• Netgate pfsense router able to run a 150 device network?

    Locked
    0 Votes
    9 Posts
    3k Views

    The ALIX can handle 150 devices generally. I'd be a bit more comfortable with the Netgate 7535 at that scale, or one of the slightly higher end options from Hacom or similar.

    My guess on why your DDWRT stops issuing leases is the lease file gets too big for the amount of RAM it has available, and the DHCP server crashes. You can't scale much with the kind of low end hardware DDWRT is generally used with, your average Linksys regardless of what it's running isn't suitable for a 150 device network.

  • Want to use pfSense as a BW simulator for two lan in the same time

    Locked
    0 Votes
    2 Posts
    1k Views

    Maybe the first description is not clear for anybody :-) So please see what I would like to do:

    concept.jpg

  • Pfsense 2.0.1 don't fragment packets bigger than interface MTU

    Locked
    0 Votes
    3 Posts
    2k Views

    Ok, and what about outgoing frame, why this

    [2.0.1-RELEASE][admin@midgard.home]/(33): ping -s 2000 172.30.1.50
    PING 172.30.1.50 (172.30.1.50): 2000 data bytes
    ^C
    --- 172.30.1.50 ping statistics ---
    8 packets transmitted, 0 packets received, 100.0% packet loss

    is not working? Shouldn't pfsense fragment the packet before sending it (like Windows does)? 172.30.1.50 is a freebsd9 pc with 9K mtu on interface and frames are properly fragmented before they are sent out.

    root@freebsd9-storage:/home/alximik# ping -S 172.30.1.50 -s 18000 172.30.1.20
    PING 172.30.1.20 (172.30.1.20) from 172.30.1.50: 18000 data bytes
    18008 bytes from 172.30.1.20: icmp_seq=0 ttl=128 time=1.270 ms
    18008 bytes from 172.30.1.20: icmp_seq=1 ttl=128 time=1.318 ms
    18008 bytes from 172.30.1.20: icmp_seq=2 ttl=128 time=1.248 ms
    18008 bytes from 172.30.1.20: icmp_seq=3 ttl=128 time=1.309 ms
    18008 bytes from 172.30.1.20: icmp_seq=4 ttl=128 time=1.237 ms
    ^C
    --- 172.30.1.20 ping statistics ---
    5 packets transmitted, 5 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 1.237/1.276/1.318/0.032 ms

    ============================
    Checked the capture, the cause is big echo reply. It was pretty stupid. Please close this topic =)

  • Pfsense block my port 80 after multiple failed logins

    Locked
    0 Votes
    2 Posts
    1k Views

    maybe the webConfiguratorlockout rule? (can someone verify)

    issue the following command and see if it returns anything.

    pfctl -T show -t webConfiguratorlockout

    For reference, if you run  "pfctl -T show -t bogons" you should return something similar to:
      0.0.0.0/8
      100.64.0.0/10
      127.0.0.0/8
      169.254.0.0/16
      192.0.0.0/24
      192.0.2.0/24
      198.18.0.0/15
      198.51.100.0/24
      203.0.113.0/24
      224.0.0.0/4
      240.0.0.0/4

    Brian

  • Pfsense & no-ip.com

    Locked
    0 Votes
    4 Posts
    3k Views

    Configuration MIGHT be somewhat easier if your modem-router can operate in bridge mode. I have tried to set up two different ADSL modem routers in bridge mode and failed to get it to work, so used a modem instead. If you can get your modem to work in bridge mode then pretty much all subsequent configuration will be done on pfSense. However, getting your modem to operate in bridge mode could be a frustrating learning experience.

    I'll assume you will stick with the modem acting as a router.

    If your modem-router supports dynamic DNS registration to no-ip, set that up; otherwise configure dynamic DNS in pfSense through Services -> Dynamic DNS. Dynamic DNS setup on your modem-router is preferred since it can more closely track changes to your public IP address than pfSense can.

    You will need to configure your modem router to forward the required TCP (and UDP?) ports to the virtual server IP address and add a static route to the modem-router so it knows to get to your virtual server IP address through the IP address of the pfSense WAN interface.

  • Log file Question

    Locked
    0 Votes
    4 Posts
    1k Views
    jimp

    Looks like that may be normal if the settings were present and then were removed.

    Checking the code, it just tests if the settings were ever there, and if they were but the IP is empty, it prints that message.

  • Switching from one LAN to 17x VLAN

    Locked
    0 Votes
    6 Posts
    2k Views

    Damn it,

    it seems that I forgot to set the trunk port on the switch, because this time everything worked out after the firewall reboot. Thanks for your help!

    Cheers,
    Szop

  • Bridge LAN ports to act like a switch

    Locked
    0 Votes
    61 Posts
    103k Views
    stephenw10

    So you got the bridge setup ok?

    That router appears to have a bridge mode that might work in pppoa. There is almost no description in the user manual though so it's impossible to say for sure.
    In 'Interfaces Setup' in 'Internet' select pppoe/pppoa as the connection type and set 'Bridge Interface' to 'activated'.
    If that doesn't work the next best option would be to use the DMZ feature to send all traffic to the pfSense box.
    Please start a new thread for that though if the pfSense bridge is now working.

    Steve

  • Bidirectional traffic copy (bridging) from wired to wifi for a single IP

    Locked
    0 Votes
    11 Posts
    4k Views

    Alright, I'll try with IGMP proxy first. Mostly I would like to prevent unnecessary torrent and file transfer traffic to flood the WiFi. If I manage to get the iptv pass-through working with igmpproxy, then that as well.

  • L2TPv3

    Locked
    0 Votes
    2 Posts
    2k Views

    not at this time

  • Pfsense with double NAT

    Locked
    0 Votes
    14 Posts
    9k Views
    johnpoz

    And how many hosts are you going to forward to? That's 1, right - so why do you need an alias?

    Why do you need to put something under Wan Address - is that not going to be the destination IP??  What is normally your Public IP, or in your case 10.0.0.3 which your first router will be NAT inbound traffic to, since you put your pfsense wan IP in its DMZ.

    No other forwards on your first router - just the DMZ setting is all that is needed.

  • Outbound PPTP VPN not connecting

    Locked
    0 Votes
    6 Posts
    4k Views
    jimp

    Perhaps they haven't heard of the issues linked above - if they care at all about security, they wouldn't still be using PPTP.

    That said, if your rules don't pass GRE, or if you have GRE forwarded in on WAN with a port forward or 1:1 NAT to some other box, it wouldn't work for outbound connections.

  • VLAN Tagging

    Locked
    0 Votes
    9 Posts
    3k Views

    Now it's working the traffic goes thru the Switch with the right VLAN ID to the pfsense BOX.  :)

    I updated to the newest snapshot yesterday. Strange that after the update the VLAN are working because I tried some reboots before.

    The only problem I have now is that from a VM I can reach the pfsense VLAN interface with IPv4 and IPv6; the IPv4 traffic also goes to the WAN, but IPv6 to the WAN doesn't go thru.

    I have done a rule on the VLAN Interface from any ipv4 to any and any ipv6 to any. On the WAN Interface I tried the same rules for testing.

    Did I forget something?

    cheers

  • How mark packet by pfsense

    Locked
    0 Votes
    3 Posts
    3k Views

    Thanks for your reply. Do you know what those two input boxes are for?

  • MOVED: RADIUS route

    Locked
    0 Votes
    1 Posts
    820 Views
    No one has replied
  • Pfsense admin web interface two factor authentication

    Locked
    0 Votes
    9 Posts
    9k Views

    @rikar:

    I'm a huge OpenVPN user and adding 2 factor would pretty much make my f_cking day!!!

    You can already do this with OpenVPN and basically every two-factor auth solution in existence, either via RADIUS or LDAP.

  • PROXMOX -> PFSENSE -> PPPOE Fibre modem

    Locked
    0 Votes
    2 Posts
    2k Views

    Does your ISP require a constant MAC address for the NIC? If so, you have to know that spoofing the MAC for PPPOE in pfSense does not work.

    http://redmine.pfsense.org/issues/2641

    If this is the case then I may suggest a workaround solution to spoof your MAC address.

  • Pfsense with LAN address that is not set by GUI/Setup

    Locked
    0 Votes
    28 Posts
    6k Views
    johnpoz

    " it has some kind of "remote management" (not Drac, but BMC? )"

    Normally those would be their OWN port on the box though, not part of the normal nic. Remote management would be for out-of-band access normally and a different port than standard nic, even if built onboard and not an add-on drac card, etc.

    R200 - will look into what I see about that model.

    edit: Yup, looks like you can do a shared lan method. That has got to be it! Try telnet to the IP and see what prompt you get.

    sharedlan.jpg

  • Duplicate logs in remote syslog

    Locked
    0 Votes
    5 Posts
    3k Views
    jimp

    No, that would be a separate issue and doesn't belong in this thread.

  • Add lot of IP

    Locked
    0 Votes
    8 Posts
    2k Views
    jimp

    If you have that many proxy ARP VIPs, just define them as a "subnet" and proxy arp will make that many of them in a chunk.

    If they are CARP, you couldn't have that many anyhow (vhid limit of 255). If they are IP alias or a combination of CARP+IP Alias it may work, but I'd expect some sluggishness from having that many IPs bound at once if your hardware is slower.

    If they are "Other" type VIPs, then you might consider upgrading to 2.1 where the subnet trick works for Other type VIPs like it does for proxy arp.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.