Yes rogue dhcp servers can be a huge PIA!  ;)
Another user here experienced a similar thing except that the rogue server turned out to be an mobile hotspot application running on an iPhone. The user who's phone it was didn't even realise it was running and of course it was only there during work hours when diagnosing stuff is most difficult.

Always worth remembering that story when things are looking really weird. Check the MAC of the DHCP server, you can see if it's the correct one instantly and if it's not you can find out the manufacturer which gives you something to look for. Of course that doesn't help if it's a malicious attack where the rogue server has spoofed your own MAC.

Steve

On Windows (I don't know if you can do it under Linux) I usually untick the IPv4 and IPv6 protocol on the network cards which supply connectivity to other network segments.

For example :

If I have a pfSense box with two network cards (RED = WAN) and (GREEN = LAN) then I usually untick both IPv4 and IPv6 from the WAN interface.

The LAN interface I leave as is, as you'll need to have either a static IP (suggested) or dynamic IP on it for you to connect and administrate pfSense.

The rest don't need IPv4 or IPv6 either, should you have other network cards.

This makes it more difficult for ne'er-do-wells to try and hack the windoze box hosting pfsense.

@pfNeo:

can a tcpdump file be converted to exe?

In Security Onion, you can recover files in multiple formats.

The new pfSense Suricata package also has file capture capability.

You are correct. It did not auto install. Got it going now thanks!

yeah using the same sort code as exists on other pages would be fine, you're welcome to submit a pull request to master/2.2 with that.

Anyone…. ?

::)

@phil.davis:

You have set an "upstream" gateway on your LAN. Actually there is no gateway on a pfSense LAN, it is the WAN that has the gateway out to the internet.
Interfaces->LAN, change the gateway to none and save.
System->Routing - delete the gateway for LAN, and set the WAN gateway to default.
Firewall->NAT, Outbound - set it back to Automatic.

Now pfSense will understand that LAN is an internal network and WAN is the way out to the big bad internet. It will auto-generate NAT rules from LAN to WAN.

Nice one. Didn't catch that when I looked.

Connection to a laptop seemed a bit more stable, but still something like a 1 in 20 chance of auto-neg and the link staying up - it could take 5 minutes or more for it to actually get a connection.
PFsense just didnt want to stay connected; i guess it handles weak links differently than my laptop does.

I don't remember anything obviously wrong with the v120 before it went pop. worked fine before flicking the switch, and then problems when powering it back up.
touch annoying that it only lasted just over 12 months. hope this one lasts longer!

Apologies for resurrecting this thread.

I have the same issue as the OP, however, I'm able to add a few extra details and information :

pfSense version :

2.1-RELEASE (i386)
built on Wed Sep 11 18:16:22 EDT 2013
FreeBSD 8.3-RELEASE-p11

2. 32-bit version

3. Full install (running as a virtual machine)

4. Status - Services do show bandwidthd is running

5. System log - the last few messages I have from bandwidthd is

Mar 6 10:43:03 bandwidthd: Monitoring subnet 192.168.0.0 with netmask 192.168.0.0 Mar 6 10:43:03 bandwidthd: Monitoring subnet 192.168.48.0 with netmask 192.168.48.0 Mar 6 10:43:03 bandwidthd: Monitoring subnet 192.168.80.0 with netmask 192.168.80.0 Mar 6 10:43:03 bandwidthd: Opening em3 Mar 6 10:43:03 bandwidthd: Opening em3 Mar 6 10:43:03 bandwidthd: Opening em3 Mar 6 10:43:03 bandwidthd: Opening em3 Mar 6 10:43:03 bandwidthd: Packet Encoding: Ethernet Mar 6 10:43:03 kernel: em3: promiscuous mode enabled Mar 6 10:43:03 bandwidthd: Packet Encoding: Ethernet Mar 6 10:43:03 bandwidthd: Packet Encoding: Ethernet Mar 6 10:43:03 bandwidthd: Packet Encoding: Ethernet

I must add that it did work for about 4 to 5 hours before stopping. Now I only get the "has nothing to graph" message.  >:(

Hi, Yes I have seen this before, I think the answer is that pfSense does not support remote disconnection with standard POD packets, instead it uses re-authentication technique, which has some drawbacks over the POD system.

PfSense uses re-authentication to check the validity of the logged accounts
In your Radius configuration (can I ask which system you are using?) you need to find the simultaneous use option and give oit a value of more than 1 (I chose 10) this does mean a user can be logged in to more than 1 device, but will fix you rissue, try 2 and see how it goes which will make it hard to be logged in with more than 1 device.

Sim-use = 1 will result immediate disconnection of the user when the first re-authentication packet arrives to RADIUS (RADIUS server thinks the user is already online and doesn’t give a permission for a new concurrent connection which causes pfSense to close the active session of the current user)

(This answer has mostly been copied from some radius manager documentation I found.)

I am having my own troubles getting PPPoE to work, I would really appreciate your help with my issue if you could give me a run down of how you set up the firewalling and networking side of your PPPoE server as my clients can connect and get an IP but not any access to the WAN. I will post a question shortly. Hopefully we can trade help for each other as these forums seem dead to me :(

I did read somewhere that this was to do with Multi-WAN stuff happening even on single WAN setups. Maybe that was corrected. Would that make sense?

Yawarra in Melbourne have been supplying pfSense based appliances for some time. They might be able to assist you or recommend someone local who can. I've never had any dealings with them.
Really it's hard to recommend anything other than the ESF team (the official support portal) if you don't need on site support. They are by far the most experienced.

Steve

@mohdsh85:

by the way i change my monitors  IP to one of my static IP's

One of your own IPs? Where is this IP, at some data center? It must be at the other end of the ISP WAN connection.

Are you running Snort? Or any other packages?

Were any sites still accessible when you came in?

Steve

The Realtek card doesn't care what's in the traffic it's passing it just sends and receives Ethernet frames. It has no knowledge of the encrypted connection and is not affected by it.

Steve

@stephen Is only configured on the LAN port, thanks for asking!

coreteam@pfsense.com

Try that.