@franci: when I looked at the system logs I get only a "Segmentation fault" message. How did you look at system logs? In "modern" versions of pfSense it is necessary to use the clog utility because the logs are kept in a special format (circular log) which is limited in size. Please post the output of the pfSense shell command``` du Perhaps your system has a very small file system.

Why not put the pfSense box out in front, give it the public IP, and then create two networks behind it, that can both access the internet but not each other. There must be a way to set the Huawei modem/router into bridge mode. So then you have WAN, LAN1, LAN2.

@Atomjax: Steve I guess that is the part I don't understand. Why would both be set to none and why does there need to be a third network involved? What I have done so far: 1. Configured the WAN interface with a public IP. We will say 111.111.111.19/29 with a gateway of 111.111.111.17 2. Turned off NAT 3. Enabled net.link.bridge.pfil_bridge 4.Enabled the OPT1 interface without any further configuration for the interface. 5. Configured with the Bridge with the WAN and OPT interface. No advanced settings were configured. What I want to accomplish is this. I have a public /29 subnet. I want to be able use and firewall the whole subnet with only one outside interface. Thanks for your help. J When you put interfaces into a bridge, you generally no-longer will set an IP to the interfaces directly. You will assign an ip to the bridge itself which is like a virtual nic that is present on the bridge. So essentially do not set any IP on WAN, set the IP on Bridge0 instead.

Thank you; I had actually followed that thread a bit over a week ago, but it seemed stalled - I'll check back in a few days.

Are you using VLANs on the WAN connection ? I read something that when using the parent interface and a VLAN member of this interface that the parent interface counts the child and itself in the traffic counter. Not sure if it is 100% correct what I said but there was something strange with that.

So no suggestions? How to stop the update script?

Run pfSense and, say, nas4free as vms under the hypervisor of your choice. Steve

Nice.  :) Steve

@cmb: Doesn't have any effect on anything we do or any of our users. Thanks just wanted to make sure.

http://doc.pfsense.org/index.php/How_can_I_edit_the_PF_ruleset I would assume you could edit them with pfctl if you wanted - but wouldn't survive reboot, etc.

You can do that, but we run so many things from the web server that it would be functionally no different to allow everything.

"If i was to deploy pfsense on my dedicated web server." What?  Do you mean putting your webserver "behind" pfsense box? I would not suggest running a webserver off of pfsense other than very minor sites if you had no other choice.

Ahh, interesting. Thank you very much!

Ah good to know and thanks for confirming.  :) What would be useful would be to be able use some of the system "aliases" in firewall rules. For example use Private_networks or Negate_networks. As it is I have an alias I setup myself, LOCAL, but I have to remember to update it if I change anything and it doesn't include the WAN IP (though could it?). Negate_networks does that automagically. Steve

Thanks Jimp, that did the trick nicely.

The ALIX can handle 150 devices generally. I'd be a bit more comfortable with the Netgate 7535 at that scale, or one of the slightly higher end options from Hacom or similar. My guess on why your DDWRT stops issuing leases is the lease file gets too big for the amount of RAM it has available, and the DHCP server crashes. You can't scale much with the kind of low end hardware DDWRT is generally used with, your average Linksys regardless of what it's running isn't suitable for a 150 device network.

Maybe the first description is not clear for anybody :-) So please see what I would like to do: [image: concept.jpg] [image: concept.jpg_thumb]

Ok, and what about outgoing frame, why this [2.0.1-RELEASE][admin@midgard.home]/(33): ping -s 2000 172.30.1.50 PING 172.30.1.50 (172.30.1.50): 2000 data bytes ^C --- 172.30.1.50 ping statistics --- 8 packets transmitted, 0 packets received, 100.0% packet loss is not working? Shouldn't pfsense fragment the packet before sending it (like windows does)? 172.30.1.50 is a freebsd9 pc with 9K mtu on interface and frames are properly fragmented before they sent out. root@freebsd9-storage:/home/alximik# ping -S 172.30.1.50 -s 18000 172.30.1.20 PING 172.30.1.20 (172.30.1.20) from 172.30.1.50: 18000 data bytes 18008 bytes from 172.30.1.20: icmp_seq=0 ttl=128 time=1.270 ms 18008 bytes from 172.30.1.20: icmp_seq=1 ttl=128 time=1.318 ms 18008 bytes from 172.30.1.20: icmp_seq=2 ttl=128 time=1.248 ms 18008 bytes from 172.30.1.20: icmp_seq=3 ttl=128 time=1.309 ms 18008 bytes from 172.30.1.20: icmp_seq=4 ttl=128 time=1.237 ms ^C --- 172.30.1.20 ping statistics --- 5 packets transmitted, 5 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 1.237/1.276/1.318/0.032 ms ============================ Checked the capture, the cause is big echo reply. It was pretty stupid. Please close this topic =)

maybe the webConfiguratorlockout rule? (can someone verify) issue the following command and see if it returns anything. pfctl -T show -t webConfiguratorlockout For reference, if you run  "pfctl -T show -t bogons" you should return something similar to:   0.0.0.0/8   100.64.0.0/10   127.0.0.0/8   169.254.0.0/16   192.0.0.0/24   192.0.2.0/24   198.18.0.0/15   198.51.100.0/24   203.0.113.0/24   224.0.0.0/4   240.0.0.0/4 Brian

Configuration MIGHT be somewhat easier if your modem-router can operate in bridge mode. I have tried to setup two different ADSL modem routers in bridge mode and failed to get it to work so used a modem instead. If you can get your modem to work in bridge mode then pretty all subsequent configuration will be done on pfSense. However getting your modem to operate in bridge mode could be a frustrating learning experience. I'll assume you will stick with the modem acting as a router. If your modem-router supports dynamic DNS registration to no-ip set that up, otherwise configure dynamic DNS in pfSense through Services -> Dynamic DNS/ Dynamic DNS setup on your modem-router is preferred since it can more closely track changes to your public IP address than pfSense can. You will need to configure your modem router to forward the required TCP (and UDP?) ports to the virtual server IP address and add a static route to the modem-router so it knows to get to your virtual server IP address through the IP address of the pfSense WAN interface.