• Inspired by the earthquake

    Locked
    0 Votes
    2 Posts
    1k Views
    jimpJ

    Anyone can seed a pfSense iso, but there aren't any 'official' ones. I think I have seen torrents for pfSense on sites before, just be careful that the md5 matches.

  • Port mirroring

    Locked
    0 Votes
    2 Posts
    2k Views
    E

    You could just mirror the WAN/LAN port over to a random port on the switch, attach it to the IDS machine and then sniff.

    At least that would be my way of doing it with ProCurve.

  • Multiple gateways on 1 interface

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • LAN -> DMZ traffic slow responses

    Locked
    0 Votes
    10 Posts
    7k Views
    T

    I've already switched it to let the DMZ machines grab the DNS from the pfSense DNS forwarder.

    As for the firewall rule, I didn't get a chance to look yesterday. I will be doing some more playing with firewall rules today and I will post back what I find for anybody else having the same issue as I was.

    ---

    Easy enough, compared firewall logs with and without the allow all rule to DMZ network and found that port 53 was being blocked.

    Since port 53 is the DNS port (TCP/UDP), I just created a rule allowing the DMZ to use port 53 TCP/UDP to the DNS forwarder.

    Protocol: TCP/UDP
    Source: 192.168.5.10 (only DMZ machine), Port: Any (because I saw it using multiple higher ports)
    Destination: 192.168.1.1 (DNS forwarder), Port: 53

  • MOVED: Best Sys log server for windows

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How Can I stop ARP Attack on my lan?

    Locked
    0 Votes
    13 Posts
    15k Views
    D

    I'm operating a CyberCafe as well (and was a consultant in this for nearly a decade) and I can safely say this:

    1)  You need to have some form of software security
    2)  You need to observe your customers' needs and install the software they need

    On point 1, there is no such thing as giving users full rights over the system (even when I experimented with disk image based management systems which reset on reboot, access to system settings was locked down).
    If they need admin rights for installing software then you need to have some form of lock down on the critical aspects of the system.

    In Windows, you can use registry hacks to:
    1)  Disable right clicking on the desktop (no changing of graphics settings, wallpaper etc)
    2)  Disable taskbar icons (no disabling of antivirus, changing of network settings)
    3)  Disable right-clicks on Start Menu (no adding/ removing shortcuts)
    4)  Disable Command Prompt (No access to what you need to secure via the command line)
    5)  Disable Batch/ CMD files, VBscripts or Registry Files (choose one of the latter 2 since you need either to unlock the secured system for maintenance; I recommend disabling Registry files since it's far harder to find and download a VBscript to unlock system policies)
    6)  Disable drive access and Windows Explorer (all downloaded files will hit the desktop since that is the one folder you cannot deny access to)

    Couple this with removing the shortcuts to Control Panel and Network settings in the Start Menu and the user won't be able to muck around with changing the Network Adapter settings for a start.

    In such an environment, run Deepfreeze or Windows SteadyState to reset the software installations upon a reboot.
    On the second point, if you start to learn what your customers need and install them, then you need not give them access rights.
    I have helped setup and managed CyberCafes with more than 100 applications and games per PC simply because a lockdown was required.
    It takes time to update and patch these but trust me, you'll lose more money and man hours if anything screws up because of a user messing around with the system.

  • All 3 pfSense machines shut down over weekend

    Locked
    0 Votes
    13 Posts
    6k Views
    D

    @thunder8911:

    Heyas again,

    Yes, not a BBU of course, I'm talking about a UPS. Usually when power is cut, they don't power on themselves without pressing a button or anything,
    because it's not true server hardware. The machines themselves are around 6 months old now. The air conditioning in the room generally filters all the dust
    in the room and gets maintained on a regular basis. I will probably just try to put all machines on a different power outlet.

    Hope this helps :) Thanks again!

    Hi, I don't mean that as a server feature.  It is a basic setting in the BIOS (CMOS).  Under Power Options, you should find a setting that says:
    Power on after power failure - Options:  On, Soft Off, Last State.

    This is definitely available on consumer boards.  Set this to "On".  If the machines are powered down due to power line issues, when the power comes back on, the machines will automatically boot up.
    However, if the machines are manually powered off - by pressing and holding the power button or via shutdown command (script or manually entered command), the machines won't come back online.
    This should hopefully help you isolate the problem as to whether this is a powerline issue or a script problem (or sabotage, for that matter).

  • Possible bug with aliases and bridging

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • FTP traffic goes out WAN instead of WAN2, ignoring firewall rules

    Locked
    0 Votes
    4 Posts
    2k Views
    GruensFroeschliG

    In this case you cannot use policy routing and you will have to create static routes for all these servers pointing to the gateway of WAN2.

  • Connection Issues

    Locked
    0 Votes
    8 Posts
    3k Views
    B

    Haven't tried a direct connection yet, but did have a tech out today, and he found some problems with my line.  So hopefully that was the culprit.

  • Can't access FTP server behind pfsense

    Locked
    0 Votes
    8 Posts
    5k Views
    R

    That sounded like an ideal solution, but it doesn't work for me. I disabled the helper proxy, and forwarded the ports to the computer with the server. There doesn't seem to be a way to configure the FTP server to only use passive mode, but I configured IE to do so. Nothing shows up in the FTP logs, either from my local network, or remotely. Direct to the IP address within my network still works fine. Any ideas?

  • Port forward Axis webcam stops working after a few days

    Locked
    0 Votes
    6 Posts
    3k Views
    G

    @Everen:

    Gredd,

    I have many (more than 80) Axis cameras going through a pfSense box without any issues. I can't promise anything, but I would like to assist if possible.
    Which Axis model are you having trouble with? Which Axis firmware version is it running? Which version of pfSense are you running at your location?

    Thanks for helping :)

    It's a 207W but I don't have the firmware version at hand right now. The pfSense box is a 1.2.3 and I'm about to try the 2.0 beta, mostly for the traffic shaping stuff, but maybe it solves the webcam issue too.

  • Multi Lan bridging - not working

    Locked
    0 Votes
    3 Posts
    1k Views
    R

    Thanks for the reply, and you're right, it was a rules issue.

    So now I have moved on with a fresh install. I am bridging switch0 with switch1 (0 is on the WAN interface, 1 is the LAN interface) and I have followed the bridging guide. I can ping from the LAN-connected switch to the WAN-connected devices without issue but cannot ping from WAN-connected devices to the LAN-connected devices. I can if I go to advanced settings and disable filtering. I have a rule for everything to everything on the WAN interface but no luck. Any help would be much appreciated.

    One more question, if I build a new system and put 3 interfaces in the system, bridge LAN and opt1 and just ignore wan all together would that get around any funkiness?

    Thanks again everyone and thanks to the pfSense devs. You guys have done a fantastic job with this product. I am really looking forward to 2.0.

    Rich

  • Enabling Userland FTP Proxy doesn't make it into rules.debug

    Locked
    0 Votes
    2 Posts
    1k Views
    jimpJ

    Placing of those rules depends somewhat on the firewall and nat rules involved between segments.

    You might also try killing all processes that match pftpx and ftpsesame and then re-saving any firewall rule to trigger a change. See if it restarts properly after that.

  • Outside IP hitting firewall a lot, what do I do?

    Locked
    0 Votes
    5 Posts
    4k Views
    D

    Just realized that I made a typo, it should read "can't get or isn't assigned an IP."

  • MOVED: Is this type of vpn configuration possible?

    Locked
    0 Votes
    1 Posts
    943 Views
    No one has replied
  • MOVED: Load balancer + Squid

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • MOVED: Netgate Hamakua and squid

    Locked
    0 Votes
    1 Posts
    915 Views
    No one has replied
  • IPv6 and Bridge

    Locked
    0 Votes
    9 Posts
    6k Views
    E

    The two rules should go below the allow everything rule, since you will be having "Apply the action immediately on match." unchecked on the 3 rules.  Rules are evaluated top to bottom, but with that unchecked (something you can only do on the floating rules), it will only apply the action from the last matching rule of that type, waiting until it hits the end of the rule list, a rule that matches and has that checked, or a regular rule from one of the tabs with an interface name.

    It is kind of complicated to explain, but basically if you have "Apply the action immediately on match." unchecked on those 3 rules, the rules on the tabs for the interfaces or anywhere else can still override it.  Some of the built-in hidden rules, like the default deny rule, are made this way.  They are actually above other rules in the list, but allow other rules after them to match traffic and override them.

  • 0 Votes
    4 Posts
    2k Views
    GruensFroeschliG

    Yes you would need portforwards.
    Also you would need static routes on your existing router, telling it over which IP the VPNs are reachable.

    I didn't mean disconnect in the sense of not existing, but that you connect your existing network to the WAN.
    Something like this:

                            +-----------------------------+
        inet-----router-----|----virtual_WAN              |
                            |         |                   |
                            |   +-------------+           |
                            |   |   pfSense   |           |
                            |   +-------------+           |
                            |         |                   |
                            |     virtual_LAN             |
                            |                             |
                            +-----------------------------+

    Basically, the WAN is the interface to which your VPN clients connect, and the WAN is the interface which is used to talk to the rest of your existing network.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.