changing using pfctl at the command line would be very, very temporary.

There isn't a simple way to do what you want from the CLI.

You could use viconfig to hand-edit the config to make the change and then manually trigger a filter reload, but that's not exactly simple.

Best to use the GUI if you can.

If you're looking to automate the process, it would take quite a bit of custom coding to make a command line utility to edit an existing rule in that way easily.

Give pfsense a try.  It will probably do most of the things you are doing on several boxes with just one box.

Use "iftop" instead, it will show you want you want (and probably more) in a nice curses GUI

Hi

@sgo

The Ip 10.64.64.0 or 10.64.64.1 is kinda a bridge. To monitor the gateway (and solve the trafic problem) i put in  "System->Routing->(e - edit 3g gateway ) -> Monitor IP (ex. 8.8.4.4 ).

The gateway use the DNS google ip (you can use another pingable IP) to monitor the stat of the interface. I prefere have my main(ISP) getaway but, better this than nothing. With the monitor with green color pfsense chose the interface to pass traffic.

Cya

Apinger, used for monitoring, doesn't currently support anything other than pings.
To do this I guess you would need to replace apinger with something more flexible. Any suggestions?

Steve

@ericmachine:

I search in the forum, it seems like pfsense can't support PPPOA. Is this true? Coz I have an Australia ADSL that is based on PPPOA. I plan to have this pfsense to talk to the modem to dial for the ADSL internet.

I am in Australia. I  use Gold Coast based ISP Onthenet. My pfSense talks PPPoE to a Tenda D820B ADSL modem. The combination works well enough.

I don't know a definitive answer to this since I've never tried it but I could suggest some things. First though please define the problem further. You wish to limit the available bandwidth to users connecting from a remote location via pptp or pppoe. Bandwidth on a per user basis or all pppoe users? Have you tried anything already?

Steve

Yes. I now got a 150MBit line, even this is now possible. Unfortunately, creating VLANs is still not possible.

Same problem here, with pfsense 2.1, squid3 and dansguardian…

@bsd3000:

Probably I need to upgrade my hardware (I read all document about tunning)

So, instead of my hp DL360 server with embedded 2xBroadcom, what hardware do you recommend?

Integrated Intel or PCI-E addonn card?

What the best Nic? (model/chipset)

AMD 16x core Proc or Intel Quad Core Xeon?

You can throw some more hardware at the problem in the hope it might make a difference but you really need to get more information on what was going on in order to correctly determine the solution. For example, if you have a rogue system (or systems) issuing floods of DNS requests it is unlikely that adding more cores or "server quality" NICs or more RAM will allow you to give "good" DNS response to other systems.

Both those errors are 'normal' though they look scary.  :)
The RRD tool error happens when the interface first comes up, it's not a problem. I believe it has been fixed in 2.1.
The lighttpd error shows that someone tried to connect to the webgui on an http connection when it's configured for only https. That error has also always been present but lighttpd errors have only recently been added to the main logging system so you wouldn't have seen it in previous pfSense versions. It's nothing to worry about, the box redirects you to https anyway.

Steve

Check the pfSense VM to make sure it sees all the connections as full duplex: Status: Interfaces:
Normally the NIC negotiates with the switch and that can, very rarely, cause problems. With both those things not really existing I'm unsure how that works.  ::)

Steve

Using the IGMP proxy may allow the software to 'find' the printer. I have seen that work with media servers/clients that work in a similar way. Though I've never used a VIP in that manner I can see how it might work, try it.

Steve

Well, I have made a copy of the /etc/rc.backup_dhcpleases.sh and modified it to update/save my file via cron. Done.

You are doing this the wrong way around to fit into your diagram. The WAN should msk0 and LAN ath0. However that will be a problem since you will be unable to connect to the LAN until you've configured the wifi parameters. So to work around this first setup pfSense with only the WAN interface and set it to msk0. Just return past the LAN setup. With only one interface configured pfSense will allow you to connect via the WAN. You will have to do that from a PC connected to the 2wire router. You can then set a firewall rule that to allow access to the webgui from WAN side permanently. Now add the ath0 NIC as LAN. You will now be able to configure the wifi parameters from the WAN side connection and then hopefully connect via wifi. Once that is in place you can disable or remove the rule that allowed access from the WAN side.

Steve

What he said ^.

Short answer: No.

Your secondary router is almost certainly NATing between 192.168.1.* and 10.0.0* so all connections from your downlstream clients will appear to come from the downstream router. To be able to see cleints you would need to disable NAT and have it act only as a router.

Why do you have two routers in line like this?

Steve

So if I have a physical port on my pfsense box and it has the IP address of 10.10.2.254/24, can I also make it talk on the network as say 10.10.100.1/24 at the same time by adding that address as a VIP on that interface ?

So whatever that modem is I would check it to see if it has a setting to allow it to respond to pings. Can you ping it from anywhere else?

Alternatively you could change the monitor IP used on that connection. There is little point using the modems IP since that only monitors the connection between pfSense and the modem, not the internet connection.
In the webgui go to System: Routing: Gateways: and edit the WAN gateway. Enter an alternative monitor IP that is some where on the internet. You can use 8.8.8.8, Google's DNS service, for example.

Steve