• Pfsense management software

    2
    0 Votes
    2 Posts
    1k Views
    P

    There have been regular posts about this. Yes, the (now known as) Electric Sheep Fencing guys are producing this sort of thing, and it will be a paid commercial product. No delivery date promised or estimated.

  • Question about a broadcast

    4
    0 Votes
    4 Posts
    2k Views
    K

    I hate seeing when my firewall is blocking things it's supposed to block by default.  I always think to myself.

    "Ohhhh look.  Someone trying to get into my blocked port…  That's nice".  No action needed.

    It's like the 10,000,000 hack attempts on my openvpn that is just forever ongoing from what appears to be an inexhaustible supply of random IPs out of China.  They don't have my certs, so who cares?  Let them waste their time.

  • CentOS KVM - Pfsense communication problem on LAN virtual network

    6
    0 Votes
    6 Posts
    3k Views
    stephenw10

    Ah, OK. Glad you resolved it.  :)

    Steve

  • Monitor bug, please advise.

    1
    0 Votes
    1 Posts
    778 Views
    No one has replied
  • I bought a NIC, now I need help

    10
    0 Votes
    10 Posts
    2k Views
    K

    Hello. I'm reopening my question.

    I'm now getting intermittent connection using the ping command. Sometimes "request time out" will appear out of nowhere. This was generally bad when my customers were surfing the net and the gamers were affected here the most. I've already tried directing my dsl to my main PC (pfsense closed) and I haven't gotten any successive RTOs after 1 hour. So I suspect something is wrong with my pfsense.

    Already installed pfsense anew (entirely deleted my old pfsense from the VM) and re-followed the directions told here and still the same problem. Just in case, I already enabled UPnP & NAT-PMP. Same IPs as above.

    Edit: sorry guys, false alarm. It was my internet after all. I'm so fail. dsl needs fixing.

  • Slow answer from web server on DMZ

    3
    0 Votes
    3 Posts
    1k Views
    M

    I have attached a diagram of my network. The access from the outside is made through WAN1, which is a modem router with port redirection to the pfSense IP address on port 80. In pfSense I have a NAT port forward created to redirect the traffic from the outside to the web server on the DMZ on port 80. This NAT port forward has an associated firewall rule to allow the traffic.

    I can access the server well and the speed is the same. The problem exists when I try to download the file.

    Thank you for your help.


  • 2.1 RC2 can't get WAN IP by DHCP ?

    13
    0 Votes
    13 Posts
    9k Views
    G

    OK, it was a driver problem.

    I just tried the module from NeverSimple posted here http://forum.pfsense.org/index.php/topic,65355.msg366244.html#msg366244 and now it's working :)

    After plugging my WAN I have an IP, no need to reboot anything.

  • Memory Usage

    2
    0 Votes
    2 Posts
    971 Views
    stephenw10

    Running Squid and Dans in 256MB is always going to be a tight fit. If it's working OK for you be happy about that.  ;) So yes 85% seems entirely expected, quite low even.

    Steve

  • Site to site VPN with one static IP possible in 2.1?

    9
    0 Votes
    9 Posts
    4k Views
    P

    @mauirixxx:

    I'm running a Fortigate 80C @ work and have a site to site ipsec VPN connecting my home office to it. I've yet to try openvpn, as the ipsec config "just worked" for me. Office is a static, home is dynamic. So yeah, totally doable with ipsec.

    Yes, I know it's doable, but not with pfsense on the work/office since pfsense NEEDS a static IP on your home box. I have set up other solutions and many boxes don't need to have an IP for the home box. I think it is made this way so the office could connect to the home, but if home had a stay alive checkbox there isn't any reason to use static IP on both places.

  • Different hostnames same ip destination

    12
    0 Votes
    12 Posts
    2k Views
    chpalmer

    Look up virtual hosts as it applies to apache also.

    We run one apache server with multiple websites.

    http://httpd.apache.org/docs/2.2/vhosts/

  • Weird snort-openvpn behaviour

    2
    0 Votes
    2 Posts
    1k Views
    bmeeks

    @maverick_slo:

    Hi all!

    I posted here since 2 packages are involved…
    We have 2 locations with same firewalls (pfsense 2.1 release).

    On location A I have OpenVPN server for roadwarriors.
    On location B I connect to this server with OpenVPN client.
    Configured with SSL-TLS+user auth.

    Now the weird thing...
    When connected CPU on pfsense on location B is OK.
    When I start to download file from location A to location B, snort goes crazy and consumes 100% CPU.
    See attached image.

    Any idea? Is this a bug maybe?

    Regards,
    M

    From the looks of that screenshot, it appears you are a victim of multiple identical Snort processes getting started.  If you have only one interface with Snort active, then you should have only a single Snort process showing up.  You have four with the same GUID (the 10837 number).  Shut down Snort and then kill any remaining Snort processes.  Start Snort again and see if things behave better.  This multiple process start problem seems to be more acute on 2.1, but still does not affect everyone.  I am looking into the root cause, but so far have come up empty.  It happens to the majority of folks on reboots.

    Stop and start Snort from the command line using these commands:

    /usr/local/etc/rc.d/snort.sh stop
    /usr/local/etc/rc.d/snort.sh start

    Bill

  • How to detect OS and apply rules?

    2
    0 Votes
    2 Posts
    2k Views
    jimp

    There is OS detection in firewall rules. It isn't perfect, but it can be reasonably accurate.

    Add a block rule, pick the OS you want to block (if it's there), and if it detects them, it will block them.


  • Cryptographic Hardware Acceleration options inconsistent v2.1 RELEASE

    4
    0 Votes
    4 Posts
    4k Views
    jimp

    @Sn3ak:

    I am fairly certain the reason for this, at least for System > Advanced > Miscellaneous > Cryptographic Hardware Acceleration, is that VIA Padlock is not a kernel module that can be loaded/unloaded. Similarly, you will notice HiFn is not reported in that list, for the same reason, even though the hardware is utilized if present.

    I don't use OpenVPN, so I can't comment on that part.

    You are correct. VIA padlock, Hifn, and others not listed there are in the kernel, not modules.

    AES-NI and glxsb are modules because certain use cases warrant not having nor wanting them loaded.

    Also selecting the cryptodev engine in OpenVPN isn't entirely necessary, we have found. OpenSSL will use a chip that claims support for a specific cipher if that cipher is the one in use. So if glxsb is on, says it does AES-128, and OpenVPN is set for AES-128, then it would use the accelerator chip no matter what the OpenVPN GUI was set for. Same for VIA padlock and so on.

  • Pfsense + FREENAS part II w/ SBS exchange

    3
    0 Votes
    3 Posts
    1k Views
    J

    Sorry but you haven't done anything that people in the virtualization sub-forum haven't been doing for a while: http://forum.pfsense.org/index.php/board,37.0.html.

    That thread you reference was about doing pfsense and FreeNAS in the SAME OS, not via a hypervisor. Not to mention, you wouldn't get SBS to run on FreeBSD anyway, pfsense and FreeNAS are both FreeBSD based and so they thought they might be able to combine them into one physical box under the same OS. It's certainly possible but definitely not ideal. A hypervisor provides the isolation you need to do it "right" (though there are some that still prefer separate physical firewalls for further security).

  • 0 Votes
    1 Posts
    815 Views
    No one has replied
  • Machine Hang

    1
    0 Votes
    1 Posts
    663 Views
    No one has replied
  • Can't RDP my pf client, help!

    12
    0 Votes
    12 Posts
    4k Views
    K

    Orange light?

  • Problem with two lan networks and access to ap

    100
    0 Votes
    100 Posts
    31k Views
    F

    I have two months to figure out how to do it

    {Meanwhile I will try to solve another problem I have with pfsense not related to this forum}

    Anyway
    Thanks everyone for the help

  • WebConfigurator access from the different interfaces

    2
    0 Votes
    2 Posts
    1k Views
    stephenw10

    Yes, by default only LAN clients will have access to the webgui. However, it's only restricted by the firewall rules; the webgui listens on every interface. You will have added rules on the WLAN interface to allow any access; you have to exclude the webgui if you don't want wifi clients accessing it.
    That is a curious error though. It looks like access is allowed but the password/uname is wrong. :-\

    Steve

  • Connecting two subnets through WDS bridge

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.