There isn't a way to adjust its interface binding, but you can certainly block it with firewall rules and access it via ssh port forwarding if you like.

Ouh… thatz hell of a task :)
anyways thx fr ur suggestions :)

Thank you for your reply.
i definitely need to assign a public IP on my server. NAT is not working on the internet service i need (according to the internet service support team).
I have tried to bridge WAN - OPT and after that, two more interfaces appear on Interfaces - Assign. The BRIDGE0 and an opt which has the same mac address with my WAN. Should i do something with them?
If you thing that this is not a good implementation, i can use pfsense in bridge mode only and route internet traffic of my lan to another connection.

Thanks again

Well we are trying to figure out the problem. Let us eliminate RIP and set a perm route to make sure.

@stephenw10:

pfSense uses pf(4) not ipfw. Though it does use ipfw for the captive portal function.
I think you may out of luck translating that from iptables.  :-\

Steve

If you don't mind setting up the rules manually, you can activate the portal and then create your own ipfw rules. The only trick is to make the last step in your rules skip over the portal rules (assuming you don't want captive portal functionality).

I run dhcp on my pfsense, and it provides IPs for ALL devices on my LAN.  This interface has been enabled since pfsense was installed.

What your saying doesn't make any sense - enabling dhcp has NOTHING to do with the web gui of pfsense.

How are you access the web gui now?  Via what IP and from what client?  You say your enabling the lan interface?? Can I please see a screen shot of your interfaces and what IP do you access the gui on now?  Your accessing it via 172.16.1.xxx  – why hide the last octet btw, that is a PRIVATE IP and not routable via the public net - there is NO security concerns with giving out this info.

You say that is your WAN IP in pfsense.  That is not how you would normally access the gui, you would have to allow for special firewall rules to access gui via WAN interface -- since default firewall rules would block all inbound traffic and block private networks.

So what rules do you have in place?

edit:  If your LAN network is 10.0.0.0/24 with pfsense on 10.0.0.1, then your client your accessing pfsense from would also be on this 10 network, not on the 172.16 network.  Your not setup like me if your access pfsense web gui on 172.16 wan address that is for sure.  I access everything on pfsense via its lan interface.  Are you changing lan from dhcp to static?  And your lan was dhcp before and its getting an IP from something else?  Your router??

What is your settings for your lan when it works and you can access the gui?

lan1.jpg_thumb
lan1.jpg
lansetup.jpg
lansetup.jpg_thumb

pfsense 2.01

We've only had it running for a day or so, but I'm trying to address issues early, like I said m0n0wall didn't work so well for us, we found ourselves restarting it every couple of weeks.

pfsense itself seems fine, the only stat I saw go too high was CPU usage, but that happened only when I reset the captive portal, and everyone had to log back in. State table is under 50% used, memory 75% used, everything else shows similar levels of usage.

You're right about 10Mb/s being insufficient, but this is for a school, giving students all the bandwidth they want for their smart phones isn't something they can do. The whole guest network is done on the cheap.

I am the consultant who's done it before. Like I said, the wireless is fine, we're just doing the guest captive portal part on the cheap.

I'll throw some more memory on the VM and see how it works.

Well, rebuilding the pfSense box took just a bit more effort than I had hoped.

I saw where the installation was looking for 'config.xml' on the floppy, so I suppose if I had it on there, it would have found it.

I think I saw where it looked on the flash drive, and if I had the file named 'config.xml', it would have found it. But it had the backup name. So I had to wait until I could access the WebConfigurator to load it up that way.

Anyway, just reporting that the pfSense box is functional.

Sure, if it's configured to run in transparent mode, you can forward the necessary port(s) to it (as marcelloc suggests in the link that heper gave).

I was finally able to get the wireless up and running on OpenWRT is been working pretty good, the max speed for file transfers is 6MB/s which I thought was kinda low but I can deal with it.

However these connection limit emails are really starting to bug me, I don't know what is telling them to be sent out…

@kradalby:

I have been in contact with my isp, they cant help me unless i have ips i can give to them, and i have not been able to get something out of the box under the attacks because it overloads.

I presume you have firewall rules on your WAN interface to block unsolicited traffic. Enable logging on those rules.

When you are hit by a DOS attack stop the flow (for example by disconnecting or powering off your modem). Your box should soon become usable again. Dump the firewall log file to a text file, (for example pfSense shell command```

clog /var/log/filter.log > firewall-log.txt The firewall log should give you some IPs involved in the attack UNLESS you have bugs in your rules OR the attack is very specifically targeted at your open ports in which case you might be able to configure the attacked servers to log incoming connects and such logs might provide some IP addresses you could ask your ISP to block. When you have a bit more information about the nature of the attacks it might be possible to make more specific suggestions.

I created this page on the wiki to answer this common question/concern. If anyone can think of any points I missed, let me know.

http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives

@bobn:

Thanks both of you.

rjcrowder, Yea, I've noticed that is a wide difference among posters opinions about the matter of pfsense hosting wireless services.

starshooter10, are these steps in the gui, or a command line option; like is scheduler gui or cli?   Oops, I've finally found the scheduler tie in with the firewall rules…...  nm

Does the GUI firewall builder offer up enough that I don't need to learn the CLI?  If not, has anyone run across a great primer for that CLI.

I come from a cisco ios and asa background.  I dislike cisco's automagic network access they try institute in enterprise class products with their security zones freely allowing network from higher to lower security zones, I always start a new dmz vlan with an implicit deny ip any any inbound and outbound.  So I'm not unfamiliar with the SIP, DIP, DP, and masking concepts.  I just haven't actually had to work with linux type of firewall CLI, so I'm starting out at ground zero with it.

Is the web/http content filtering in this an inline filter, or explicit proxy filter?

Thanks

Probably shouldn't admit it, but I don't have much of a networking background… so I don't know much about Cisco devices.

The pfsense gui firewall rule creator is pretty nice and lets you do about anything you would want to do at layer 3. However, because it is using PF under the covers it will not let you do anything with layer 2. In order to mess with layer 2, you need to use the ipfw firewall - which is installed as part of the captive portal. Unfortuntely, there is no pfsense gui that allows you to create ipfw firewall rules - so if you need layer 2 rules you are at the command line...

From what I've seen, this is the major difference from linux based firewalls that I've played with (ipcop for example) which use iptables and let you create layer 2/3 rules.

http://doc.pfsense.org/index.php/Haproxy_package

or

varnish: http://forum.pfsense.org/index.php/topic,45496.0.html

or

squid reverse: http://forum.pfsense.org/index.php/topic,48347.0.html

Thanks for your replies guys, really helpful.

Jimp, I appreciate the company names and I appreciate the expansion into the security/update side of things, thanks.

As far as CARP goes I'm not sure how I could utilize and granted I have not built a CARP setup before. Our setup will go;

Fiber in –> What appears to be a media converter (Provided by ISP), ethernet out --> Cisco Router (Provided by ISP) single ethernet out --> Our current/replacement pfsense firewall. I can whack a diagram together tomorrow if that makes it clearer but because the Cisco router (which acts transparently as far as I can imagine; we have the public IP presented to the WAN interface on our current firewall and only need to NAT on that existing firewall and nothing above. I don't know how they set it up I'm just making educated guesses. I'll ask the person that comes out to program the cisco router. We're with BT by the way unless anyone knows) only has a single ethernet port coming out of it I don't know what I could do in terms of failover from there apart from having a warm spare (with an interface on both for pfsync if that's how it works? I'll look though the wiki/docs/forums/book) and physically change the cable over in the case of a firewall outage?

I do also like the idea of the support being provided by people who are also the developers. It would also be nice to put some decent contributions in and fund new features. On which note I'm glad to see there's processing for credit cards, as much as I love pfSense I couldn't help feeling the uninformed I may have to pitch my choice to may not value a solution that could only process paypal, so I'm chuffed!

Anyone got any UK based companies they could suggest? I'll be doing the usual Google reccy too. It is likely however that I'll reutilise some soon to be old servers and build the box myself, all the servers are the same model which will make any possible replacements my easier.

My money's on spam.  ;)
Though you might expect the provider to have notified you.

Steve

so she could go to other internet sites?  But not yours?  Prob others that you were just not aware of.

Glad I could be of help, and that its now working.

I've found the following 0 byte files that are being written pretty often (no idea what with, or why the writes are so large)

[2.0.1-RELEASE][root@pfsense]/var/log(33): find / -type f | xargs ls -lt | head -n 2 -rw-r--r--  1 root      wheel          0 Sep 19 17:15 /tmp/tmpHOSTS -rw-r--r--  1 root      wheel          0 Sep 19 17:15 /var/db/currentipsecpinghosts [2.0.1-RELEASE][root@pfsense]/var/log(34):

How can I stop these files being written?

Cheers,

Yax