• How can I remove (cancel) routes with shell commands?

    4
    0 Votes
    4 Posts
    14k Views
    C

    It's solved, thank you so much.

  • DMZ design in CARP environment

    3
    0 Votes
    3 Posts
    1k Views
    J

    Well - we have not reached a final conclusion yet - but….

    We realized that using virtual firewalls, however flexible, would still be a single point of failure, thus effectively making CARP on the main firewall pointless.
    Yes, we would have HW failure protection, but there would still be ONE VM that could fail, thus essentially creating a "System Down" event.

    So - currently we are leaning towards option 2 - in regards to the DMZ.

    On the matter of using Snort or Proxy ... - well - we are still in the dark and looking into options.

    Not sure that helped much...  ::)

    /Jannik

  • Dividing the internet speed.

    2
    0 Votes
    2 Posts
    3k Views
    pttP

    You are posting / asking at the wrong forum section ;)

    About your question, check this: http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Limiter

  • Is the following setup viable on pfsense ?

    2
    0 Votes
    2 Posts
    943 Views
    S

    Sorry, should have added that my pfsense boxes are version 2.1-BETA0 (amd64) built on Thu Nov 8 06:41:07 EST 2012

  • Best practice for setup of a /27 network

    5
    0 Votes
    5 Posts
    1k Views
    R

    Using the first usable for the router allows you to subdivide the IP block later if required without having to change the router IP.

    As an example, say you had.

    192.168.1.0/27

    Network  =  192.168.1.0
    Broadcast =  192.168.1.31
    Usable = 192.168.1.1 to 192.168.1.30 (30 Hosts).

    If you make 192.168.1.1 the router and allocate hosts from that IP upwards, you can always decide later to split that IP allocation between two /28s. (assuming you've not gone past 14 hosts)

    192.168.1.0/28 & 192.168.1.16/28

    If you'd placed the router at 192.168.1.30 and then wanted to split the subnets, you'd have to re-ip the router and all the host config that used it. This may not be so much of an issue for a /27 but scale that up to a /24 or /23 and it soon becomes a right royal pain in the ….

    It is for this reason that I would always set the router/Firewall/HSRP etc IPs at the start of the subnet block rather than the end.

  • LACP Failing to TP Link SG3424 Switch

    3
    0 Votes
    3 Posts
    5k Views
    K

    That's funny…    :P

    I guess "working" is an improvement.

  • Snort on OpenVPN/DMZ Interfaces

    1
    0 Votes
    1 Posts
    941 Views
    No one has replied
  • Two adsl connections separate buildings

    24
    0 Votes
    24 Posts
    5k Views
    K

    Considering fiber, managed switches and VLANs?  Smart.  You will be glad you did that over wireless.

  • Weird NTP problem

    8
    0 Votes
    8 Posts
    2k Views
    stephenw10S

    Interesting point here. Whilst it may be true that in this case the device details were not relevant, I would always encourage people to give as much detail as possible. In many cases people come to the forum with a problem after having tried for hours or days to solve it themselves. During that time they will have decided what may or might be relevant. Unfortunately it's often the decision that something isn't relevant that has prevented them solving the problem.

    Steve

  • Is it possible to use pfsense to make pay-to-use hotspot?

    5
    0 Votes
    5 Posts
    2k Views
    W

    @elementalwindx:

    Any possibility there might be a walkthru?

    Any possibility you can be more specific on how you want to charge?

    Perhaps you would be happy to sell vouchers, the vouchers containing a code unique to each voucher. The code allows the purchaser to access the internet for an interval of time that is specified when a "roll" of vouchers is generated. The interval starts on first use of the voucher code. This can be pretty much accommodated by a pfSense system on its own EXCEPT you would probably want the help of another system with word processor having "mail merge" capability (e.g. OpenOffice, LibreOffice, Microsoft WORD) to print the vouchers.

  • How many VPN connections does Alix2D13 support?

    4
    0 Votes
    4 Posts
    1k Views
    jimpJ

    You also need to worry about the number of concurrent connections, which is roughly based on the number of users but matters more with what they run than how many you have.

    One user with bittorrent will need a lot more states than a user who casually surfs the web.

    The ALIX only has 256MB RAM (in most configurations, some have 128MB but they are much more rare to see) so you can't allocate a ton of RAM to handling connections. By default it will take 10% of the RAM for that, so 25000 states. Each user connection takes two states (one into the firewall, one out of it), so that's really 12,500 user connections.

    If everyone's web browsers use ~100 connections (random wild guess) at a time, then you could have 125 users at a time. If they only take 10 connections at a time, you can get away with 1250 users.

  • Downloads freezing after 30 seconds

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ

    If you have asymmetric routing happening, it would explain that (traffic entering and exiting different interfaces) - or if you have made a layer 2 loop, STP on the bridge would shut off a port.

  • MOVED: Limite de Download e Upload

    Locked
    1
    0 Votes
    1 Posts
    605 Views
    No one has replied
  • Rx Errors on "IN" LAN Interface

    3
    0 Votes
    3 Posts
    4k Views
    jimpJ

    It can also be from the driver if it ran out of buffer space to process a packet or some other error condition that resulted in a dropped packet.

    Some drivers are nice and report the actual condition of the failure in sysctl output. For example if you have an em nic, run "sysctl -a | grep .em." and see what you get. Substitute the driver name as needed (bce, bge, igb, etc) but make sure not to put the number on the end, as in the sysctl tree it would be em.0 and not em0 or it may only have a general list of things.

  • PfSense Data Collection

    5
    0 Votes
    5 Posts
    2k Views
    F

    Thanks Phil.  That all makes sense.

    I do notice something going to a site in Italy, I think it's possibly from Ntop.  I'd like to check into that.

    It's not a terribly urgent concern, but I do think we should know these things.

    -F

  • CLI log text searches via SSH and the binary snippets

    2
  • VLAN issue with pfSense in a VMWare Cluster

    2
    0 Votes
    2 Posts
    999 Views
    stephenw10S

    How is the pfSense VM configured? Other hosts would not be able to connect to its WAN interface by default.

    Steve

  • Pfsense w/ Duo security two factor for openvpn

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Low power mode for GPU

    3
    0 Votes
    3 Posts
    2k Views
    K

    My old board I'm using has an option I've never wanted or needed before anywhere except on pfsense.  It has an internal VGA graphics adapter and at BIOS it can be set to off. The effect is nice.  It will boot and run but there is no video at all of any kind.  The only way to change that is to clear the CMOS with a jumper.  I considered using this because I felt if the case is locked, and there is no console access, it's going to be damn hard for someone to reset my password even with keyboard access because I've also turned off all boot options except that one drive in BIOS.

    Anyway, guess that also saves power - But it's otherwise a crap board.  I'm surprised it's working so well, but it does.

    No idea if you can do this with your board.

  • Router IP redirecting to WAN interface

    4
    0 Votes
    4 Posts
    1k Views
    A

    Excellent..that helped me sort it :-)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.