@Perry:

Just to be sure. Did you add a rule on lan2 like the default rule on lan

There is no smiley hitting his head with his hand ;-)

That was the point, that solved the problem, thank you!

Buffers are smaller on 10 megabit.  100 or gigabit will show better performance.

Check duplex as well.

@dear arno:
you success to  use pfsense pptp sever + windows IAS (radius server), plain windows xp vpn client - it works perfect since installed .

but I got problem:pptp server with radius
1.enable pptp server with local aaa,that's all ok!
2.only change aaa from local to radius server(such as evolynx radius server),success to in ,and get subnet ip,it seems all ok,but problem comes:can not ping any ip ,public ip(such DNS ,gateway of wan) and LAN ip of pfsense.(Tips:that's can ping when AAA with local,firewall peimit any IP any protocol).
3.return aaa to local,all become ok.
only change just local or radius server. Pfsense exist bugs on working with radius server or I wrong configuration? I NO IDEAR ?WHAT'S WRONG?can you help me?
thanks
yours yasian
my email: yasian@163.com

Yeah, if you're dealing with fibre then you won't want to be trying to cut corners on costs - it will come back and bite you later (from experience).

If you go wireless then you may want to look at a UK company http://www.solwise.co.uk/.  They have a page all about kit for linking buildings and have a PDF document about setting it up.

I have the following in /etc/rc.initial, just before the line /etc/rc.banner:

REMOTE_IP=`echo ${SSH_CLIENT} | awk '{ print $1 }'` if [ "${REMOTE_IP}" = "10.11.12.13" ]; then            /bin/tcsh         exit && exit && logout fi

Replace 10.11.12.13 wit h the IP of the system you want to be able to bypass the menu.

Hello,

You right , pftop is the right tool :)

thanks,
B.

yes, I did (using the web interface): <disablechecksumoffloading>yes</disablechecksumoffloading>

For my system it seems that the options doesn't have to be explicitly activated (as the original code does), but deactivated (what the code did not). At least this was my observation, ymmv of course :)

imwondering if i can use the traffic prioritizer to set priority based on IP range.  then i could set the DHCP scope to be less priority, and the servers and SAP workstatsions to have higher priority (and well, the bosses laptop too).

i was playing with the traffic shaper, and even tho it wasnt listed, when i turn on the catch-all-p2p, ftp is limited as well.  the penalty box feature is kinda cool… is there a way to add more than one computer (or, is just copying the rule and putting in another IP the way to do it) ?

No and this has to be one of the worst security practices ideas I have heard yet.  It's a firewall, leave it be and deploy another server for this task.  No offense.

It's an easy mistake to make, from personal experience :)

you could do it by dns, by adding a entry to 127.0.0.1, se when people try to access www.eviladdress.com they will be redirected to 127.0.0.1, but no logging features support this and it's pretty easy to bypass

These things are not supported.  Have fun :)

AFAIC this is supposed to be done by the switch (if its able to do so) where's pfsense is plugged.

Regards from Rio de Janeiro.

I guess it's possible that the clock was way off to begin with and just hasn't been able to sync with a time server yet.

Usually NTP protocol don't do big jumps in time.  It has some limit to the automatic time change.  If the time shift is greater than XXX seconds / minutes, it will not update.

Have you tried to config the clock manually to the closest as possible and then asked pfsense to then, sincronize ?

Also, sometimes time settings is not change on the fly on some process.  Sometimes it is necessary to restart the service.  If it is something related to kernel, usually a reboot will make the time to be correct (if the hardware clock is correct at boot time).

Regards from Rio de Janeiro.

use the Squid package?

Enable traffic shaping then :)

Please test Your local time server (pfsense) from windows machine. Is it synchronized to upstream servers at all? Stop windows time service, install ntpdate, and do test:

ntpdate -d yourlocalpfsenseserver

I think - better way for company's local time source - to use BSD "stock" ntpd from www.ntp.org, not OpenNTPD. Configure 3-5 reliable stratum1 or stratum2 time servers and keep Your windows machines always happy.

Arnis

My personal take would be to leave the Sonicwall as a standard firewall, put the web and mail servers on non-internet IPs and forward the relevant ports only.