I agree it's sometimes more convenient to bridge interfaces.

Depending on your NIC type you may also need this patch: https://forum.pfsense.org/index.php/topic,66908.msg367991.html#msg367991

Steve

Actually, this is still an issue. Applying firewall rules, or almost any update will kill existing connections including my OpenVPN connection to the firewall requiring me to reconnect..

i try edit code like this
still ERROR  :(

// http://000.000.000.000 // usernamefld  admin // passwordfld  #00000@0# $form_vars = array(); $username = 'admin'; $password = '#00000@0#'; $loginUrl = 'http://172.30.34.254/index.php'; $postUrl='http://172.30.34.254/index.php'; $user_agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"; $form_data= 'login=Login&usernamefld=admin&passwordfld=#00000@0#'; $ckfile = "/tmp/Cookiefile.txt"; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $loginUrl); curl_setopt($ch, CURLOPT_COOKIEJAR, $ckfile); //curl_setopt($ch, CURLOPT_COOKIEFILE, $ckfile); // curl_setopt($ch, CURLOPT_COOKIE, "A=01;B=02;C=03"); curl_setopt($ch, CURLOPT_POST, TRUE); curl_setopt($ch, CURLOPT_POSTFIELDS, 'login=Login&usernamefld=admin&passwordfld=#00000@0#'); //curl_setopt($ch, CURLOPT_POSTFIELDS, $form_data); //curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE); //curl_setopt($ch, CURLOPT_USERAGENT, $user_agent); //curl_setopt($ch, CURLOPT_REFERER, $postUrl); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_exec($ch); curl_setopt($ch, CURLOPT_URL, $postUrl); curl_setopt($ch, CURLOPT_COOKIEFILE, $ckfile); $store = curl_exec($ch); //curl_exec($ch); echo $store; curl_close($ch); ?> CSRF check failed. Either your session has expired, this page has been inactive too long, or you need to enable cookies. Debug:

@zlyzwy:

Hi all,

First, I know this topic has been discussed serveal times, however I just can't find the answer here..

Basically I have a Voip server(Askozia) behind Pfsense(2.1), The clients comes from both intranet and Internet.
For the Intranet clients, they are all working fine.
For the Internet clients, they just can't connect to Askozia server. The error message shows timeout.

What I have tried :
1. Firewall Optimization Options –> Conservative
2. change NAT Outbound to AON, add a rule like :
WAN  192.168.1.0/24 5060 * 5060 WAN address * YES Askozia
3. forward ports (5060,10000-10200) to WAN

All these settings has been done but it seems no change.

Thanks for any reply in advance..
Zlyzwy

\

Forward ports to WAN?

You dont forward the ports to the WAN. You forward them to your server on the LAN

WAN UDP * * * 5060 - 5160 XXX.XXX.XXX.XXX 5060 - 5160 Asterisk PBX Server (SIP)

XXX.XXX.XXX.XXX = Server IP on your LAN.

The NAT rule should also auto generate an Firewall Rule.

The present AON auto generated rules should suffice and you dont need to add more rules.

@stephenw10:

Check for anything that appears. The fact that you said the link light comes up briefly suggests it's stuck in a loop. That should generate a repeating log pattern.

By what WAN type I meant dhcp, static IP, pppoe etc.

Are your nics using the em driver?

Steve

Okay, did some poking around:

WAN type: DHCP on a Cox Cable installation

NIC drivers: yes, using the em driver

I cleared the logs after the last link loss, so I don't have anything to go off of right now. I will have to check it next time it goes down.

Is the gateway set on the WAN connection? Is the gateway blank on the LAN?

Here's a free solution that works extremely well:  Recuva.

If you're willing to pay, try Zero Assumption Recovery.  You can run the demo mode to check if you have any chance of getting your files back before committing to a purchase.

Doesn't want to seem to give any info.

Debug patch gave following output:
dap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.20.0.100:389
ldap_new_socket: 15
ldap_prepare_socket: 15
ldap_connect_to_host: Trying 10.20.0.100:389
ldap_pvt_connect: fd: 15 tm: -1 async: 0
attempting to connect:
connect errno: 65
ldap_close_socket: 15
ldap_err2string

sorry for the late reply and woow thanks for the response. Exactly what i've been looking for.

Actually, a little help with another rc-script and the 4th partition gets mounted, and the mkfs-tool shipped with the embedded img. So the embedded image deals very well with a classic 4-primary partition table. (and can mount FreeBSD (a5) and FAT (think 0c) partitions). Even DMA transfers seem to be supported by the alix-hardware (cranked up almost ~17MByte), though it will not run usb-disks too stable. :)

Oke, there's no partitioner tool inside then - maybe a good thing, agreed

And don't worry, just sometimes it's handy to have some extra space, like running a seldom-used-ftp or similar little abuses. Surely no caching with a lot of IO, this kind of storage is not made for this. (Though, the wrong thing to do here is to rely on this hardware and NOT having a spare card with a recent backup)

Yes I am aware that what i'm doing here is way beyond the purpose of pfSense, and i love it for as it can actually be done!
But I am aware as well, that it's the best non-commercial solution anyone can have, out of the box! (esp. soho environment where there's a lot of throw-away products!) :)

thanks a lot

can u share the list of updated facebook and vimeo ip and cidr list also the complete snapohsts of how to block https://www.facebook.com/ and https://www.vimeo.com/

You may be able to (it would no doubt require a lot of command line hackery) but I definitely recommend you don't.

You should install a syslog server on another machine and configure pfSense to send it's logs there.

If you really want to use only one machine there is a syslog-ng package for pfSense so you can store long term logs locally if you are running a full install. I've never tried that though.

Steve

You need to add an interface, then those tabs will show up under the interface.

snort_rules.jpg_thumb
snort_rules.jpg

OK. So if you want to have both interfaces appear on the same subnet and you don't want any filtering between them you need to move the filtering. Go to System: Advanced: System Tunables: In the table are two sysctls that control the bridge filtering behaviour net.link.bridge.pfil_member and net.link.bridge.pfil_bridge. As the description in the table says you have to edit those values setting net.link.bridge.pfil_member to 0 and net.link.bridge.pfil_bridge to 1.
You will need to reboot the box (or remake the bridge) at this point to get the values to take effect.

Also you probably want to re-arrange the interface assignments. You want to end up with:

LAN1 assigned as bridge0.

bridge0 with the two interfaces added. This means you will have to reassign whatever NIC you have as LAN1 currently.

You don't have to do that but LAN1 (assuming you renamed it from LAN) has the anit-lockout rules etc.

I wrote a post about doing this sometime ago that may be helpful to you: http://forum.pfsense.org/index.php/topic,48947.msg269592.html#msg269592

Steve

Yeah I think dynamic updating is not on by default because of security risks. But I'm glad your up and running.

Turns out it wasn't NRPE but something screwy along the way updating from 2.0.3 to 2.1. backed up the config, reinstalled from scratch and restored config and it's been running just fine (with NRPE) since. When in doubt, go with a fresh install.

It was my mistake…
I had an error in last row in the TXT with subnets for the alias. It did not mess up the 2.0.x boxes. Only the 2.1-release stopped working.