• Chrome and pfSense

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimp

    Chrome is nice, it just caches too aggressively. You didn't need to reinstall Chrome, just empty the cache and/or force a reload of the page (hold Shift + click the refresh button).

  • HTTPs Webinterface with HTTP Proxy Denied Error Page

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    T

    Nobody has an idea?

  • Firewall aliases screenshot

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    K

    I forward (WAN side) port 80 to server 1, port 80 (LAN side).

    Port 81 goes to server 2, port 80.

    Port 82 goes to server 3, port 80.

    Port 443 goes to server 4, port 443.

    I access all other boxes via an IPSec VPN.

  • BandwidthD

    Locked
    2
    0 Votes
    2 Posts
    878 Views
    P

    Ashish, I fixed bandwidthd so it should run OK on nanobsd Alix systems. Did you install the latest version, 2.0.1.4? It takes a few minutes to make the first graphs.
    Edit: You were still on 2.0.1.3. I updated bandwidthd and set the parameters back to the defaults (it will update usage every 2.5 minutes) plus selected output_cdf and recover_cdf so it will reload everything when bandwidthd restarts.
    Note: At the moment on nanoBSD the bandwidthd cdf data files are not saved anywhere - they are lost on reboot. Tonight I will try and add the code to save the data periodically to the CF card.

  • Problem with gateway's monitoring

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    D

    Edit: Oh, I'm sorry, you mean Monitor IP. No, all different on all interfaces (2 WAN, 2 VPN). But both VPNs have the same gateway IP.

  • "500 - Internal Server Error" when loading Firewall -> Rules -> (LAN Tab)

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    B

    Never mind.. Turns out it was a coincidental browser error, and clearing cache fixed it.

    :-X

  • /tmp too small

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    W

    @phil.davis:

    /tmp and /var are memory disks on nanobsd. They get created from scratch by the boot scripts. Whatever is in them at shutdown goes in the bit bucket (things like RRD data can get saved at regular intervals to the real CF card).
    So it doesn't matter how big your CF card is!
    There have been some mentions of making the /tmp and /var memory disk sizing settable from the WebGUI - that would help people who have plenty of memory in their nanobsd system, they could get more space in /tmp and /var.
    At present you have to find where it is set in the boot scripts and edit the magic numbers.

    Thanks. I've found it in /etc/rc.embedded.

    It's called tmpsize.

  • How do i setup multi lan

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    stephenw10

    It seems from your description that you have already set up more than one 'LAN' interface. Do you mean multi WAN?

    If not please describe your network and what you are trying to achieve.

    Steve

  • Active active firewall pfsync

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    P

    I don't think you can, but you can always try it and see. Post the results in here.

  • Web server hosting

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    N

    @Gi4usa:

    I am new to PFSense. I did not see anything in the documentation section on web hosting. I need information on how to securely host a web server, Win Server 2008 with IIS 7.0 using PFSense. Can anybody point me in the right direction?

    Hello Gi4usa,

    Here is a link to the screenshots that I looked at. I have the same concern; however, I did look at the firewall screenshots and it is a good fit for what I need to do. I am not sure if these will help you, but they helped me: http://www.pfsense.org/screenshots/ If you need help, just send me a private message and I think I can help ya.

    Good Luck,
    Michael

  • Enterprise Solution

    Locked
    12
    0 Votes
    12 Posts
    6k Views
    K

    I agree with asterix. While the Aironet APs are not the most admin-friendly on the market (I vaguely remember issues with setting up roaming correctly), they work reliably. Unlike the "Linksys by Cisco" AP stuff, which reliably fails.

    Concerning Layer7 filtering: it increases CPU usage, but does little to increase security. I prefer not to use it, but your bosses might have a different point of view. If management decides that they want Layer7 filtering, your hardware requirements will rise by an order of magnitude.

    In my opinion, overly restrictive firewalls will only teach better "hacking skills". Especially in a school/university environment, where information about circumvention of restrictions is communicated very efficiently (among the users, not towards the administration).

    Virus scanners on the firewall don't make sense if users are allowed to bring their own hardware into the network. If there has to be traffic between the Guest WiFi network and the "production network", you should concentrate your efforts on this interface. However, this access path doesn't really need to be more hack-proof than from the public internet.

  • IPv4 anycasted caching resolver

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    G

    I tried that, but I can't make unbound listen on any alias - they won't show up on unbound's configuration page and can't be selected as "listening interface".
    Ideally we could configure aliases for the anycasted IPs on the loopback interface, but the loopback doesn't show up under "interfaces" either.

    The vNIC trick applies to virtualized environments, but obviously that won't work with a pfsense running on bare metal.

  • Pfsense under virtual machine

    Locked
    2
  • OS X VPN Proxy settings

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    B

    SSH has a serious design flaw so I have SSH disabled to the outside world. Any known user can connect an infinite number of times. SSH leaves it up to the OS to manage this.

    SSH tunneling on a Mac and Windows both require administrative privileges to create the bridge interface, as it's on-demand and not an OS-level service. On top of that, I need all the devices using the same VPN system, and SSH tunneling can only be done with a jailbroken iOS device or with OpenVPN, which is horrible on iOS and is not able to work on cellular for proxying.

    I may just have to resort to installing Server on the mini and just using pfsense for firewall/proxy. With OS X Server it's much easier to use profile management on apple devices and force settings but I would rather just have one border device.

  • Best Tplink VLAN switch for Pfsense.

    Locked
    12
    0 Votes
    12 Posts
    7k Views
    I

    @star_tiger5, basically every TP-Link switch that is not unmanaged supports vlans. (web smart, managed, jet-stream)
    Switching speeds and total capacity differ per product iteration.
    So, if you are looking for the best performance, get the switch with the highest switching capacity for the number of ports you need.

    tl;dr, get any tp-link switch in the jet-stream or web smart product lines.

  • IAX2 traffic not working

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    W

    Hey Guys

    I think this situation is related to another post I got resolved as per this post.

    http://forum.pfsense.org/index.php/topic,59608.msg321277.html

    Wasca

  • Access to PFSense

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    M

    The first rule (except antilockout rule on LAN interface and block bogon networks) of every interface is:

    id   proto   source   port   destination   port   gateway   queue   schedule
          *           *             *         *                    *        *             none

    When I set up the HTTPS port on a different port, WebUI is still unavailable.
    nc -t -l 443 on the pfsense box and nc -t 192.168.1.1 443 on the LAN1 works in both ways.

  • Web UI crash every 5 minutes or so

    Locked
    27
    0 Votes
    27 Posts
    9k Views
    K

    @S(y)nack:

    All my VMWare ESXi interfaces are "flexible". I added one more interface with the "E1000" type and put it on the same network as my web UI interface.
    I've been able to access the web ui with this second interface, although it was crashed (again) on the first one.
    So could this possibly be a problem linked to the type of interface within ESXi ?
    I'll wait and see if this second interface crashes too…

    Interesting. I remember having serious issues with the e1000 interface; a change to flexible solved my problems. However, this was with FreeBSD 6.4 under VMWare Server 2.0. Maybe it's the other way around with the FreeBSD 8.1 and ESXi 5.1?

  • Transparent NTP Redirection

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    K

    If your clients use DHCP, you can also communicate a specific SHCP server via the "NTP servers" option.

    Of course, this is not as bulletproof as the "sneaky approach". It's also less geeky ;)

  • Zyxel DSLAM on pfSense PPPoE server

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    G

    I got it to work :D

    As it turns out, there was no problem with PAP. So the information in the thread linked above is probably outdated and no longer true - it certainly had me confused. The actual problem was much simpler: The shared secrets on PPPoE server and FreeRADIUS didn't match. Other than that, PAP works out of the box.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.