• Help with pfsense and active directory please

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    C
    @alchemyst: What I would like to know is, through pfsense can I set up rules per user or per group as defined in active directory? Also can pfsense report internet usage, data sent/received, sites visited, etc per user in active directory rather than IP based? No to both. You're looking for more of a proxy server than a firewall. The Squid package can do some of that, offhand I'm not sure how much.
  • Can't access managed switch web ui (re: "simple?" VLAN question)

    Locked
    11
    0 Votes
    11 Posts
    11k Views
    S
    Yeah, it just seems odd. Why am I getting a "Destination Host Unreachable" message though?  It seems like it's reachable but I would expect the switch web interface to just not respond.
  • Can't connect to internet or webgui through wifi ? please help

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    stephenw10
    Do you have 'block private networks' checked? I take it there's nothing in the firewall logs? You have checked the network settings received by the laptop are correct? What is the wifi card you are using? Can you see the laptop associating and being issued an IP in the system log? Steve
  • Secondary address space on the WAN interface (different gateway)

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    C
    Gateway B has the same MAC as gateway A so it only has to use gateway A. If B were on a different router from A, you'd have issues as currently configured, in that case you'd just set it up as a second Internet connection on a separate interface (as that's what it would be).
  • Using PF 2.0 as load-balancer/high-availability only

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    In general, yes that's doable. How depends on specifics, in typical Internet load balancer scenarios the original source IP is retained and passed onto the internal server, but that may break routing in a LAN environment depending on the location of clients and servers, requiring a different type of config or outbound NAT to translate the source IP (as with the original source IP, the server will probably reply direct back to the client, which will break the TCP connection).
  • Weird spikes in upload on pfSense v1.2.3 - How to trace it?

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    C
    That's normal NTP traffic to pool.ntp.org hosts, which are all over the place. Your outbound spikes aren't the NTP though, get a packet capture and use Wireshark's analysis to see what that is.
  • CPU usage during solid throughput

    Locked
    8
    0 Votes
    8 Posts
    2k Views
    Z
    @jimp: Are you sure that was "top -SH"? It should have shown you the kernel threads using that cpu. Next you could try: systat -vmstat See what is firing off those interrupts. Think the last post was just top ![pfsense usage.jpg](/public/imported_attachments/1/pfsense usage.jpg) ![top -sh.jpg](/public/imported_attachments/1/top -sh.jpg)
  • WebInterface Port reset

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    jimp
    On the console, choose the option to reset the LAN IP. When doing that, it offers to reset the webgui port/protocol.
  • The Book of All

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    jimp
    We're working on a book for 2.0 but we need to get 2.0 out first. Lots of things changing, hard to document a moving target. The closer we get to a release, the less things change, the easier it gets to document. So there will be a new 2.0 book, we just need time to write it! :-)
  • [SOLVED] ROOT MOUNT ERROR - When booting up system from RAID

    Locked
    6
    0 Votes
    6 Posts
    9k Views
    S
    Solved it. I forgot to rename the driver. It was named as rr26xx-8.0.ko and it has to be named as rr26xx.ko Thanks for everyone. Shutdown problem was fixed when I updated to the latest BETA version. RC1 -> 2011-06-15 RC2
  • IPTV, Web, VLC connection setup question

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Settings PfSense as visitors wifi perimeterfirewall

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    L
    Well, the physical interfaces on the switch that you are using need to reference the vlans you're using otherwise it will junk the traffic.  If you had access point one (upper left corner on the diagram) plugged into port 1 on your switch, port 1 would have to be set to understand tagged vlan 1 and 20 (since you're using them as multi-access points). All the other access points will be pretty much configured the same. When you get to the firewalls though, since it will be easier not referencing vlan traffic on the interfaces going to the firewall, it will assume all traffic in or out of that interface is meant to be stripped of all headers of vlan. If you had the "corporate" firewall on port 10, all traffic on that port would just be untagged for vlan 1. The "perimeter firewall", if it were attached to port 11, would have a similar setup to the internal firewall.  You're looking at having port 11 referenced as untagged for the vlan 20.  That way everything going in and out of the switch will be naturally understood as being meant for vlan 20. Easiest way to remember tagged is that all traffic will leave that interface with a vlan header (so if the device doesn't understand vlan headers you won't have any valid traffic for the device to understand) and all traffic coming in on that interface MUST be tagged (otherwise the traffic will get junked by the router/switch device). Untagged is easily referenced as, ANY AND ALL TRAFFIC, regardless of where its destination is, will be converted into tagged traffic for that vlan.  If you use a computer and have crappy hardware, but would like to isolate that client on a vlan, you would have all traffic untagged (so the client computer that doesn't understand vlan tags on the computer can keep working like nothing is there).
  • PfSense right for me?

    Locked
    10
    0 Votes
    10 Posts
    3k Views
    Cry Havok
    You should still be fine. You may want to consider 1 GB of RAM, or more, just because Squid will work better with more memory to play with. If you've got a 32 bit build then you're limited to 4 GB of RAM (from memory).
  • DNS Rebinding and HTTP_REFERER Checks - Alternate Hostnames.

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Blank RRD graphs

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimp
    rm /var/db/rrd/*, then go to the RRD settings and press save. Check the system log after doing that and if there are any errors with the files, it should show you there. Also check after loading the page.
  • PfSense - Watchguard x700 - Cisco Switch

    Locked
    15
    0 Votes
    15 Posts
    6k Views
    H
    Hi Steve… I am pulling the Kingston memory and my guess there is something going on there. This x700 also has an upgraded used pIII processor so I may even have to look at that and put the OEM celeron back in if the symptom does not stop with the memory. I am building a drive copy off the working x700 and will retest this x700 again with the OEM memory to see if that changes anything. No, the symptom is not on all ports... And somehow this was all working on the dlink switch prior to this "On off" issue... which was really confusing. I thought this box was completed and went to the customers business to install and then the fun began. It would not pass DHCP on his unmanaged Cisco switch. Since bringing the box back to my lab it is getting worse so will have to test the OEM mem and processor to see if this clears up. When you see this port issue happen there is no link light on the Cisco 3750 switch port and in the serial console you can see the port going up and down on the x700 re1. It started acting up and then with no link light and then shutting off and on. I moved this hard drive to my second x700 and it runs fine when installed. My guess is the memory. Will update later. Thx... H.
  • PPPoE Configured successfully but still some Problem

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    K
    If you run the PPPoE server, does that mean everything upstream of the WAN port such as ADSL routers need to have their MTU also changed to 1492?
  • Multiple lan interfaces on the same subnet

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    M
    Switch might be better idea. Have you tried bridging, I'm not sure if it works with vlans, but try and inform
  • "Getcontrol" another brazilian version of pfsense

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    stephenw10
    I can't see a problem with this. They mention pfSense on their web page. They seem to be offering an appliance with a fork of pfSense. Of course my Portuguese isn't great!  ::) Steve
  • VLAN Tagged and Untagged traffic…

    Locked
    1
    0 Votes
    1 Posts
    4k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.