• [SOLVED]pfSense not routing LAN to WAN

    19
    0 Votes
    19 Posts
    21k Views
    K

    I just wanted to inform you that a fresh installation of pfSense did the trick, WITH LAN as a private network in Hyper-V and WAN as an external network  ;)

  • Sudden high latency ( check_reload_status?? )

    12
    0 Votes
    12 Posts
    3k Views
    X

    Does anyone have any theory as to the cause? I would restart apinger or reboot the firewall and it would go away, as some have mentioned, for a matter of hours and then be back. Mysteriously, the problem seems to have subsided. Anything further I can do in regards to troubleshooting or additional information gathering? Worth submitting a bug report?

  • WAN disconnects then reconnects several times each day

    3
    0 Votes
    3 Posts
    1k Views
    D

    If the error count is accumulative, there are none shown.

    Status up
    MAC address 1c:af:f7:0e:57:da
    IPv4 address xxx.xxx.xx.xx 
    Subnet mask IPv4 255.255.255.0
    Gateway IPv4 WANGW xxx.xxx.xx.x
    IPv6 Link Local fe80::1eaf:f7ff:fe0e:57da%vr0 
    ISP DNS servers 127.0.0.1
    xxx.xxx.xxx.xxx
    x.x.x.x
    Media 100baseTX <full-duplex>
    In/out packets 701359/732555 (328.44 MB/324.27 MB)
    In/out packets (pass) 701359/732555 (328.44 MB/324.27 MB)
    In/out packets (block) 716/2 (121 KB/152 bytes)
    In/out errors 0/0
    Collisions 0

  • Duplicate first hop (but network seems fine)

    2
    0 Votes
    2 Posts
    728 Views
    S

    A couple of days later and - without touching the pfSense box - this problem seems to have disappeared. Weird!

  • Multi Switch, VLAN Tagging, HELP!!!!

    2
    0 Votes
    2 Posts
    880 Views
    P

    Yes, pfSense is capable of VLAN for most interfaces. If you create a VLAN20 in pfsense, then you could block access back to the corporate LAN and limit the speed to the internet.

  • Finding source of traffic

    5
    0 Votes
    5 Posts
    1k Views
    B

    I haven't been able to figure out what is going on here.  I went ahead and disabled port 8843 from the outside and logged all ping requests, however the odd traffic continues.

    In terms of packages, here is what is installed:
    Lightsquid
    mailreport
    NRPE v2
    pfBlocker - 4 lists set to download daily
    Sarg
    squid
    squidGuard

    I will keep looking at the States table, but nothing is jumping out at me.  Any other thoughts would be greatly appreciated.

    Thanks for the help so far.

  • Files.pfsense.org blocked?

    10
    0 Votes
    10 Posts
    2k Views
    N

    Yep!  All is well now.  Thanks for your help cmb

  • New to pfsense, basic questions

    3
    0 Votes
    3 Posts
    895 Views
    T

    Hello Steve,

    thank you for the clarification.

    As for the 2 WAN IPs, I am not looking for a failover setup. It will be straight inbound NAT and the same subnet should be not a problem in this situation.

    Maybe I will get a bit more fancy as with monowall and will install some extra packages.  ;)

    Johannes

  • Ideas about building my home network

    3
    0 Votes
    3 Posts
    893 Views
    johnpozJ

    Huge fan of running pfsense virtual - but why not just put say esxi on the hardware and then run pfsense as a vm, and then whatever other os you want to host your website, etc.

    As to running services out of the house - other than playing/learning there is little reason to host your own site.  You would be much better off just hosting the site offsite.  The electric alone is going to cost you more than hosting it somewhere most likely.  You can get low end vps for like $15 a year that can host up websites for example.  I have 2 of these low cost vpses - they make great endpoints for vpn, they are perfect for testing from other locations and other networks for network issues, etc.  I have a honeypot running on one for example that I host up a website I can access to get info about the honeypot, etc. etc.

    But if for learning experience I really love doing pfsense off a vm!!


  • New to pfSense: replacement for FortiGate?

    5
    0 Votes
    5 Posts
    3k Views
    P

    @djoyce:

    Very helpful. From the research I've done it looks like DansGuardian is ~$100 for commercial deployment and free for home and non-profit. I think that's a one-time fee, right? So, if I've put this all together correctly, the only costs to get a firewall, multi-interface, content filtering, domain filtering box is the cost of the hardware plus DG if I need a paid version, plus any donation to pfSense, right? So, in most cases I'll be out about $250-450 depending on hardware.

    Am I on the right track?

    Now, for support. Can I purchase one block of hours as my business and use it for pfSense deployments at more than one customer or do I have to purchase for each customer?

    Thanks for your help.

    We're a registered charity, so as you say there was no cost for DG.  The base charge for pfSense support is $600/year.  That includes 5 hours of support, extra 5 hour buckets @ $500 per, and if the support relationship is between you and pfSense, I don't see an issue with using that bucket of time for multiple sites - but as the other poster suggested, you can always connect with them for further clarification.

    I think if you want the end-user/company to be able to contact pfSense directly, then a separate agreement may be required per company.  If you are always the one initiating the support case, I imagine there isn't an issue.  The automated backup is supported for multiple sites/firewalls, but be aware that each site can see the other's backup file(s) from within the GUI, so if the client has access to manage the firewall, you might want/need separate accounts.

    P

  • Windows machines cannot see each other

    3
    0 Votes
    3 Posts
    959 Views
    C

    Perhaps you were running samba on your dd-wrt platform?  Even if you were not serving any files stored on your dd-wrt platform, samba may still have been acting as a domain controller (or 'domain master' in earlier terminology?).

    If you still have your old platform, try plugging its LAN port into your switch.  Look around for the samba configuration, analyze it and figure out your next move.  But ptt is right, it's not a pfSense issue; it's local to machines on your LAN.

  • DHCP coming from WAN when set to a static IP

    7
    0 Votes
    7 Posts
    2k Views
    E

    @charliem:

    Your ISP should be out of the picture, right?  Your cable modem is the one issuing the address, if I understand correctly.  So, cm notices link to ISP is down, cm hands out a dhcp address for 192.168.100.x.

    I think that is correct -- stupid cm trying to be a NAT router or something.

    @charliem:

    Or do you have two issues: one being a local address from the cm when the link goes down, and two being an incorrect IP coming from the ISP when the link comes up?

    I think only one issue -- the DHCP being picked up and used by the pfsense when the interface is set to static -- possibly sometime in the period of flapping around when the connection resets. Therefore -- exacerbated by the internet connection's current instability.

  • BUG: pfSense Writing Script Garbage (CsrfMagic.end)

    1
    0 Votes
    1 Posts
    791 Views
    No one has replied
  • Certificate expired can it be renewed remotely

    2
    0 Votes
    2 Posts
    691 Views
    D

    You have some other access except via VPN? If not, pretty much tough cookies.

  • Basic network switch redundancy question in multi-WAN pfSense context

    1
    0 Votes
    1 Posts
    922 Views
    No one has replied
  • 0 Votes
    22 Posts
    4k Views
    R

    Makes sense.. checking this morning the number of errors on WAN has not changed at all.  So fingers are still crossed.
    thanks for sticking with me on this weird issue.

  • Openvpn - quagga ospf - mesh

    40
    0 Votes
    40 Posts
    24k Views
    jimpJ

    If you keep all of your tunnel networks in a close range you can add a manual accept filter for the entire larger subnet which includes the smaller tunnel networks. For example if you have 192.168.22.0/30, 192.168.22.4/30, 192.168.22.8/30 and so on for tunnel networks, then you can setup an accept filter for 192.168.22.0/24 and I believe that should work OK.

  • Fetch config with wget on pfSense 2.1

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Urgent : application for analyzing the PFSENSE Logs !!!

    1
    0 Votes
    1 Posts
    485 Views
    No one has replied
  • Multiple networks behind LAN interface

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10S

    Yep, what Phil said.  :)
    The default LAN rule will block that because the source is outside the LAN subnet so if you haven't changed it or added more rules that traffic won't be allowed.

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.