• Strange behavior on pfSense web interface menus

    5
    0 Votes
    5 Posts
    1k Views
    @stephenw10: Ah OK. I use both Windows XP/Chrome and Xubuntu/Firefox regularly with no problems. Are you running any script blockers? Can you try Firefox? I seem to remember this bug from a while back and JimP suggesting a solution. Can't find it now.  ::) Steve Edit: Here: http://forum.pfsense.org/index.php/topic,63160.0.html Ah, thanks for your help. It seems like clicking on the "top nav bar" before moving the cursor helps most of the time, as Jim suggests. Thanks!
  • Most logging stops after reboot

    1
    0 Votes
    1 Posts
    510 Views
    No one has replied
  • Location of GUI login page html file?

    2
    0 Votes
    2 Posts
    858 Views
    /etc/inc/authgui.inc
  • DNS Forwarder and "Query DNS servers sequentially"

    7
    0 Votes
    7 Posts
    3k Views
    How slow it is may depend on how aggressive an application is at getting a name resolved. For example I just assigned some non DNS address as the first DNS server and pinged a domain from a Windows 8.1 client. A second DNS query was made by the client after about 20ms for which pfSense used the second DNS server and returned the domain's address back to the client in under 40 ms from the time of the client's first query. Windows NSLOOKUP on the other hand is a total timeout failure that only hits the first DNS address. IE 11 name resolution results were similar to that of ping. I prefer not querying every DNS server since probably about 99% of the time the one I have listed first is the fastest anyway. And because that is mostly due to network latency it's not likely to change. So there is little benefit in some cases to sending all those DNS queries when the first one is going to be used anyway for the vast majority of the time. For a highly critical system it may very well be required though.
  • IPv4 address is being used by another interface or VIP

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • LDAP Authentication after upgrade to 2.1

    4
    0 Votes
    4 Posts
    1k Views
    Followed the guide that Mike mentioned. (For pfSense 2.0 - 2.1 has some extra features like 'Extended Query' which I left blank) Changed level from 'One' to Entire subtree now the Diagnostics:Authentication page returns 1 group… My challenge with OpenVPN and the same LDAP/AD is still on going (= not working) I am connecting remotely to the pfSense box and do not want to change Authentication Server from local DB to LSP just yet.
  • OpenVPN & AD user authentication in 2.1

    2
    0 Votes
    2 Posts
    3k Views
    Small progress Adjusted Authentication server setup so that Level: Entire SubTree Authentication containers (4) CN=Users,DC=company,DC=local; OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local; OU=Security Groups,OU=MyBusiness,DC=company,DC=local; OU=Users,OU=MyBusiness,DC=company,DC=local Now Diagnostics: Authentication return a group (1 not all) User: Xxxxx authenticated successfully. This user is a member of these groups: Mobile Users OpenVPN authentication (from linux based laptop…) works if user name is in local database but NOT when trying to use a name in the AD... Any suggestions? Thx Peter
  • Pfsense multiwan pptp clients only one works

    1
    0 Votes
    1 Posts
    727 Views
    No one has replied
  • PFsense CLI/Shell ?

    5
    0 Votes
    5 Posts
    14k Views
    stephenw10
    On most other devices I find myself wishing for a real shell but I know what you mean. Probably the closest thing pfSense has is the PHP shell: https://doc.pfsense.org/index.php/Using_the_PHP_pfSense_Shell Not really directly comparable though. Steve
  • Odd behavior on WAN interface

    13
    0 Votes
    13 Posts
    3k Views
    @coreybrett: Is there a proper term for referring to the practice of assigning multiple IP addresses to the WAN interface of a router? I'm looking for the right lingo to explain my setup to the ISP. You mentioned that you have an allow rule on WAN for ICMP.  What is the destination address/ network you have listed in the rule? Your ISP does seem to be routing/ forwarding your subnet in an unusual manner.  Most will deliver in a 1 + 8 or 1 + 16 manner. i.e.  There is a separate /30 for WAN and all of the allocated static IPs in the block will be forwarded through that.  How you want to use them (Virtual IP/ routed) is up to you.
  • RDP issues

    5
    0 Votes
    5 Posts
    2k Views
    I agree OpenVPN is the way to go - but I need OpenVPN with AD authentication … and that comes with its own set of challenges. The reason this one is an issue is that there is a PPTP server inside the LAN - pfSense 'forwards' to it. When the person is trying to connect to a PC on the internet (customer) using PPTP/RDP and setting up a new PPTP connection, the reply coming back in from WAN goes back to the PPTP server in the LAN rather than the PC that initiated the connection. I found out that this is a 'known' issue and can be avoided with a second static IP etc. but I'd rather remove the PPTP server from the LAN and go with OpenVPN.
  • Pfsense random restarting issues

    3
    0 Votes
    3 Posts
    2k Views
    Maybe unrelated but check apinger logs. I once had a situation where the connection stayed up but the gateway did not respond in time, causing pfSense to reload its rules, causing unwanted outages. You can adjust the apinger threshold if needed. Good luck Peter
  • Monitor service status

    2
    0 Votes
    2 Posts
    1k Views
    There is the Service Watchdog package that JimP wrote a couple of months ago. That auto-restarts services that go missing. It does not have any function to send notifications, but perhaps it could be enhanced to optionally send notifications (and optionally just send a notification and not actually restart stuff automatically).
  • Crypto Locker getting through HAVP

    10
    0 Votes
    10 Posts
    6k Views
    BBcan177
    If you are using postfix, I would suggest that you use RBLs to reject suspicious mail. I would suggest the following ones:
        reject_non_fqdn_sender
        reject_unknown_client
        reject_unknown_hostname
        reject_unknown_sender_domain
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client b.barracudacentral.org
        reject_rbl_client bl.spamcop.net
        reject_rhsbl_client dbl.spamhaus.org
        reject_rhsbl_reverse_client dbl.spamhaus.org
        reject_rhsbl_sender dbl.spamhaus.org
    Postfix can also incorporate ClamAV and Amavis. I would also suggest that you use pfBlocker and use the following lists - ET, Spamhaus, dShield, CI Army, Zeus/Spyeye/Palevo, iBlock at a minimum. The above steps will block a lot of suspicious known activity early on before ClamAV sees the traffic. You could still use ClamAV as a last step. Also using pfSense Snort on your WAN and LAN. There is also a product called "Security Onion" that can be installed as an IDS to get a full understanding of what is happening in your network. Hope it helps you
  • Dansguardian Bypass

    25
    0 Votes
    25 Posts
    13k Views
    Hmmm… sorry about that. I intended these scripts to be an easy way to set up a very specific configuration. I've never had any issue as long as I've stuck strictly to the intended use case. The downside of that approach is that I haven't tried a lot of variations (multiple gateway boxes, different gateway addresses, etc.) and I'm sure there are multiple ways it could be broken. However, if you can pin down issues with the install process or instructions (or give me enough info that I can find them) I'd love to know what they were so that I can try to fix them. I'm a software guy by trade as well. What I've learned about networking has been purely by playing with stuff like this. Nice to see someone else branching out...
  • Ping time outs on servers behind brigde

    11
    0 Votes
    11 Posts
    2k Views
    Okay, I went back to the original rc.newwanip, did only this: https://github.com/pfsense/pfsense/commit/f3a4601c85c4de78caa4f12fefd64067fd83dbe8 and added boot/loader.conf.local, and these 2 lines are in that: kern.ipc.nmbclusters="131072" hw.em.num_queues=1 Rebooted. Under Firewall/ NAT I checked: Static route filtering Bypass firewall rules for traffic on the same interface IP Do-Not-Fragment compatibility Clear invalid DF bits instead of dropping the packets The servers are timing out a lot less now. Maybe once in 30 pings, sometimes 2 pings in a row… What I see in the logs at those times are tcp:fa / tcp:a from DMZ packages, has that anything to do with that? For example: block Jan 16 14:14:03 DMZ serverip:80   ipadres:50155 TCP:A
  • Pfsense n00b requesting help

    3
    0 Votes
    3 Posts
    940 Views
    I got it to work eventually, but not with passthrough, it just wouldn't go. I used bridge mode, but with ipv4 disabled for those 2 nics at the host, so that there is no direct connection from the host to the internet, only through pfsense. Too bad passthrough didn't work, would've been better.
  • 0 Votes
    1 Posts
    804 Views
    No one has replied
  • OpenVPN option "Address Pool" seems to do nothing

    3
    0 Votes
    3 Posts
    2k Views
    What it should do (I think) is issue or not issue the "ifconfig-pool net/mask" option in the config file (if you follow the logic). But I found the following, from my observations: if you try to use "ifconfig-pool" in the advanced options, you get an error (in the logs) saying that you cannot use ifconfig-pool and "server" at the same time, because "server" already creates a pool for you. Indeed there's a "server" option in the config. The server option is not very flexible because it is kind of an ifconfig + ifconfig-pool in the same option, and the server takes the 1st address and all the rest of the entire range is reserved for the pool. I like to issue an ifconfig-pool where I use only a portion of the range, leaving another portion to static IPs in the client overrides. From googling, it seems that in the old days there was a configuration text field where you would indicate the range for dynamic assignation (just what I expected) and that would issue a separate ifconfig-pool config option (or not). It was then changed to, when on, (presumably) issue a server command taking all the range and (presumably) when off, switching that command back to a normal/simple ifconfig (which I would be happy with because it would allow me to issue an ifconfig-pool in the advanced options). In the current state it seems useless. But maybe I'm missing something.
  • NTP server stop when pppoe is shortly down to reconnect

    3
    0 Votes
    3 Posts
    992 Views
    Is this a known issue? By the way, this happens only if my default gateway (VDSL1) reconnects. Update: Had a look at another pfsense with only one pppoe wan connection, ntp works fine here. I see in the log that the ntp server stops for a reconnect of the wan pppoe connection, is it possible that the ntp server starts again too fast? Update2: "fixed" it with the Service Watchdog package  ;)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.