@cmb:

scp is a "very slow" protocol, it's designed to be secure, not fast. Getting 70 Mbps may well be the best you can do. You're not going to max out any hardware resources when doing a scp transfer generally. Google "scp slow" and you could spend months reading the results. Windows is worse if it's your client, OS X, BSD and Linux clients will be faster, but still nowhere near as fast as the hardware resources can transfer.

Thanks a lot. I was just wondering why. I even used jumbo frames at 9000.

@danielc:

does anyone know if Pfsense has some software that will put the PC into a stand-by mode after like 30 minutes of no activity, and then wake itself up whenever it receives a request for internet access?

You can't wake a system upon a request for Internet access, just not possible with anything.

Besides, even a small home network is highly unlikely to have 30 minutes of inactivity unless you power off every single Internet-connected device. Best to get something low power and leave it running. Only alternative is to power it off and back on as needed manually, or via wake-on-LAN.

@joako:

This has happened to be before… loading the embedded image and expecting output on the monitor. Make sure you use a VGA image!

Don't think that's the case here, that should show a F1/F2 prompt. That boot prompt is from a full install.

I hope you paid for it.  ::)

Steve

@cmb:

Almost certainly because you need a lower value for MSS clamping.

Yes! Setting Interfaces->WAN->MSS to 1492 (or lower) solves this.
Now I can finally move on to more important configuration… Thank you so much!  ;D

@monowallboy:

2nd NIC is some older 100M Realtek chipset

This could be an issue. 100Mb Realtek NICs have a bad reputation for misbehaving. What chipset/NIC is it?

Steve

Note: If you directly edit /etc/crontab, then that will be overwritten next time you reboot. The crontab is generated from entries the pfSense config.xml
To make it permanent, install the Cron package and edit the job from there - then both config.xml and /etc/crontab get updated.

Just uninstalling Snort doesn't clear the block offenders IIRC, that sounds like the symptoms of overblocking with Snort. There aren't any DNS-related changes or anything else that would cause that symptom on 2.0.2 when it didn't happen on 2.0.1, it's not version-related. The reinstall just did the same thing a reboot would have minus Snort.

I'll take the 3 ports! It's just 2 euros more and offers some cool options indeed - thanks for the hints! I like the idea of an open, seperate AP for example. Always wanted to do that - just to see what people are going to use it for. :)

@jonathanduane:

justing a dell optiplex i will check now for errors, thanks

Can you tell us what model of Optiplex?  They range all the way from first generation Pentiums through current i7's, some with 3Com, Broadcom, or Intel NICs onboard; the model will tell us a lot about what we're looking at.  It'll also be helpful to tell us about any secondary NICs you may have installed and are using.

Thank you sir….

@neteffectcafe:

I am blocked because i am an Internet cafe.

Bizarre.
Do they give a reason for doing this?

Steve

NAT reflection is ugly as a general practice (why loop things through the firewall when you don't have to), and you lose the real source IP out of necessity since the replies have to go back via the firewall. Nothing wrong with using it though if that's the best option in your specific scenario.

You cannot. The platform file needs the exact words it has. It can only be pfSense, nanobsd, livecd, and so on.

That does not control the name of the system as displayed on the GUI, console, etc. There is another place to set that. Leave the platform file alone. It is for internal use only.

Dear Steve,

This same issue i was also facing in my wan network.
According to your solution by enabling Nat Reflection. i won't get pfsense admin login page again but my web respective page was not shown.
but by checking the below option. I am able to view my require web pages.

"Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from"

Thanks a lot for your solution.

Some server software includes a "mini firewall". Server configuration requires specification of which interface(s) the server will access requests from and/or which IP addresses the server will accept requests from.

Perhaps the server is rejecting the requests you have logged because the server is not configured to accept those requests. There might be a server log giving more details.

That tip resolved it. I was under the impression that I had the "mini" firewall on the webserver disabled for my tests - but I must have been wrong. "Problem" went away when I uninstalled the local/mini firewall that is no longer necessary.  We were using an application that sits on top of iptables - and I assumed incorrectly that shutting down iptables would disable the local firewall application.  This local/mini firewall must have additional filtering outside of iptables as well.

Now - I have a separate question - how to setup load balancer to work across https connections. Will look around for info, and if needed post it separately.

thank you! I was looking all over

Was able to get this figured out.

Looks like the file system was not formatted.  Ran "newfs" on it, and all is good in the world again.