• Strange LAN blocks destined for a Google IP Address

    Locked
    8
    0 Votes
    8 Posts
    3k Views

    My ISP has given me a new block of ip addresses to isolate the computers connected to the router by giving them each a different public ip address which should put them all onto a different network but still going through one common gateway.

    I'm going to use the old firewall to monitor the connections from the other pc's connected direct to the router to see if one of them might have something on it which can interfere with the two routers handing out dhcp ip addresses as this seems to be the stumbling block.

  • Typical setup for webserver DMZ

    Locked
    4
    0 Votes
    4 Posts
    2k Views

    If your ISP is routing your public IP space to the /32 on the WAN, then you only need to disable NAT for the DMZ network. It sounds like you still have automatic outbound NAT on or still have the auto created rules.
    Switch outbound NAT to manual. It should create a default set of rules.
    Remove any rule that includes the DMZ subnet.
    Set up FW rules to allow traffic from WAN to DMZ. Do the same with your LAN (to allow access into the DMZ).
    You do not need 1:1 NAT or port forward to a routed set of public IP addresses.

  • Squidguard problem

    Locked
    6
    0 Votes
    6 Posts
    1k Views

    Nacht,

    Thx a lot. Will do so.
    I've a 2.1 beta running on one of my schools. Only thing I have is slow internet connection when SQUID and SQUIDguard are activated.

    But I'll repost that issue within the correct sub.

    Kind regards,

    Me

  • Need help with this scenario (A little help with subnetting)

    Locked
    4
    0 Votes
    4 Posts
    1k Views

    @pmiccich:

    LAN 2 & LAN 3 unfortunately don't have internet connectivity… and they can't connect to each other, which is something I REEEEALY need

    By default, only the pfSense LAN interface has firewall rules allowing access "anywhere else". You need to add firewall rules to those interfaces to allow the access you require.

  • Java & flash download blocked by HAVP

    Locked
    3
    0 Votes
    3 Posts
    1k Views

    OK, see, I didn't know what to think. I have always had problems with Java; it seems whenever it's on my computer I can expect it to have problems, but lately I have been playing Minecraft so it's kind of necessary. I'm also on YouTube a lot. In the meantime I think I'll just bypass HAVP if it's not going to harm my computer (theoretically); I was just wondering if it wasn't someone tampering with the download.

  • Only dare-devil can try this !!!!

    Locked
    10
    0 Votes
    10 Posts
    2k Views
    stephenw10

    You can easily achieve a fail-over scenario between two WAN connections using a single instance of pfSense installed on your box. You can load balance the two connections as well if you want.
    Depending on the speed of the connections and the spec of your hardware you may want to install pfSense as a single VM anyway because you can then use the hardware for running additional VMs. This does reduce security (potentially) but given your lack of access to hardware might be the most efficient way to use it.

    Do you intend to run any packages on pfSense, Squid, Snort, etc.?
    What is the full spec of your box?

    Steve

  • Wifi needed!

    Locked
    6
    0 Votes
    6 Posts
    2k Views

    @Klaws:

    I prefer regular APs instead of built-in WiFi cards. No driver issues, no need to buy outdated hardware. And you gain the flexibility to put the pfSense box at a convenient location while the AP goes to the optimum position for RF coverage.

    I agree with those listed advantages for external APs but I have found the pfSense reporting and troubleshooting facilities far superior to those on any commodity AP that I have encountered.

  • Wrong route for gateway break pfSense

    Locked
    6
    0 Votes
    6 Posts
    2k Views

    You can just copy the last good config from /cf/conf/backups/ to /cf/conf/config.xml and reboot.

  • VLAN question

    Locked
    9
    0 Votes
    9 Posts
    3k Views

    I tried the WiFi option in pfSense as well and I had to give up at the end (I posted about it in the wireless section). I came to the conclusion that the hardware that works well with FreeBSD 8.3 in AP mode is very limited and hard to find at best. I could spend hours trying to find the right ath based card on ebay or just spend $90 for a proper AP and be done with it.

  • Cannot Access Web Server From Internal Network

    Locked
    11
    0 Votes
    11 Posts
    16k Views

    Okay thanks so much.

    Luke K.

  • Squidguard issue

    Locked
    9
    0 Votes
    9 Posts
    2k Views

    Well, guess I will have to use a normal PC for my setup.
    Thanks a lot for the great, helpful and informative advice.

  • Can't access web page over VPN.

    Locked
    1
    0 Votes
    1 Posts
    893 Views
    No one has replied
  • Strange problem with my setup

    Locked
    4
    0 Votes
    4 Posts
    1k Views

    Ah, sorry, I misunderstood your first post - I thought the issue was related to a "new version installed".

  • How to get pfsense to reboot after power failure?

    Locked
    8
    0 Votes
    8 Posts
    11k Views
    stan-qaz

    You can add external batteries to most UPS boxes with a bit of effort too. Pick one that is about double your power use so it is running in the most efficient range and get a reasonable runtime in the basic box. Add as much external battery as you like, recharge will take a long time but otherwise all will be just fine.

    I really like AGM (absorbed glass mat) batteries for inside use, no chance of acid fumes or spillage unless you horribly abuse them.

  • WAN link does not recover automatically after ISP connection restored

    Locked
    23
    0 Votes
    23 Posts
    19k Views

    Hi Guys

    I've been experiencing something similar, though I'm not sure if it is the same.  My post is here:

    http://forum.pfsense.org/index.php/topic,59546.0.html

    Essentially what's happening is something is triggering my interfaces to kick out, and only a reboot of either the DSL modem or firewall brings them back. I do see the WAN gateway alarm where it cannot reach it, but that could be the chicken or the egg - did it go down because the interface died or did it go down first and then the firewall could not recover. I have DSL/pppoe.

    -Lou

  • CPU Usage always at 100% because of bandwidthD

    Locked
    7
    0 Votes
    7 Posts
    4k Views

    Does the Services menu have a Bandwidthd entry?
    If so, then your system has had the actual Bandwidthd package installed at some point, but an upgrade (or something) has somehow lost it from the installed packages list. In that case, from System->Packages you can install Bandwidthd, then uninstall it again. That will get rid of the menu entry, and the program.
    Otherwise, post the output of pkg_info command. (You can then probably use pkg_delete to get rid of bandwidthd, but there might be other bits that could also be removed, and there might be other things installed or customised on your system?)

  • BandwidthD taking up 100% of CPU, but i never even installed it!?

    Locked
    5
    0 Votes
    5 Posts
    2k Views

    @stan-qaz:

    Man page: http://www.freebsd.org/cgi/man.cgi?query=kill&sektion=1

    Start with just kill and your process (from your other post) id:  kill 5018

    Add options if that doesn't work, -9 or -15

    kill -9 5018  or kill -15 5018

    It worked :) thank you very much sir.

  • New connections per second exist in pfSense

    Locked
    3
    0 Votes
    3 Posts
    1k Views

    Thanks for the reply jimp. I am running a firewall sizing work, new servers etc and for that reason I would like to know how many new connections are created in the firewall per second.

    So, I will consider the state table, insert option to calculate my new connections per second.

    Thank you,

  • Github repos are now under pfSense name

    Locked
    2
    0 Votes
    2 Posts
    726 Views
    jimp

    We are still tracking down and updating things as we find them, announcements went out to the development and committers lists already.

  • DynDNS question

    Locked
    17
    0 Votes
    17 Posts
    7k Views

    This is awesome… thanks Phil!  (I'm the guy who initially pointed out the annoying no-ip behavior) but hey it's free, right?  Oh wait a second... pfSense is free too but there's no annoying behavior.  :)

    IIRC, the cron job in pfSense does these updates at 1:00am or so.  If that is indeed the case then it's very unlikely to adversely impact anyone.

    As for alternatives, I've found FreeDNS to be quite useful.  DNS-O-Matic does look interesting and since it's an OpenDNS service, I would expect that there's almost no chance of this sort of "monkey business" cropping up in the future.

    Thanks again,

    Phil
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.