@phil.davis:

Try this to generate the list of FaceBook IPs:
https://forum.pfsense.org/index.php/topic,69860.msg383922.html#msg383922

Then use the Alias as destination in a pass rule on LAN and direct that traffic to the VPN gateway.

That's … brilliant. I can use this for so many other sites it would be nice to anonymize too. Thanks!

Thanks for your help everybody. This was a compound issue, and it looks like everything has been explained now. I appreciate the help.

Sounds like something got botched on install.  Maybe you accidentally put in a bad setting.  I'd reinstall again and start from fresh.
Much easier than trouble shooting a broken install.

BTW - I'm also running similar CPU as you, also broadcom on the WAN with 4 gigabit intel PCIe NICs for LAN.  It should work no problem.
This ugly pfsense for some reason is the most reliable one for me.  Seems to never glitch at all.  Its my personal use box in Maryland.

Because traffic is allowed out of an interface by default, without a firewall rule. Thus there is no rule capturing the traffic to log it.
It requires a rule on LAN because it's going in on that interface and hence is logged (assuming you've enabled logging on whatever rule you have there).

You should see that traffic arriving over the IPSec tunnel is logged on the IPSec interface and not the LAN.

The only exception to this are the floating rules which can operate both in and out.

Steve

@heper:

this is a freebsd 8.x problem … working around it, is not hard. once installed you can turn your cores back on.
imho, nobody will bother to fix ancient bsd releases.

you could try the pf 2.2 beta on freebsd10.1, perhaps they've fixed it there.

;D

Hello,
I find the problem.
Other users ask me to change the GUI to Portuguese. And some settings don't work in Portuguese.
I set GUI to English and it works again.
Thanks.

Helps when you read instructions! Its up now :)

http://en.community.dell.com/support-forums/network-switches/f/866/t/19445142

Ok so I revisited my code after giving it a rest for a few days and made some progress on my original idea of creating an Alias called "Whitelist" and then programatically updating that list by pushing the config.xml file from the server, updating the Whitelist Alias, then pulling the config.xml file back to the firewall and reloading the config….

The issue I ran into was  that running rm/tmp/config.cache would not apply the changes…

Today I found that if you run both rm/tmp/config.cache and then /etc/rc.filter_configure it will apply the rule!

Two questions…

1. Are there any unforeseen issues with running the /etc/rc.filter_configure script… it looks like it is pretty straight forward.. and I did not see anything obvious…

2. Is there any way to preflight the config.xml BEFORE is run the commands to reload it? Like you can with Apache?

I am running all kinds of safety checks in my script that updates the config.xml.. but I want to be as safe as I can be…

For anyone interested here are more details…

I am running coldfusion on a box that is open to all Ip address on the WAN.

1. I have a page on that server that requires the agent to authenticate to.

2. The coldfusion script looks at the users IP and determines if it is a new one.

3. If it is a new one it updates a database for that users profile and sets a flag that tells a scheduled task (cron job) that a new IP needs to be added to the whitelist.

4. The scheduled task runs every five minutes and looks for the update flag… if it sees it it runs…

Here is what it does….

Gets the new IP whitelist from the server… uses putty to run a .sh script on the firewall that FTPs the config to the coldfusion server (all done inside the LAN) Replaces the previous whitelist with the new whitelist uses putty to run a .sh script on the firewall to ftp the config.xml file back to the firewall server runs a .sh script to reload the config..

I just found the vm.swap_enabled sysctl, and have now set this to 0 in the system tunables section. Hopefully this fixes it. If anyone knows any other places that swap should be explicitly disabled please let me know.

Yep with that configuration you could easily setup a VLAN that only terminates at each pfSense box and use that as a dedicated connection to route the traffic.

Steve

Thanks for pointing me in the right direction. I was able to access my website using Host Overrides at the General DNS Forwarder Options.

Intermittent fault. Failing switch, failing NICs. Failing under high load or memory use conditions. Failing due to some unusual network traffic.
The older Realtek NICs used to suffer watchdog timeouts with monotonous regularity on some hardware/driver combinations. Despite some concerted effort to determine a cause none was found but suspicion fell on fragmented packets being a common cause. Many people were able to eliminate or massively reduce the issue by placing a good quality switch immediately connected to the Realtek NIC. I'm not saying that applies here though, that was a much older NIC, but you can see how it could work fine for months and then suddenly fail when some new or updated piece of software starts sending differently formatted packets.

Steve

any news?

need to be sure my outgoing trafic is encrypted

So pfsense and squid on the same lan – lets call them pf 192.168.1.1 and squid 192.168.1.2

How would pf have anything to do with other lan members say 192.168.1.3 talking to 192.168.1.2??  Unless there was a duplicate IP, or dhcp server change?  What is your dhcp server on this lan?  Are clients static?  How are they pointed this proxy?  Autodiscovery/wpad/implicit?  What are the clients gateway - what is the gateway off this network?  Pfsense?

Really need some more info to guess to that the issue could be.

I updated a different old post- but related to this- this morning
https://forum.pfsense.org/index.php?topic=68229.msg467037#msg467037
I think the strange timestamps in the system log are somehow a key factor in this- because only the lines that start with "check_reload_status" have the incorrect timestamp. I am also using an embedded image.