@bilbo:

Could tell me how to setup the cron job, I have got the overide working now, sweet.

Hopefully no more accidents when the kids are searching on google!

Thought you might be interested in something I figured out this weekend… The override for "encrypted.google.com" does not work if someone browses to "https://encrypted.google.com". Not 100% sure of all the reasons why but I was able to figure out two options for solving the problem...

1.) You can block outbound access on port 443 to the IP addresses that encrypted.google.com resolves to. Unfortunately, this is a pretty long list so it's better to use an alias in your firewall rule.
2.) You can use the dns override and forward encrypted.google.com to a different ip address. It doesn't really block encrypted.google.com, but it sends the user to another site you trust - for example the address of opendns.com

To block using option #1, I ended up using the url table feature of the alias. It will read a text file at a URL and block all the IP addresses or networks that are listed. The nice thing is that there is a built-in cron job that re-reads the text file daily and updates the table in your firewall rules. In order to make sure the addresses were up to date in the text file, I wrote another little shell script the does an nslookup of whatever names you want (in this case encrypted.google.com) and writes their resolved ip addresses to a text file. I place the text file in my /usr/local/www directory so that it can be referenced by url in the alias.  I just run my script 5 minutes before the built-in url update job runs.

This got me going on another track though... It seems that there are several encrypted search engines available that also provide image search capabilities. The ones I found were duckduckgo.com, ixquick.com and startpage.com. Unfortunately, these sites presented challenges with block option #1 because (for whatever reason) nslookup only returns one address for them - but it doesn't always return the same address! For example, you can do an nslookup multiple times in a 10 minute period and get multiple addresses back for ixquick.com! Because of that issue, I used option #2 to prevent access to these sites. Option #2 isn't perfect though - it would not stop someone if they were able to figure out one of the ip addresses of the site and browse there directly (via the ip address).

Some of the more obscure timezones have updated names - e.g. the old spelling of "Katmandu" is now corrected to "Kathmandu" - so if you have something like that selected, then you certainly have to use the pfSense GUI and select the new correct timezone name.

You can do that. Each mifi will have to have a unique private IP subnet on it, other than that no special considerations. Just like any other multi-WAN setup.

I'm far from a Network expert, but after try lot of "FW distros" (from A to Z), we ended deploying our FW & "pseudo SBC" with pfSense (+ siproxd), it do what we need and is easy to config. Thumbs up for the pfSense team, also the community here in the forum is helpfull.

@stephenw10:

I've never tried it but maybe you can import the raw nanobsd image into a VM image?

Steve

I'm not familiar with XEN but with KVM it's as simple as defining the pfSense image as harddisk.
No need to convert anything, it's directly usable.

"run direct multiple robocopy jobs between one VM to another - but VM to switch to PFbox to switch to VM"

first question:  are the files used for this robocopy test large?  bigger the better i've found for really pushing your gear.  are you sure your disks can do > 88MB/s?  read and write?

second question: when you say vm to switch to PF box to switch to vm - is this one vlan to another (so passing through the PF via an acl or some other 'route')?

If not, and the VMs are on the same vlan/subnet:  to rule out the PF  how about going from 1 vm (on host A) to another VM on host B - this would be:  host hardware-switch host.  so still exiting your host and going to a physical switch, and back up the network stack in the 2nd host.  This would eliminate the PF from the path.

If you are going between subnets/routing, and if your switch supports L3 routing, give it an IP on your vm's subnet.  edit your vm's routing table, set the gateway for the other VM's subnet to use your switch instead of the default gateway (PF) with no acl, just straight open route.  how is that speed?

yeah, you'll need to define 'connections'

even failed remote login attempts to the firewall are a connection (ack)

if this is more of a "once XYZ interface hits XX Mbps" and if it is safe to assume you have a server/pc on the private side of your network, then fetch the free version of this: http://www.manageengine.com/network-monitoring/  the free version is full featured and does up to 10 devices, defined as IPs, so the single management IP of your device would only count as one device, regardless of the count of interfaces/subinterfaces/vlans.  do snmp polling of your interfaces and set it to email/page/sms/log based on a given interface or vlan hitting X Kbps/Mbps, etc.

note, i'm hoping to get opmanager running against pf, haven't yet, but i use it in other sites and against other snmp capable hardware and software firewalls/routers.

if you need to know when an IP behind the firewall is having a series of connections being passed, at a more granular level than just interface or subinterface, then flows (netflows/sflows) model will work.  but that's not free with opmanger.  try prtg for that.  http://www.paessler.com/tools  it's limited to "10 sensors" to remain free, but that includes 'each item monitored" like IPmon now solarwinds, so you can blow through that in one device pretty fast.

both tools support alerting based on triggers.

There was a similar thread recently, here: http://forum.pfsense.org/index.php/topic,54475.0.html

In it a real figure for states per user is given as 120. In that case you'd need MUCH more ram.  ;)

Steve

Thanks for the responses. Unfortunately it is a Lenovo desktop and they've locked the BIOS down heavily, so I can't alter most of the ACPI and power settings. I tried to boot with ACPI disabled (An option from PFsense, not the BIOS), but the system will hang during boot then. I guess it isn't going to work :-( Thanks for the help.

so – is this the machine your having problems with your port forwards on?  So you do have more than 1 interface, and your prob forwarding out the wrong one that your .3 box is connected too??

Set HDD cache size to 0. I think this is described below the option if I remember correct.
Further you can set the minimum and maximum file size for files to be cached on HDD. So in theory you could increase the minimum file size to lets say 4MB so it will only cache some bigger files on HDD and not the many little 10kb webpage pictures.

But I am not an expert on such a big squid cache environment.

@mlrabbitt:

Thanks guys.  I looked into doing this through Xen and VirtualBox since both do PCI passthrough without VT-d.  Xen I found way too complicated to use as my linux skills are pretty basic and VirtualBox I found had poor performance and some incompatibility issues.  I ended up just buying a VT-d CPU since my mobo already supported VT-d.  I'm going to use either XCP or ESXi now and pass through the NIC to my BSD vm and pass through the tuner card to my Linux vm.

(insert big thumbs-up emoticon here)

Set up an openvpn server at you home/office/datacenter where you have the possibility to open ports.

then use you pfsense as a openvpn client to create a tunnel between remote-location & home/office/datacenter

no re occurance since uninstalling ntop
previous cycle solution was to uninstall bandwithd

so it's something to do with bandwith management packages together with our configuration.

hope this helps someone :-)
and thank you all for your assistance

Reinstalled pfsense 2.0.1 and retored config from backup and all works again, thanks for the post cmb.

No reason to feel stupid ;)
It's not that usual that an access point allows client separation.

I haven't managed to break anything password related yet hence I've not had to look into it!  ::)
Sorry.

Steve

@frbaratieri:

I've tried everything.

You are probably overstating the case.

Have you checked the server log for an explanation?

Have you checked the pfSense log file for relevant events (e.g. LINK DOWN/UP) around the time the file transfer failed?

You don't seem to have yet provided strong evidence that pfSense is related to this.