• Transparent NTP Redirection

    If your clients use DHCP, you can also communicate a specific SHCP server via the "NTP servers" option.

    Of course, this is not as bulletproof as the "sneaky approach". It's also less geeky ;)

  • Zyxel DSLAM on pfSense PPPoE server

    I got it to work :D

    As it turns out, there was no problem with PAP. So the information in the thread linked above is probably outdated and no longer true - it certainly had me confused. The actual problem was much simpler: The shared secrets on PPPoE server and FreeRADIUS didn't match. Other than that, PAP works out of the box.

  • ANY HELP ???? DVR AND PFSENSE

    Thanks for a quick reply. We will give it a try.

  • Why is OpenVPN client unstable? What is the work-around for it?

    @cmb:

    There's nothing unstable about OpenVPN client, it's one of the most widely used things. You have some kind of problem that isn't a bug, but no telling from that description what that might be.

    cmb, I had the WAN disconnected for 24 hours and now that I reconnected WAN the OpenVPN client didn't come up. I think I have nailed the problem to be with OpenVPN exiting when there is no WAN connection - This shouldn't happen and the OpenVPN client should keep trying or it should be smart enough to come up the moment there is a WAN connection detected again. So, something is failing here. Following is the log:

    Mar 3 22:43:48 openvpn[39786]: SIGTERM[hard,] received, process exiting
    Mar 3 22:43:48 openvpn[62930]: UDPv4 link local (bound): [AF_INET]192.168.254.10:47383
    Mar 3 22:43:48 openvpn[62930]: UDPv4 link remote: [undef]
    Mar 3 22:43:48 openvpn[63453]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 6 2012
    Mar 3 22:43:48 openvpn[63453]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 3 22:43:48 openvpn[63453]: LZO compression initialized
    Mar 3 22:43:48 openvpn[63453]: TUN/TAP device /dev/tun1 opened
    Mar 3 22:43:48 openvpn[63453]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Mar 3 22:43:48 openvpn[63453]: /sbin/ifconfig ovpnc1 172.18.18.2 172.18.18.1 mtu 1500 netmask 255.255.255.255 up
    Mar 3 22:43:48 openvpn[63453]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1561 172.18.18.2 172.18.18.1 init
    Mar 3 22:43:48 openvpn[4443]: UDPv4 link local (bound): [AF_INET]192.168.254.10
    Mar 3 22:43:48 openvpn[4443]: UDPv4 link remote: [AF_INET]65.64.64.64:54344
    Mar 3 22:43:48 openvpn[4443]: Peer Connection Initiated with [AF_INET]65.64.64.64:54344
    Mar 3 22:43:49 openvpn[4443]: Initialization Sequence Completed
    Mar 4 09:32:24 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:25 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:26 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:27 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:28 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:29 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:30 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:31 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:32 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:33 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:34 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:35 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:36 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:37 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:38 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:39 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:40 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:41 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:42 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:43 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:44 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:45 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:46 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:47 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:48 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:49 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:50 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:51 openvpn[4443]: write UDPv4: No route to host (code=65)
    Mar 4 09:32:52 openvpn[4443]: Inactivity timeout (--ping-restart), restarting
    Mar 4 09:32:52 openvpn[4443]: SIGUSR1[soft,ping-restart] received, process restarting
    Mar 4 09:32:54 openvpn[4443]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 4 09:32:54 openvpn[4443]: Re-using pre-shared static key
    Mar 4 09:32:54 openvpn[4443]: LZO compression initialized
    Mar 4 09:32:54 openvpn[4443]: TCP/UDP: Socket bind failed on local address [AF_INET]192.168.254.10: Can't assign requested address
    Mar 4 09:32:54 openvpn[4443]: Exiting
    Mar 4 09:32:54 openvpn[4443]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1561 172.18.18.2 172.18.18.1 init

    List of processes running at this moment, as it might be relevant per this link: https://forums.openvpn.net/topic8933.html

    $ top
    last pid: 25694;  load averages:  0.00,  0.00,  0.00  up 0+22:43:15    19:40:08
    34 processes:  1 running, 33 sleeping
    Mem: 39M Active, 24M Inact, 41M Wired, 8K Cache, 34M Buf, 130M Free
    Swap:

      PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
    24839 root        1  46    0 36564K 24408K piperd   0:49  1.95% php
      262 root        1  76   20  3408K  1208K kqread   3:25  0.00% check_reload_status
      466 root        1  76   20  3656K  1460K wait     1:06  0.00% sh
    48841 root        1  64   20  6080K  6104K select   0:15  0.00% ntpd
    24156 root        1  44    0  8764K  6628K kqread   0:08  0.00% lighttpd
    32953 dhcpd       1  44    0  8436K  5688K select   0:07  0.00% dhcpd
    62930 root        1  64   20  5116K  3304K select   0:05  0.00% openvpn
    33857 nobody      1  44    0  5564K  2552K select   0:02  0.00% dnsmasq
    16616 root        1  44    0  5912K  2368K bpf      0:02  0.00% tcpdump
    24408 root        1  46    0 35540K 19848K accept   0:02  0.00% php
    16411 root        1  44    0  4956K  2436K select   0:01  0.00% syslogd
    48534 root        1  64   20  3316K  1352K select   0:01  0.00% apinger
    16778 root        1  44    0  3316K   904K piperd   0:00  0.00% logger
    49678 root        1  44    0  3408K  1388K nanslp   0:00  0.00% cron
    54249 root        1  71    0  3316K  1040K nanslp   0:00  0.00% minicron
    17024 root        1  44    0  3436K  1444K select   0:00  0.00% inetd
    63848 root        1  76    0  3688K  1576K wait     0:00  0.00% login
      282 root        1  44    0  1888K   532K select   0:00  0.00% devd

    ***The only other VPN process on this pfSense is a VPN server.

    It seems like once WAN is connected some script is not notifying OpenVPN tunnel to restart so it just stays stopped.

    ***I think this issue is closely related to this issue: http://forum.pfsense.org/index.php/topic,2785.30.html

    Thanks

  • Did I get hacked?

    jimp

    Sadly, AV companies can't take a joke…  :P

  • Connection issues v.2

    Hi again and thanks for the replies.

    No, it's not hosted by ourselves.

    The problem was apparently our DNS server on the win2003 server. A friend of mine fixed the problem and showed me how to add sites outside our LAN.

    Thanks again for your support.

    Kenneth

  • Connection Issues - Some sites work while others do not.

    I believe I may have found what was causing this issue. When I have IPSec enabled I seem to have issues connecting to the company website. With IPSec disabled things seem to be normal. Has anyone encountered something like this?

  • Options in the Dashboard {wake on lan and Traffic Graph}

    Well
    I did what you said
    But before I did that on the primary system
    I did that to secondary system that installed on a virtual machine

    in the file I downloaded from the virtual machine

    Specified line was there
    I changed and it worked

    in the file of the main machine
    It was not there

  • Ssh server unexpectedly closed network

    It doesn't for me: If I ssh into pfSense, select option 8 (Shell) , start a ping then type Ctrl-C the ping terminates and I get a shell prompt.

    If your ssh sessions behave differently, please provide more details such as the system you ssh'd from and exactly what you are doing. Screen capture would probably be helpful.

    I tested what you said; yes, I can type Ctrl+C to terminate ping in the local shell,
    but I mean in the pfSense menu, with option 7 selected to ping a host.

    OK, getting into the shell and then Ctrl+D is a good way to redisplay the menu.
    Thanks.

  • Service-utils.inc :: line 90, sleep(2) not long enough

    No one has replied
  • Pfsense and 2networks

    Sorry about that, I don't know all the names of things and am still getting the hang of networking.

    Here this is How you would setup a 2 segment network and using your linksys as accesspoints
    So
    Pfsense
    Wan dhcp = public IP from your ISP
    LAN1 (lan) = rl0 10.0.1.1/24
    LAN2 (opt1) = rl1 10.0.2.1/24
    Connected to LAN Ports of your linksys boxes, who have their dhcp servers TURNED OFF!!!
    linksys lan 1 10.0.1.2/24
    linksys lan 2 10.0.2.2/24
    Now devices on lan 1 would be say 10.0.1.42 and would point to 10.0.1.1 as gateway (pfsense IP on this network)
    Devices on lan 2 would be say 10.0.2.14,15,16, etc.  And point to 10.0.2.1 as gateway (pfsense IP on this network)
    Now you could forward what traffic you want from internet.  But if you don't allow traffic between your lan 1 and lan 2 via your firewall rules they will not be able to talk to each other.

    You, sir, hit the nail on the head; this is what I was trying to say! (Never been too good at asking for help on forums.)

    TURNED OFF!!!

    Yes, I know, and set it to forward to pfsense/DHCP Server

    so let me get the names right

    pfsense = WAN/gateway/firewall/LAN
    linksys (&/or any other device) =  accesspoint?

    Now you could forward what traffic you want from internet.  But if you don't allow traffic between your lan 1 and lan 2 via your firewall rules they will not be able to talk to each other.

    OK. So I would need to open (let's say FTP Port:21), so on lan1 open Port:21 and on lan2 Port:21, then one or more devices from lan1 can talk to a server on lan2?

    –---------------------------

    edit: I think I reversed the lan 1 and 2 and the ips I put in the picture..

    Yes you did, sorry my pic was not as good; next time I'll make it better.

    I just kept it simple.  Keep it simple with a easy to read and understand /24 mask.

    Yes, that is why I did 10.1.1.1 and so on. Yeah, a /24 mask is what I am going to do after I get this working; right now this is just for testing!

  • Pfsense in laptop having one lan port.

    The Express Card slot has a maximum bandwidth of 2Gb/second, so it won't achieve full line speed with a dual GbE NIC (like the Exsys EX-6088).

    "Best performance" doesn't sound like 100MBit or USB NICs are an option, so I assume that the laptop in question already has a GbE NIC.

  • My Gateway

    stephenw10

    You can do layer2, and hence MAC, filtering with the captive portal. It uses ipfw instead of pf like the rest of the pfSense filtering.

    Steve

  • Kernel: arplookup failed: host is not on local network

    Do you have a cable modem?

  • Ammunition against Cisco firewall/appliance

    Folks -

    I am just now looking over all the posts and I thank you all for the valuable information. It's not likely that I will lose my job over this, as we have been shrinking through attrition for years now and all it takes is for two people to call in sick to make it hard to staff the library desks, so I am needed if for no other reason than to provide a warm body to answer patron questions like "where's the books on butterflies?" and such. If the library wants to pay me to sit and answer dumb questions, then hey - it's their dime. Customer service is important, too.

    The ease with which pfsense is installed and managed should be a great selling point to my supervisor when she realizes that she won't be able to make a Cisco configuration change by pointing and clicking a mouse on a web page, but rather has to call up the firm that installed the Ci$co firewall to do it, then charge us for the change.

    Since the starting of this topic, the director of the library has seen the report on the state of our network that the consultants have concocted. He has (correctly) come to the realization that it's a sales tool first and foremost, and that we, my boss and I, get to decide what proposals we feel will work for our organization, not the consultants. That's a relief.

    We are doing battle with another outside firm right now over a web tool they wrote for us that is failing miserably, so it might leave management with a bad taste in its mouth for contractors.

    Again - thanks to all who contributed to this conversation. It will be useful to me.

    LibraryMark

  • What the hell is trying to kill me?

    johnpoz

    Yeah, I would not call such a low amount of traffic any sort of attack. The torrent theory fits; it does not have to be that you just got a new IP. If you're using UPnP for your client and it changed ports on you, you're going to see traffic to the old port for days and days and days.

    If it bothers you, or fills up your logs - prob best to just create a rule to not log it.

    I have a clean up rule that does not log udp – there is just way too much noise to worry about.

  • New install, can't ping nor browse through WAN

    @Klaws:

    Try unchecking "block bogon networks". Perhaps your public IP address is one of the very new ones which is still regarded as bogon.

    I don't really remember how bogon blocks are applied within pfSense, but I think I remember that it might have been that they are loaded very shortly after the interface goes "up". Well - very vague, I know.

    That didn't work, I unchecked the block bogon networks checkbox, saved and applied the changes and I'm still not getting any ping replies from x.x.x.102 nor 8.8.8.8

  • Performance-Problems to several Websites

    Ruddimaster

    Now suddenly spiegel.de works again.
    strange.  ???

  • Delete RRD graph of a specific interface

    Easy!

    RRD data is in /var/db/rrd

    Just rm the data you no longer need.

    e.g.
    [2.0.2-RELEASE][admin@pfsense.domain]/root(1): cd /var/db/rrd
    [2.0.2-RELEASE][admin@pfsense.domain]/var/db/rrd(2): ls
    GW-quality.rrd      ovpns1-traffic.rrd  system-states.rrd
    WAN-quality.rrd      ovpns1-vpnusers.rrd  updaterrd.sh
    ipsec-packets.rrd    ppp-cellular.rrd    wan-packets.rrd
    ipsec-traffic.rrd    system-memory.rrd    wan-traffic.rrd
    ovpns1-packets.rrd  system-processor.rrd
    [2.0.2-RELEASE][admin@pfsense.domain]/var/db/rrd(3):rm ovpns1*.rrd
    [2.0.2-RELEASE][admin@pfsense.domain]/var/db/rrd(4):

    to drop the OpenVPN interface stats

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.