2.3.2 is released now, you should be upgrading to the stable release not a snapshot (what this board is for). Post in https://forum.pfsense.org/index.php?board=4.0 if you have question about upgrading to 2.3.2-RELEASE

https://forum.pfsense.org/index.php?topic=115396.msg640607#msg640607 https://forum.pfsense.org/index.php?topic=114877.msg638304#msg638304 use the search function maybe?

Well, after the update to 2.3.2 works perfectly

Just find the bug ticket: https://redmine.pfsense.org/issues/6634 Great!

Yes, I only show the rules on the floating and interface group called Internet. The floating rule show a rule that say ICPM from any, any port, to this firewall accept. Why you say that my floating rule is for deny all my other addresses? If when you put THIS FIREWALL on the destination option it apply for ALL THE INTERFACES. If you see the rules (some ones that are not in use) it show also for each interfaces the same rule. I tested all the variants. I use the same rules in a firewall that have 3 WANs with static IP address and works fine. I  use the same rules in a firewall that have 4 WANs with 2 static IP address and 2 DHCP address, and if I put as default gateway one of the DHCP WAN, i can ping to 3 of 4 WANs, if I put as default Gateway one of the 2 static WAN i just can ping to the 2 static WANs. The order to apply the rules if Im not wrong is from UP to Down (on the screen, pfSense do not show a rule number order) and first apply the floating rules, then the interface groups and then the interfaces. I tested too to delete the rules on the floating, and the interface groups, delete the interface group, and apply the rules in each WAN interfaces, same thing, I only can ping and attend request on a interface that is the default gateway (when it has a DHCP ip address) i doing it in a virtual LAB and is the same thing). What other information is needed to perform an analysis? John Poz if you want i can give you access to the virtual lab to put hand on. Regards and thanks for you invaluable time John [image: interface_group.png] [image: interface_group.png_thumb] [image: interface_inet-telecentro.png] [image: interface_inet-telecentro.png_thumb] [image: interface_inet-fibertel.png] [image: interface_inet-fibertel.png_thumb] [image: interface_inet-free.png] [image: interface_inet-free.png_thumb] [image: interface_inet-vpnht.png] [image: interface_inet-vpnht.png_thumb]

@Derelict: Bonjour is multicast DNS (mDNS). It needs to be forwarded between network segments by something. Thank you man Have the package installed and everything is running now,

@pan_2: Just curious - why not chmod -x ? That should work, too. I prefer to rename though.

@slu: Maybe somebody now the AT command to set that flag with the pfSense? Don't try it yet, maybe this works: https://forum.pfsense.org/index.php?topic=50734.msg270569#msg270569

yes it does domain overrides.  Pfsense runs either unbound which is the default resolver, or you can use the forwarder which is dnsmasq or if you want you can install bind via a package.  Then whatever these applications do is what pfsense can do with them.

TFTP helper work. Thanks. I have one additional questions. TFTP helper bind to IP 127.0.0.1. My public network is /24. IPv4 interface XXX.XXX.XXX.2. Server use tftp boot XXX.XXX.XXX.111 I would like that outgoing IP tftp is XXX.XXX.XXX.111, but IP is XXX.XXX.XXX.2. Outbound NAT rula 127.0.0.0.8 is set to XXX.XXX.XXX.111, bit not work. How can I set outgoing IP to XXX.XXX.XXX.111. IP is added to IP Alias.

I think I may have found my issue: https://doc.pfsense.org/index.php/VirtIO_Driver_Support I am using KVM as my hypervisor, and I an running VirtIO NIC's. I ticked that one freaking check box to disable hardware checksum offloading, and rebooted my pfSense machine and BLAM! Everything is working now. I spent the weekend dicking around with this. HAHA! And it came down to that.

You might try putting this into google: T05.0 3-Critical Comcast Seems to be pertinent results to me.

So i made a fresh install and tested it with 2 other hosts. My results: host1->pfsense 930 Mb/s 75-80% CPU pfsense->host1 940Mb/s  60% CPU host1->host2 (via pfsense as router/NAT) 720Mb/s ~25% CPU on pfsense This looks somewhat better. So, i guess pfsense handles handles forwarding packets not the same way as passing to user space app. The only thing to figure out is cpu usage when using PPP WAN (my test setup had static IP), but i think it should not be much worse. I consider my issue resolved. Thank you all.

MAC spoofing should work fine. Their switch can't tell the difference. Diagnostics > Packet Capture on WAN and set the level of detail to full and check the MAC and IP addresses being sent.

after a week trying i finally made a script to change the wifi password on my SG-2440 from the command line i know its a dirty script but it does do the job its syncs the pfsense graphical interface and its making a html file where the current password is stored. this script runs in the crontab every 23:59 and logs all command to my syslog machine (splunk) the code #!/bin/sh currconfigpwd="`/bin/cat /cf/conf/config.xml |/usr/bin/grep passphrase | /usr/bin/cut -f 2 -d\">\" | /usr/bin/cut -f 1 -d\"<\"`" newpwd="`/bin/cat /dev/urandom | /usr/bin/tr -dc 'a-zA-Z0-9' | /usr/bin/fold -w 8 | /usr/bin/head -n 1`" currwlanconfpwd="`/bin/cat /var/etc/hostapd_ath0_wlan0.conf |/usr/bin/grep wpa_passphrase |/usr/bin/cut -f 2 -d\"=\"`" /bin/echo "change-wifi-password : This script will update the wifi password with 6 random chars." /bin/echo "change-wifi-password : --------------------------------------------------------------" /bin/echo "change-wifi-password : Current wifi password in /cf/conf/config.xml : $currconfigpwd " /bin/echo "change-wifi-password : Current wifi password in /var/etc/hostapd_ath0_wlan0.conf : $currwlanconfpwd " if [ "$currconfigpwd" != "$currwlanconfpwd" ] then /bin/echo "change-wifi-password : Passwords are not equal ... exiting " /bin/echo "-- $currconfigpwd -- $currwlanconfpwd --" exit 1 fi /bin/echo -n "change-wifi-password : Removing old /var/run/hostapd_ath0_wlan0.pid file ..." /bin/rm /var/run/hostapd_ath0_wlan0.pid /bin/echo "Done!" /bin/echo -n "change-wifi-password : Seting new password ($newpwd) in /var/etc/hostapd_ath0_wlan0.conf ..." /bin/cat /var/etc/hostapd_ath0_wlan0.conf | /usr/bin/sed "s/$currwlanconfpwd/$newpwd/" > /var/etc/hostapd_ath0_wlan0.conf.NEW /bin/mv /var/etc/hostapd_ath0_wlan0.conf.NEW /var/etc/hostapd_ath0_wlan0.conf /bin/echo "Done!" /bin/echo -n "change-wifi-password : Killing old hostapd_ath0_wlan0 daemon ..." #psnum="`/bin/ps aux |/usr/bin/grep \"/usr/sbin/hostapd -B -P /var/run/hostapd_ath0_wlan0.pid\" |/usr/bin/grep -v /usr/bin/grep | /usr/bin/awk '{print $2}'`" psnum="`/bin/ps -auxw |/usr/bin/grep hostapd_ath0_wlan0.pid|/usr/bin/grep -v /usr/bin/grep | /usr/bin/awk '{print $2}'`" /bin/echo -n "$psnum " /bin/kill $psnum /bin/echo "Done!" /bin/echo -n "change-wifi-password : Starting hostapd_ath0_wlan0 daemon ..." /usr/sbin/hostapd -B -P /var/run/hostapd_ath0_wlan0.pid /var/etc/hostapd_ath0_wlan0.conf >/dev/null /bin/echo "Done!" /bin/echo -n "change-wifi-password : Seting new password ($newpwd) in /cf/conf/config.xml ..." /bin/rm /cf/conf/config.xml.NEW /usr/bin/sed "s|$currconfigpwd|$newpwd|" /cf/conf/config.xml >/cf/conf/config.xml.NEW /bin/cp /cf/conf/config.xml.NEW /cf/conf/config.xml /bin/rm /tmp/config.cache /bin/sleep 1 /usr/local/bin/php -f /root/write-apply.php /bin/echo "Done!" /bin/echo -n "change-wifi-password : Making intranet webpage passwordoftheday.html in /usr/local/www ..." /bin/echo " <center>" >/usr/local/www/passwordoftheday.html /bin/echo " **PASSWORD OF THE DAY WILL BE ACTIVE FOR 24 HOURS** ##### Generated on : `date` " >>/usr/local/www/passwordoftheday.html /bin/echo " **PASSWORD : $newpwd** " >>/usr/local/www/passwordoftheday.html /bin/echo "Done!" and the write-apply.php file #!/usr/local/bin/php -q require_once('/etc/inc/pkg-utils.inc'); require_once('/etc/inc/config.lib.inc'); write_config(); ?> have fun with it ;-) m </center>

You're right. Selecting the interface and logging out did it for me. After relogin and browsing through the menus it still kept my interface. Thank you!

Hi again, my Problem is still there. I found out now, that the Problem is the Slave-System! Exactly after five days the second Server does something with the Carp and the Routing failes. I don't know what happen there but after reboot from the Slave-System everything is fine again - till the next five days. The Master-Hardware is changed, the slave not. Should i? What should i Test next? I have no ideas anymore and it's not so nice to get sunday a wake up call from the company that the problem is back again. Thanks!

It is far easier to allow PoS, VPN and allow access to a particular (scout) site than it is to block just things that are hosted all over the world, on CDNs, etc. •  Block video from playing in facebook (not necessarily block facebook though) Good luck with that since facebook is pretty much all HTTPS. Might as well try to allow whatsapp but block whatsapp messages containing curse words. I believe what you are trying to do is pretty much impossible and you would be better spending your time blocking everything and passing only what they need access to.