Thanks for the reply jimp. I am running a firewall sizing work, new servers etc and for that reason I would like to know how many new connections are created in the firewall per second.

So, I will consider the state table, insert option to calculate my new connections per second.

Thank you,

We are still tracking down and updating things as we find them, announcements went out to the development and committers lists already.

This is awesome… thanks Phil!  (I'm the guy who initially pointed out the annoying no-ip behavior) but hey it's free, right?  Oh wait a second... pfSense is free too but there's no annoying behavior.  :)

IIRC, the cron job in pfSense does these updates at 1:00am or so.  If that is indeed the case then it's very unlikely to adversely impact anyone.

As for alternatives, I've found FreeDNS to be quite useful.  DNS-O-Matic does look interesting and since it's an OpenDNS service, I would expect that there's almost no chance of this sort of "monkey business" cropping up in the future.

Thanks again,

That should be fine for the OS, assuming your hardware is capable of using those effectively.

We have people running with hundreds of VLAN interfaces or other virtual interfaces and it's OK that way, the only question there is your hardware.

Chrome is nice it just caches too aggressively. You didn't need to reinstall chrome, just empty the cache and/or force a reload of the page (hold shift + click refresh button)

nobody has an idea?

I forward (WAN side) port 80 to port server 1 port 80 (LAN side).

Port 81 goes to server 2, port 80.

Port 82 goes to server 3, port 80.

Port 443 goes to server 4, port 443.

I access all other boxes via an IPSec VPN.

Ashish, I fixed bandwidthd so it should run OK on nanobsd Alix systems. Did you install the latest version 2.0.1.4? and it takes a few minutes to make the first graphs.
Edit: You were still on 2.0.1.3. I updated bandwidthd and set the parameters back to the defaults (it will update usage every 2.5 minutes) plus selected output_cdf and recover_cdf so it will reload everything when bandwidthd restarts.
Note: At the moment on nanoBSD the bandwidthd cdf data files are not saved anywhere - they are lost on reboot. Tonight I will try and add the code to save the data periodically to the CF card.

Edit: Oh, I'm sorry, you mean Monitor IP. No, all different on all interfaces (2 WAN, 2 VPN). But both VPNs have the same gateway IP.

Never mind.. Turns out it was a coincidental browser error, and clearing cache fixed it.

:-X

@phil.davis:

/tmp and /var are memory disks on nanobsd. They get created from scratch by the boot scripts. Whatever is in them at shutdown goes in the bit bucket (things like RRD data can get saved at regular intervals to the real CF card).
So it doesn't matter how big your CF card is!
There have been some mentions of making the /tmp and /var memory disk sizing settable from the WebGUI - that would help people who have plenty of memory in their nanobsd system, they could get more space in /tmp and /var.
At present you have to find where it is set in the boot scripts and edit the magic numbers.

Thanks. I've found it in /etc/rc.embedded.

it's called tmpsize.

It seems from your description that you have already setup more than one 'LAN' interface. Do you mean multi WAN?

If not please describe your network and what you are trying to achieve.

Steve

I don't think you can, but you can always try it and see. Post the results in here.

@Gi4usa:

I am new to PFSense. I did not see anything in the documentation section on web hosting.  I need information on how to securely host a web server, Win Server 2008 with IIS 7.0 using PFSense.  Can anybody point me in the right direction?

Hello Gi4usa,

Here is a link to the screenshots that I looked at, I have the same concern however, I did look at the firewall screenshots and it is good fit for what I need to do. I am not sure if these will help you but they helped me. http://www.pfsense.org/screenshots/ If you need help just send me a private message and I think I can help ya.

Good Luck,
Michael

I agree with asterix. While the Aironet APs are not the most admin-friendly on the market (I vaguely remember issues with setting up roaming correctly), they work reliably. Unlike the "Linksys by Cisco" AP stuff, which reliably fails.

Concerning Layer7 filtering: it increases CPU usage, but does little to increase security. I prefer not to use it, but your bosses might have a different point of view. If management decides that they want Layer7 filtering, your hardware requirements will rise by order of magnitude.

In my opinion, overly restrictive firewalls will only teach better "hacking skills". Especially in an school/university environment, where information about circumvention of restrictions are commnicated very efficiently (among the users, not towards the administration).

Virus scanners on the firewall doesn't make sense if users are allowed to bring their own hardware into the network. If there has to be traffic between the Guest WiFi network and the "production network", you should concentrate you efforts on this interface. However, this access path doesn't really need to be more hack-proof than from the public internet.

I tried that, but I can't make unbound listen on any alias - they won't show up on unbound's configuration page and can't be selected as  "listening interface".
Ideally we could configure aliases for the anycasted IPs on the loopback interface, but the loopback doesn't show up under "interfaces" either.

The vNIC trick applies to virtualized environments, but obviously that won't work with a pfsense running on bare metal.

http://forum.pfsense.org/index.php/board,37.0.html

SSH has a serious design flaw so I have SSH disabled to the outsides world. Any known user can connect an infinite number of times. SSH leaves it up to the OS to manage this.

SSH tunneling on a mac and windows both require administrative privileges to create the bridge interface as it's on-demand and not an OS level service. On top of that I need all the devices using the same VPN system and ssh tunneling can only be done with a jailbroken iOS device or with OpenVPN which is horrible on iOS and is not able to work on cellular for proxying.

I may just have to resort to installing Server on the mini and just using pfsense for firewall/proxy. With OS X Server it's much easier to use profile management on apple devices and force settings but I would rather just have one border device.

@star_tiger5, basically every TP-Link switch that is not unmanaged supports vlans. (web smart, managed, jet-stream)
Switching speeds and total capacity differs per product iteration.
So, if you are looking for the best performance, get the switch with the highest switching capacity for the number of ports you need.

tl;dr, get any tp-link switch in the jet-stream or web smart product lines.

Hey Guys

It think this situation is related to another post I got resolved as per this post.

http://forum.pfsense.org/index.php/topic,59608.msg321277.html

Wasca