@stephenw10:

Anyboby else know how to use apinger to monitor other IPs?

Well, you could create bogus GWs. Frankly, with the source being unavailable, the thing reporting inexplicable "packet loss" when in fact there is none etc., I would not recommend anything like this.

@OP: Get back to the APs vendor about some centralized monitoring, also, there's SNMP and whatnot, again depends on particular HW model.

Do you actually need the public IP on your server?
Commonly this would be done by using a virtual IP on your WAN to get the second address and then 1:1 NATing it to the server.

Steve

Thanks for the buffer bloat explanation, figures comcast would have a huge buffer. :|

I did try the traffic shaping wizard, and that worked great to almost eliminate the upload latency spike while saturated, though download still hits about 200ms, which isn't all that bad I guess.  I'll continue to research and tweak it.

The only thing left I can't figure out is why polling causes the network interfaces to stop working, I would think Intel Pro NICs would support that feature.  Is there something in the kernel that isn't compiled in by default which is required for polling?

Indeed HAProxy is an option i think reverse-squid and mod-apache can also do this.
If your going for the haproxy option i recommend the 'haproxy-devel' package.  ;D (which i currently maintain)..

Writing this from my phone. after waiting another 20 minutes I did a force reboot.
I'm never using the gui updater again, broke my shit completely, wouldn't even boot complaining about some sbin installer init script is missing.

so right now doing reinstall and config restore.

this shit suck.

also I think the devs need to add to the gui a log output window to show what stage it's at in the update and any errors, because I had no fucking idea what caused this.

small bump.

Hello,

So after thinking and reading, I will not go away from pfsense.
It has a great captive portal system, that i will not missing.

I will try to establish the same like doktornotor and I hope this is working with capitve portal as well?

And when I put my second Box into "AP"-Mode where can I configure the sync to the master?

When the second box is in sync with the master, will it work with captive portal, so that users can log in on box A and Box B.
And do they have to reauthenticate when they switch from box A to B or visa versa?

Thank you for your help and your nerves.

So you only see one gateway? A common mistake is assigning a gateway on the LAN interface which becomes the system default and breaks routing.

Have a look in the PPP log. Do you see the modem connecting correctly, the username/password being authenticated, a public IP being handed out?

I assume that the modem is known to work, that you've tested it under some other OS, that it is in contract/has credit?

Steve

Sounds like you should additionally read the documentation that comes with your webserver concerning virtualhosts.

doing:

revealed a different openssl version in /usr/local/bin/openssl that was exploitable, so I did need to upgrade

You would forward 1 or more ports in to the pfSense WAN and make OpenVPN server/s listening on pfSense WAN.
You could have 2 servers - 1 that provides routes to both DMZ and LAN subnets. And give the different groups of people clients keys for the relevant OpenVPN server. That would eliminate those customers from seeing a route to the LAN at all. They should be able to use their domain username/password for connecting to the OpenVPN server.
Then put firewall rules on OpenVPN (you will probably need to assign an interface to each OpenVPN so you get a separate Firewall Rules tab for each OpenVPN server) to restrict which IP addresses are allowed to be reached.
When people connect to a file share on the server/s they will need to use ordinary Windows authentication - their domain username/password.

I go the the relevant LAN in pfsense and forward this to my server. But it will not go through.

Normally you make the port forwarding entries on pfSense WAN interface, for traffic with destination WAN address, port nnn, and forward to some address that happens to be in an internal LAN.

Thank you for that hint.

Now I have tried activating multiple queuing also. It seems to be stable.

@doktornotor:

You need to configure both DNS and DHCP, plus actually make the wpad entry resolve via DNS, since it is blocked by default on Windows DNS servers.

http://technet.microsoft.com/en-us/library/cc995158.aspx

Thank you for your help! I've added a CNAME to reflect the WPAD in pfsense and also configured that address into DHCP. It started working like a charm.

Hmm.
Are you running Squid in pfSense or doing any layer 7 filtering?
Do you see anything in the firewall logs when a mobile device trys to connect?

Is there a distiction between http and https sites? With the current Heartbleed crisis it's likely that ssl certificates are being revoked all over. Just a guess.

Steve

Thanks!  That's the ticket.  I appreciate the tip.

So you found it?

;D 8) :-*

OK, possible explanation found. I am running the bind package with some slave zones, and the timestamp of newest zone database file coincides with the 'Last config change' timestamp.