• MOVED: Seemingly random Captive Portal issues

    Locked
    0 Votes
    1 Posts
    787 Views
    No one has replied
  • CLI - unattended alias change / script.

    Locked
    0 Votes
    3 Posts
    2k Views

    Hello,
    I need this to run from a script that connects to the pfSense box through SSH using SSH keys, so yes :) I need it unattended!

    My config is currently:

    <aliases>
      <alias>
        <name>mx1</name>
        <address>192.168.241.21</address>
        <type>host</type>
        <detail></detail>
      </alias>
      <alias>
        <name>mx2</name>
        <address>192.168.241.22</address>
        <type>host</type>
        <detail></detail>
      </alias>
    </aliases>

    I thought to try a search and replace / regular expression solution:

    <address>192.168.241.21</address>

    becomes

    <address>192.168.241.28</address>

    Would a modification be promptly applied?

    Or keep several copies of config.xml to be swapped in for the operative one. Will exchanging the files trigger the system to read the new settings and act on them?

    Cumbersome I guess, but could do for my scenario.

    Definitely I hope that pfSense will have a full CLI interface. Its greatness, the web GUI, can't be a weakness too :)
    At the moment the only important CLI feature I can think of is the one for aliases, since I read that pass and block are already active:
    http://doc.pfsense.org/index.php/Adding_Rules_With_easyrule
    http://www.linuxnet.ch/pfsense-important-cli-commands/

    Also, what if I have CARP? (Not the case, but it is planned.) Would editing config.xml via regular expressions, or overwriting it with another file, trigger a sync to the other boxes?

    Thanks!

  • Ethernet over WAN

    Locked
    0 Votes
    7 Posts
    4k Views
    jimp

    This should work with the tap fix pkg + OpenVPN in tap mode (get the VPN connected, then assign the VPN interface, then make a bridge from LAN+VPN on both sides).

    Also works with IPsec in transport mode + GIF tunnel + bridge with GIF interface + LAN.

    Though I'd never recommend actually doing that in production… you will have far more headaches trying to maintain a common layer 2 in two locations than you'd expect (and not because of pfSense... it's just a bad idea in general).

  • Dual internet but want mail to only go out thru one connection, how?

    Locked
    0 Votes
    15 Posts
    3k Views

    For the benefit of newbies reading this and other threads, it can't hurt to restate this. When a client (mail programme, browser…) connects out to a server offering a service at a well-known port number, then the client uses an ephemeral port number (gets given any old port number from a temporary range - http://en.wikipedia.org/wiki/Ephemeral_port). The destination is the well-known port number (e.g. SMTP 25, HTTP 80, HTTPS 443… - http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers).
    When making rules to let clients out to a particular service, you generally need a pass rule on the interface where the source address is like:
    Source address: IP/s of the clients
    Source port: any
    Destination address: IP/s of the server
    Destination port: well-known port number (you can usually pick this from the dropdown list in the GUI)

    and for easy maintenance and readability of your rules, make aliases for groups of IP addresses (and special port ranges, URLs that you need to reference…) and use the alias names in firewall rules.

  • LAGG child interfaces running at wrong speed?

    Locked
    0 Votes
    3 Posts
    1k Views
    stephenw10

    There is a similar discussion here:
    http://forum.pfsense.org/index.php/topic,50444.0.html
    In that case it's setting MTU rather than connection speed. It ended in a horrible hack. ;)

    Also here: http://forum.pfsense.org/index.php/topic,50563.0.html

    Steve

  • Max Mac Count

    Locked
    0 Votes
    20 Posts
    7k Views
    stephenw10

    Here's a second opinion from a few years ago:
    http://freebsd.1045724.n5.nabble.com/Maximum-ARP-Entries-td4017394.html

    Steve

  • MOVED: Where in the script does the pass-through-mac occur?

    Locked
    0 Votes
    1 Posts
    973 Views
    No one has replied
  • DHCP client renewal period & WAN

    Locked
    0 Votes
    3 Posts
    2k Views

    @wallabybob:

    Ask your ISP. It is the DHCP server that assigns the DHCP lease time.

    This. If you're renewing every 150 seconds, you're getting a 300 second lease. Our dhclient follows the RFC the same as every DHCP client, renewing at half the lease length.

  • Bandwidth problem

    Locked
    0 Votes
    7 Posts
    2k Views

    @kishore:

    text

    Did you check the cables, switches, and other external stuff such as routers, repeaters etc.? Maybe something is running in half duplex, or a switch has limitations, uses 10Mb or is overloaded etc.? I would look outside your firewall first since your hardware is clearly capable. Also, if you are using old network cards or brands such as Realtek (not Intel) you may want to check that these work correctly and that you have a good and working driver.
    Some network cards use other manufacturers' circuits (typically Realtek) and may have problems. I am not saying that no NICs other than Intel work or work well (they do!) but I have run into weird problems a couple of times when the cards did not "work" properly. There are some threads about some of these issues I believe. If you can, try to replace a card with an Intel card (the cheapest desktop PCI cards for example; these work well and have a long lifetime) and see if the problem is still there. Sometimes you need to fiddle with the drivers and parameters. Did you google the card name?

    /E

  • Error 64 Host Down

    Locked
    0 Votes
    24 Posts
    8k Views

    It's 112.0.0.0/5 to ..*.0/29; actually it's my mistake that the subnet mask I put was wrong ;)
    I don't know how it happened but now the problem is solved.

    Hemant

  • Warning mails

    Locked
    0 Votes
    1 Posts
    817 Views
    No one has replied
  • Opt 1 interface not communicating with the internet

    Locked
    0 Votes
    4 Posts
    2k Views
    stephenw10

    Well, for example, a minimum set of rules to allow clients on OPT1 to have web access:
    Source OPT1 subnet, port any, destination any, port 80.
    This will allow traffic out to port 80, HTTP.
    You also need to allow access to the pfSense DNS forwarder:
    Source OPT1 subnet, port any, destination OPT1 address, port 53.

    Steve

  • USB web-camera with a pfSense. Anything we can do?

    Locked
    0 Votes
    8 Posts
    5k Views

    matguy,
    My hardware is not as good as you describe. I have a Pentium 3 800 MHz processor and 198MB of RAM. I think I will not be able to run several v-machines at the same time.

  • Multi LAN,s

    Locked
    0 Votes
    1 Posts
    897 Views
    No one has replied
  • Combining multiple ADSL lines for bigger upload?

    Locked
    0 Votes
    6 Posts
    3k Views
    chpalmer

    If you could get your ISP to do MLPPP for you then you could bond 4 DSL lines and get your 3 Mbps up.

  • Bridged LAN ports on same subnet but can I….

    Locked
    0 Votes
    2 Posts
    1k Views
    stephenw10

    I would guess no, it's not possible.
    You can only enable DHCP servers on static interfaces. In a bridge configuration usually only the bridge interface is static, so you would have to use only one instance of DHCP for the whole subnet. There is no way of filtering leases by source interface, that I know of.
    Alternatively you could have all the interfaces static, 192.168.1.1, 2.1, 3.1 etc., and still bridge them. If you had open firewall rules traffic could go between them. However you would run into some sort of subnet clash. You would want each DHCP server to hand out a subnet mask that included all the interfaces but you can only hand out the mask of the parent interface. Thus you would have to set the subnet masks of each interface to overlap all the interfaces. I don't know if pfSense will allow you to do that, I've always tried to avoid it ;) Even if it does I would imagine routing problems. Perhaps it might work - hypothetically!

    Steve

  • Load balance external servers (not multi-wan setup)

    Locked
    0 Votes
    1 Posts
    844 Views
    No one has replied
  • Outrageous number of processes running

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Printer errors in system logs after upgrade 1.2.3 -> 2.0.1

    Locked
    0 Votes
    1 Posts
    957 Views
    No one has replied
  • Wishing to secure bandwidthd and some other webpages

    Locked
    0 Votes
    5 Posts
    3k Views

    @marcelloc:

    If you have PHP skill, take a look at the sarg package (sarg_reports.php and sarg_frame.php); I've limited its access to pfSense user permissions.

    Thanks. I'll give it a shot.

    Edit: Where in the file structure could I find those files?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.