• Getting Started Between Modem and Router

    2
    0 Votes
    2 Posts
    705 Views
    stephenw10S
    In many ways you want the IDS to see all the traffic hitting the WAN of your firewall. That way the IDS can look for patterns in the hits to match against known attacks etc. Steve
  • Guest network question

    2
    0 Votes
    2 Posts
    808 Views
    stephenw10S
    @gnius: 2. control access to LAN machines and NAS of radius-using users What exactly do you mean by that? If you are talking about controlling what is accessible based on login credentials then things get complex. The easiest way to do this would be to add another NIC to the pfSense box to connect the AP to. You would still probably have to add VLANs between the AP and pfSense box to separate the two wifi user groups onto different interfaces. Since you're running dd-wrt on the AP that should be possible. You may be able to do it just using what equipment you have depending on how your unmanaged switch handles VLAN tagged packets. If it passes them with tags intact then you could do it with two VLANs from the AP to the pfSense box. Steve
  • Weird multiWAN speed

    5
    0 Votes
    5 Posts
    1k Views
    B
    Sure, CPE's are in router nat mode but I separate local networks with routers… routers are basics of networks, should it be a problem? ![PFSense network.jpg](/public/imported_attachments/1/PFSense network.jpg)
  • Migration from Linux iptables to pfsense. How'd you do that?

    6
    0 Votes
    6 Posts
    4k Views
    S
    I just had a look at fwbuilder. Alas it is too complicated and prone to flaws if you try to transform iptables to pf. Next problem is having a pf file which needs to be merged into the pfsense file. I read you shouldn't edit rules within the according file. Back to aliases. Often there is a host which is allowed http and https and ssh and ftp. In that case I have to put the same IP into four aliases? Is there a better approach? Sorry, but I really have a lot of hosts and hence rules which apparently need to be typed in by hand. Thus I want it to be as painless as possible.
  • Pfsense Snort Package - PROTOCOL ICMP Unusual Ping Detected

    2
    0 Votes
    2 Posts
    1k Views
    stephenw10S
    You have firewall rules that allow your ISP to ping your internal interfaces? Seems unusual. Or your ISP is somehow able to determine your internal interface IP and is trying to ping it? Steve
  • Squid and HTTPS caching?

    2
    0 Votes
    2 Posts
    697 Views
    V
    Have a read of this: https://forum.pfsense.org/index.php/topic,72528.0.html oops it's more Filtering HTTPS not caching, sorry.
  • What to do with a static WAN address

    4
    0 Votes
    4 Posts
    1k Views
    S
    Did you set up a WAN rule for connections inbound to that Public IP at your ssh port? A little more info would be helpful, not clear if you made a WAN rule or a LAN rule. Change your firewall rule and enable logging, try to connect, then see what is in the log. Actually, are you trying to ssh to get to the command line interface or to the web based UI? Not clear on what exactly you are trying to accomplish. I'm not personally a fan of opening up direct access to the command line or web UI on your public IP. Like I said in a previous post, I'd set up a VPN (something cert based like OpenVPN) and have it tunnel to the LAN, then you would simply connect the VPN and have access to both the web UI and the command line interface at their private/LAN IPs.
  • Is managing the state table taking up all of my CPU?

    9
    0 Votes
    9 Posts
    3k Views
    S
    I've never been clear if I'm dealing with a pure packets-per-second problem (incoming packets driving a lot of interrupts) or a state table problem (too much state churn) or a combination of both.  The key part for me in this post is what I see under STATE in the output from top, it shows "*pf ta" - as I understand it this means that the CPU is waiting on the pf process for something.  I'm guessing the "ta" part relates to the state table.
  • Mail spam from firewall "writing to routing socket…"

    5
    0 Votes
    5 Posts
    1k Views
    V
    /etc/rc.filter_configure_sync contains the following….. | #!/usr/local/bin/php -f /* $Id$ */ /*     rc.filter_configure_sync     part of pfSense (http://www.pfSense.com)     Copyright (C) 2004 Scott Ullrich     All rights reserved. Redistribution and use in source and binary forms, with or without     modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice,       this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright       notice, this list of conditions and the following disclaimer in the       documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,     INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY     AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE     AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,     OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF     SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS     INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN     CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)     ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE     POSSIBILITY OF SUCH DAMAGE. */ require_once("config.inc"); require_once("functions.inc"); require_once("filter.inc"); require_once("shaper.inc"); require_once("ipsec.inc"); require_once("vpn.inc"); filter_configure_sync(); ?> |
  • How to find posts I've submitted?

    3
    0 Votes
    3 Posts
    556 Views
    E
    Thank you. :)
  • Packet Flood?

    8
    0 Votes
    8 Posts
    1k Views
    C
    @johnpoz: If you're saying it stops when you remove client X from the network, that really points to it being client X. Sure it's not just downloading the gazillion updates a new install of windows 7 would call for? ^^This. Windows 7 downloads in the background, so next time you shut down it can say "…Please don't shut off the power. Applying Update 12 of 135329" :)
  • Conflicting info on fail over and load balancing

    8
    0 Votes
    8 Posts
    1k Views
    P
    Default gateway switching allows pfSense-originated traffic to find its way out if WAN1 is down. Mostly this is just the dashboard firmware update check, and installing packages. (when you already have gateway groups and policy-routing rules for your client traffic) If you have multiple DNS servers defined in System:General and pick a WAN gateway for each then you will still get DNS when 1 WAN is down, without needing default gateway switching. In a 2-WAN system where you just want everything to fail over from the main WAN1 to a (usually much slower) backup WAN2, then you could just use default gateway switching and not bother with gateway groups and rules.
  • Security and AutoConfigBackup

    3
    0 Votes
    3 Posts
    887 Views
    B
    Thank you Phil! This is good information.  I appreciate your time and perspective.  We've tried to keep anything out of DropBox and Google that was the least bit security sensitive.  But it's helpful to know some of the good reasons for that practice.  :-) I also hadn't thought about the certificates being stored in the XML file.  That's a very good point. Does anyone know if there is a limit to the size (length) of the AutoConfigBackup key? Thanks again!
  • Trouble with dropped connections.

    1
    0 Votes
    1 Posts
    704 Views
    No one has replied
  • File transfers larger than about 1.5 MB fail

    4
    0 Votes
    4 Posts
    963 Views
    A
    Thanks for your reply. We don't have asymmetric routing. There is just one LAN. pfSense acts as the NAT, firewall with less than a dozen rules, and DHCP server. I still have the packet capture file; I'd be happy to upload it to a place which is convenient for you.
  • 0 Votes
    3 Posts
    1k Views
    J
    Virtual machine equals Win server 2012 ye, sorry for not pointing that out. I did some configurations yesterday and managed to make static WAN work out! I set WAN to 192.168.10.103 (static) and gateway as pfSense LAN address. I also set my home router's IP address as DNS server and I can ping everything including Windows Server from pfSense :) But I'm still not able to browse the web… So I guess it has to be something blocking port 80? I tried to check both Windows Firewall and pfSense firewall but couldn't find any settings that would block port 80. So there's still some troubleshooting left for me.
  • Plans to support netmap in pfSense

    1
    0 Votes
    1 Posts
    710 Views
    No one has replied
  • System freezing?

    8
    0 Votes
    8 Posts
    2k Views
    P
    Steve, you were right: it was hardware related!  ;)
  • WAN setup for BT Infinity PPPOE

    7
    0 Votes
    7 Posts
    13k Views
    U
    I currently have the same issue :( EDIT: Okay I have managed to get it working, it turned out for some really odd reason the network port the PPPoE was on wasn't the correct one, in fact it wasn't anything… As shown there is now the interface (alc0) for PPPoE but beforehand there was nothing shown here also... [image: sdsdsd.png] So using the webconfigurator all I did was assign the WAN to alc0 (my direct incoming connection, the ISP infinity cable coming from the VDSL modem) using the assign interfaces, then I went into the settings specifically for WAN and configured it like so… [image: sesersdfd.png] Then as if by magic it suddenly started working, and the right interface was assigned to WAN [image: Capture.PNG]
  • Traffic on WAN

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ
    This is really basic stuff here - not sure how it could be worded better? You have this: client --- lan (pfsense) wan --- internet. From pfsense's side, stuff going to clients would be out the lan, stuff from clients would be in on lan. On wan, stuff going to internet would be out, and stuff coming from internet to pfsense would be in. Look at the traffic flow from pfsense perspective
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.