@stephenw10:

Exactly.
Really the question you're asking is not how many clients but how many connections and that is very dependent on the type of client. I imagine that an IP connected thermometer is not going to be opening many connections, 1 or 2. However an internet cafe full of gamers is going to create a LOT of connections, as you have found!  ;)
Back in the day I first switched to a Linux based firewall (Smoothwall) when my existing solution (some software running under Win2K) crapped out every time I tried to open the server list in Counter Strike. It opened connections to every server in the list which I seem to remember was ~30K at the time. Now I imagine they have streamlines that process significantly in the last 15(?) years but even so. That was just one client.

Steve

Right, it was about 8 years ago that I switched away from an original WRT54G (running Linksys firmware) for similar reasons, I'd lock it up with (legitimate) torrenting and gaming, so I switched to m0n0wall.  And that was just 3 PC's and a couple Tivos in the house.

Even though m0n0wall does have a finite state table, I've still never hit it.

A few things you could try:

1. Packet capture on WAN interface of office pfSense, filter on (say) port=RDP. Do you see your outgoing RDP access? to the correct IP address? (local DNS might be wrong?)

2. Do you get any response at all?

3. Packet capture on WAN interface of of home pfSense, filter on (say) port=RDP. Do you see incoming RDP access from correct IP address? Does access attempt match port forward rule?

4. Packet capture on appropriate interface of home pfSense, filter on (say) port=RDP. Do you see outgoing access attempt to correct IP address and port? Does that access attempt appear in "RDP server" log on target? Does the RDP server log give any clues on how the access attempt was handled? (some servers have their own "firewall" capability such as "forbid access from specified IP subnets")

@stephenw10:

Running services on your firewall that aren't required for it's operation is just opening up possible attack vectors unnecessarily. On top of that it's far more likely any exploitable security hole will go unnoticed since you will be the only person (or among very few) who are running it.
It depends how familiar you are with patching security holes. Are you confident of keeping up to date with new FreeBSD exploits because the pfSense team won't be patching CUPS? In reality it's unlikely to be exploitable as long as you have your firewall rules set correctly.
It's a trade off between security and functionality. Since the purpose of pfSense is security most people see that as a risk not worth taking, however small.

Steve

Thanks Steve. It does make sense. In as much as pfSense is serious business application, it has many enthusiastic die hard fans like me who use it at home. And, I have recommended pfSense (with subscription) over fortigate at work last year (not that fortigate is a poor product).

Perhaps some enthusiastic developer can turn this type of feature into a CUPS package. That would be fun.

Best
Anil

After removing the scripts everything works fine.
Thank you for your support!
Happy New Year!

Regards.
Alper

I've done a fair amount of thinking and testing various configurations for exactly this type of usage scenario.

If you want to serve ~1500 concurrent Wifi users, and assuming you've solved the Wifi engineering issues, then pfsense can provide several parts of the overall solution, acting as a DHCP server, router, firewall, traffic shaping and NAT device.

You should also do some thinking ahead about how to best mitigate certain possible problems, because just a few virus-infected PCs among the ~1500 ones, can bring a network to its knees.

So it's most likely a certificate issue then, Would certificate issue causes packets to not being sent or received as expected by the server application ?

You can't hack in PAM like that. Using LDAP for authentication is how nearly all our PCI-certified customers do things. Some use local accounts on the firewall instead. The local admin account will still have to exist, but you just need a policy to manage it accordingly. Basically no firewall (or router, or switch) has forced password complexity requirements nor forced password changes, it's adequate to manually manage those things via your general security practices and policies.

Perfect, this sounds fair enough…  ;D
Thanks a lot

Actually, top -SH is the most accurate, since it also splits off threads for more detail.

@dhatz:

@GruensFroeschli:

There was very recently a thread about exactly this.
The solution was basically to configure the dhcp client to decline rfc1918 ips.

Check

http://redmine.pfsense.org/issues/2704
http://forum.pfsense.org/index.php/topic,56330.0.html

Thanks this looks great. I already have an alias on the interface to access the modem webpage whilst the connection is up and running. So rejecting the bad IP is I think the perfect solution.

Thanks!

@cdavis:

Hello, Sorry was out of town with the family and just got back in today. Maybe I should not have mentioned transparent bridge thats just what was tested first before different ip ranges and a dhcp server were chosen for that remote location. There are no firewalls between the remote location and the main office lan except the pfsense box in question.

The the vpn links are the metro ethernet connections  which are routed through cisco hardware endpoints and are not configurable by us it is transparent to the system end to end no config options to make and is managed by centurylink.

I will draw a diagram out but basically it is bridging 2 separate lans with one lan (Main office) on IP range 128.x.x.x and the Remote office at 10.4.100.x   Both Offices have dhcp. The pfsense box is routing between the 2 lans and each server at the main office is routed to the 10.4.100.0 range through the 128.x.x.x ip address of the pfsense wan named ethernet card.

"Internet" –---<-> Gateway/Netscreen (Cox Optical Internet) ----<->--- Main Office (DHCP,DNS,File Servers) --------- <->Transparent Metro Ethernet  (Centurylink)<-> ---------- (Wan) Pfsense Box (Lan) ------- Remote Lan/Workstations

The remote LAN can access the internet just fine but is having issues with connecting to windows shares on the Main office LAN. I did add all of the main office server machines to the pfsense DNS Forwarder Host Overrides section and can ping and connect to the main office servers just fine. The issue arises when someone opens a windows file shared from a main office server it shows up lists the files and directories then the files/directories disappear as if the connection has been disconnected and then a few seconds later the shares/files reappear and then the same thing happens again over and over. Internet connections as well as remote desktop/citrix connections do not seem to be affected. I will post pfsens config screenshots in the next part.

Basically I am trying to set it up so that I can have DHCP on the new remote lan ip range, Firewall capability, Squid Proxying, and Bandwidth traffic shaping at the remote location.

Ok.  So you basically have a Metro Ethernet link.

For all intents and purposes, this would be considered a 'network cable' that links your 2 offices.

In this case, I presume you use up a public IP for the pfSense WAN link?  i.e. The servers subnet at the main office is actually a routed public IP subnet.

In that case, you shouldn't need to actually block any services on WAN.

You probably need to adjust the office firewall/ router to add a static route to direct all traffic bound for the 10.4.100.x subnet to the pfSense WAN IP (128.x.x.x address) as the next-hop gateway.

Adding a rule on the WAN interface of pfSense to allow any traffic with source subnet of the main office (128.x.x.x subnet) and destination as LAN subnet should do the trick.

Depending on how the VPN is configured by comcast, you might want to enable 'Clear DF bit' and disable 'Scrubbing' to see if the issue persists.

hi, cmd.
ok, i have placed my directories(css,fonts,i,js) to /usr/local/captiveportal like there:

[2.0.2-RELEASE][root@pfsense.localdomain]/root(3): ls -lh /usr/local/captiveportal/ total 58 drwxrwxr-x  2 root  wheel   512B Dec 25 06:35 css drwxrwxr-x  2 root  wheel   1.0K Dec 25 06:36 fonts drwxrwxr-x  2 root  wheel   512B Dec 25 06:36 i -rwxr-xr-x  1 root  wheel   8.5K Dec 12  2011 index.php drwxrwxr-x  2 root  wheel   512B Dec 25 06:36 js -rw-r--r--  1 root  wheel    11K Dec 12  2011 radius_accounting.inc -rw-r--r--  1 root  wheel   6.2K Dec 12  2011 radius_authentication.inc

How can i use this directories in html file?
some rows from main.html:

is this correct path to css and fonts folders?

It's not possible to configure VLANs with an unmanaged switch, unmanaged switches don't support 802.1Q. You'll have to get a managed switch and configure its VLANs accordingly to match the firewall (and don't use 1). Explained in depth on firewall and switch side in http://pfsense.org/book.

There is some watchdog functionality in freebsd you could use if you need it.
You can just rename the title of your first post in this thread to have [solved] at the beginning if you like. You have a limited time from the post date to to that. 7 days?  :-\

Steve

@brcisna:

Just a thought.

Try running memtest86 from any linux distro bootup disk on your pfSense machine. This will take just several minutes to do,and will at least eliminate the possibility of having a/some diffective memory sticks

Tried that, twice actually last week, No problems.

@brcisna:

.2) When the pfSense machine  is booted and run for just 15 minutes try running top from the shell and see if anything looks wonky in the printout here. Maybe you will see some oddity.

Nothing odd in the syslog at all nor anything in the running processes. Even when it locked up, it just locked and stopped everything including syslog.  To make sure the system wasn't hacked, I even did a full wipe and reload of the system.

@brcisna:

Also,,in your initial post did you say you are running 5 pfSense machines,and all 5 are experiencing these lockups ina similar fashion?

Only on one, the other 4 are perfect.

@brcisna:

Take Care,
Barry

Thanks for the Idea's  since putting the switch in, there hasn't been a single lockup and it is going on 5 days now.  So maybe a flaky comcast modem?? and the switch is dealing with it better than running directly to the nic…maybe????  oh and btw,  on the nic interfaces before and after the switch install, there were never any errors shown. always 0

Thanks

Dickie  :-)
Happy Holidays

Hi jimp,

Thank You for the reply. I am fairly certain the reason the machine failed to boot off the 'first drive' / highest number bios sata port, that i disconnected,, on purpose,was due to the fact the first drive was marked as off line,as you said,,in the fstab.
I should have booted the machine with booth drives connected,,  let the mirror array reubild then shut down and then disconnected the 'second drive" then booted on the first drive i disconnected , i am fairly certain the machine would have booted with no probs..

This scenario is hard to explain the sequence?:)..

After I rebooted the pfSense machine , after having reconnected both drives,,i looked every few minutes and had solid HD activity for about 20-30 mins until what i guessing the raid array was done 'rebuilding'(on 80gb sata drives).

In the dashbord geomirror widget i am seeing 'complete' in the raid setting. yeah!

Take Care,
Barry

Yes, that is enough, or if you have the usual NAT rules, binding on LAN is OK too.