Figured it out:

https://doc.pfsense.org/index.php/Installing_FreeBSD_Packages

Thanks for the up to date doc's.

Plenty of help here:

https://doc.pfsense.org/index.php/Boot_Troubleshooting

@Derelict:

I would ask the ISP if they can assign a /29 or /30 (OR /31 IN 2.2??) for your WAN interface and route the /26 to you over that.  You'd have a lot more flexibility in how you use the addresses that way. (Like putting the /26 (or part of it) on an OPT interface and turning off NAT.)

An alternative might be to bridge WAN with OPT, then assign WAN to use BRIDGE0.  Anything you then plugged into OPT would effectively be out on the /26 with your WAN address.  But an outside switch can accomplish the same thing.  You lose essentially all firewalling capability this way.

^^^ What he said, Option 1.

Generally speaking, ISP's will give you a L2 point-to-point and a L3 routed block, most people install a router with the p2p (/30) on the front, and the routed block (/26) on the back-end. (You would then IP you firewall on the /26)  In this case, the router becomes a single point of failure.

Ask for an L2 /29 from the ISP so that you can support redundant pfSense Firewalls, then use your L3 /26 behind it on your DMZ interface.  You can still do NAT for certain hosts if you want by using VIPs, but you'll also be able to assign the public IP's directly to hosts by connecting them to the DMZ network.

[One day pfSense may support HA with smaller blocks (/30 or /31), but until then I would recommend a /29]

…ct

If you have the budge ($20k), SolarWinds NPM, hands down.

If not… SpiceWorks just released a stand-alone Network Monitoring application.  It's a new product, customization options are limited, and it only supports WMI and SNMP at the moment.  But, it's free, it works, and it has a very simple slider to control how much noise it'll generate. (Alerts)

...ct

The HDD (CF Card) failed. What a pain, but back up and running. Took the opportunity to increase the memory.

@KOM:

blocking port 80/443 with anti-lockout rule disabled or with anti-lockout rule enabled?

Keep the anti-lockout rule enabled and put the blocks below it.

It is still managing to pass the firewall.
I have attached the screenshots of the rules I have entered, kindly let me know if I have erred in the rules.

After the blocking of port 80/443 I have added IP of our DNS server and blocked rest of them in the next rule.

I have configured NAT or you can say I am Port forwarding the traffic to 3128(HTTP) and 3129(HTTPS)


Maybe you could drop heper a pm?

https://forum.pfsense.org/index.php?topic=77859.msg424553#msg424553

Is upgrading to 2.2 an option, seeing as the 2.2 forum has now been retired in the last 12 hours?

These threads might be relevant, but the first link caught my eye when googling "pfsense can't remove hook"

https://forum.pfsense.org/index.php?topic=36043.msg203273#msg203273

https://forum.pfsense.org/index.php?topic=31409.0
https://forum.pfsense.org/index.php/topic,31247.0.html

Although slightly different to your setup, ie mine is just pfsense2.2rc into a single modem with no vlan to access the router/modem, the highest I've seen a ppp attempt is 34 times (reverse order to your layout).

Jan 19 16:41:55 ppp: [wan_link0] LCP: Open event
Jan 19 16:41:55 ppp: [wan_link0] Link: OPEN event
Jan 19 16:41:55 ppp: [wan] Bundle: Interface ng0 created
Jan 19 16:41:55 ppp: web: web is not running
Jan 19 16:41:55 ppp: process 5756 started, version 5.7 (root@pfsense-22-amd64-builder 12:58 18-Nov-2014)
Jan 19 16:41:55 ppp:
Jan 19 16:41:55 ppp: Multi-link PPP daemon for FreeBSD
Jan 19 16:40:47 ppp: [wan_link0] Link: reconnection attempt 34 in 4 seconds
Jan 19 16:40:47 ppp: [wan_link0] LCP: Down event

a single retry attempt (reverse order to yours)
Jan 19 20:17:40 ppp: [wan_link0] LCP: SendConfigReq #1
Jan 19 20:17:40 ppp: [wan_link0] LCP: state change Starting –> Req-Sent
Jan 19 20:17:40 ppp: [wan_link0] LCP: Up event
Jan 19 20:17:40 ppp: [wan_link0] Link: UP event
Jan 19 20:17:40 ppp: [wan_link0] PPPoE: connection successful
Jan 19 20:17:39 ppp: PPPoE: rec'd ACNAME "npe001.cam-B20"
Jan 19 20:17:33 ppp: [wan_link0] PPPoE: Connecting to ''
Jan 19 20:17:33 ppp: [wan_link0] Link: reconnection attempt 1
Jan 19 20:17:29 ppp: [wan_link0] Link: reconnection attempt 1 in 4 seconds
Jan 19 20:17:29 ppp: [wan_link0] LCP: Down event
Jan 19 20:17:29 ppp: [wan_link0] Link: DOWN event
Jan 19 20:17:29 ppp: [wan_link0] PPPoE connection timeout after 9 seconds
Jan 19 20:17:20 ppp: [wan_link0] PPPoE: Connecting to ''
Jan 19 20:17:20 ppp: [wan_link0] LCP: LayerStart
Jan 19 20:17:20 ppp: [wan_link0] LCP: state change Initial –> Starting
Jan 19 20:17:20 ppp: [wan_link0] LCP: Open event
Jan 19 20:17:20 ppp: [wan_link0] Link: OPEN event
Jan 19 20:17:20 ppp: [wan] Bundle: Interface ng0 created
Jan 19 20:17:20 ppp: web: web is not running
Jan 19 20:17:19 ppp: process 65724 terminated

Dont know the history of your pfsense usage, ie installed from scratch or had some updates/upgrades over time, but some upgrade processes do not always go smoothly, so sometimes its best to install from scratch and config from scratch if problems occur.

fwiw.

Problem i there when WAN is configured on some VLAN interface such as bce0_vlan1000… As i say when i changed WAN in pfsense to just bce0 and set port in switch to untag VLAN problem is gone...
Seems something prevent interface to start working by itself after reboot when it is configured with VLAN and need to be set by hand every time... Now i restarted router couple of times with no problems at all...

-- edit --

Just for the record switch is TL-SG3424 if thats matter...

Thank you dir the help. I'm just now in my Holiday nur will Check it nett Werk and reply!

@fabrizziop:

I made a pull request about a month ago, fixing the issue, but got totally ignored.

Not ignored at all, that was just too late in the release cycle for making that kind of a change. Cipher changes seem innocuous, but when you have to support a wide range of devices, with a variety of other pieces potentially interfering (such as hardware crypto cards), that's not the kind of change you make late in a release cycle. It's something we'll get merged for 2.2.1 and newer releases.

Yes.  ;)

There's nothing special about the modem-router connection it's standard ethernet.

Steve

Install the Cron package and remove the nonsensical cronjob.

On most tests I did, bridge is not the best setup for packages. If you use it only as a firewall, try to create a forward rule to send http traffic to a third gateway/machine with dansguardian and squid.

clients –-> pfsense bridge ---> lan --->
                                          |---> second pfsense as a server with dansguardian and nat rule to transparent proxy.

Remember that a lot of sites today uses https, so this setup will not work for them.

I can max out my 80/20Mb connection on an Atom 510 board using dual Intel NICs. I am very happy with it. My VPN connection is always limited by the rubbish remote wifi I am on.
For home use, older atoms (if you can find them) are fantastic.

Yes, and that was exactly what was causing it. Just checked the x-forward box and it's sorted it. Cheers mate.

hmm… maybe it was a bug after all ... one thing i do remember, the first time i tried to update it went very quick, so i was worried and did another update after that, to make sure it didn't corrupt anything.

Besides squid not working, what are the other disadvantages of running nanobsd ? Like i said I had SLC SD cards so i'm not worried about limited write cycles.