  • System log filter not filtering properly

    0 Votes
    7 Posts
    3k Views

    That's my bad, I should have realised it was regex; can't remember the last time I called it "regular expressions", so I was trying logical expressions, ie =+-<>&

    The thing that threw me is there are only 35 chars for the IP addresses, which isn't enough space for IPv6.

    Anyway, for anyone else interested in how regex works, the link has some good examples to explain.
    http://www.proftpd.org/docs/howto/Regex.html

    Or a quick overview can be seen below.

    ^ caret matches the start of a string, eg ^192 will match all entries that start with 192, ^10 will match all entries that start with 10. Although not relevant on this page, in other applications ^&foo will match all entries that start with &foo and ^@domain will match all entries that start with @domain.

    $ dollar sign is similar but the opposite of caret, in that it's used to match the end of a string, eg 10$ will match all entries that finish with 10, @domain$ will match all entries that finish with @domain.

    . period matches any single character, eg 1.2 will match the 3 digit numbers 112, 122, 132, all the way up to 192; s.f will match any 3 letter word that starts with s and ends with f, eg saf, sbf, scf, sdf and so on.

    open and closed square brackets will match any one or more entries containing the numbers, characters & symbols encapsulated in the square brackets, eg [192] will find all entries that have 1 and/or 9 and/or 2, [abc] will match all entries that contain a and/or b and/or c.
    Numerics in square brackets can also contain a range, eg [0-9] will match all entries that contain one or more of the numbers in the range specified inside the square brackets.

    | vertical pipe/bar is an either-or operator, eg ^192|21$ will match either all entries that start with 192 or all entries that finish with 21.

    \ backslash is used to prevent the special meaning of operators, eg \. will make . (period/full stop) behave like a period/full stop and not a single char match, hence the \. in the example Jimp provided. \^ will prevent the caret operating as a match-the-start-of-a-string, eg \^foo will find all entries that contain ^foo.

    ? question mark will match once or not at all, eg 19?2 will return 192 and 12 only, he?llo will return hello or hllo.

    * asterisk will match as many times as possible or not at all, eg 192* will return 192, 19, 1922, 19222 and so on. + will match at least once, eg 192+ will return 192, 1912, 1922, 1932 and so on.

    *, +, ? are acted upon first, followed by any concatenations, and then finally |.

    fwiw.

  • Wrong time

    0 Votes
    11 Posts
    5k Views

    Time zone mismatches can cause problems with other systems or flag up alerts; less so with Windows, as it doesn't record time properly in the first place, which is why you'll never see Windows being used in High Frequency Trading platforms, which rely on fractions of a second to carry out trades. But even this year's leap second will cause some problems if the programmers are not aware of it.

  • Cannot Ping LAN from WAN

    0 Votes
    8 Posts
    2k Views

    Thank you Derelict

  • IPSec throughput with pfsense

    0 Votes
    13 Posts
    7k Views

    A fix will go in for 2.2 that will correct the issue.

  • Yet another ATT/NVG510 setup, complete with problems.

    0 Votes
    3 Posts
    922 Views

    OK, well I might have answered my own question. I reset pf and the modem, disabled IP passthrough. The pf WAN NIC got a 192.6i.15 address, I plugged my laptop into the switch where the pf LAN NIC is uplinking to, I pulled a DHCP IP from pfSense, however I cannot ping out.

    Am I screwed with the idea of using pfSense in this situation? I need and want to load balance these lines.

    I sit here not totally sure of what the actual problem is.

    Right now pf only has 1 IPDSL line plugged into a WAN NIC, and since I reset pf to defaults there is no other config confusing it. It has 1 WAN and 1 LAN and I still cannot get outside. WTF am I doing wrong here?

  • Quck/easy IPv4 subnet setup question

    0 Votes
    3 Posts
    787 Views

    @Derelict:

    I would do a couple things:

    First, /24s are fine and everyone expects them.

    I would pick something at random like 172.24.0.0 then split that into /24s.

    172.24.0.0/24
    172.24.8.0/24
    172.24.16.0/24
    172.24.24.0/24
    172.24.32.0/24

    That way you can increase any of the subnets if you want later.  You can cover everything with 172.24.0.0/16 if you want.

    If you're going to renumber, just get off 192.168.0.0/24, 192.168.1.0/24, and 10.anything/anything.  Your likelihood of having a collision over a VPN with the above 172.24.0.0 networks is pretty slim.

    No need to go nuts.  Main thing is to get off the common networks to avoid future collisions.

    I lied. I forgot an interface/VLAN. It's actually this:

    Current Setup:

    WAN1 - 5x Static IP's from ISP1
    WAN2 - DHCP from ISP2
    LAN - 10.x.x.x/24
    OPT1 - 10.x.x.x/24 (wifi)
    OPT2 - 10.x.x.x/?? (VLAN to kids/family wireless router)
    OPT3 - 10.x.x.x/24 (VLAN to ESXi Cluster1)
    OPT4 - 10.x.x.x/24 (VLAN to ESXi Cluster2)
    OPT5 - 10.x.x.x/24 (VLAN to ESXi VMkernels)

    I see your point with the 10-dot Class C's… but it is what it is at this point and I/we have used these numbers for years so they correspond to things and would be a PITA to change. The only thing that will EVER be attached to that VLAN is that one wireless router. VLANs are easy enough to create and/or modify anyway. Unless anyone has reason not to, I'll just give the thing a full Class C and be done with it.

    Thanks.

  • Slow websites

    0 Votes
    11 Posts
    2k Views
    Derelict

    If it were me I'd take a backup of the config, install fresh, and put a minimal config on it (just WAN/LAN/NAT, no Snort, no packages, etc.). If it still does it, you've pretty much eliminated pfSense and can start looking elsewhere.

    You can always restore the config and be back where you are now.

  • Warnings Displayed When Adding New TLS Certificate

    0 Votes
    9 Posts
    2k Views

    @donaldo:

    so is the warning something to be concerned about?

    It'll cause GUI display issues and the error pasted by OP because of the PHP bug linked earlier in this thread. Things that actually use the certs though should all be fine as none of that is dependent on PHP.

  • Web Gui Wan Access!!!

    0 Votes
    2 Posts
    1k Views

    I think you have some trouble with network classes. A class A net has the CIDR /8, a class C /24.
    https://en.wikipedia.org/wiki/Classful_network

    192.168.1.10/255 is not a possible network.
    A class A net for wifi??? You will need thousands of APs to serve the clients.
    But this is your beer and not the topic.

    If you don't remove the default allow rule on the LAN interface or add a block rule for your local network at the top, the wifi clients will also be able to access your local hosts! So the firewall will have no effect!

    To access the 192.168.1.10 WAN IP, at first you have to remove the check at "Block private networks" on the interface configuration tab.
    Then you have to add a rule (Firewall > Rules > WAN) to allow traffic on the WAN interface to WAN address and the webConfigurator's port (by default 80 and 443, therefore you may use an alias). You may also restrict the source to allow access just from a few IPs.

  • Finished pfSense rig

    0 Votes
    1 Posts
    766 Views
    No one has replied
  • Need help with Active Directory configuration

    0 Votes
    16 Posts
    6k Views

    @doktornotor:

    @TyMac:

    Also, I still cannot actually log in with the AD admin user.

    Cannot log in where? You know, this works just fine here for the WebGUI, with RouterAdmins AD group, and same pfS local group with proper permissions assigned. Worked in 2.1.x, still works with 2.2. Also working for OpenVPN + Radius/AD.

    Post some logs/info, nothing to work with here!

    Can't log in to the pfSense web admin page with the admin AD user I created that works with the bind credentials parameter. What log do you want me to post?

  • Unable to access some sites when going through pfsense

    1 Votes
    14 Posts
    8k Views
    stephenw10

    Thanks for coming back with that useful info. Must be quite a few people that have been hit by this. Safari 5.0.1 was released in 2010 though, so almost everyone using it would be affected, you'd think.

    Steve

  • RRD traffic graph

    0 Votes
    2 Posts
    792 Views

    You could try disabling and then re-enabling RRD backend graphing. Select 'Status/RRD Graphs' from the top menu. Select the 'Settings' tab then untick and re-tick the 'enables' option.

  • Nic says 100 base pfsense says 1000 base

    0 Votes
    19 Posts
    3k Views

    Sorry, went on holiday and busy. The issue was the first switch; it is a Fast Ethernet. I switched the switches. I now have full gigabit on both WAN and LAN. Thank you guys for putting up with my ignorance; I greatly appreciate you guys being fast on your responses and taking the time to help me out.

  • PfSense sees LAN but no WAN

    0 Votes
    2 Posts
    667 Views
    Derelict

    WAN should default to DHCP.  Is your DSL PPPoE or DHCP?  You might need to call your ISP for the details.

    Have them also tell you how to get your DSL modem in bridge mode so it's transparent and the pfSense WAN address picks up the outside IP address.

    Then you need to configure your WAN interface for either DHCP or PPPoE according to their instructions.

  • Pfsense as proxy server on an existing VPN network

    0 Votes
    5 Posts
    1k Views

    Does not make any sense whatsoever unless it's a managed switch with VLANs. Cannot even see how that fixes the "every time we control internet access (giving internet access to specific IP, blocking websites etc.) we always call our ISP to perform the task" issue.

  • MOVED: about haproxy-devel

    Locked
    0 Votes
    1 Posts
    532 Views
    No one has replied
  • 0 Votes
    2 Posts
    667 Views

    If you want to see the requests like that with URLs, you need Squid and its logging. Squid is essentially equivalent to TMG's logging of proxied traffic in that regard.

  • PfSense and perimeter security

    0 Votes
    2 Posts
    849 Views
    KOM

    I've had good results with Snort.  pfSense also has Suricata.  Both are IDS engines (Intrusion Detection System) that load daily update files with threat parameters.

  • How to make apinger ping a gateway on a remote subnet?

    0 Votes
    5 Posts
    1k Views

    Hmmm I just tried again and it worked OK, not sure what I did wrong. Maybe I'll delete this thread.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.