This is a Windows issue. I have lots of experience with Windows clients and PPPoE, so you have to believe this: some clients will work fine and some don't.
You really need to use a good PPPoE dialer on any version of Windows.
Dr TCP will help you lower the MTU so your client does not have so many problems.
I would also suggest you disable the CCP extensions on the PPPoE server on pfSense. I can't remember the config parameters for the mpd daemon, but the docs for it are on SourceForge.
Also, another issue we see a lot is that the defaults for Windows PPPoE auth are wrong for our setup and need to be manually adjusted.
My two cents' worth. I have a bit of development time at the moment, so I should be around on the forums for the next few days if you have other questions.
It changes the IPs inside the FTP protocol to make it work with NAT and dynamically punches open the ports that are needed for the FTP transfer. FTP doesn't happen on one port only (TCP 21 is only the control session).
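What an FTP helper actually has to do with the control session, as an added example (this is illustrative Python, not pfSense's or pf's own FTP proxy code): parse the `h1,h2,h3,h4,p1,p2` address tuple in a client `PORT` command or a server `227` passive reply, rewrite the private address to the firewall's public one, and report the data port that must be opened. The private/public addresses are constructed sample values.

```python
"""Minimal FTP ALG logic: rewrite addresses inside control messages and
report the data-port pinhole the firewall needs. Added example only."""
import re

# Constructed sample addresses (not from the original post).
CLIENT_PRIVATE = "192.168.1.10"   # FTP client behind NAT
NAT_PUBLIC = "203.0.113.5"        # firewall's public WAN address

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from an FTP 'h1,h2,h3,h4,p1,p2' tuple, or None."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    parts = [int(x) for x in m.groups()]
    if any(x > 255 for x in parts):
        return None
    ip = "%d.%d.%d.%d" % tuple(parts[:4])
    return ip, parts[4] * 256 + parts[5]


def format_hostport(ip, port):
    """Inverse of parse_hostport."""
    return ",".join(ip.split(".")) + ",%d,%d" % (port // 256, port % 256)


def rewrite_port_command(line, private_ip, public_ip):
    """Handle an active-mode 'PORT' line from the client.

    The client announces its own (private) address, which the server on the
    Internet cannot reach, so the helper substitutes the public address and
    tells the firewall to accept an inbound data connection on that port and
    forward it to the private host.  Returns (new_line, pinhole) where
    pinhole is (public_ip, port, private_ip) or None if nothing to do."""
    if not line.upper().startswith("PORT "):
        return line, None
    hp = parse_hostport(line)
    if hp is None or hp[0] != private_ip:
        return line, None
    port = hp[1]
    return "PORT " + format_hostport(public_ip, port), (public_ip, port, private_ip)


def passive_pinhole(reply):
    """Handle a server '227 Entering Passive Mode (...)' reply.

    Nothing is rewritten here; the helper only learns which server ip:port the
    client will connect to next so the firewall can allow that outbound data
    session dynamically instead of opening a wide port range statically."""
    if not reply.startswith("227"):
        return None
    return parse_hostport(reply)
```

Rewriting `PORT` changes the length of the TCP payload, so a real helper must also adjust sequence and acknowledgement numbers for the rest of the control session; that is why this cannot be done with plain port forwarding. Extended-mode `EPRT`/`EPSV` use a different syntax and are not handled here.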
Yes, you can only shape between 2 interfaces. However, the problem with your setup is the following:
If you shape at the LAN side of the gateway box, you can only shape the overall bandwidth of all WANs of the gateway box. So let's say each WAN has 1 mbit/s up and down, to keep the calculation simple. This means your overall upstream is 4 mbit/s. Now your shaper lets a single connection go out with 4 mbit/s. But that single connection can only use 1 WAN at a time, so it will max out that line at 1 mbit/s even though it is allowed to use 4 mbit/s at the shaper box. This will overload 1 line whereas the other 3 lines are still idle. It won't work efficiently in that scenario.
To make this work with multiple boxes you would need one gateway and 4 shapers, one at each WAN of the gateway. This is an ugly setup and I agree with that, however it's the only way to do this right with multiple boxes. I have played around with custom shaper rules and a 2 WAN, 1 LAN setup but haven't managed to get it working the way I wanted it to work. However, there are people reporting some kind of success with custom rules and multiple WANs. We'll hopefully have a multi-interface shaper after 1.0 is out, but traffic shaping gets pretty complex when using multiple interfaces, so there is no timeframe for that feature yet.
Short question. Is it possible to save the configuration to a CF disk in the appliance? I know you can download the config, but that's not enough. Every change made to the firewall should be written directly to a CF disk. Or should we create a cron job to do this?
We're planning to use a full installation on a hard disk in an appliance we put together. Those machines will replace a bunch of commercial firewalls (Netasq) at our customers' sites. Why, you might think? Great features (multi-WAN, failover, etc.) without any extra costs. If you search for the same functionality in a commercial product…
All you should need to do is disklabel, newfs, mount the CF on /cf and update /etc/fstab. Some FreeBSD administration experience is helpful here of course ;) You might be able to get away with the CF being FAT32 here and just mount that on /cf.
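If you go the cron job route instead of mounting the CF over /cf, the copy should only be written when the config actually changed (flash cards have limited write cycles) and it should never leave a half-written config.xml behind on power loss. The following is an added example, not a pfSense tool; the source path `/cf/conf/config.xml` and the mount point `/mnt/cf-backup` are assumptions to be adjusted for your box.

```python
"""Cron-driven copy of config.xml to a mounted CF card, written atomically
and only when the file changed. Added example; paths are assumptions."""
import filecmp
import os
import shutil
import tempfile
import time

SRC = "/cf/conf/config.xml"   # assumption: where the running config lives
DST_DIR = "/mnt/cf-backup"    # assumption: where the CF card is mounted


def sync_config(src=SRC, dst_dir=DST_DIR, keep=10):
    """Copy src to dst_dir/config.xml if it differs from the last copy.

    The previous copy is kept as config-<mtime>.xml so a bad change can be
    rolled back; at most `keep` old versions are retained.  The new file is
    written to a temp name and renamed into place so a power loss mid-copy
    leaves the old config.xml intact.  Returns True if a copy was written."""
    dst = os.path.join(dst_dir, "config.xml")
    if os.path.exists(dst) and filecmp.cmp(src, dst, shallow=False):
        return False                      # unchanged: avoid a needless flash write
    tmp = dst + ".tmp"
    shutil.copy2(src, tmp)                # copy2 keeps the original mtime
    if os.path.exists(dst):
        stamp = time.strftime("%Y%m%d-%H%M%S", time.localtime(os.path.getmtime(dst)))
        os.replace(dst, os.path.join(dst_dir, "config-%s.xml" % stamp))
    os.replace(tmp, dst)                  # atomic rename on the same filesystem
    history = sorted(f for f in os.listdir(dst_dir)
                     if f.startswith("config-") and f.endswith(".xml"))
    for old in history[:-keep]:           # prune everything beyond the newest `keep`
        os.remove(os.path.join(dst_dir, old))
    os.sync()                             # push the data out to the card now
    return True


def demo():
    """Exercise sync_config in a temp dir; returns the observable results."""
    base = tempfile.mkdtemp()
    src = os.path.join(base, "config.xml")
    cf = os.path.join(base, "cf")
    os.mkdir(cf)
    with open(src, "w") as f:
        f.write("<pfsense>1</pfsense>")
    first = sync_config(src, cf)          # new file: copied
    second = sync_config(src, cf)         # unchanged: skipped
    with open(src, "w") as f:
        f.write("<pfsense>2</pfsense>")
    third = sync_config(src, cf)          # changed: copied, old one archived
    with open(os.path.join(cf, "config.xml")) as f:
        current = f.read()
    archived = len([n for n in os.listdir(cf) if n.startswith("config-")])
    shutil.rmtree(base)
    return first, second, third, current, archived


if __name__ == "__main__":
    print(demo())
```

A crontab line such as `*/5 * * * * /usr/local/bin/python sync_config.py` (path assumed) runs it every five minutes; because unchanged configs are skipped, that costs no flash writes between changes.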
If I'm not totally wrong here, it is not authpf that does the actual authentication, it's the SSH daemon, so you could configure the SSH daemon to authenticate against pam_ldap or similar, I guess.
Correct, authpf doesn't do the authentication. It does require a TTY though, and that requires more access than I'm willing to give my users. OpenBSD did the right thing as far as it being part of their core OS (and handling authentication), however I disagree with the implementation for pfSense. It needs a utility that can be deployed to the desktop and doesn't require anything more than an authentication prompt on the firewall (which can obviously be handed off to RADIUS, LDAP, whatever).
Please be a bit more specific. What kind of WAN do you have? What's in front of your pfSense WAN interface? What state is the NIC in if the connection is lost? Found a way to recover from this situation without rebooting? Anything in the system logs?
Maybe someone can tell me what is going wrong with this…
$ netstat -m
412/488/900 mbufs in use (current/cache/total)
407/337/744/4800 mbuf clusters in use (current/cache/total/max)
401/239 mbuf+clusters out of packet secondary zone in use (current/cache)
0/0/0/0 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/0 9k jumbo clusters in use (current/cache/total/max)
0/0/0/0 16k jumbo clusters in use (current/cache/total/max)
918K/796K/1714K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
1/19/1456 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
0 calls to protocol drain routines
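The `netstat -m` counters worth reading in that output are the "requests ... denied" lines, the "calls to protocol drain routines" line and how close the mbuf cluster total is to its max (`kern.ipc.nmbclusters`). The following is an added example, not a pfSense tool, that parses this output and flags those conditions; the first sample is the output posted above, the second is a constructed exhausted case.

```python
"""Parse FreeBSD 'netstat -m' output and flag mbuf exhaustion. Added example."""

# Sample 1: the output posted above (healthy: nothing denied, 744 of 4800 clusters).
POSTED = """\
412/488/900 mbufs in use (current/cache/total)
407/337/744/4800 mbuf clusters in use (current/cache/total/max)
401/239 mbuf+clusters out of packet secondary zone in use (current/cache)
0/0/0/0 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/0 9k jumbo clusters in use (current/cache/total/max)
0/0/0/0 16k jumbo clusters in use (current/cache/total/max)
918K/796K/1714K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
1/19/1456 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
0 calls to protocol drain routines
"""

# Sample 2: constructed, not from the post, showing what exhaustion looks like.
EXHAUSTED = """\
4790/10/4800 mbufs in use (current/cache/total)
4800/0/4800/4800 mbuf clusters in use (current/cache/total/max)
0/37/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
12 calls to protocol drain routines
"""


def _counters(line):
    """Split the leading 'a/b/c' field of a netstat -m line into ints."""
    return [int(x) for x in line.split()[0].split("/")]


def parse_netstat_m(text):
    """Extract the counters that matter for diagnosing mbuf starvation."""
    stats = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("mbufs in use (current/cache/total)"):
            stats["mbufs_total"] = _counters(line)[2]
        elif "mbuf clusters in use" in line:
            cur, _cache, total, mx = _counters(line)
            stats["clusters_current"] = cur
            stats["clusters_total"] = total
            stats["clusters_max"] = mx
        elif "requests for mbufs denied" in line:
            stats["denied"] = sum(_counters(line))
        elif "requests for jumbo clusters denied" in line:
            stats["jumbo_denied"] = sum(_counters(line))
        elif line.endswith("calls to protocol drain routines"):
            stats["drain_calls"] = int(line.split()[0])
    return stats


def assess(stats, threshold=0.8):
    """Return a list of human-readable problems; empty means healthy."""
    problems = []
    if stats.get("denied", 0) or stats.get("jumbo_denied", 0):
        problems.append("mbuf requests were denied: the stack ran out of mbufs")
    if stats.get("drain_calls", 0):
        problems.append("protocol drain routines were called: memory pressure")
    mx = stats.get("clusters_max", 0)
    if mx and stats.get("clusters_total", 0) / mx >= threshold:
        pct = 100 * stats["clusters_total"] // mx
        problems.append("mbuf clusters at %d%% of kern.ipc.nmbclusters" % pct)
    return problems


if __name__ == "__main__":
    for name, sample in (("posted", POSTED), ("constructed", EXHAUSTED)):
        print(name, assess(parse_netstat_m(sample)) or ["no mbuf problem found"])
```

For the output posted above this reports nothing: zero denied requests, zero drain calls and 744 of 4800 clusters in use, so whatever is wrong with that box, it is not mbuf exhaustion.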
Modem's IP is 192.168.1.254; it sets all clients hooked to it to have an IP of 192.168.1.1 (by setting the DHCP range from 192.168.1.1 to 192.168.1.1, because the damn modem doesn't want to do anything BUT DHCP). Router's IP is 192.168.2.1, and it sets all clients hooked to it to have an IP of 192.168.2.x. Firewall rules allow everything, NAT is as suggested above. WLAN is bridged to LAN. WAN is set to static with its IP being 192.168.1.1 and gateway being 192.168.1.254.
Can't access the modem on 192.168.1.1 or 192.168.1.254. Can't ping, and can't get an internet connection.
I'm completely at a loss as to what I'm not doing right.
Btw, check if you have 2 DHCP servers running. In that case a client requesting a lease will randomly get one from the one or the other (the one that answers the current request faster wins). In that case you might see clients hopping between IPs too.
Live CD, RC1. I will go to RC2 today, but it's odd because this box wasn't doing this before and I have 3 other boxes with the same config + hardware at the same site. I wonder if I should delete the RRD file on the floppy?
Thanks for the great doc!
I think I successfully generated my keys and configured my pfSense box.
The other side is an IPCop box with OpenVPN installed. I've tried to create it as the client.
However, it just doesn't seem to ever open the VPN.
On pfSense do I need to create any rules or set up NAT for port 1194? Does OpenVPN run on the WAN NIC?
I've read everyone's suggestions, and I have tried them all; nothing seems to work for me. When I was using IPCop I had no problems. I've got a Linux box on one end and Linux and Windows at home. Obviously the 2 on the same network can see each other, but not the one that's at my work. I've talked to my network guy; he says that all outbound is unregulated, so that shouldn't be the problem. Any other ideas why this would be failing?