• Help me integrate pfSense into my existing network

    0 Votes
    22 Posts
    4k Views

    Nothing wrong with that. You don't need managed switches; I just like them because they let you have more control of your network. I would just make sure that you only send untagged traffic to your unmanaged switches, although there are some unmanaged switches that can deal with tagged traffic. Typically unmanaged switches will not support LAGG and may not have spanning tree either, so be careful when running extra links between switches for redundancy.

  • Remote Widget for Wan Traffic?

    0 Votes
    1 Posts
    533 Views
    No one has replied
  • Whatsapp and Facebook problems on Android phones

    0 Votes
    9 Posts
    4k Views

    Just to confirm. The Netgear modem was causing issues. Seems it doesn't really go into full bridge mode. Have replaced modem and all is well.

  • Break connection when a primary gateway is restored.

    0 Votes
    8 Posts
    2k Views

    I couldn't try actual physical disconnection because I needed to be there in person to do that! Now I tried it, unplugged the main WAN and waited. The ordinary internet access using a gateway group failed over to WAN2 and the Dynamic DNS names that are tied to a gateway group changed. But none of the OpenVPN servers (site-to-site and 1 road warrior) switched to listen on WAN2 and the 1 OpenVPN site-to-site client going out to another office did not switch to going out WAN2. None of the /var/etc/openvpn*.conf files got rewritten - which they should be in response to gateway group status change.
    I will have a look at that code, I guess it doesn't implement the same failover processing as when a gateway just stops responding to ping.
    Added: On a test system, it activates all the processing, but my test hardware only has 1 real WAN, and thus a gateway group with only 1 WAN in it. But it does rewrite the server.conf file. I will have to try a real WAN unplug again and investigate why it didn't seem to work for me early this morning.

  • Restrict Kids Internet Access

    0 Votes
    6 Posts
    3k Views

    I do most of what you're asking for using squid and squidguard.

    Squid appears under "Proxy server" in the menu system, I forget which top-level menu but about 4th from the left.

    Squidguard appears under "Proxy filter", just above squid's entry.

    I use access control lists in squidguard filtered by IPs. I set up static IPs for kids' devices in the DHCP server for the wifi interface.

    It's a steep learning curve, but powerful once configured.

  • How can I get LAN to ping a 2nd lan on OPT2

    0 Votes
    12 Posts
    3k Views
    johnpoz

    Firewalls the BANE of users ;) heheeh

    Glad you got it working - and maybe learned a bit in the process of tracking it down.. I am a big fan of going to the sniff for validation.. If you would have done the sniff you would have validated that pfSense was putting the traffic on the wire, and you just weren't getting an answer.. This would have forced you to look at the host closer.

  • Can I use round robin DNS in alias?

    0 Votes
    5 Posts
    2k Views

    Thanks for clarifying how it works today Phil!

    I also checked out the source code so I understand the principle.

    The problem is that the table is in reality a DNS resolver cache so it really needs the same functionality. It needs to keep track of TTL values and count them down so the resolved IPs in the table expire when they should. And of course keep the pf table structure updated so it just contains IPs that haven't expired.

    That way all IPs would always be current and it would hold onto the IPs as long as it should.

    I don't know how or if there is an OS level DNS cache in FreeBSD or if getaddrinfo() could use the DNS forward cache in pfSense. It would be elegant to use resolves IPs that way if it works.

    Anyway, that's for a future release of pfSense I guess :-)

    Thanks again,

    Pete

  • Public IP outside network cannot be accessed

    0 Votes
    3 Posts
    780 Views
    johnpoz

    The default rules for LAN would be allow any any from LAN net.. And pfSense by default would also do NAT from LAN to WAN (internet)

    Did you modify the default rules?

    Can you post up your LAN rules and we can see what might be the problem.

  • How to force launch the webGUI?

    0 Votes
    11 Posts
    3k Views
    stephenw10

    You can reset the IP from the console with menu option 2.

    So how is your VM host set up? How does the pfSense VM connect to other machines? Where are you trying to connect to the LAN from?

    You said that it was working until you added the static WAN address. That implies that you have an IP conflict of some sort. However, in that case I wouldn't expect you to be able to connect via SSH. :-\

    Steve

  • Unable to Limit Download / Upload WAN

    0 Votes
    2 Posts
    822 Views

    Check out this cool video which will help you.

    http://www.youtube.com/watch?v=Usi195rK35I

  • Postfix problem with smtp

    0 Votes
    5 Posts
    1k Views

    YOU ARE GREAT ;D ;D Finally it works!
    Big thanks to you, you made my day!

  • WAN LINK

    0 Votes
    1 Posts
    752 Views
    No one has replied
  • New hardware but pfsense wont install

    0 Votes
    4 Posts
    2k Views
    stephenw10

    If you compile a working kernel module against FreeBSD 8.3 then the procedure for adding it would be the same, yes.
    I'm going to suggest it's not an AR813x or AR815x since those should be supported by the alc(4) driver in FreeBSD 8.3.

    Steve

  • WAN interface keep dropping internet connection every 10 min

    0 Votes
    4 Posts
    4k Views

    Would be nice with a feature on the pfSense to bring interface up and down if there is no traffic… Anyone tried creating a custom script for this?

  • How do I connect these points? (DNS Forwarder, Port Forwarding, Sub-domain)

    0 Votes
    12 Posts
    6k Views
    stephenw10

    If each app is served internally from a different IP address it doesn't matter if they all use port 80.

    Steve

  • [Solved] Cannot access from LAN

    0 Votes
    9 Posts
    3k Views

    Sorry, made a mistake, already amended the post:

    System -> Advanced -> Firewall/NAT
    NAT Reflection mode for port forwards: Disabled

    I think this problem is resolved.

    Please kindly see this thread for a more troublesome problem:
    http://forum.pfsense.org/index.php/topic,70483.0.html

  • Pfsense 2.1 and crashing cable modem

    0 Votes
    8 Posts
    3k Views

    I had a similar issue. Time Warner cable modem to a desktop I turned into a pfSense box. The desktop had dual NICs built into the motherboard. I used one of them for WAN and one for LAN. Had it constantly not passing traffic to the internet and could not access the web GUI from the LAN side. Could only fix it by restarting the pfSense box. Finally installed a new PCI NIC into it and plugged one of the cables into the new NIC and reconfigured the interfaces and voilà! It's been running steady without a reboot for over a year now.

  • Remote setup pfsense=>proxmox

    0 Votes
    7 Posts
    3k Views
    mudmanc4

    Come to find out after I released the supplied KVM, that night 'something' happened and the system was down.
    The wonderful times when you know you have things set up correctly and cannot connect, but no way to connect to the machine in question to find it's down.

    The issue with raid cards continues on and I should have known better.

  • New to PFSense…couple of questions

    0 Votes
    39 Posts
    8k Views
    stephenw10

    Ah, sorry about that. :)
    It's often a delicate balancing act, here on the forum, between coming across incredibly patronising or spouting indecipherable code. Either one can be insulting or confusing or both!

    Can you show us a screen shot of your firewall rule?
    If it's working OK for you then don't worry about it.

    I'm not sure any of the filtering solutions in pfSense will meet your requirements as you have described. All of them would require logging into pfSense and manually making changes, some admin work. I have almost no experience with on device content filtering, none at all on the iPad, but it seems more likely to work in your scenario.

    Steve

  • How to monitor / sniff traffic out of a certain machine in detail.

    0 Votes
    10 Posts
    3k Views
    johnpoz

    Valid point!!!

    If he doesn't have the ability to do span/mirror ports on his switch - can just install say Wireshark on the machine in question to see other traffic it might be sending that is not dest internet.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.