• Cron Job After Restart

    0 Votes
    2 Posts
    572 Views
    jimp

    That wouldn't be a "cron" job since those are periodic.

    To run a shell command after bootup in a way that would work across upgrades and such, look at the shellcmd package which runs shell commands at boot time.

  • Setup 2 LAN - 1 WAN

    0 Votes
    2 Posts
    932 Views
    jimp

    If the rules pass the traffic, and outbound NAT is set to NAT them out, it should work. Though there is not enough detail to say for sure. Make sure the rules pass all traffic, not only TCP.

    Some other things to check:

    Try to ping the firewall (their gateway); if they can't, then rules are probably to blame.
    Try to ping an Internet host by hostname, such as www.google.com; if it can't translate the name to an IP address, check your DNS.
    Try to ping an Internet host by IP address, such as 8.8.8.8; if the other parts work but that does not, it's likely outbound NAT.

  • Thinking about Going pfSense

    0 Votes
    7 Posts
    1k Views
    ?

    I second a fanless solution, something like an alix board etc.. You'll go from ~60watts to ~10watts. Spec wise you'll just want 1-2gb of ram unless you want a crap ton of firewall rules / snort rules or something of that nature.

  • Device on LAN can't ping device on LAN2.

    0 Votes
    8 Posts
    2k Views
    stephenw10

    Win!  ;D

    Steve

  • Belgium members

    0 Votes
    1 Posts
    516 Views
    No one has replied

  • IPSENSE AS A DSL MODEM?

    0 Votes
    5 Posts
    1k Views
    jimp

    Looks like it's well covered in the thread but worth repeating in summary:

    Internal ADSL cards are:
    1. Difficult to locate/source
    2. Expensive
    3. Unsupported
    4. A bad idea from an electrical/surge point of view

    Working in PC repair years ago, I saw dozens of DSL modems fried over the years, and countless more entire PCs fried because of internal dialup modems. Replacing a DSL modem is probably on the order of $25-50, if that. Replacing your entire firewall (and the DSL card!) would be significantly more expensive. Surge protectors aren't perfect… It's not worth it.

  • Pfsense with existing router?

    0 Votes
    4 Posts
    3k Views
    stephenw10

    This is an odd setup you have. What are you doing with the various machines on each side of the pfSense box?
    Normally to access services running on machines behind pfSense, a web server for example, you would use port forwarding. Each of the services you want to access would appear to clients on the WAN side to be running on the pfSense WAN address.

    If you actually want to be able to access machines behind pfSense directly you need to have pfSense act purely as a router. You'd need to disable NAT, add firewall rules and then give the clients a route by manually adding routes to them.

    Steve

  • Auto DHCP on WAN not working when ISP WAN DHCP renews on PFsense 2.1

    0 Votes
    7 Posts
    4k Views
    A

    @twp01:

    This is the full script I am trying to run through CRON, it is the one the link went to, but here it is posted in its entirety. Thanks

    #!/bin/sh

    #=====================================================================
    # pingtest.sh, v1.0.2
    # Created 2009 by Bennett Lee
    # Released to public domain
    #
    # (1) Attempts to ping several hosts to test connectivity.  After
    #     first successful ping, script exits.
    # (2) If all pings fail, resets interface and retries all pings.
    # (3) If all pings fail again after reset, then reboots pfSense.
    #
    # History
    # 1.0.2  Added turn dhclient on for the interface. (Dice81)
    # 1.0.1  Added delay to ensure interface resets (thx ktims).
    # 1.0.0  Initial release.
    #=====================================================================

    The script is working, but if it runs from the pfsense Cron package, it needs the full path of the /sbin/ping executables as well, otherwise it reboots the pfsense every time.

  • High ping times when uplink is saturated

    0 Votes
    5 Posts
    1k Views
    N

    This thread over on Broadband reports is pretty educational regarding QoS.

    … - Latency and QoS - ...
    http://www.dslreports.com/forum/remark,27252457?hilite=comcast

  • How Do I just get Rid of This "PFSense"

    0 Votes
    7 Posts
    2k Views
    G

    Thank you so much guys!!!!!! It's a USB keyboard, and I replaced the removable battery and it noticed the keyboard, in which I booted into BIOS and I overwrote my Linux distro over PFSense and all is working as needed!
    PROBLEM SOLVED.

  • Unstable pfSense configuration

    0 Votes
    5 Posts
    1k Views
    N

    Thank you very much for your help!

    Fortunately after extensive troubleshooting, I found that my subnet mask on my WAN interface was wrong, because pfSense requires CIDR prefix, I just got it wrong during my initial configuration of my box.

    Now after this fix, the box behaves stable. I'll continue monitoring the system, but I think this was the root cause of my problem.

    Thanks to all of you, who take time to help me!

    Have a nice weekend!

  • Probe Interval

    0 Votes
    6 Posts
    2k Views
    N

    It is consistent with other descriptions.  e.g. "Low and high thresholds for latency in milliseconds. Default is 200/500."

    Also please be sure to read the explanation and example at the bottom of the advanced section.

    Given those, it should become clear that it is a time, in seconds, that is being entered.

  • Use subdomain.mydomain.net from outside/inside network

    0 Votes
    5 Posts
    1k Views
    J

    It's working now with "Enable (NAT + Proxy)"
    Thank you!
    I do now have proxy running what does that option mean?


  • Access Point deployment

    0 Votes
    14 Posts
    3k Views
    johnpoz

    Get my vote for the unifi stuff as well.. I recently got their AC indoor AP, and run the controller software on a linux vm..  Not saying their 3.x version of the software is perfect yet..  But they are making great progress.  Update of the controller software and firmware on the AP is simple apt-get upgrade and then click upgrade on the firmware to update your APs.. Be it you have 1 or 100 of them.

    For the budget minded – clearly the way to go.  This was only for my home setup - so the $300 cost of the AP might be on the high side for some home users..  But I like to play with the current stuff - this gives me something to play with in the AC world, while picked up a pce-AC68 3x3 card for my pc to play with..

    So you currently manage your 40 APs all by hand??  That would suck ;)  I would really look into the unifi stuff for doing it in an enterprise way while on a soho budget ;)

  • PfSense latest + virtual IPs (P_ARP) + server with public IP

    0 Votes
    2 Posts
    1k Views
    J

    Anyone? Please!

    Kind regards,

    Joao

  • Poor network performance

    0 Votes
    34 Posts
    8k Views
    C

    "I am now having issues where things load randomly. 99% of stuff loads fine, some things (certain Youtube videos, sometimes pictures on shopping sites), simply don't load at all, ever."

    I'm almost positive that it is Snort. The HTTP INSPECT goes wild often and for me anyways when pictures are loading on Amazon for instance this will happen:

    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3

    #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
    suppress gen_id 120, sig_id 8

    #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
    suppress gen_id 120, sig_id 6

    AND when downloading a file this happens sometimes:

    #ET POLICY PE EXE or DLL Windows file download
    suppress gen_id 1, sig_id 2000419

    I would just try suppressing those. Maybe even clear out your alert list afterward and try accessing the site again and then check your blocklist in Snort to make the necessary suppressions. That's the thing about Snort. It's a wonderful program but it also needs babysitting to make it work right. I have found that if my firewall rules are good then I don't even need it but then again I don't have anything facing the public.

    I would also just run one package at a time to see where the problem may be coming from as well.

    "After installing/giving up/uninstalling/revisiting a dozen times, I think it has left pfsense in a state where there are artifacts remaining from various packages, and the system is simply not stable or performing. "

    This can also be an issue so you're on the right track. I have noticed that for instance with HAVP, if I disable the proxy but I don't clear the checkboxes strange anomalies happen where things would just be very slow etc… Especially if you checked something that uses a RAM DISK. That needs to be unchecked along with any other customizations. I know that other packages have that option so you might want to check that out.

    Also, one way to fix some problems is to go to your console and run a shell and then type fsck.  I think that you only have to run a shell if your console is password protected. Normally I could just press CTRL C to get the # to popup and then you can type fsck. It will check your file system for integrity problems.

    "Hopefully a vanilla install will work.  Although after seeing all the things squid is detecting,"

    That may be your best bet. Until you get a handle on a package I just wouldn't use it and if you're really concerned about younger users and where they go, HAVP worked very well for me when I needed it for that purpose. Simply because, say they go to a site that you don't want such as something complicated where it's not just zzz.youtube.com or whatever it may be. Say it's zzz.cn.thissite.dontgothere.com Let's say the prefix changes from cn to zb. If you put an item on your blocklist like this the site and the whole domain would not be accessible.

    These are the formats that are available for HAVP.

    *Enter each destination URL on a new line that will be accessable to the users without scanning. Use '*' symbol for mask. Example: .github.com/, sourceforge.net/clamav-, /.xml, /.inc

    So you could type in the blacklist area something like this  .thissite.dontgothere.com/  so that even if the prefix changes it's blocked still. You could do it all the way up to just .dontgothere.com/  .  HAVP is very powerful in that effect. As you can see, by typing something like /.xml  you can block all of xml.  You can do the same thing to any extension. You could block anything like .org, .mil, .cn, .php or whatever your fancy is that day. You could essentially do the same thing with the allow list but I don't recommend that. Another thing to consider is to just make your own blacklists.

    I have found that downloading blacklists is not nearly accurate enough to provide a lot of use. Also, there is a great set of rules in snort that prevent going to sites that young people shouldn't be going to. Which is emerging-innapropriate.rules. Just enable them all and if there is a problem find which rule is doing it and suppress it. I had to remove that because it did not work for me. Perhaps Dans Guardian would do a better job.

    Back to HAVP though. Just like any other package of this sort there will be false positives, such as when Adobe Flash needs to be updated it will flag it as a virus, so that's when you have to do your homework and find out exactly what addresses it needs to do the updating without problems and then use the allow list.  Like I said before though, if your LAN rules are golden then you really don't even need these packages. You could just make aliases and block the sites by way of IP address that you don't want people to go to. There's a lot of ways to use pfsense that are made redundant by some packages. Just something to keep in mind. Get used to using the ping tool in pfsense to help with sorting out IP addresses. Then go look it up at CIPB if you want to block an entire IP range via CIDR.

    Have a good day.
    Cmellons

  • Routing networks correctly.

    0 Votes
    3 Posts
    873 Views
    Derelict

    A third VLAN as a management VLAN is another option.  Or choose one and use that as your management VLAN.

  • 1000x WAN Traffic increase

    0 Votes
    40 Posts
    5k Views
    M

    @newburns:

    Is it beneficial to continue troubleshooting the HVAP issue?

    Well, I'm thinking that your initial concern is now resolved - the WAN traffic has been identified and stopped. If you want to keep working on the HVAP issue(s) perhaps start a new topic in the Packages forum? https://forum.pfsense.org/index.php?board=15.0

  • CPU Use High - /usr/local/bin/php

    0 Votes
    5 Posts
    2k Views
    E

    Same problem for me. I came from 2.0.1 and upgraded to 2.1.3.

  • Replacement of IPCop with url filter

    0 Votes
    3 Posts
    1k Views
    A

    Hi,

    Thanks for the reply. The advantage of the URL filter was to make it easy to set limits. I use it in a school and I just have to say no porn, no violence, etc., and put some sites in the white list (my webmail is considered as porn…)
    No need to be a geek for that, just need to know how to read.

    I found on the internet a howto about Squid + Squidguard, I will give it a test.

    thanks

    Philippe

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.