Thats funny…    :P

I guess "working" is an improvement.

Considering fiber, managed switchs and VLANs?  Smart.  You will be glad you did that over wireless.

Interesting point here. Whilst it may be true that in this case the device details were not relevant I would always encourage people to give as much detail as possible. In many cases people come to the forum with a problem after having tried for hours or days to solve it themselves. During that time they will have decided what may or magnitude be relevant. Unfortunately it's often the decision that something isn't relevant that has prevented them solving the problem.

Steve

@elementalwindx:

Any possibility there might be a walkthru?

Any possibility you can be more specific on how you want to charge?

Perhaps you would be happy to sell vouchers, the vouchers containing a code unique to each voucher. The code allows the purchaser to access the internet for an interval of time that is specified when a "roll" of vouchers is generated. The interval starts on first use of the voucher code. This can be pretty much accommodated by a pfSense system on its own EXCEPT you would probably want the help of another system with word processor having "mail merge" capability (e.g. OpenOffice, LibreOffice, Microsoft WORD) to print the vouchers.

You also need to worry about the number of concurrent connections, which is roughly based on the number of users but matters more with what they run than how many you have.

One user with bittorrent will need a lot more states than a user who casually surfs the web.

The ALIX only has 256MB RAM (in most configurations, some have 128MB but they are much more rare to see) so you can't allocate a ton of RAM to handling connections. By default it will take 10% of the RAM for that, so 25000 states. Each user connection takes two states (one into the firewall, one out of it), so that's really 12,500 user connections.

If everyone's web browsers use ~100 connections (random wild guess) at a time, then you could have 125 users at a time. If they only take 10 connections at a time, you can get away with 1250 users.

If you have asymmetric routing happening, it would explain that (traffic entering and exiting different interfaces) - or if you have made a layer 2 loop, STP on the bridge would shut off a port.

It can also be from the driver if it ran out of buffer space to process a packet or some other error condition that resulted in a dropped packet.

Some drivers are nice and report the actual condition of the failure in sysctl output. For example if you have an em nic, run "sysctl -a | grep .em." and see what you get. Substitute the driver name as needed (bce, bge, igb, etc) but make sure not to put the number on the end, as in the sysctl tree it would be em.0 and not em0 or it may only have a general list of things.

Thanks Phil.  That all makes sense.

I do notice something going to a site in Italy, I think it's possibly from Ntop.  I'd like to check into that.

It's not a terribly urgent concern, but I do think we should know these things.

-F

FAQ: Why can't I view view log files with cat/grep/etc? (clog)

How is the pfSense VM configured? Other hosts would not be able connect to it's WAN interface by default.

Steve

My old board I'm using has an option I've never wanted or needed before anywhere except on pfsense.  It has an internal VGA graphics adapter and at BIOS it can be set to off. The effect is nice.  It will boot and run but there is no video at all of any kind.  The only way to change that is to clear the CMOS with a jumper.  I considered using this because I felt if the case is locked, and there is no console access going to be damn hard for someone to reset my password even with keyboard access because I've also turned off all boot options except that one drive in BIOS.

Anyway, guess that also saves power - But its otherwise a crap board.  I'm surprised its working so well, but it does.

No idea if you can do this with your board.

Excellent..that helped me sort it :-)

Meaning most likely your clamd has died… probably due to lack of memory. Other than that, this HAVP thing is a huge headache and simply not worth the trouble at all.

P.S. This is an English-speaking forum. Why are you multiposting here? http://forum.pfsense.org/index.php/topic,65286.0.html

Cmb, sorry for the late reply but that did the trick. how do i mark it as answer?

"but I am the only person at the moment who is using this exchange server.
PLUS these ACKs are coming from just 3 IPs 24/7!"

So the only traffic outbound from pfsense is this exchange server, there is NO clients behind pfsense?

Also the ips your seeing are NOT on the list from godaddy for their CRLs  - but yes crl is a FQDN, and its served up from a CDN so its IP will change I would assume.

;; QUESTION SECTION:
;crl.godaddy.com.              IN      A

;; ANSWER SECTION:
crl.godaddy.com.        855    IN      CNAME  gdcrl.godaddy.com.akadns.net.
gdcrl.godaddy.com.akadns.net. 12 IN    A      50.63.243.228

So its quite possible that IP changes..

As to the oscp

;; QUESTION SECTION:
;ocsp.godaddy.com.              IN      A

;; ANSWER SECTION:
ocsp.godaddy.com.      1647    IN      CNAME  ocsp.godaddy.com.akadns.net.
ocsp.godaddy.com.akadns.net. 31 IN      A      72.167.18.239

I really would watch a full sniff to see if your sending out traffic to these IPs - which don't really seem to be CRL or OSCP.

Depends what you mean by safer. From a security point of view there is probably very little to choose between the two correctly configured devices. It then comes down to the speed at which new exploits/bugs are patched and updates released. The pfSense team have a good track record there and needless to say Cisco have whole departments of programmers doing that! However if, as you say, it's not possible to apply the patches for whatever reason it doesn't really matter how quickly they are released. An important measure of security is how many hours/days your router is running code with known exploits. My opinion.  :)

Steve

PPPoE relay is not bridged mode. That's for half-bridge mode I believe. You need to change the device mode to "Modem Only".

http://kb.netgear.com/app/answers/detail/a_id/20310/~/setting-the-dm111pspv2-to-modem-mode-%28bridge-mode%29