Ask in the Traffic Shaper Bounty.  http://forum.pfsense.org/index.php/topic,2718.0.html If it is then make a contribution and you can get the shaper.

You can also use sftp and schedule it to backup the files that way.

http://forum.pfsense.org/index.php/topic,8485.0.html

I don't know if that would be a good idea.  having each allowed outbound port listed in the rules in beneficial.  If you ever wanted to temporarily disable a rule say deny 443 temporarily or 3389 or better yet 25 you would only have to disable the individual rule.  By grouping them under 1 aliase, if you wanted to disable 1 port listed you would have to modify and then delete that port from the aliase.  Also if you were to need to troubleshoot looking at the raw filters it might group everything together.

You might want to put this in as a bounty.

Falcon4, I suggest you open your eyes and at least do a bit of research before claiming that Unix is only good for networking.

I am typing this message from a Unix box and the vast majority of my time spent using or developing for computers is on Unix type machines. I've got a room full of servers running Unix doing things other than networking.

If you're so worried about "wasting" a computer on Unix to do some networking, go buy a little embedded Alix box for less than $200 and install pfSense on that.

Bashing Unix here is not going to make you any friends or encourage anyone to help you.

I think ManageEngines Netflow Analyzer offers 2 free collectors and includes free billing feature's

I would go with 4 interfaces (3 NICs)…two WANs, one LAN, one VLAN.  Disable the internal DHCP on the APs.  Use the DHCP from pfSense for BOTH VLAN and LAN, install captive portal and enable it on the VLAN.  Make sure that the two interfaces are on disjoint subnets, you can also set the default rule on both interfaces to prevent traffic from going from VLAN-LAN and vice versa.  LAN becomes VLAN1 (the default VLAN) in a setup like this.

We only have one WAN here, but use the same VLAN for wireless setup.  If your APs can support it, setup two SSIDs; one on the LAN for your employees to connect to the Citrix servers, and a second on the VLAN for guests to hit the captive portal for web access.

The full setup would be like this:  WAN1/WAN2 (NIC1/NIC2)-> LAN(VLAN1, NIC3, 10.1.1.1) or guest VLAN (VLAN2, NIC3, 192.168.1.1)

its easy change ISP

hello Cry Havok,

thx for the answer, i'm now looking for old PC with my large hdd to build freeNAS  ;)

@Cry:

I run pfSense on a network with a Windows domain (not Active Directory) and I don't get any lockups.  I doubt that pfSense is the cause, though it may be the catalyst.

Question - what is your DHCP lease - 24 hours?  The interval would point to to a DHCP lease refresh issue (refresh is at 50% of the lease).  Make sure that you've specified the correct DNS servers in the DHCP configuration, or switch to doing DHCP on the domain controller.  Check your other DHCP options too.

This is an active directory domain.  I like using the firewall for DHCP since they support Static DHCP.  Also I want to use the PXE boot server options of PFSense which are not supported by Windows DHCP.  Wouldn't the DHCP lease time be different on almost all PCs?  I thought lease time was specific to individual PCs.  DNS servers are correct, primary server as DNS1 and ISP DNS server as DNS2.  The same as it is on my monowall box.

Hrm…

Hi

Thanks for your idea, but have managed to download Vista Business the other day (2.1Gb) with no problem at all (This was from MS, using webbrowser not download manager, and we dont allow Torrents in the office). Have to say I have moved over to other hardware and since that poin haven't had any lock ups at all, but saying that, didn't have any problems with the oroginal hardware for 30days so can't be sure that this may not happen again.

J

It seems you are looking for a "transparent firewall" or "filtering bridge"
Take a look at the howto's and search the forum for these keywords.

I'm not sure about the trafficshaping part.
I think in 1.2 it's not possible to shape on bridges. Not sure about the 1.3_alpha_alpha with the new shaper.

It's already possible to create a static arp-table so only devices on the list are able to communicate with the device.

I did put it on our switch and tried that way … no dice. I'll check to make sure what I thought was a crossover, really was. I've always swapped the OPT1/WAN assignments (and physically), and it worked exactly in reverse- DSL was fine on the card that can't see the router, T1 no carrier.