Thank you

Thankx for the reply, yes i have 4 ip's.
Only using one now.
I will try nattting a second ip to the second interface.

What does this mean please?
@bangsters:

when the server using this ip communicates with the outside, it reflects the main firewall IP and not the virtual IP

What does```
pfctl -sn

Yes, I need to do some fact-finding before I can understand better.  Which probably means I need to get pfsense running in the first place replacing my router anyways :) !

I'll report back findings/progress when I've got it together (might take some time).

Thanks wallabybob and everyone for your help.

Well usually you dont have to reset the webGUI.
Normally you know how access to the GUI is allowed and just access it.

In most setups i have i allow access to the webGUI only via VPN (even if you are on the LAN side).

I found it!.
I configured it a few weeks ago and it worked perfect. this morning I remembered that the default gateway on the 192.168.20.0 net is 192.168.20.254 while the PFsense ip is 192.168.20.1. this is where I made the mistake.
When I tested the setup I had a static route facing 192.168.20.1 then I told to myself I will just add a static route on the existing firewall 192.168.20.254 and it will redirect the traffic. I rebooted the server a few time and the local route was deleted.

So it's very interesting why the firewall 192.168.20.254 has created the mess.
But I'm not going to investigate this.  I will replace it to Pfsense as well, and I hope that it will be ok.

Many Thanks
David,

Thank you!

Will look into it!

@tastyratz:

EDIT I am now able to pull up the page. I am unsure why I was never able to before in previous configurations or when swapping back and forth… but it now lets me. I suppose it is now a non issue.

There is anecdotal evidence that some cable modems in some circumstances care about the MAC address of the downstream device.

I do wonder however if its possible to block private networks on the wan port but allow a private network address exception so ONLY the modem config page can be accessed via the wan port.

pfSense firewall rules apply on the input device. So on the LAN interface you could add a rule to pass traffic to the cable modem and follow it with rules to block access to appropriate private networks. (In time you might add other interfaces with private network addresses and want to route between them and LAN.)

I also dropped this stuff into an FAQ entry for future reference:

http://doc.pfsense.org/index.php/Remove_F1_Boot_Prompt

And the debug should really be =16, not 0x16, my memory was fuzzy on that one so I looked it up again. It worked with 0x16 but that may be why the debug messages were printing, since it wasn't quite the right mode, it had more debug info turned on.

most likely not, if i recall correctly dd-wrt doesent use rrdtool

i´d  say dont bother

/F

Cool. Thank you.

@rkelleyrtp:

Thanks again.  Is there an easy way just to get allowed vs dropped?

That should be on the summary view, but it only counts logged items.

There isn't a web interface to it, but you can also check the output of:

pfctl -vvsr

From the console/ssh. It will show you things like this:

@6 block drop in log all label "Default deny rule"   [ Evaluations: 5        Packets: 2        Bytes: 104        States: 0    ] @41 pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"   [ Evaluations: 5        Packets: 6        Bytes: 456        States: 2    ]

Nice Jimp!!

Wouldn't it be nice if that really was the protocol!  Make my life easier.

1.2.2….. We need to upgrade.

1.2.2 was based on FreeBSD 7.0, and 1.2.3 is based on FreeBSD 7.2

There could be any number of changes along the way that let it work.

You'd be better off starting with a 1.2.3 NanoBSD if you need embedded.

Sorry for the confusion - we run a WiSP service for a large rural area using Motorola Canopy radios (not 802.11) - over 500 customers, many commercial gas production facilities, coal mines, etc.  The radios have MAC's starting with 0a-00-3e…  When NAT is turned on they change the first number to a 2 (2a-00-3e...).

Again, I got this sorted out.  I know what the messages mean, and I use them regularly to monitor duplicate IP addresses being used, but there was an issue with our syslog server and the messages it was sending out to us (only sending the first message multiple times so it looked like same change was happening multiple times, instead and back forth between the hosts).

This is an old post, but I just wanted to update.
I was working on a WAN Emulation project and I wanted to use Alix/NanoBSD as base.
Since you guys have IMHO the best BSD based project I wanted to learn from you.

Everything has been resolved and is working beautifully.  It even have it using the front LED's to indicate if WAN Emulation is enabled and if there is traffic on any port.  :P