Nice.  :) Surprised it didn't cause a flood of complaints. Steve

Hi wallabybob, unfortunately with mounting pressure from the users I needed a solution for "now" rather than a solution that was "right", so I have restored a backup from 2 weeks ago which seems to have fixed things for the most part. It irks me that I don't know what the actual problem was and printing is still slow from the other subnet. Looks like I'm going to solve that in a different way now. To answer your questions: How do users in LAN D attempt to access the printer in LAN O? Printer drivers were installed on each PC in LAN D. At the time of installation the driver setup was able to communicate with the printer which configured an appropriate printer port on the client PC. What happens when they attempt such access? The print job sits in the print queue on the client PC indefinitely Does the access attempt get reported in the firewall log? I enabled appropriate logging and saw PASSes noted in the firewall log, however running a packet capture on the LAN O interface of pfSense I did not see any matching packets. Does the printer allow access from LAN D? Yes. Does the printer respond to pings from LAN O? Pinging from a client on LAN O to the printer was successful. Pinging from the firewall interface LAN O to the printer was NOT successful. Does the printer respond to pings from LAN D? No. Firewall Logs show PASSes but again, nothing in a packet capture from LAN O interface Please post a screen shot or other full specification of the firewall rules on the LAN D interface. Sorry, as I've restored from backup the rule is the now the same as when it was failing. What i have now is: [image: NZhdqC3.png] I've highlighted the rule that should allow access to the printer (and the file server) on LAN O The OfficeResources alias contains the IP addresses of the printer and the file server only. However when the firewall was allowing nothing out its LAN interfaces I had removed all the rules but the last one, which was copied from the LAN O (the "LAN" inferface asopposed to the "OPTn" interfaces) rule and then modified to relate to LAN D. I hope that's clear, reading back there's a lot in there and it may be moot given I have restored to a backup. I'm also looking at dropping LAN D and combining the clients with the LAN O. Just need to convince management that the separate LANs are causing more problems than they are solving. Thanks, Lee.

Check the "mailreport" package: Allows you to setup periodic e-mail reports containing command output, log file contents, and RRD graphs.

You probably need to do a packet capture to be sure, but rsyslog would have to be the suspect.

I do the same for firewall on CentOS. Maybe the dev team can take this into consideration and create a fail-safe button that restores settings after a specified time if user doesn't acknowledge by clicking on fail-safe button. 1- Fail-safe can be ENABLED or DISABLED when needed - so the admin can use it ONLY when needed. Maybe OFF by default 2- Fail-safe allows for time setting as in 1 minute, 3 minutes, 5 minutes, 10 minutes…. 3- Fail-safe Restore DOES NOT apply or roll back the settings if user presses "ALL GOOD" button after the change is done within the kick-off time. Any other suggestions? Thanks everyone for input - I hope this gets picked up by Dev team! Vote here please

since I'm under a tight deadline, and it is out of business hours here and I have a relatively small amount of machines here, I have refreshed all the PC's and they are all using the new gateway, 192.168.1.2. This is a hotfix that has worked for me, hopefully I this will not be an issue anymore, but it is an odd one at least.

@mastry0da: could you point me at a reference for reading the log format? if not could you possibly break down this example packet for me? pf: 00:00:00.306610 rule 1/0(match): block in on msk1: (tos 0x20, ttl 40, id 33721, offset 0, flags [none], proto UDP (17), length 58) They are standard pf logs, so OpenBSD may have some documentation. Or: Use the source - https://github.com/pfsense/pfsense/blob/master/etc/inc/filter_log.inc#L136

The pfTop shell command can give a display of current top users of bandwidth through the firewall.

Yes i Understand  .. Thank u Bro

I don't know if you still need an answer but I managed to install the packages. I actually did it according to same person's another post: http://forum.pfsense.org/index.php/topic,47086.0.htmlhttp://forum.pfsense.org/index.php/topic,47086.0.html But I changed all of the packages according to stephew10's post (I picked all of them from 8.4 release). This are the packages I've installed (by the way I'm using pfSense 2.0.3 too) : (Install all of the packages in this order.) pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/php52-gd-5.2.17_13.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/t1lib-5.1.2_2%2c1.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/libX11-1.4.4%2c1.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/libXpm-3.5.9.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/libxcb-1.7.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/libXau-1.0.6.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/libXdmcp-1.1.0.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/libpthread-stubs-0.3_3.tbz pkg_add -r http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/mysql-server-5.1.68.tbz pkg_add -r http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/mcrypt-2.6.8_1.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/php52-mcrypt-5.2.17_13.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/libltdl-2.4.2.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/php52-gd-5.2.17_13.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/t1lib-5.1.2_2%2c1.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/libX11-1.4.4%2c1.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/libXpm-3.5.9.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/libxcb-1.7.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/libXau-1.0.6.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/libXdmcp-1.1.0.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/libpthread-stubs-0.3_3.tbz pkg_add -r http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/mysql-server-5.1.68.tbz pkg_add -r http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/mcrypt-2.6.8_1.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/php52-mcrypt-5.2.17_13.tbz pkg_add -rfi http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.4-release/All/jpeg-8_4.tbz (After installing these packages continue from the post above because the touch commands and everything else is the same) I've added the last pakage myself because  ' /etc/rc.php_ini_setup  '  said that it was missing. And also I have came across the exactly same ERROR as you. It was because I tried to use ' /etc/rc.php_ini_setup ' command from the webGUI's command prompt. Don't do it :P It really breaks the pfSense. You can use the webGUI's command prompt for pkg_add and touch commands but when it comes to '/etc/rc.php_ini_setup' use the shell !

If you want to do something slightly more custom you're probably better off using tcpdump directly from the CLI: http://doc.pfsense.org/index.php/Sniffers,_Packet_Capture I'm not too familiar with it, I'd usually read the man page every time  ::), but perhaps something like: tcpdump -i fxp0 -c 500 port 25 or port (your second port) >> capturefile.log Steve

WOW, thanks a lot guys really helpfull, will install at the weekend and keep you all posted, thanks again. Steve

see this http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx

try to look out more info, like the interface went down or lost conn with some other if, and post it here! cheers!

sorry bro! i was outsite town on some "Vacations trip" so not laptop allowed o any smartphone xD, ok if you gonna treat like a switch you does not have to have any special config, just trunk, trunk and ready to roll on the layer 2 sw, if it gonna be a firewall/router, you should prepare ir like a dhcp relay agent to work, this is gonna be in almost case the setup PFSENSEBOX –->> MikroTikBox(as firewall or router with dhcp relay included) --->> layer 2 sw, please check out this document of mikrotik, http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Relay and related, with a mikrotik cheap? more than pfsense? lol i love the product even in some case have failed me

Thanks for continues respons If i don't use the pf sense ( pf sense dismantle )my gmail,ym and yahoo be OK,i can access internet with normally. for disable squid i will try later and i will share the resul with you, Thanks and regards

You will have no problem accessing the outer box from behind the inner box. I'm typing this to you from behind two pfSense boxes right now. The default setup there would be both boxes NATing the connection which is considered bad but almost everything will work just fine. Steve

Was wondering about this. Have got 24 PPPoE ADSL's that i would like to load balance. Gateways would unfortunately be the same for all from service provider. Would be a problem to find 24 different ip's to monitor. The other problem is the gateway ip is the ip that would be pinged to test latency. Saw a lot of times people say set up PPPoE on modem, but this will break fail over. If PPPoE on modem is down, PF Sense will se the ip to the modem and you cant use ping because of above mentioned ping problem. So sad, to bad. :-)

Good to know, I had no clue as you said.  ;) So I take it you disabled local logging because you were using an external syslog server and expected that to continue to function? Steve