You can set it but it appears to get ignored and the pppoe1 interface always gets set as 1492.

Last I heard jumbo frame support didn't get added to the FreeBSD version of PPPd (2.4.6) until January this year.  But I'm unaware if the latest update (pfsense 2.1.1) includes this newer version.

I know if I manually ifconfig pppoe1 mtu1508 packets still get fragmented,  which is a shame.

@casoah:

You realize I can just toss the setup away at any time right?

Yes, so do it… yesterday was too late.

@casoah:

EDIT: I got it, I just had to disable ip masquerading on openwrt.
You guys could have mentioned that instead of bashing btw

You have been told at least twice that you are double-NATing.

If your trying to access your public IP from the local network you want to enable the nat-proxy in advanced settings. IF your having trouble even pinging your public IP I suspect you are suffering from double-nat ( is your modem a router as well? )

I can help you brother send me a message.

@PostalPreacher:

If I were to leave my webserver on the same lan as the rest of my network (workstations and webserver would all be on the .49 public address), would I still be able to do NAT reflection with pfSense?

You have 4 different WAN gateways? That is do say, you have 4 WAN subnets, right?

So add your subnets to WAN interface in Firewall > Virtual IPs.
Than add the 4 gateways in System > Routing.
After that you can go to Firewall > NAT > Outbound, mark "Manual Outbound NAT rule generetion" and click the save button. Configure the outbound NAT rules for each of your servers to use the gateway you want it to use.

Now it's should be done.

Lets not forget that there is no scanner on the planet that detects all bad files.

I have to wonder how your "server" would get infected to be honest - other than some worm running on your network.  Why would you be browsing or executing anything other than trusted exe on a "server" in the first place?

It's not possible currently, CARP does not support an active-active configuration at this time for load sharing.

The anti-lockout rule is there to make it more difficult to lock yourself out especially if you're not very familiar with the firewall. You can still tighten up the LAN rules though. You can still lock yourself out.  ;)

Steve

thanks bro, its has been solved :)

nanobsd is the way to go

Thanks, I submitted a bug report for this issue.

Check to see if the mtu is 1492.

Yes.  The Suricata package will decode and log all HTTP traffic.  You can see the source/destination address and the exact URL that is being requested.  Everything is timestamped.  However, it is a 'raw' log and will require some manipulating to pull it into a more readable format.

Another alternative is Netflow.  Export the data to a Netflow collector and you can see the conversations, but not the actual URL's being requested.

Another less informative alternative is to use OpenDNS.  You can generate reports on what domains are being requested, but not from which machine and the report is only on a full-day basis.

EDIT:  The squid solution posted above would be a very good way to accomplish what you want.

Are you able to ping from a SEC device to a DMZ device? What about from the DMZ interface to the SEC network (within pfSense in Diagnostics -> Ping)?

@jimp:

Sounds like either ntop is running multiple times, or you have a clock issue causing ntop to believe the clock is stepping backward or not ticking properly.

Time zone set  Europe/Athens
from console-terminal  is ok.
Must to configure and ntop time ? seperetely ?