• 503 - Service not available in Dashboard

    4
    0 Votes
    4 Posts
    1k Views

    Reset to factory defaults got me going here. Couldn't find anything less invasive… :(

  • Daily (or weekly, or monthly) quotas per user?

    5
    0 Votes
    5 Posts
    2k Views

    @jimp:

    You'd have to use Captive Portal + RADIUS accounting and then the RADIUS setup would handle the bandwidth tracking and long-term decisions.

    Well, that sounds complicated!

  • Limiter works sporadically, works after states reset

    1
    0 Votes
    1 Posts
    657 Views
    No one has replied
  • Access control at the network level

    6
    0 Votes
    6 Posts
    4k Views
    jimp

    Correct.

  • PfSense as a stratum 1 time server

    6
    0 Votes
    6 Posts
    2k Views
    mcdonnjd

    @stephenw10:

    Conversely I would be less likely to do it on a work box just because the consequences of some yet undiscovered NTPd exploit would be so much worse. If my home firewall goes down for whatever reason I get grief but I'm unlikely to find the locks have changed when I get back. If a firewall I'm managing for a business goes down (or worse gets owned) because I opened NTPd to WAN as a public service that's a different matter. You could see this as simply increasing the attack surface of the firewall which is never a good thing. If you want to run a public NTP server the firewall should not be your first choice.  ;)

    Or there's always the possibility some company could make a consumer router and hard code your IP address in the firmware and set a ridiculous refresh rate when it can't reach the server and end up having you be flooded by tons of NTP traffic, bringing your network to a grinding halt. (This actually happened to the University of Wisconsin, courtesy of Netgear: http://pages.cs.wisc.edu/~plonka/netgear-sntp/)

    But as mentioned, at work, I would not be running this on the firewall. (We run an ASA at work, though I've mentioned switching to pfSense when the discussion of replacing it has come up. Though I believe the last word on it was simply increasing the memory on it instead, though I don't believe that has happened yet.) My FreeRADIUS (on FreeBSD) server would be the most likely candidate for being a stratum 1 server (currently I believe it's a stratum 3) unless I special built a machine specifically for NTP.

  • Will this be Fixed?

    6
    0 Votes
    6 Posts
    1k Views
    stephenw10

    That's unlikely to work because the pfSense box will not route the traffic with only one IP.
    You could do it if you don't have Squid in transparent mode.

    Steve

  • Bandwidthd Package Services Not Running

    3
    0 Votes
    3 Posts
    742 Views

    Thanks for the reply, but sorry I was not able to understand what to do?

    Please let me know how to do that briefly.

    Thanks.

  • Newbie Question: How to gain root?

    5
    0 Votes
    5 Posts
    7k Views

    @MindfulCoyote - admin and root are there by default, however…
    @JeGr - The point of this exercise is to not memorize and distribute the admin password :]
    @stephenw10 - Doh! Completely missed this in the list of packages. Thank you!

  • Webgui not working

    8
    0 Votes
    8 Posts
    3k Views
    stephenw10

    Right but as divsys said have you proved that the server isn't using http (non-encrypted) on port 443. That can make connection difficult because browsers try to be helpful by automatically using https as soon as you specify port 443 and vice versa.

    You could try re-assigning the LAN interface IP in the console menu via option 2. You can assign it the same address so that nothing changes but it should ask you 'do you want to revert to http?' or something similar to which you can answer yes. It doesn't on my 2.2 alpha test box I have here though.

    The config file is /conf/config.xml. If you SCP that off the box you can reset it to factory defaults or look through it for a config error (such as http on port 443). You can try editing the file whilst on the box:

    ee /conf/config.xml

    Look in the <webgui> section.
    Change back to http on port 80 and then reboot. Obviously manually editing the config file is open to error.  ;)

    Steve

  • Routing Loop?

    7
    0 Votes
    7 Posts
    3k Views
    stephenw10

    @evano666:

    I should also mention I already have a rule in place for ICMP…

    IPv4 ICMP * * * * * none

    Where is that rule?

    As others have said, what sort of NAT arrangement do you have on these virtual IPs? It would be common to use 1:1 NAT to your internal servers but if you're not doing that then have you NAT'd ICMP?

    Steve

  • Configure pfsense inside the lan

    3
    0 Votes
    3 Posts
    865 Views
    johnpoz

    Um that is not a wan IP, that is a rfc1918 address that you would use on our lan.  Why do you need to control bandwidth on your lan?  To your 2k8 server?  If you go into more details of your perceived issue and what you would like to do to fix it.

    We can either agree this is best solution, or maybe point you in better direction.  Maybe pfsense can solve your problem, maybe not - but without understanding what you're wanting to do exactly??

  • Bandwidthd not working on new install of pfsense 2.1.3

    5
    0 Votes
    5 Posts
    1k Views

    For other readers, bandwidthd defaults to writing stats at 2.5 minute intervals. As long as there is more than the minimum traffic seen (about 1MB from memory) then there should be data and graphs generated within 5 minutes of enabling it.

  • Help with rules, schedules, traffic shaper

    2
    0 Votes
    2 Posts
    705 Views

    You should be able to put a pass rule for traffic from the alias, select the limiters you want and schedule you want. Then after that put a deny rule for traffic from the same alias. Then at schedule times the pass rule will apply first and be effective. Out-of-schedule-hours the deny will be hit.

  • Routing between OPTs

    2
    0 Votes
    2 Posts
    775 Views

    Routing between directly-connected networks "just happens" once you put firewall rule/s on each interface to allow the traffic - e.g. on OPT1 put a rule that allows source OPT1net destination LANnet. No need to do any port forwarding or other tricky stuff.
    To access a server that has a public name that is port-forwarded back inside your own network you can use NAT reflection. But actually it is easier to do "split-DNS". In pfSense DNS forwarder add a host override for that public name, pointing to the local/private IP of the server. Then LAN-side clients that ask for the name to be resolved, will get an answer that is the local/private IP of the server, and they will successfully connect locally to it.

  • Pf sense firewall

    16
    0 Votes
    16 Posts
    3k Views

    Abandoning this project, didn't get it to work.
    Thx everyone for their help

  • Weird php error, firewall is down

    2
    0 Votes
    2 Posts
    788 Views

    [SOLVED]  -  It was the USB disk that went bad.  I put in a new one and restored the config and we're back in business.

  • PfSense squid proxy error.

    1
    0 Votes
    1 Posts
    501 Views
    No one has replied
  • Description fields stripped of characters when synced?

    1
    0 Votes
    1 Posts
    558 Views
    No one has replied
  • Apinger weirdness

    5
    0 Votes
    5 Posts
    1k Views
    Derelict

    Restarted apinger (killed it then saved the gateway config and applied) and now it's back to 0%.

  • Who is to blame, me or ISP?

    8
    0 Votes
    8 Posts
    2k Views

    @chemlud:

    And the service quality was OK with ownit? I have different experiences… Was it with a fixed IP, too?

    The providers all lie, when you complain about the lousy quality, nobody tells the truth and often I have the feeling they don't even know what they are talking about (as usual at level-1 service, very difficult to escalate a complaint to a level where you talk to a competent person who knows what he is talking about)

    I had that with Telia, too, in the past, they "repaired" a telephone line in the neighborhood and simply disconnected our IP-line. Took more than 1 WEEK to get back online. Nightmare...

    Dynamic IP from Ownit, but it remained the same for several months. Did not have the pfsense loaded equipment at the time so I have no quality statistics from that connection. Speed was great however!

    I was promised a more detailed investigation if the issues continue, they say that they have done some "maintenance" last night. I recognize the support patterns from my professional work as well (at one of the world leading exchange companies), it's hard to get things started sometimes…

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.