I'm not sure that the modem I'm using will let me. I'll do some more research on it.

It's also available in the pfSense-packages git repo.

You should be able to achieve that with squid, probably with squidGuard.

no the server cannot connect to the internet.

I am testing by hosting a website on the server and trying to access it. I assigned NAT rules. and also rules on the lan to allow tcp between 2 interfaces and still nothing.

I will try to explain more about our setup, since this problem continues to bug us.

Network Setup

WAN
PfSense
LAN > VPN > Remote site with IPTelephones (H.323)

The gateway to our remote site has the pfsense as its internal default gateway.

So, all traffic from our remote site passes through the VPN , then to the pfsense and from the pfsense out. I´ve tried to find the iptelephones ipnumers in the state table, but they dont seem to be there.

When we for example changes a static route on our pfsense, the filter reloads and the calls on our phones on the remote site breaks.

The telephone system is Solidus Ecare on a MX-ONE telephone system and really has nothing to do with the pfsense itself, only that the clients on the remote site speaks through the pfsense to our telephony systems.

The clients seem to bee unaffected otherwise when the filter reloads. They maintain communication to all the systems. Only the iptlephones traffic breaks.

Any comments tips or the like is much appreciated.

Best regards

pkg_info

arc-5.21o_1        Create & extract files from DOS .ARC files
arj-3.10.22_1      Open-source ARJ
bandwidthd-2.0.1_1  Tracks bandwidth usage by IP address
clamav-0.95.1      Command line virus scanner written entirely in C
db41-4.1.25_4      The Berkeley DB package, revision 4.1
gamin-0.1.10_1      A file and directory monitoring system
gd-2.0.35,1        A graphics library for fast creation of images
gdbm-1.8.3_3        The GNU database manager
gettext-0.17_1      GNU gettext package
gio-fam-backend-2.20.1 FAM backend for GLib's GIO library
glib-2.20.1        Some useful routines of C programming (current stable versi
havp-0.90          HTTP Antivirus Proxy
jpeg-6b_4          IJG's jpeg compression utilities
lha-1.14i_6        Archive files using LZSS and Huffman compression (.lzh file
libiconv-1.11_1    A character set conversion library
libslang2-2.1.4_1  Routines for rapid alpha-numeric terminal applications deve
libusb-0.1.12_2    Library giving userland programs access to USB devices
lightsquid-1.7.1_1  A light and fast web based squid proxy traffic analyser
lzo2-2.03_2        Portable speedy, lossless data compression library
mbmon-205_4        A tty motherboard monitor for LM78/79, W8378x, AS99127F, VT
mc-4.6.2            Midnight Commander, a free Norton Commander Clone
mysql-client-5.1.44_1 Multithreaded SQL database (client)
neon26-0.26.4_1    An HTTP and WebDAV client library for Unix systems
net-snmp-5.4.1.2    An extendable SNMP implementation
ntop-3.3.8          Network monitoring tool with command line and web interface
nut-2.2.2          Network UPS Tools
openldap-client-2.4.10 Open source LDAP client implementation
openvpn-2.0.6_9    Secure IP/Ethernet tunnel daemon
p5-GD-2.39          A perl5 interface to Gd Graphics Library version2
pcre-7.9            Perl Compatible Regular Expressions library
pcre-8.00          Perl Compatible Regular Expressions library
perl-5.10.1        Practical Extraction and Report Language
perl-5.8.8_1        Practical Extraction and Report Language
pkg-config-0.23_1  A utility to retrieve information about installed libraries
png-1.2.35          Library for manipulating PNG images
python25-2.5.4_1    An interpreted object-oriented programming language
rate-0.9            A traffic analysis command-line utility
snort-2.8.5.3      Lightweight network intrusion detection system
squid-2.7.7        HTTP Caching Proxy
squidGuard-1.3_1    A fast redirector for squid
squid_radius_auth-1.10 RADIUS authenticator for squid proxy 2.5 and later
unzoo-4.4_2        A zoo archive extractor

Nothing special at the logs, mostly ntop messages.
I tried tcpdump and figured out that all packets are going correctly. Seems like NAT doesn not send/recieve all packets to clients…

Yikes!  I need to take notes. This has gone away and I can't remember what Ive done in the last few weeks…  Ive been using I.E. to admin the router so did not notice it go away.

Ill compare notes with anyone who may stumble across this later.  Hopefully no one!  :P

It depends on where they were blocked. There are two tables in pfSense that can get IPs in them from different triggers, but it's pretty rare, and they are periodically purged.

If you want to check, run the following from Diagnostics > Command.

pfctl -T show -t sshlockout pfctl -T show -t virusprot

If they are empty, that is not your problem.

If you see an entry, you can delete it with -T delete <ip>or just flush it completely:

pfctl -T flush -t sshlockout ```</ip>

pfSense is not linux and there is no glibc by default in pfSense ;)

For lagg to work, your switch has to support it as well.
If you look at the feature list of your switch, see if it supports 802.3ad (this is the official standart defining link aggregation)
more info here: http://en.wikipedia.org/wiki/Link_aggregation

hi. because you are using Squid Guard and Squid proxy with your main pfsense box. its better you use another pfsense box with Squid Guard and Squid proxy.

in my exprience Squid Guard and Squid proxy in most case they slow down the system. at first they run like charm. but when ever they start to full flow(heavy load) they start to slow down the system.

Me i am using 6 pfsense in six different internet cafe. All those cafe has 20+ work station. when i started to use Squid Guard and Squid proxy.

They let me to face lots of problem. so i uninstalled those package and then all those problem gone.

I think you are facing similar problem.

BUT NEVER EVER DOUBT ON PFSENSE. It's Awesome…........

@rcbandit:

What framework are you planning to use?
Which framework do you find best for pfsence

I don't think that has been decided. There has been talk of CakePHP but some people like it and others say it's too slow.

Given that it's so far in the future for a topic, it's far too early to say.

There is a board just for CARP here, that would be the best place.

Thanks for replying.

My ISP is plusnet.  I'm not LLU, I'm on a normal BT exchange with 21C, but not ADSL+ as I'm too far from the exchange to take advantage of it.

On plusnet's forums I can see that other folks are using PPPoE just fine with them.

They use the standard BT VPI/VCI 0/38.

Yup, using PPPoE means my MTU has to be a little less than 1500.  I'm using 1492.

I'm on the latest non-US firmware for the DG834Gv4.  It's currently in dumb-modem/bridge mode via the standard url hack.

So far, my old d-link dgl4300 gaming router is working fine with the DG834Gv4 in PPPoE mode.  No uncompleted page loads.

However, I'd far rather use pfsense.  That's why I'm here :)

I'm not pegging the CPU on the 533mhz Via chip that I can see.  Downloading 20 SSL connections from my usenet server works a dream.  Going full rate.

It just seems to be spikey web pages loads… like loading a new web page with lots of images that causes things to get lost/go wrong.  Things like page loads aborting... or image loads hanging.  Just regularly enough to be annoying.

Note I did have to disable DMA on IDE for the CF chip, or pfsense wouldn't boot.

I'm wondering if the network chips need a workaround.  They seem to be that model that everybody's complaining about.  realtek?  I tried disabling the checksum offload, but that didn't make any difference.  I tried device polling, and neither did that.

-- gyre --

We've roughly 70 employees; I guess that's big.  Thanks for the link mhab12.  I will check it out.

You probably just need to copy /usr/bin/tip from a suitable FreeBSD host of the same vintage, and then from the shell you could run:

# tip com1

Which would connect you to the serial port. To disconnect, press enter, then type ~.

cu might work but I'm partial to tip.

If you have a blue "Cisco" serial cable like they include with the router you do not need a null modem adapter.