• Accessing 'old' logs

    Locked
    0 Votes
    2 Posts
    1k Views
    jimp

    On pfSense 2.0.1 and earlier, the log files were always wiped/reset at bootup.

    On pfSense 2.0.2 and later, on a full install the logs are kept at bootup.

    On NanoBSD, the logs are kept in RAM and would be wiped after each reboot no matter what.

    If you need to keep logs indefinitely, set up a syslog server and have pfSense send its logs there.

  • IP block problem

    Locked
    0 Votes
    3 Posts
    1k Views
    stephenw10

    @rabbyweb:

    It's showing it's block our IP.

    What is showing this? Where?

    It's unlikely you will have multiple public IPs. You would have to have paid for these from your ISP.

    Steve

  • Extremely slow inter-vlan routing

    Locked
    0 Votes
    7 Posts
    5k Views

    @cmb:

    Judging by this (I have no 10G equipment at all), the Intel 10G driver in FreeBSD 8.1 must be somehow broken with VLANs. I would try 8.3-based 2.1 from snapshots.pfsense.org.

    I had severe problems with VLANs with Intel 1 Gb (Intel® Pro 1000 network, em0 & em1) NICs also. Upgrading to the FreeBSD snapshot solved the issue.

    BR, Tommi

  • Some error messages..

    Locked
    0 Votes
    2 Posts
    1k Views
    jimp

    The llinfo error means that it's trying to send a packet to that IP (typically that's your gateway IP) but it can't be located on that interface. That can happen if the interface IP changes via DHCP on WAN, or if you manually change it, and there are still states referring to the old/previous gateway.

    The apinger error can be ignored - it's meaningless.

    The hotplug event means what it says. lan was unplugged and plugged back in, but since lan has a static IP, nothing was done.

  • How to allow to open all the blocklist for a single IP in pfsense

    Locked
    0 Votes
    5 Posts
    9k Views
    GruensFroeschli

    You can set a domain override for facebook.com pointing to a nonsense IP.
    (I usually set it to an unused IP in the local subnet when I "block" a domain like this).

    However with such a setup it's not possible to change the behaviour for one/multiple specific IPs.

    You might want to look into a "proper" solution to block domains.
    (e.g. squidGuard).

  • Accessing configuration web/telnet of VDSL modem set in DHCP mode.

    Locked
    0 Votes
    5 Posts
    2k Views

    @stephenw10:

    Hmm interesting question. There are a few ISPs using MPoA in the UK, perhaps most notably SKY are switching users to it and require a special dhcp option.
    Adding a virtual static IP in the modem subnet seems like the way to go. As you suggested.

    Steve

    Thanks again Steve :)

    If we carry on this way instead of a beer I'm gonna have to buy you a holiday in Madagascar ;)

  • Help with lcdexec

    Locked
    0 Votes
    5 Posts
    2k Views

    Ok!

    Thanks for your answers Steve, I hope this thread may help some other lost soul in the future.

    Yes, I copied my lcdexec.conf from some guy whose name I don't remember, but I'm able to reboot, shutdown, reset webgui, interfaces, etc.

    When I'm done with my box I'll post pictures of the case.

  • Separate specific machine and control access.

    Locked
    0 Votes
    4 Posts
    2k Views
    johnpoz

    Well if you're going to want to isolate more of your network in the future - then I would suggest moving towards smart/managed switches.

    But switches that support vlan on both sides of your wireless bridge and you shouldn't have any issues - your wireless bridge just passes all info it sees right.  So this would contain your vlan tagging.  Can you just bridge your trunked connection as another way to put it.

    Wireless bridge does not seem like a great way to connect buildings to me - what is the speed of this connection?  Users in the other building all sharing wireless link sounds slow to me for internet access.  And then now you're going to have users coming the other way for file access?

  • Can pfsense provide captive portal with a whitelist?

    Locked
    0 Votes
    4 Posts
    2k Views

    @thepccentre:

    So the allowed IP is the IP of the destination, I thought this was the client's IP address and it bypassed the portal for that client.

    The Allowed IP addresses tab discusses TO IP addresses ("flows"  TO those addresses bypass the portal) and FROM IP addresses ("flows"  FROM those IP addresses bypass the portal).

  • Firefox cannot automatically detect proxy settings.

    Locked
    0 Votes
    2 Posts
    2k Views
    marcelloc

    Did you try to reload the script on the Firefox config screen? Close and reopen the browser?

  • Pound + HaProxy / Internal Connectivity

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • UTorrent only through VPN: could a virtualized pfSense help me?

    Locked
    0 Votes
    5 Posts
    3k Views
    stephenw10

    It is possible!
    How complex it might be to do it is another thing.  ;)
    I've never used WHS so I can't speak from personal experience but I would start by seeing what sort of settings are in uTorrent/eDonkey for doing this.

    You first want to change the VPN connection settings so that it doesn't become the default route when connected. Then maybe try running a socks proxy setup to send traffic via the VPN and set your application to use it (if they support proxies).

    There's probably many ways to achieve this.

    Steve

    Edit: Looks like in emule you can just use the BindAddr option to make it use the VPN interface as linked to by Dreamslacker above: http://forum.emule-project.net/index.php?showtopic=143867&view=&hl=BindAddr&fromsearch=1

  • PfSense + Univention-LDAP

    Locked
    0 Votes
    2 Posts
    2k Views

    Hello, I can't believe that nobody knows that

  • Bandwidth degradation

    Locked
    0 Votes
    5 Posts
    2k Views

    There is no PPPoE in the path. The router ends a synchronous leased line and the pfSense is
    connected to the router's LAN interface. I really do not know what the problem can be.

  • SSH Tunnel with Active Directory Authentication

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Deployment suggestions: multiple instances

    Locked
    0 Votes
    8 Posts
    3k Views

    My LANs are various tenants, and most of the traffic is tenant to tenant. For LAN routing I can use my L3 core switch, but what I'm looking for is regulating traffic between LANs.
    I also have multiple WANs in my setup, so my choice is to separate the WAN part from the LAN part.
    Today I tested the VPN part, and with OpenVPN it is working as expected (the VPN machine is behind NAT). Once I have tested IPsec I'll start deploying stuff on the ESXi environment in production.

  • Set several IP's to use a specific interface for WAN

    Locked
    0 Votes
    9 Posts
    3k Views
    stephenw10

    I certainly agree that it's important to have internal servers respond via the same WAN they receive traffic. Opening a new connection that appears to come from a different IP could cause all sorts of trouble.

    However, as you say, the incoming WAN connection is determined by hostname resolution and port forwarding rules. If a firewall rule is in place to direct new connections via the same WAN that should not be problem.

    I guess if you had multiple hostnames on multiple WAN connections all forwarding to the same internal server that could be a problem.  :-\

    Am I missing something obvious?

    Steve

  • Pfsense with wifi / lan bridge (ip set on bridge) and windows 7

    Locked
    0 Votes
    6 Posts
    3k Views
    stephenw10

    This needs to be added as a sticky or FAQ. I haven't read this anywhere else and it must be plaguing plenty of users. I don't actually have any Win7 machines myself.

    Steve

  • One person cannot rdp into my server but everyone else can.

    Locked
    0 Votes
    8 Posts
    3k Views

    I have seen similar weird things before. If you are sure your config is correct, try asking the user to connect via a different firewall (at their side), for example if it is a laptop, ask the user to connect via a smart phone, the WLAN service in the cafeteria or the local Internet café or similar. If it works I would suspect that the firewall does something that your firewall(s) does not like, such as silently dropping some TCP packets or similar that results in the client (software) not being able to connect. Could be a bad port in a switch or a "broken" switch as well but not as likely. Try replacing one thing at a time and you'll probably find what causes this. If it does not work, try using a different client software or similar service such as VNC etc. at the client side (temporarily disabling software firewalls could be worth trying as well).

    If all other clients can connect it should be something this client does differently and the explanation is probably hidden in there somewhere.

    If you find what causes the problem, please write it here for future reference.

    cheers,
    /e

  • Bypass pfsense for particular lan ips

    Locked
    0 Votes
    2 Posts
    2k Views

    Are those gateways routing only? If they are NATting, then it will not be possible. But under a routing, you can allow that IP to allow all or to white list it in squid. When you white list, I don't think it caches. Is that what you are looking for?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.