@johnpoz: yeah it is becoming a very recurring issue – maybe we need to create BIG FLASHING RED letters that say do not put a GW on this LAN interface unless you fully understand what that means.  And then rethink it and then don't do it!! ;) Can we just remove the option all together, if you you classify it as LAN interface there is NO option to put a GW on it at all.. ;)  Is this connection used as WAN/INTERNET sort of check mark, and if not checked no GW option is even available?  I am almost positive that the wizard of setup clearly skips over asking the question even - doesn't it?? THIS. Argh. I've been working on getting VLANs to work and part of that was moving DHCP off the pfsense box so I could configure the subnetting correctly. I didn't notice this put a gateway on pfsense's LAN side. And until this thread, didn't realize that was why the internet just turned off. :( Thanks though! I hate having my business behind store bought wifi routers. Chris

I disabled Static Outbound NAT just for testing and still having the same problem. No I have no idea what could be causing it.

Hi, look into Menu System / Advanced and there on tab Admin Access: At bottom you find the property Console Options / Console menu, check this property. BR wkn

Hi all, This is just to say that it works perfectly on the Alix board. I did some penTesting over the firewall and it performs great. Thanks a lot!

I am on the 25mbps plan with comcast, and my pfsense is just 1 of a few VMs on a N40L with Turion II Neo 1.5ghz Dual-Core, pfsense vm has only been given 512 and I max out both my download and upload pipe.  So I would have to think such a machine should be able to handle it no problem.  As asked what speeds are you seeing, and have you validated these speeds from more than just 1 test location?  And what speeds are you seeing? [image: 3284196746.png]

@jerk_shop: Can you download the wpad file directly from your browser? E.g. can you type in http://wpad.yourdomain.com/wpad.dat and does it load up your file? I can't download it via wpad coz my wrong is not creating a wpad inside usr/local/www but I was able to download via LAN_IP/wpad.dat but when mydomain.com/wpad.dat it says ooopppsss google can't find that stuff. wait quick question can I access the webgui using my inputted domain under general setup like for example under domain icantmakethisstuffwork.com. Can I put that at my browser to directly access the webgui? if you are using firefox, you have to change the proxy dedection option to the second one from top(by default the third one is selected), in browser proxy settings and be sure that your dns host override is correct host=wpad (not the host name you give in pfsense general settings) domain=domain name you have given in pfsense general settings ip=your lan ip description=anything you like

@darkcrucible: If you're seeing the 4% loss continuously throughout the day, then you're probably seeing a common issue with the apinger service. If it only shows up during part of the day, then you should search dslreports for their smokeping service to collect more evidence. If it is continuously reporting 4%, then see this: http://forum.pfsense.org/index.php/topic,68637.0.html The RRD quality graphs get their data from the apinger service. The workaround to the continuously bogus loss issue is to restart apinger. Try going to status->services and restart apinger. See if that resets the reported losses to around 0. Just the other day I saw a bogus 4% loss too. Restarting the service fixed that. restarting apinger worked for me… thanks!! will keep monitoring to see if the problem comes back...

Sorry for using the term "dumbed down" rather than "simplified for new users", I suppose that sounds better.  I would log bugs and patches if I understood the process.  I've been using PfSense for about 5 months now so I'm a relatively new user. On this issue I initially suggested that all native unbound commands be recognized by the GUI custom entry box such that they override the GUI setttings.  Or if this is unacceptable, at least allow custom commands that are not configurable via the GUI.  I could test every unbound command to see if it keeps the service from starting but that would take about a day.  I'm sure someone more familiar could generate a list in a few minutes. The bigger question is, "what's the goal"?  What can and can't be done with the unbound package script.  So far I'm seeing more interest in using command parameters to generate other command parameters.  In other words, a continuation to keep it simple and automated, rather than improving the ability to troubleshoot performance issues should they arise.  Maybe you can explain why the native commands weren't included in the package.  Is it just the time and effort to provide features that may get little use? As someone who had been using a stand-alone unbound service with only a script, surely you would expect some moaning when most of the script settings were rejected by PfSense.  It would have been nice to drop in a well tested and stable script rather than use the automated package that restarts now and then.  I may go back to a stand-alone service if I can't resolve the restarts. Are there other 64-bit users seeing their unbound package perform unattended restarts?  No idea how to troubleshoot this especially with many of the commands unrecognized.  Fortunately the service restarts fairly quick so it doesn't seem to cause much disruption.  However with each occurance the cache is cleared and has to begin rebuilding when the service starts making the package less effective.  I don't save the cache because of the SSD and it adds too much time to a PfSense reboot.

Hmm, I think I did something stupid like deleting the user from User Manager that I was logged in as.  It should never let you do that, but it did.  I'll try to log it once I can reproduce it.

If the machine running the game (or server) is behind pfSense you can look in the webgui at Diagnostics: States: and then filter by the IP of the gaming machine. That will show you the ports of any connections. Steve

I can confirm also that 2.1.1 prerelease fixes the cycling issue after 3 days of running no issues. 2.1.1 also fixed snort clearing it's block table. Firewall logs also seemed to stay in sync after rule changes.

@zohaib: Hi all, I am planing to deploy pfSesne 2.1 for 4 WAN link 500Mbps Shared and 4LAN links. kindly suggest me Best hardware for that. Recently i had a very BAD experience, for almost similar needs i purchase Dell PowerEdge r720 with 2 NIC card (8 port gb) but facing issue in installation. Kindly suggest me best Hardware model. I setup a very similar configuration a few weeks ago: 4 x 300mbps download/10mbps upload WAN connections (on an Intel four port gigabit card) 4 x 1000mbps (gigabit) LAN connections (on the same model card as above, Intel four port gigabit card) It's running on this system: http://www.ebay.com/itm/DELL-PRECISION-T5400-WORKSTATION-2x-2-66GHz-QC-16GB-2x-73GB-/380831423599 (the seller upgraded it to 32GB of ram for $60, not sure if it would make any difference or not). With two of these: http://www.ebay.com/itm/Intel-4-port-Network-card-PCIe-Pro-1000-PT-Quad-Port-LP-SVR-Adapter-EXP1940PTL-/121265781963 The performance is absolutely mind blowing :) -Jamie M.

We've started all over again and were able to get LDAP CLI authentication working :-) We now have it on both the webcfg as well as the CLI, which was getting increasingly needed, as we are getting close to 100 virtual pfsense firewalls and local user accounts were getting unmanageable. Some rough notes: ###login with ssh & std admin user 1) /etc/nsswitch.conf group: files ldap # group_compat: nis hosts: files dns networks: files passwd: files ldap # passwd_compat: nis shells: files services: files # services_compat: nis protocols: files rpc: files 2) pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/net/openldap-client-2.4.26.tbz pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/nss-pam-ldapd.tbz 3) /usr/local/etc/nslcd.conf # The underprivileged user and group used for running the daemon. uid nslcd gid nslcd uri ldaps://ldap1.local.domain ldaps://ldap2.local.domain ldap_version 3 base ou=somedepartment,dc=local,dc=domain bind_timelimit 30 tls_reqcert allow ssl on 4) /etc/pam.d/sshd: # # $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.8.2 2012/11/17 08:24:38 svnexp Exp $ # # PAM configuration for the "sshd" service # # auth auth          sufficient    /usr/local/lib/pam_ldap.so  no_warn md5 auth            sufficient      pam_opie.so            no_warn no_fake_prompts auth            requisite      pam_opieaccess.so      no_warn allow_local #auth          sufficient      pam_krb5.so            no_warn try_first_pass #auth          sufficient      pam_ssh.so              no_warn try_first_pass auth            required        pam_unix.so            no_warn try_first_pass # account account        required        pam_nologin.so #account        required        pam_krb5.so account        required        pam_login_access.so account        required        pam_unix.so # session #session        optional        pam_ssh.so session        required        pam_permit.so # password #password      sufficient      pam_krb5.so            no_warn try_first_pass password        required        pam_unix.so            no_warn try_first_pass 5) /etc/pam.d/system    # # $FreeBSD: src/etc/pam.d/system,v 1.1.32.1.8.2 2012/11/17 08:24:38 svnexp Exp $ # # System-wide defaults # # auth auth            sufficient      pam_opie.so            no_warn no_fake_prompts auth            requisite      pam_opieaccess.so      no_warn allow_local #auth          sufficient      pam_krb5.so            no_warn try_first_pass #auth          sufficient      pam_ssh.so              no_warn try_first_pass auth            sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass md5 auth            required        pam_unix.so            no_warn try_first_pass nullok # account #account        required        pam_krb5.so account        required        pam_login_access.so account        required    /usr/local/lib/pam_ldap.so  ignore_unknown_user ignore_authinfo_unavail account        required        pam_unix.so # session #session        optional        pam_ssh.so session        required        pam_lastlog.so          no_fail # password #password      sufficient      pam_krb5.so            no_warn try_first_pass password        required        pam_unix.so            no_warn try_first_pass 6) install sudo package in webgui 7) install shellcmds in webgui 8) add shellcmd via webgui -> services -> shellcmd: nslcd    shellcmd 9) hack the sudo.inc file, because we can not add the sysadmins group manually, because the sudoers file is reset on boot AND we can not add it in webgui, because the sysadmins group isn't allowed: /usr/local/pkg/sudo.inc ...         foreach ($sudocfg as $sudo_commands) {                 // (user|group) ALL=(ALL|user spec) ALL|command list                 list($etype, $ename) = explode(":", $sudo_commands['username']);                 $user = ($etype == "group") ? "%{$ename}" : $ename;                 list($rtype, $rname) = explode(":", $sudo_commands['runas']);                 $runas = ($rtype == "group") ? ":{$rname}" : $rname;                 $nopasswd = ($sudo_commands['nopasswd'] == "ON") ? "NOPASSWD:" : "";                 $commands = (empty($sudo_commands['cmdlist'])) ? "ALL" : $sudo_commands['cmdlist'];                 $commands = ($commands == "all") ? "ALL" : $commands;                 $sudoers .= "{$user} ALL=({$runas}) {$nopasswd} {$commands}n";         }         $sudoers .= "%sysadmins ALL=(ALL) ALLn";         /* Check validity of the sudoers data created above. */         $tmpsudoers = tempnam("/tmp", "sudoers"); ... 10) let's make su work as non-root user: /etc/pam.d/su : # # $FreeBSD: src/etc/pam.d/su,v 1.16.32.1.8.2 2012/11/17 08:24:38 svnexp Exp $ # # PAM configuration for the "su" service # # auth auth            sufficient      pam_rootok.so          no_warn auth            sufficient      pam_self.so            no_warn #auth          requisite      pam_group.so            no_warn group=wheel root_only fail_safe auth            include        system # account account        include        system # session session        required        pam_permit.so 11) cp /usr/pbi/sudo-amd64/etc/pam.d/sudo /etc/pam.d 12) /etc/ssh/sshd_config PermitRootLogin yes Compression yes ClientAliveInterval 30 UseDNS no X11Forwarding no # Login via Key and Password PasswordAuthentication yes ChallengeResponseAuthentication yes PubkeyAuthentication yes # override default of no subsystems Subsystem      sftp    /usr/libexec/sftp-server Protocol 2 Port 22 Allowgroups sysadmins ###login with ssh & ldap user sudo su

It seems to be an issue of apinger that has troubles in this version of pfSense. I've configured cron to reset the apinger every 5 minutes and it seems to work. It's not the solution but at least a workaround. Here is the script that I execute with cron: #!/bin/sh killall apinger sleep 3 /usr/local/sbin/apinger -c /var/etc/apinger.conf

Yes, two ways at least.  I assume the pfSense machine has a serial port and connects to the switch.  One way is to set up pfSense to enable ssh logins from WAN, then ssh in and use cu to connect to the switch. Another more secure way would be to set up a VPN; once connected via VPN, then ssh in to pfSense and do the same. Any particular reason you want to use a serial line rather than ssh'ing to the switch directly? (you'd need to set up a VPN for this too).

@abadonna: It is set to block both. Remember that anything that causes pfSense to execute the filter_reload process will wipe out the block table. Try this if you want to see if Snort is blocking.  Go to https://www.grc.com/shieldsup and let it scan your IP.  Open two browser tabs:  one to your firewall interface with the Snort ALERTS tab, and one to the link I provided.  As the scan is in progress, periodically refresh the ALERTS tab page.  Look at the BLOCKED tab as well.  You should see the GRC site listed there. Bill

If you run a captive portal you can redirect clients to a web page of your choosing, usually hosted locally, so you can have whatever message you want but obviously users will only see it the first time the try to open a web page. If you want to have messages spontaneously appear on clients devices as they connect to your wifi I think you're out of luck. You would have to send it to some service already running on the clients like netsend for example. That may be possible but it would vary between devices/OSs. It would be very involved to get multiple things working and it would rendered completely ineffective by anyone running any sort of firewall like Windows Firewall, so almost everyone!  ;) Steve

It will get selected as default because it's the most recently defined gateway. However you almost certainly should't have a gateway defined on LAN at all. Steve