• Proxy filter squidguard and facebook

    4
    0 Votes
    4 Posts
    2k Views
    J

    Ok thank you for your help

    Kind regards

  • No Internet access from LAN

    5
    0 Votes
    5 Posts
    1k Views
    stephenw10

    Looks like it has an RJ45 console port, presumably serial.

    Edit: Yep, 9K6 serial connection.

    Steve

  • Cross backup

    3
    0 Votes
    3 Posts
    1k Views
    P

    Also, whichever end is the OpenVPN server will need to have a known public IP address so the client can connect. If one of you already has a static IP, then use that for the server end. Otherwise you will have to sign up to a dynamic DNS service. pfSense can keep the dynamic DNS name up-to-date with the current IP address of your OpenVPN server end - Services->Dynamic DNS.

  • How to Reboot Automatically periodically?

    2
    0 Votes
    2 Posts
    962 Views
    D

    Nothing changed with scheduling cron jobs since 2006. (You can install cron package to do this via GUI.)

  • Planning network design, introducing pfsense, opinions wanted

    7
    0 Votes
    7 Posts
    2k Views
    stephenw10

    Ah, yes you're right. Traffic between two hosts in the same subnet will not pass through the pfSense box. However you may want to, for example, separate your wifi clients from wired using an additional interface in which traffic would have to be routed.

    Steve

  • Guestlan

    1
    0 Votes
    1 Posts
    907 Views
    No one has replied
  • RRD Graphs are empty

    20
    0 Votes
    20 Posts
    12k Views
    M

    I got some more issues now.

    I changed the system network cards around, and I wanted to reset the RRD data.

    Now that I did that, under the quality tab and then graph I don't see LAN, LAN2, WAN. I just see allgraphs and outbound. I did a restart and now I see LAN2, but LAN and WAN are missing.

    Any ideas? I checked the /var/db/rrd folder and I do see WAN-quality.rrd

    I went to the interfaces and completely disabled LAN2, stopped RRD, cleared data, started RRD, and now it's the same thing: I see the wan-quality.rrd file and in the graphs I see LAN2. I think at one point the current LAN2 was my WAN2, and now my current LAN2 is my WAN, and my current WAN is my old WAN2.

    If that makes any sense?

    So I think it's grabbing the old names. How can I fix this?

  • Question about forwarding

    6
    0 Votes
    6 Posts
    2k Views
    D

    What you want is absolutely not a job for DNS server. You need some webserver with a proxy which will look at the HTTP headers and redirect the requests to appropriate internal servers according to the requested hostname. Simple Apache example:

    <VirtualHost *:80>
        ServerName server1.example.com
        ProxyPreserveHost On
        ProxyRequests off
        ProxyPass / http://192.168.1.1/
        ProxyPassReverse / http://192.168.1.1/
    </VirtualHost>

    <VirtualHost *:80>
        ServerName server2.example.com
        ProxyPreserveHost On
        ProxyRequests off
        ProxyPass / http://192.168.1.2/
        ProxyPassReverse / http://192.168.1.2/
    </VirtualHost>

    <VirtualHost *:80>
        ServerName server3.example.com
        ProxyPreserveHost On
        ProxyRequests off
        ProxyPass / http://192.168.1.3/
        ProxyPassReverse / http://192.168.1.3/
    </VirtualHost>

    You forward all requests to port 80 to this server, which deals with the rest.

    Reading: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

  • Trying to update…. for days now.

    7
    0 Votes
    7 Posts
    2k Views
    jimp

    What I have done in some cases is this:

    1. Make sure there is enough space on the slice to hold the upgrade image
    2. Go to the shell prompt and run:

    fetch -o /root/update.img.gz http://wherevertheupdateimageisonthewebsites/pfSense-blah-blah-512m-blah.img.gz

    3. Wait for that to finish, that's just downloading the image to your CF.

    4. When that is done, back up to the console menu and use the console update function, then by file, and give it /root/update.img.gz

  • Virtual address and traceroute

    2
    0 Votes
    2 Posts
    969 Views
    jimp

    It's normal to see the router's real IP in traceroute rather than a CARP VIP.

  • Console menu for user, over ssh ?

    3
    0 Votes
    3 Posts
    2k Views
    jimp

    It won't help because they won't have the privileges to actually use the menu.

    If you install the sudo package and allow them to run /etc/rc.initial without a password, you could then add "sudo /etc/rc.initial" to their .tcshrc or .profile and it may have the intended effect.

  • Acronis True Image 2013 - imaging pfsense 2.1?

    4
    0 Votes
    4 Posts
    2k Views
    D

    I strongly discourage anyone from using Acronis products for anything. Esp. since it (almost irreversibly) damages the host system. (This is still valid even with 2013 versions of their products.)

  • There were error(s) loading the rules: pfct…

    9
    0 Votes
    9 Posts
    3k Views
    stephenw10

    Nice.  :)
    Surprised it didn't cause a flood of complaints.

    Steve

  • PfSense only allowing traffic out WAN, not LAN/OPTs

    5
    0 Votes
    5 Posts
    4k Views
    L

    Hi wallabybob,

    unfortunately with mounting pressure from the users I needed a solution for "now" rather than a solution that was "right", so I have restored a backup from 2 weeks ago which seems to have fixed things for the most part. It irks me that I don't know what the actual problem was and printing is still slow from the other subnet. Looks like I'm going to solve that in a different way now.

    To answer your questions:

    How do users in LAN D attempt to access the printer in LAN O?

    Printer drivers were installed on each PC in LAN D. At the time of installation the driver setup was able to communicate with the printer which configured an appropriate printer port on the client PC.

    What happens when they attempt such access?

    The print job sits in the print queue on the client PC indefinitely

    Does the access attempt get reported in the firewall log?

    I enabled appropriate logging and saw PASSes noted in the firewall log, however running a packet capture on the LAN O interface of pfSense I did not see any matching packets.

    Does the printer allow access from LAN D?

    Yes.

    Does the printer respond to pings from LAN O?

    Pinging from a client on LAN O to the printer was successful. Pinging from the firewall interface LAN O to the printer was NOT successful.

    Does the printer respond to pings from LAN D?

    No. Firewall Logs show PASSes but again, nothing in a packet capture from LAN O interface

    Please post a screen shot or other full specification of the firewall rules on the LAN D interface.

    Sorry, as I've restored from backup the rule is now the same as when it was failing. What I have now is:

    I've highlighted the rule that should allow access to the printer (and the file server) on LAN O

    The OfficeResources alias contains the IP addresses of the printer and the file server only.

    However, when the firewall was allowing nothing out its LAN interfaces I had removed all the rules but the last one, which was copied from the LAN O (the "LAN" interface as opposed to the "OPTn" interfaces) rule and then modified to relate to LAN D.

    I hope that's clear, reading back there's a lot in there and it may be moot given I have restored to a backup.

    I'm also looking at dropping LAN D and combining the clients with the LAN O. Just need to convince management that the separate LANs are causing more problems than they are solving.

    Thanks,
    Lee.

  • RRD image export on schedule

    4
    0 Votes
    4 Posts
    2k Views
    ptt

    Check the "mailreport" package:

    Allows you to setup periodic e-mail reports containing command output, log file contents, and RRD graphs.

  • PfSense 2.0.3 and syslog: not seeing full syslog message

    4
    0 Votes
    4 Posts
    1k Views
    B

    You probably need to do a packet capture to be sure, but rsyslog would have to be the suspect.

  • Anyway to set settings back to last 10 mins?

    5
    0 Votes
    5 Posts
    1k Views
    T

    I do the same for firewall on CentOS.
    Maybe the dev team can take this into consideration and create a fail-safe button that restores settings after a specified time if user doesn't acknowledge by clicking on fail-safe button.

    1- Fail-safe can be ENABLED or DISABLED when needed - so the admin can use it ONLY when needed. Maybe OFF by default
    2- Fail-safe allows for time setting as in 1 minute, 3 minutes, 5 minutes, 10 minutes….
    3- Fail-safe Restore DOES NOT apply or roll back the settings if user presses "ALL GOOD" button after the change is done within the kick-off time.

    Any other suggestions?

    Thanks everyone for input - I hope this gets picked up by Dev team! Vote here please

  • Issue accessing Web GUI on specific IP

    8
    0 Votes
    8 Posts
    4k Views
    B

    Since I'm under a tight deadline, and it is out of business hours here and I have a relatively small amount of machines here, I have refreshed all the PCs and they are all using the new gateway, 192.168.1.2.

    This is a hotfix that has worked for me, hopefully this will not be an issue anymore, but it is an odd one at least.

  • /var/log/filter.log format? way to convert to NCSA (CLF) format?

    7
    0 Votes
    7 Posts
    3k Views
    jimp

    @mastry0da:

    could you point me at a reference for reading the log format?

    if not could you possibly break down this example packet for me?

    pf: 00:00:00.306610 rule 1/0(match): block in on msk1: (tos 0x20, ttl 40, id 33721, offset 0, flags [none], proto UDP (17), length 58)

    They are standard pf logs, so OpenBSD may have some documentation.

    Or: Use the source - https://github.com/pfsense/pfsense/blob/master/etc/inc/filter_log.inc#L136

  • Who is use internet bandwidth?

    5
    0 Votes
    5 Posts
    1k Views
    W

    The pfTop shell command can give a display of current top users of bandwidth through the firewall.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.