upupup!

@gmckinney:

@foomanjee:

Yeah, firewalls were on 1950's, then today I upgraded them to 2950's, since I knew I was going to have to run snort, and I was moving more traffic over..

Will check out that link - thanks.

Side note - snort sure does like blocking Akamai :(

If you are running in a production environment you may also want to checkout:

http://www.freebsd.org/cgi/man.cgi?query=pae&sektion=4

Just a suggestion….

gm...

Kind of need the kernel sources for that..  Do you guys have the pfsense kernel file up anywhere? (pfSense_SMP)

Search, it has been answered before  ;)

The easiest thing is to download, modify and reupload the config but this will force a reboot.

You may want to make use of the search function to find other discussions on this point ;)

@nicolas_thon:

Dear All,

As I have one Multiple Serial PCI Card to extend on Serial on pfSense Box, but I dont know how to make the card work on the box.
Anyway can anyone give me any solution to working on this.

Thanks In Advance.

What kind of Hardware is it? Is it supported by FreeBSd-6.2? Take a look here: http://www.freebsd.org/releases/6.2R/hardware-i386.html#SERIAL so see if it is supported …

Everything that's in the config will be backed up and restored (so if you added your your cron items there you are good to go). It also will reinstall missing packages on bootup if the config has packageinformation of packages that are not installed. Should be a rather easy upgrade. However you will lose logs and stats if you run such packages when moving to another system of course.

Our new webpage hase some nice info about hardware sizing. Check it out at http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49 .

What i can recommend you if you do not want to go through this hassle is use prebuild packages.
Take a look at pkg_add -r option and if you feel you need a man page go to http://www.freebsd.org/cgi/man.cgi that should save you from your linuxism ;) of using –help which in the BSD world is just -h (as help) :S.

Anyway good to hear you weren't disappointed and stayed in the ship.

Just some thought to just let people know how to avoid some headaches, same as your post.

Regards.

I have not found this info on faq.pfsense.com, but is this issue because of specific size of log file? because clog specifies the specific size of the file, the 'empty' part of the file is filled with those characters (^@)?? I mean, this doesnt means that this is a file being corrupted?

I'm asking for this because I have had many problems with core dumped files in pfsense filesystem, after some ups fail; I dont know why but even today, when my ups fail some times (my ups battery doesnt last too much), it seems that some files are corrupted and the system begins to fail in some parts; last week it happened and traffic graph didnt worked anymore… so after have re-installed the system, I see this and feel worried about.

Thanks

Maybe someone should ask why kyohisro is separating these 10 computers into two subnets at all.
Playing games together makes me believe this is not a high security corporate network. Putting them in one subnet might free kyohisro from other hassle…
Load-Balancing the two WANs can be done differently; the easiest might be by policy based WAN routing.

Just my 0.02

Yes, 1.2 supports all the features of 1.0.1 plus more.

A 1:1 NAT doesn't expose the complete hosz to the internet. You still need firewallrules to allow traffic. But I wouldn't use 1:1 NAT for only a few ports either and it's more flexible if you do it with portforwards as you can forward some ports to server a and some other ports to server b then. Another advantage is that portforwards will work with natreflection whereas 1:1 nat won't.

Thanks razor, once again!

What you are suggesting seems like a decent solution, but makes things pretty difficult (read: beyond my abilities) for other parts of my network.  Is there no way the modem can distribute public IPs via DHCP (static mappings of course)? According to Comcast there isn't, but why not? I think that would be the ideal solution.

My gut feeling thinks that the modem wants some sort of communication to establish whether the connection will be DHCP or else a bridged static IP.  The pfSense log is seeing the "link up" message on the WAN port when it comes up, but it is not taking any action as it is not a DHCP interface (on the pf side).  Perhaps there needs to be some sort of communication from pf when that link does come up?

Regards,
Aaron

@superwormy:

Incoming T1 connection, a few machines need to have public static IP addresses, the rest will be NATed and just need access to the Internet. I'd like to have the machines that are exposed to the Internet in something like a DMZ… does pfSense have DMZ support, or is there a better way to do this, or...?

I have 3 network cards in the pfSense box... if I use one for WAN, one for LAN, and one for the DMZ machines, will this work to isolate the LAN machines from the machines that should be in the DMZ?

take a look to the docu from monowall written by cmb, it runs as it should.
http://doc.m0n0.ch/handbook-single/#id2604946

@Tai:

Im not sure what disabling NAT Reflection really entails if it is a horrible security risk or just makes port forwarding/nat more work. ??
Cheers

It's not a security risk, it just puts more load on the pfSense box. The domain name you use to access your virtual sites internally looks up to a public IP. Thus the request goes out to the pfSense box. Enabling NAT reflection allows the pfSense box to redirect the request back into the internal network to the correct host.

If you had split DNS when inside your network the domain name would look up to the internal IP of the server. This would avoid the unnecessary loop to the pfSense box as the request would go directly to the server. When outside your network the domain name would look up to your public IP.

There are ways to do such configs not from the pfsense gui!

Search google if you want to do such a config but it just provides basic security and not a real protection.

Go to the console or ssh in (if you have ssh enabled at system>advanced) In the menu you'll find an item "pftop" that will do exactly what you are looking for. Press "h" for advanced options while running pftop.