Hi Hell0s, If you edit the rule that you created to allow the Web access, scroll to the bottom of the rule and you will see a checkbox for logging. "Log packets that are handled by this rule Hint: the firewall has limited local log space. Don't turn on logging for everything. If you want to do a lot of logging, consider using a remote syslog server (see the Diagnostics: System logs: Settings page)."

Thanks kpa. Like most errors where you bang your head in the wall for hours w/out any progress, it turned out to be stupid simple: lack of gateway. It was that, combined with shitty consumer grade hardware with very poor configuration options.

After update pfSense always installs the latest versions of the packages, not the same versions that were installed before update, right?

Hi Yes I'm using BT, will checkout the link thanks. Andy

Run "ps uxawww" and then save that somewhere, come back in a couple days and run it again. See what is in the second list but not the first.

Yup, that's a better solution that just blocking things in the firewall. It seems likely that your previous router did support IPv6 and was doing so correctly, hence no errors on pfSense. Your new router is inferior!  ;) There might be more recent firmware available for it. Steve

My first instinct would be to suggest that you simply replace the SonicWall with pfsense….. 8) I understand that may be an ambitious start, and while I'm no expert at SonicWall, I seem to recall you can create a DMZ port in SonicWall. You should be able to present that port to the WAN port on pfsense much as you would to an internet facing Web server. That should let you create an IPSec tunnel to the pfsense box.  The LAN side of pfsense will have to "merge" with your existing LAN subnet, unless you're willing to dedicate a new subnet just for the pfsense IPSec. If you can give some more details (and/or diagrams) about what you envision this setup to look like, maybe we can help you arrive at a solution.

Reset to factory defaults got me going here.  couldn't find anything less invasive …. :(

@jimp: You'd have to use Captive Portal + RADIUS accounting and then the RADIUS setup would handle the bandwidth tracking and long-term decisions. Well, that sound complicated!

Correct.

@stephenw10: Conversely I would be less likely to do it on a work box just because the consequences of some yet undiscovered NTPd exploit would be so much worse. If my home firewall goes down for whatever reason I get grief but I'm unlikely to find the locks have changed when I get back. If a firewall I'm managing for a business goes down (or worse gets owned) because I opened NTPd to WAN as a public service that's a different matter. You could see this as simply increasing the attack surface of a the firewall which is never a good thing. If you want to run a public NTP server the firewall should not be your first choice.  ;) Or there's always the possibility some company could make a consumer router and hard code your IP address in the firmware and set a ridiculous refresh rate when it can't reach the server and end up having you be flooded by tons of NTP traffic, bringing your network to a grinding halt. (This actually happened to the University of Wisconsin, courtesy of Netgear: http://pages.cs.wisc.edu/~plonka/netgear-sntp/) But as mentioned, at work, I would not be running this on the firewall. (We run an ASA at work, though I've mentioned switching to pfSense when the discussion of replacing it has come up. Though I believe the last word on it was simply increasing the memory on it instead, though I don't believe that has happened yet.) My FreeRADIUS (on FreeBSD) server would be the most likely candidate for being a stratum 1 server (currently I believe it's a stratum 3) unless I special built a machine specifically for NTP.

That's unlikely to work because the pfSense box will not route the traffic with only one IP. You could do it if you don't have Squid in transparent mode. Steve

thanks for the reply, but sorry i was not able to understand what to do? please let me know how to do that briefly. Thanks.

@MindfulCoyote - admin and root are there by default, however… @JeGr - The point of this exercise is to not memorize and distribute the admin password :] @stephenw10 - Doh! Completely missed this in the list of packages. Thank you!

Right but as divsys said have you proved that the server isn't using http (non-encrypted) on port 443. That can make connection difficult because browsers try to be helpful by automatically using https as soon as you specify port 443 and vice versa. You could try re-assigning the LAN interface IP in the console menu via option 2. You can assign it the same address so that nothing changes but it should ask you 'do you want to revert to http?' or something similar to which you can answer yes. It doesn't on my 2.2 alpha test box I have here though. The config file is /conf/config.xml. If you SCP that off the box you can reset it to factory defaults or look through it for a config error (such as http on port 443). Yopu can try editing the file whilst on the box: ee /conf/config.xml Look in the <webgui>section. Change back to http on port 80 and then reboot. Obviously manually editing the config file is open to error.  ;) Steve</webgui>

@evano666: I should also mention I already have a rule in place for ICMP… IPv4 ICMP * * * * * none Where is that rule? As others have said, what sort of NAT arrangement to you have on these virtual IPs? It would be common to use 1:1 NAT to your internal servers but if you're not doing that then have you NAT'd ICMP? Steve

Um that is not a wan IP, that is a rfc1918 address that you would use on our lan.  Why do you need to control bandwidth on your lan?  To your 2k8 server?  If you go into more details of your perceived issue and what you would like to do to fix it. We can either agree this is best solution, or maybe point you in better direction.  Maybe pfsense can solve your problem, maybe not - but without understanding what your wanting to do exactly??

For other readers, bandwidthd defaults to writing stats at 2.5 minute intervals. As long as there is more than the minimum traffic seen (about 1MB from memory) then there should be data and graphs generated within 5 minutes of enabling it.

You should be able to put a pass rule for traffic from the alias, select the limiters you want and schedule you want. Then after that put a deny rule for traffic from the same alias. Then at schedule times the pass rule will apply first and be effective. Out-of-schedule-hours the deny will be hit.