• Log shows TCP:FA, TCP:FPA blocked from LAN

    Locked | 0 Votes | 10 Posts | 106k Views | jimp

    Not easily, no.

    If you craft a rule and edit the advanced options and set just the right TCP flags, maybe, but I'm not certain that would really help or if it might hurt.

  • Memory usage climbing

    Locked | 0 Votes | 18 Posts | 6k Views | jimp

    I have yet to reproduce it reliably, so I don't know. I've seen it maybe a half dozen times over the years, from 1.2 to 2.x. It's rare, but it does happen.

    I don't know if it's due to an especially high/sustained rate of logging or something else that puts it over the edge.

  • MOVED: MTU issue?

    Locked | 0 Votes | 1 Post | 902 Views | No one has replied
  • 2.0.1-Release: which version of libpcre is required for lighttpd?

    Locked | 0 Votes | 2 Posts | 1k Views | jimp

    Best option is to use console option 13 to reapply a firmware update to make sure that all needed files are present. It's possible that more than just pcre is missing.

  • Rules for webgui doesn't seem to work across interfaces!

    Locked | 0 Votes | 5 Posts | 2k Views

    hehe

    I'm sorry for my late answer, I haven't had time before now!

    Thanks !!

    Then I learned something new!

  • Add more filter configuration file into pfsense

    Locked | 0 Votes | 1 Post | 824 Views | No one has replied
  • Would this set up work with Intel vPro

    Locked | 0 Votes | 3 Posts | 2k Views

    @newbieadmin:

    Can I hook up the Intel gigabit onboard (vPro port) onto the switch and have it work (just get IP address for mgmt and nothing else)? Would it cause a loop and crash the switch/network?

    Yes, you can connect it to the switch and get an address via DHCP.  I do recommend setting a static IP in the BIOS for it though.  Allows you to monitor the entire boot process over IP (internally) and before the router boots.

  • Blocked traffic

    Locked | 0 Votes | 2 Posts | 1k Views

    The RRD graph shows block and pass separately; the Traffic Graph I'm not too sure of.

    The logs might seem like a lot of blocked connections, but that means there was only one packet, so not a lot of data.

  • Pfsense Layer 2 interface

    Locked | 0 Votes | 6 Posts | 5k Views

    Switches are designed to move packets. They are simple things really. pfsense will have processing to do and adds a bit of time for that. So, what happens is that you will get less than line speed. Generally that is not a problem except in highly utilized networks.

    Use this as a comparison.

    http://forum.pfsense.org/index.php/topic,53185.0.html

  • Url alias reload via commandline

    Locked | 0 Votes | 1 Post | 1k Views | No one has replied
  • CentOS and putting pfSense on a VM along side a Freenas VM

    Locked | 0 Votes | 9 Posts | 6k Views | johnpoz

    Not really, depending how you set it up. I used to run in type 2 mode, but what was the point of running a full OS on the hardware when the hardware was just for VMs? It made no sense from a resource sense. Anything I wanted to do on the host OS, just do in a VM.

    You do run more of a risk, I would think, of exposing the host to public, if for some reason you put an IP on the interface on the host that you have set up for the public side pfsense WAN, etc.

    There is one thing if you're playing with a couple of VMs on your desktop, and that is the only hardware you have, etc. Sure you can run your VMs in a type 2 setup. But if you have hardware you're going to run VMs on only, etc., why in the world would you not run type 1?? You're just throwing away CPU cycles that could go to VMs on the host OS.

  • Forwarding traffic from WAN to Webserver and FTP

    Locked | 0 Votes | 16 Posts | 7k Views | _Adrian_

    @wallabybob:

    @_Adrian_:

    @marvosa:

    Other than that, your NAT:Port Forward should look like:

    WAN | TCP | * | * | WAN address | 80 (HTTP) | <webserver ip> | 80 (HTTP) | description |

    WAN TCP * * SERVER1 address 80 - 443 192.1x.x.x 80 - 443 IIS1
    WAN TCP * * SERVER1 address 80 - 443 192.1x.x.x 80 - 443 IIS2

    Why do you have two port forward rules? Since they have the same port range only one of them will be effective.

    What is "SERVER1 address"? Since you mentioned DynDNS I suspect your WAN interface has a dynamic address. If so, the port forward rule needs to specify Destination type=WAN address (not the CURRENT IP address of the WAN interface) so the rule's behaviour will track changes in the IP address of the WAN interface.

    Thanks wallabybob!!!
    It's working :D

    Had to do a couple changes…
    It didn't want to play nice so i went to a port 8080 redirect.
    With that being said...

    NAT:
    WAN | TCP | * | * | WAN address | 8080 | <webserver ip> | 80 (HTTP) | SERVER1 ( Description )

    and created a rule for it that ended up looking like this:
    IPv4 | TCP | * | * | <webserver ip> | 80 (HTTP) | * | none | NAT SERVER1 ( Description )

    Now, going to adrculda.hopto.org or adrculda.zapto.org gets redirected to my first IIS7 server.

    Now I wonder if my provider offers multiple external IPs :P

  • Easy pass rules gone?

    Locked | 0 Votes | 5 Posts | 2k Views | stephenw10

    I once managed to block some of the GUI with Ad Block Plus. Confused me for a while.  ::)

    Steve

  • Does using VPN defeat point of bridging interfaces ?

    Locked | 0 Votes | 4 Posts | 1k Views | stephenw10

    Hmm, I don't think I've fully understood the problem here.  :-
    Are you asking whether multicast over OpenVPN is possible?
    Perhaps: http://forums.openvpn.net/topic8036.html is relevant.
    Or are you trying to solve some ipeng problem?

    Steve

    Edit: You may use the IGMP proxy to multicast between subnets, possibly an easier solution. Perhaps!  ;)

  • Using wget for scheduled backup on 2.0.1

    Locked | 0 Votes | 10 Posts | 5k Views

    On my Windows box I reset the script to:

    @echo off
    :: similar to above methods but this works
    :: get current date/time into vars
    :: vars= day month year hour mins secs mili
    :: assumes date/t prints "Ddd MM/DD/YYYY" and %time% prints "HH:MM:SS.cc"
    :: (the US locale format); other locales order the fields differently
    for /f "tokens=1* delims= " %%a in ('date/t') do set dayname=%%a
    for /f "tokens=2* delims= " %%a in ('date/t') do set mmddyyyy=%%a
    for /f "tokens=2* delims=/" %%a in ('echo %mmddyyyy%') do set day=%%a
    for /f "tokens=1* delims=/" %%a in ('echo %mmddyyyy%') do set month=%%a
    for /f "tokens=3* delims=/" %%a in ('echo %mmddyyyy%') do set year=%%a
    for /f "tokens=1* delims=:" %%a in ('echo %time%') do set hour=%%a
    for /f "tokens=2* delims=:" %%a in ('echo %time%') do set mins=%%a
    for /f "tokens=3* delims=:" %%a in ('echo %time%') do set sec=%%a
    :: split the "SS.cc" field into whole seconds and hundredths
    for /f "tokens=1* delims=." %%a in ('echo %sec%') do set secs=%%a
    for /f "tokens=2* delims=." %%a in ('echo %sec%') do set mili=%%a
    echo day  =%day%
    echo month=%month%
    echo year =%year%
    echo hour =%hour%
    echo mins =%mins%
    echo secs =%secs%
    echo mili =%mili%
  • Disabling LRO with LAGG interface

    Locked | 0 Votes | 3 Posts | 1k Views

    Thanks, I wasn't aware of the shellcmd feature. Perhaps I'll check out 2.1 as well, as the box isn't going into production for the next couple of weeks. Maybe I can keep it free of extra packages with 2.1.

    Cheers / Thor

  • Looking for some advice on vlan setup

    Locked | 0 Votes | 6 Posts | 2k Views

    So your VMs are the lab you want to access? Does your VPN allow access to your internal network as it is now?
    I am not sure that you would have to alter your setup nor that you need any vlans for what you want.
    If you connect to PFsense through OpenVPN you could deny the traffic from reaching your internal traffic by blocking any vpn-traffic that wants to go out the "Wan interface" of PFsense and only allow it to go to the Cisco switch. And if you don't want to allow traffic from your lab to reach your internal network, you could block access for traffic originating from the PFsense router to reach your internal network.

    You could do this in a couple of ways, it all depends on what access requirements you have and if you need any traffic from the PFsense router to access your internal network.

  • Accessing Web Gui over IPSEC

    Locked | 0 Votes | 5 Posts | 2k Views

    OK, I'm dumb!
    The remote site's LAN subnet is 192.168.1.0/24 and I could access all devices on that network. The remote pfSense LAN is 192.168.1.1.

    Months ago, on my local pfSense I set up a test network for the client with the same subnet and assigned 192.168.1.1 to a spare NIC on my pfSense. I then promptly forgot I had done that!
    So I was actually trying to log into my own firewall.

    Interesting though that 192.168.1.1 was hitting my firewall, but all other requests to 192.168.1.0/24 go over the IPsec tunnel to the remote site, even though the subnet is configured on the local firewall.

    Sorry for wasting your time guys.

  • Best way to edit FreeBSD config files without breaking pfSense?

    Locked | 0 Votes | 4 Posts | 2k Views

    I get the idea of NAT redirection with socat,
    as seen in http://aplawrence.com/Girish/socat.html

    socat TCP-LISTEN:5000,fork TCP-CONNECT:23.3.4.45:25

    but I don't actually see how I can make it
    work with load balancing.

    Since the requests coming from a public IP address are sent by the load balancer to two different LAN IPs, I would need to have two different socat commands but listening on the same port?

    I don't see how such a setup is possible, so I will look at whether I can achieve the same HTTP load balancing feature with HAProxy or a reverse Squid.

  • PFS 2.0.1 release - keepalive troubles

    Locked | 0 Votes | 2 Posts | 3k Views

    Can anybody test it? Is it my problem or the pfSense release? For testing you can connect to the FTP server only, without downloading. If the problem exists, after you set these sysctl environment variables you will be disconnected from the server after ~one minute. Wait a little more and try to send another command like "dir".

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.