• File server Running on Pfsense Box

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    stephenw10S

    Run pfSense and, say, nas4free as vms under the hypervisor of your choice.

    Steve

  • Remote monitoring using iOS?

    Locked
    25
    0 Votes
    25 Posts
    8k Views
    stephenw10S

    Nice.  :)

    Steve

  • FreeBSD Project Discloses Security Breach

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    R

    @cmb:

    Doesn't have any effect on anything we do or any of our users.

    Thanks just wanted to make sure.

  • IGMP logs make pf logs mess

    Locked
    11
    0 Votes
    11 Posts
    5k Views
    johnpozJ

    http://doc.pfsense.org/index.php/How_can_I_edit_the_PF_ruleset

    I would assume you could edit them with pfctl if you wanted - but wouldn't survive reboot, etc.

  • How does pfsense's web interface run root scripts

    Locked
    11
    0 Votes
    11 Posts
    5k Views
    C

    You can do that, but we run so many things from the web server that it would be functionally no different to allow everything.

  • DNS Server Setup - Help greatly appreciated

    Locked
    2
    0 Votes
    2 Posts
    830 Views
    johnpozJ

    "If i was to deploy pfsense on my dedicated web server."

    What?  Do you mean putting your webserver "behind" pfsense box?

    I would not suggest running a webserver off of pfsense other than very minor sites if you had no other choice.

  • Junk in dmesg logs

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    N

    Ahh, interesting. Thank you very much!

  • Multi WAN - Multi VLAN - LoadBalancer

    Locked
    19
    0 Votes
    19 Posts
    6k Views
    stephenw10S

    Ah good to know and thanks for confirming.  :)
    What would be useful would be to be able to use some of the system "aliases" in firewall rules. For example use Private_networks or Negate_networks. As it is I have an alias I set up myself, LOCAL, but I have to remember to update it if I change anything and it doesn't include the WAN IP (though could it?). Negate_networks does that automagically.

    Steve

  • Pipe symbol not working in pfsense shell

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    K

    Thanks Jimp, that did the trick nicely.

  • Netgate pfsense router able to run a 150 device network?

    Locked
    9
    0 Votes
    9 Posts
    3k Views
    C

    The ALIX can handle 150 devices generally. I'd be a bit more comfortable with the Netgate 7535 at that scale, or one of the slightly higher end options from Hacom or similar.

    My guess on why your DDWRT stops issuing leases is the lease file gets too big for the amount of RAM it has available, and the DHCP server crashes. You can't scale much with the kind of low end hardware DDWRT is generally used with; your average Linksys, regardless of what it's running, isn't suitable for a 150 device network.

  • Want to use pfSense as a BW simulator for two lan in the same time

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    R

    Maybe the first description is not clear for anybody :-) So please see what I would like to do:

    [Attached image: concept.jpg]

  • Pfsense 2.0.1 don't fragment packets bigger than interface MTU

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    A

    Ok, and what about outgoing frame, why this

    [2.0.1-RELEASE][admin@midgard.home]/(33): ping -s 2000 172.30.1.50
    PING 172.30.1.50 (172.30.1.50): 2000 data bytes
    ^C
    --- 172.30.1.50 ping statistics ---
    8 packets transmitted, 0 packets received, 100.0% packet loss

    is not working? Shouldn't pfsense fragment the packet before sending it (like Windows does)? 172.30.1.50 is a freebsd9 pc with 9K mtu on interface and frames are properly fragmented before they are sent out.

    root@freebsd9-storage:/home/alximik# ping -S 172.30.1.50 -s 18000 172.30.1.20
    PING 172.30.1.20 (172.30.1.20) from 172.30.1.50: 18000 data bytes
    18008 bytes from 172.30.1.20: icmp_seq=0 ttl=128 time=1.270 ms
    18008 bytes from 172.30.1.20: icmp_seq=1 ttl=128 time=1.318 ms
    18008 bytes from 172.30.1.20: icmp_seq=2 ttl=128 time=1.248 ms
    18008 bytes from 172.30.1.20: icmp_seq=3 ttl=128 time=1.309 ms
    18008 bytes from 172.30.1.20: icmp_seq=4 ttl=128 time=1.237 ms
    ^C
    --- 172.30.1.20 ping statistics ---
    5 packets transmitted, 5 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 1.237/1.276/1.318/0.032 ms

    ============================
    Checked the capture, the cause is big echo reply. It was pretty stupid. Please close this topic =)

  • Pfsense block my port 80 after multiple failed logins

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    W

    maybe the webConfiguratorlockout rule? (can someone verify)

    issue the following command and see if it returns anything.

    pfctl -T show -t webConfiguratorlockout

    For reference, if you run  "pfctl -T show -t bogons" you should return something similar to:
      0.0.0.0/8
      100.64.0.0/10
      127.0.0.0/8
      169.254.0.0/16
      192.0.0.0/24
      192.0.2.0/24
      198.18.0.0/15
      198.51.100.0/24
      203.0.113.0/24
      224.0.0.0/4
      240.0.0.0/4

    Brian

  • Pfsense & no-ip.com

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    W

    Configuration MIGHT be somewhat easier if your modem-router can operate in bridge mode. I have tried to set up two different ADSL modem routers in bridge mode and failed to get it to work so used a modem instead. If you can get your modem to work in bridge mode then pretty much all subsequent configuration will be done on pfSense. However getting your modem to operate in bridge mode could be a frustrating learning experience.

    I'll assume you will stick with the modem acting as a router.

    If your modem-router supports dynamic DNS registration to no-ip set that up, otherwise configure dynamic DNS in pfSense through Services -> Dynamic DNS. Dynamic DNS setup on your modem-router is preferred since it can more closely track changes to your public IP address than pfSense can.

    You will need to configure your modem router to forward the required TCP (and UDP?) ports to the virtual server IP address and add a static route to the modem-router so it knows to get to your virtual server IP address through the IP address of the pfSense WAN interface.

  • Log file Question

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    jimpJ

    Looks like that may be normal if the settings were present and then were removed.

    Checking the code, it just tests if the settings were ever there, and if they were but the IP is empty, it prints that message.

  • Switching from one LAN to 17x VLAN

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    S

    Damn it,

    it seems that I've forgotten to set the trunk port on the switch, because this time everything worked out after the firewall reboot. Thanks for your help!

    Cheers,
    Szop

  • Bridge LAN ports to act like a switch

    Locked
    61
    0 Votes
    61 Posts
    103k Views
    stephenw10S

    So you got the bridge setup ok?

    That router appears to have a bridge mode that might work in pppoa. There is almost no description in the user manual though so it's impossible to say for sure.
    In 'Interfaces Setup' in 'Internet' select pppoe/pppoa as the connection type and set 'Bridge Interface' to 'activated'.
    If that doesn't work the next best option would be to use the DMZ feature to send all traffic to the pfSense box.
    Please start a new thread for that though if the pfSense bridge is now working.

    Steve

  • Bidirectional traffic copy (bridging) from wired to wifi for a single IP

    Locked
    11
    0 Votes
    11 Posts
    4k Views
    S

    Alright, I'll try with IGMP proxy first. Mostly I would like to prevent unnecessary torrent and file transfer traffic to flood the WiFi. If I manage to get the iptv pass-through working with igmpproxy, then that as well.

  • L2TPv3

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C

    not at this time

  • Pfsense with double NAT

    Locked
    14
    0 Votes
    14 Posts
    9k Views
    johnpozJ

    And how many hosts are you going to forward to?  That's 1, right - so why do you need an alias?

    Why do you need to put something under Wan Address - is that not going to be the destination IP??  What is normally your Public IP, or in your case 10.0.0.3 which your first router will be NAT inbound traffic to, since you put your pfsense wan IP in its DMZ.

    No other forwards on your first router - just the DMZ setting is all that is needed.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.