you are trying to fix a layer2 problem by using a layer3+ solution …. this will never work very well. the solution you actually want involves dynamic vlans & 802.1x authentication. (see this juniper page for a short explanation: http://www.juniper.net/documentation/en_US/junos11.4/topics/concept/802-1x-pnac-dynamic-vlan-understanding.html )

On pfSense console menu (12) developer shell, you can: playback gitsync If you know what you are doing and why, you can GitSync to get the latest changes from the GitHub repo. e.g. for testing coming 2.2.2-DEVELOPMENT script changes without instaling a whole development snapshot.

Only if you've disabled filtering on the bridge members. You can limit and shape on bridged interfaces as far as I'm aware. Bit old but for example: http://blog.davidvassallo.me/2012/10/23/traffic-shaping-pfsense/ There are some restrictions though, such as: https://redmine.pfsense.org/issues/3824 And more importantly in 2.2: https://redmine.pfsense.org/issues/4405 Steve

Haha. I am sorry, but I was not close to a terminal with WebUI access while I asked that question. So I assumed there was a textbox present instead. Good, then this answers my questions. :) ~repne

While you are correct he didn't mention it.. from this statement "Also, when I had SSH enabled I was able to see multiple attempts to break in by brute force;" But sure guess its possible for someone on his LAN trying to brute force his pfsense ssh connection.

@johnpoz: I don't get it??  Why would anyone set up something like that?? And you have multiple down stream routers for different segments as well? Is there anything below those routers?  More routers?  Oh so that is what you meant by gateways..  Why so many??  Where is the core of this network?  So all your routers are running vyatta?  On what hardware?  Why would you not just put in a nice layer3 switch and be done? So what pix, you mentioned a 515 you got rid of.. What are the existing ones?  Why don't you just replace those all with 1 pfsense box?  You can easy add multiple ports there.  But I don't understand why you need so many segments?  If you want the ext and internal - great that is 2 boxes ;)  And then a L3 switch below there for your other segments.  Sure set them up in HA if you want, etc.  So say 4 boxes 2 ext, 2 internal and 2 L3 switches. With the absense of Layer 3 switches would the following be possible? Likely to cause any issues? Green and Orange represent data flow along different VLans (only drawn 2 I have 25 in use) on the internal network. Blue would be a Vlan on the external side for traffic between subnets and would be on a private address range, red would be vlan for internet bound traffic, with the interface being public ips Black lines are the physical connections and would pretty much all be trunk connections. Hopefully that all makes sense, and thank you for your input  

@newkansan: I did determine that rebooting the ISP modem will temporarily fix this problem. You can restart the apinger service instead of rebooting. The issue is not addressed in 2.2.1. Current bug status shows as targeted for 2.2.2.

Hi Charliem, thanks for the reply. I believe i have the same issue as the owner of the other thread. I will add my comments into that thread so we can both come to a solution. Cheers

@doktornotor: @mikepogi: I just unplug the main switch without shutting it down the pfsense :-[ [/quote] You might want to rethink your strategy…  :o https://redmine.pfsense.org/issues/4523 Yanking the power plug does not cause a kernel panic. That's specific to kernel panics only, not unclean shut downs. With nanobsd versions, you definitely want to cleanly shut down/reboot so it saves your RRD data, etc. With full installs, it doesn't really matter. I very rarely do a normal shut down of any dev or test system and can't recall ever breaking anything from doing so. That said, I would never just yank the plug out of any important production system running any OS if it's avoidable. There is always a possibility, though extremely remote, that Windows, Linux, BSD, etc. will end up with some kind of not easily repairable issues if you happened to pull the plug at exactly the wrong time. Certain use cases are much more likely than others to suffer such problems (like Windows servers with Exchange or SQL, *nix systems with busy MySQL, Postgres, similar servers).

When there are rules that use a schedule, pfSense will add a cron job: 0,15,30,45  *  *  *  *  root  /etc/rc.filter_configure_sync That job is set to run ever 15 minutes. It will effectively cause the ruleset to be parsed for rules that are in/out based on schedules and do its stuff. So you need that cron job to run every 5 minutes also. It's somewhere in the code - I will let you find it as a learning exercise :) And remember, after every upgrade you will need to re-check what mods need to be made and then re-apply your changes.

@johnpoz: Where are you when you go to either http or https www.myurl.com - are you inside pfsense or outside on the public internet? IF you don't see any http getting to the box how are you getting redirected to https://www.myurl.com:9909?  Where are you doing the redirect, pfsense can not do such a redirect that I am aware of. Externally and thats the problem we aren't doing that redirect anywhere. I thought this was the culprit WebGUI redirect Disable webConfigurator redirect rule When this is unchecked, access to the webConfigurator is always permitted even on port 80, regardless of the listening port configured. Check this box to disable this automatically added redirect rule. I understood that option was doing the redirect. I have this box ticked and it makes no difference

@Harvy66: I just leave mine at Adaptive and my 3.2ghz CPU is pretty much always at 300mhz any time I check it. I'm using Adaptive too, it works pretty stable. But I usually switch into minimum at midnight to save little more power. However, if I could do that in cron job that would be perfect. In Adaptive mode : Intel(R) Pentium(R) D CPU 2.66GHz Current: 1329 MHz, Max: 2659 MHz 2 CPUs: 1 package(s) x 2 core(s)

It's apparently the default for us and not explicitly set

@hege: @eskild: ipsec is unable to read the private key. with ipsec listcerts you should see a line like   pubkey:    RSA 4096 bits**, has private key** If that's not the case, try the following commands ipsec rereadall ipsec restart (restart not reload!) What's the output of ipsec listcerts ? I had the same issue with pfSense 2.2 after creating a CA and a certificate (annoyingly, StrongSwan apparently does not and will not support wildcard certs).  IPSec log when I connect: charon: 05[IKE] no private key found for 'C=US, ST=Illinois, L=Naperville, O=ITS Inc, E=support@example.com, CN=router1.example.net' ipsec listcerts output: List of X.509 End Entity Certificates: subject:  "C=US, ST=Illinois, L=Naperville, O=ITS Inc, E=support@example.com, CN=router1.example.net"   issuer:  "C=US, ST=Illinois, L=Naperville, O=ITS Inc, E=support@example.com, CN=router1-ca"   serial:    02   validity:  not before Mar 17 23:10:33 2015, ok             not after  Mar 14 23:10:33 2025, ok   pubkey:    RSA 2048 bits   keyid:    xxxx   subjkey:  xxxx   xxxx $ ipsec restart Stopping strongSwan IPsec… Starting strongSwan 5.2.1 IPsec [starter]… no netkey IPsec stack detected no KLIPS IPsec stack detected no known IPsec stack detected, ignoring! After those commands, I get "pubkey:    RSA 2048 bits, has private key".  Unfortunately despite that, I still get error 13801 from Windows when using the common name or IP address.

I literally haven't had a single watchdog timeout on an interface that wasn't set to WAN. Both interfaces I tested are on the same card, but that doesn't explain why they stop misbehaving IFF they aren't WAN. I'll try another mobo when I get the chance, but it's odd that only the WAN interface complains. I'll try setting the 10/100 NIC as WAN too, 100Mbit is better than nothing!