Thanks, jimp.  That's what I thought but wanted to be sure. Yakup

thanks for the quick reply. it's setup already from the freenas box so it would be easier yes. i was just wondering if there any any implications to storing keys on pfsense? i'm not going to do it as having them on the freenas box is an extra layer but it was just something i was toying with.

perhaps you could throttle bandwidth for EXE, CAB, MSI files. Further this high bandwidth usage is only as long as, till the proxy has them all in the cache. Perhaps you can do a windows update over night and at the next morning all files will be downloaded. Another option ist, that you lower the maxmum file size, so that only small updates gets cached. There are pros and cons for caching those files.

All Geode CPUs (ALIX, Soekris, etc) have the GLX Security Block device (glxsb) which will accelerate only AES-128. So for OpenVPN you need to set aes-128-cbc, and for IPsec, you set Rijndael (which is AES-128). Unless you have disabled the glxsb device under System > Advanced, it is loaded at boot time on supported platforms.

Yes I've disabled the block private ip addresses and the other one as well.  The only problem is when I change modes to the router mode I lose internet connectivity for clients on the network.  I'm looking for more information on this topic now.  I may try another stock router to see what happens as well.

I did a fresh install on another disk and identical system. Seems to work just fine, so I'm not sure what the issue is/was? Perhaps the disk has a problem. Update: For those who come across this thread … The cause of one PC not booting properly is still unknown but most likely a hardware issue with the MB. I determined that the issue was not the disk drive, cables, or network cards. I installed on two systems with identical MB (Asus p4c800e) and bios settings. On one board, the standard ich sata port would not boot properly. Same drives on alternate PC never showed a problem. Switchiing to the Promise controller sata port on the bad board does work. Other OS's have no problem booting (linux, windoze). I can only assume that the older MB may be failing in some way. I'm new to BSD and not familiar with how BSD determines device names, but on one it would find the disk as ad4s1a and on the other (non-working) ad8s1a with promise controller disabled.

Some more interesting info: This is the log from the other router that connects successfully 16:16:34 pppd pppd 2.4.4 started by root, uid 0 16:16:34 pppd Using interface ppp0 16:16:34 pppd Connect: ppp0 <--> /dev/ttyp0 16:16:35 pppoe PPP session is 13507 (0x34c3) 16:16:36 pppd PAP authentication succeeded 16:16:36 pppd kernel does not support PPP filtering I can see that it's using PAP authentication. At pfsense /var/etc/mpd.conf  the following statements are enabled: pppoe: new -i ng0 pppoe pppoe set iface route default set iface disable on-demand set iface idle 0 set iface up-script /usr/local/sbin/ppp-linkup set bundle disable multilink set bundle authname "xxxxx@xxxxxx.com"         set bundle password "xxx@xxxxx" set bundle no noretry set link keep-alive 10 60 set link max-redial 0 set link no acfcomp protocomp set link disable pap chap set link accept chap set link mtu 1492 set ipcp yes vjcomp set ipcp ranges 0.0.0.0/0 0.0.0.0/0 set ipcp enable req-pri-dns set ipcp enable req-sec-dns open iface I can see the "set link accept chap" So is the problem related to the type of the authentication used? Should i change to pap in pfsense?

CLOSED THANKS

This is awsome!  ;D In my opinion (as someone living in a supposedly Christian country!) it should be part of pfsense. If you reboot your box on Christmas day it should play jinglebells.  :D That opens up the possibility of other date related start up themes….... Steve

@dreamslacker: That will fall under:  Maximum number of established connections per host Just create a rule that catches all traffic from LAN then set the limits per host.  Of course, if you need to shape more then there's much more tweaking to be done. What is the recommended setting for this? I set it to 60 on both the WAN and the LAN side and after a few mins my connection just came to a crawl. I had to disable it to get back online.

Update to the question.  Initial issue resolved due to problems with cached mak address being seen by the firewall devices and our switches.

Because many people open the web interface or SSH from specific remote locations for management and want to do so without having to NAT. Changing that now would break thousands of upgraded systems. I agree it wouldn't be a bad idea to have an option to only bind to specific IPs. Patches welcome.

Adding this pointer to the FAQ since this thread comes up high in Google results. http://doc.pfsense.org/index.php/Can_I_sell_pfSense

Or setup a VPN so you have secure access to anything internal. OpenVPN, IPsec, PPTP, etc.

wallabybob, Ill give 1.2.3 a go and tell u how it goes. tnx

You probably should have the Windows Server/primary domain controller, behind the firewall, become the primary DNS server for the entire LAN. Configure the Windows DNS to get its DNS info from a valid server on the Internet. Then have your pfSense box get its DNS from that Windows Server, and no other. That way your pfSense box will have the same DNS info as the primary domain controller.