NAT. They both do routing. They "taste" different.

http://www.pfsense.org/index.php?option=com_content&task=view&id=44&Itemid=50

In the git repo, the hw.ata.wc=0 line is still there. Somehow, that isn't staying on a live system. It should have: $ cat loader.conf hw.ata.atapi_dma="0" hw.ata.ata_dma="0" loader_color="YES" hw.ata.wc="0" kern.ipc.nmbclusters="0" beastie_disable="NO" vm.kmem_size="435544320" vm.kmem_size_max="535544320"

Thought I'd reply to this because there was an extra caveat I ran into that might help others with the same problem. In my setup, my WAN interface gets its IP address via DHCP, not PPPoE.  That means that I NAT on the WAN interface, and by default NAT is round-robin.  Adding an ip alias to the WAN interface allowed me to access my DSL modem's web interface, but pfSense started to round-robin NAT on my alias and I started losing connectivity. It is possible to tell pf to NAT only on the main address and not aliases, but pfSense (1.2.x?) does not support the option.  Hopefully there will be GUI support for this option in the future.  Until then, here's how I did it and made it permanent (steps 1 and 4 are only needed on embedded installs): mount filesystem as read-write:  mount -w / vi /etc/inc/filter.inc find the function filter_nat_rules_generate_if and change $tgt = "($if)"; to $tgt = "($if:0)"; 3)save and exit vi 4)remount filesystem as read-only:  mount -r / That changes the NAT rule from something like nat on $wan from 192.168.1.0/24 to any -> (sis1) to nat on $wan from 192.168.1.0/24 to any -> (sis1:0) It's the addition of :0 to the interface name that will tell PF to ignore aliases on the interface and NAT only on the main address. Hopefully somebody else finds this useful. Also, instead of setting up a port redirection on the pfSense router, I configured advanced outbound NAT in a similar way as described in this m0n0wall tutorial: Accessing a DSL or cable modem IP from inside the firewall Seems to be working well.

Hello, more details for throughput: 1x Gb port connected to internet - 100 Mbps conenctivity 1x Gb port to DMZ (dns, email …) 2x Gb port with VLANs connected to internal LAN about 300 users Does anybody have expiriences with similar topology? thx

@rklopoto: I don't HAVE to use the embedded version.  I switched to CF because of a high rate of hard drive failures 3 or 4 years ago.  I'm running desktop hardware, so there is plenty of room for a disk if I wanted to put one in.  Is there a reason I shouldn't be? If you're fine with it, that's fine. Some people like to run packages that just can't be run from CF.

There will be no way to boot CD …. no CD drive .... or usb boot option ... all locked in BIOS. Only way is to get the HDD out ... and then noticeable downtime of the box. But you are right. I will think about grub for some time, but probably leave it in this way.

You're correct, there is no authentication system for authenticating WAN side connections in pfSense.

You are damn right.I can't speak english very well. :'( Thanks

you can still try V2.0 but as we all are stating 2.0 isn't ready for true production environments BUT its can be used but we STRONGLY suggest using 1.2.x, if your ok with taking it into a production environment and testing it and are willing to accept that there may be bugs and potential down time and want to use 2.0 we won't stp you, we just are trying to let you know if you do use 2.0 in a production environment just be ready for things to break and down time to happen with it. now if your looking for an actual firewall appliance perhaps something called endian may fit your needs, but again thats the same basic situation, if you are using a custom machine you run the risk of incompatibilities being there…and the actual appliance will run you from about $150+ depending on what you need...if you need other options there might be other linux based firewalls out there you might be able to try.