@ljadmin:

My gateway status is 'online' but i cannot ping my gateway from the IP of my Firebox but I can from other systems on the switch.
[Gateway (#.#.#.217)] – switch -- [Firebox (#.#.#.219) & ServerA (#.#.#.220)]

What does ping report? (a png report is nearly always more informative than "cannot ping").

How many interfaces have you configured on the firebox? How many of them are in the same IP subnet as the pfSense WAN interface?

I presume the switch you mentioned is connected to the pfSense WAN interface and Server A such that Server A can directly contact the gateway (bypassing the Firebox).

@marvosa:

When using FTP behind a NAT Firewall, I've always forwarded the passive ports.  Unless the firewall dynamically monitors FTP connections and opens ports dynamically when it detects a passive FTP connection, which I'm guessing is what the FTP helper is trying to achieve.

From -> http://doc.pfsense.org/index.php/2.0_New_Features_and_Changes:

FTP helper now in kernel

So, maybe it's a kernel bug or the "FTP Helper" has been deprecated.  If someone has a more official explanation, feel free to chime in.

I think you are correct. I have not disabled it so maybe there is some kind of bug on the FTP helper since although enabled i have to port forward the passive ports my self.
Except if the FTP helper on pfsense is not supposed to do this as the [ Tracking / NAT Helpers - FTP nat helper ] i said.

Who knows.

Regards

Try looking for the VLANs tab on Interfaces -> (assign)

I realize this was posted in wrong place. I just want to update in case someone was scared off by my experience, When I downgraded to 2.0.2 I had the same issue when I restored the config backup. So apparently there was an issue with my config exposed by the upgrade process, unrelated to version 2.0.3. I am now running 2.0.3 with config rebuilt by hand (with aid of the xml file open in notepad) and all seems fine. Was probably a good time for a config 'spring cleaning' anyway..
Thanks again to maintainers of this project for this solid update!

@pvoigt:

@dig1234:

I'm on nanoBSD i386. upgrade from 2.0.2 to 2.0.3 was a disaster. Bootup would hang at Starting Firewall.
Turned on verbose logging, eventually bootup finishes but packages did not reinstall.
Getting message in syslog and console:  kernel: t_delta 15.fd984de3455432fc too short etc.
Will try installing from scratch, maybe upgrade process just crapped out. Otherwise I'll go back to 2.0.2

Well, these issues are looking even more serious than those nsswitch warnings. Maybe I missed it but are you getting the nsswitch warning besides your other problems? If yes, could you please give feedback I they do disappear after a clean install? I'm runing a NanoBSD image and it is a real pain to exchange CF card for re-imaging.

Thank you all for your help. I also found out that every night comes the night guard to this company with his own laptop which was also infected:)

@heper:

squid on pfsense can work with AD authentication. How well it integrates with squidguard/dansguardian i don't know.

You have to install the following packages

you will sea the proxy filter and proxy server on the service tab you have configure like this

You can't use two WAN NICs with the same gateway.  It'll only route traffic out of the default gateway.

If you have more than one public IP address that can use the same gateway, you can do it with one NIC, and VirtualIPs and 1:1 NAT routing. (http://doc.pfsense.org/index.php/1:1_NAT)(http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F)

On my WAN2 interface I have a public IP address ...39, and ...40, and ...41.  The ...39 is the LAN2 subnet.  ...40 is a single IP on LAN2, and ...41 is another single IP on LAN2.  I could easily have added another public IP and had that route to LAN1, but in my case I have a completely different WAN connection with a different (different than WAN2) gateway instead.

Create the one WAN interface and use 1:1 NAT with a VirtualIP.

If you are looking at building a new box it's hard to recommend anything other than a low-end Sandybridge/Ivybridge based board. As Tim suggests above, using an socket 1155 board gives you lots of upgrade options. This board:
http://www.newegg.com/Product/Product.aspx?Item=N82E16813121622
Is slightly more but gives you a smaller footprint and DC power for greater efficiency.
Even a low-end Celeron will firewall/NAT at Gigabit wire speed so should be good for 120Mb of OpenVPN (I have no test results to confirm this). http://www.newegg.com/Product/Product.aspx?Item=N82E16819116889
If you want less building then maybe something like the Shuttle DS61: http://forum.pfsense.org/index.php/topic,56950.0.html

To be honest you could probably get 120Mb VPN with a far less powerful system but it's probably easier and cheaper to go with something such as the systems above.

Steve

If they fix it upstream, we pick up the changes either the next time we shift OS versions (not very often) or if we bring their patch into our code (happens all the time).

You cannot expand it to fill the card, at least not at all easily. It's relatively easy to load up the 4GB image and restore the config though.
However there is very little point in doing so. It's very unlikely you'll run out of space in the 1GB image. The RRD data is stored in the config (50MB) partition and I think that is the same size in the 4GB image. I'd have to check that. The RRD data does not grow in size though, that's the primary feature of it.

Steve

**my system work on ESXI 4.1 , pfsense for merge 2 line my multigatwy then go to Mikrotik 5.20 for Distribution internet to clients ,
every route have bult in siwtch take cable form router 1 to router 2  and from router 2 cable to wan , ( i disable dhcp in bothe of them )  ( in ESXI creat  2 virual network adapter in pfsense , contact to wan by creat virtual  switch then acreat vm switch btween mikrotik an pfsense

this is my network every time restart my Routers only one is online and the other is offline to solve problem need to restart pfsense every time after restart routers  , hop to fond solutoin**

thanks for your reply..
@dhatz:

Your best bet to increase overall performance would be to switch to pfsense 2.1-BETA (based on FreeBSD 8.3, with new drivers for most hardware). As long as you won't be doing any disk-intensive tasks (e.g. squid) the most important factor affecting performance would be your NIC(s) e.g. Intel or Broadcom etc.

Since you have plenty of RAM, you could try
kern.ipc.nmbclusters=262144

thanx  for thats a  big help  now i  just need to  work out  installing  but it cant be  that  difficult    hopefully  ???

however that  not my  firebox 700  but its a big help

That's an IP conflict, the device with the MAC it's listing is using your IP. It won't be in the ARP table since that IP is local and it won't believe whatever the conflicting device is. But your upstream router will. What to do about it depends, if that's something on your network, turn it off or change its IP. If you're plugged straight into your ISP's network, you'll have to contact them about it.

That'll happen if that traffic makes it to the firewall. At that point you can either block or pass it, but it's going to show up in your RRDs either way. Whether or not it makes it to your firewall depends on the device its WAN is plugged into. Something on that upstream device must have changed to send out that multicast on all ports rather than just ports that have joined the appropriate group. Whether or not that's configurable or you can do anything to change the behavior, not sure, better chance of finding that out from your provider (if you can get someone with a clue) or a forum of theirs if one exists.