• Delete user expires

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    A

    I'm still having trouble with this and I do not have the answer.
    Does someone know or can tell me in which way seeking ?

    Airy

  • Comcast Connection Failure raised Havoc with DNS –

    Locked
    13
    0 Votes
    13 Posts
    4k Views
    T

    @Phonebuff:

    I appeared to lose all DNS resolution and specifically the CBeyond DNS as the SIP registry went away.

    –---------------------------------------------------------------------------------------------------

    Did I miss something in my configuration(s) ?

    JMS.

    I see you mentioned Asterisk later in the post.  The fact you lost all SIP registrations to the server is a very well documented Asterisk problem.  If your Asterisk server loses DNS resolution (sounds like you have a SIP trunk as this bug doesn't affect TDM devices from what I've heard), then it will fail to respond to SIP registrations itself.  There have been many attempts at workarounds (DNS caching and such) but it will still always fail eventually.  It sounds like you got your DNS issues sorted, so you probably noticed your phones started to register at that point too…

  • Applying patches from FreeBSD Security Advisories

    Locked
    8
    0 Votes
    8 Posts
    2k Views
    C

    @al1x:

    OpenSSL? crypt? pam? I haven't looked at them in depth but they would seem to be relevant.. no?

    crypt applies strictly to DES hashing, which we don't use anywhere. The PAM one isn't applicable to anything we do. The OpenSSL one, we got a private heads up related to that which I can't discuss, but it's not something that's applicable in our use cases and there are other reasons it's been delayed until now (like the additional one on sysret, though local priv escalation generally isn't applicable either). Now that the sysret one is settled with the updated advisory this week, we'll have 2.0.2 out shortly.

    We have a good relationship with the FreeBSD security team and are always on top of security advisories. If/when there is ever a reason for a quick update, we'll put one out immediately.

  • No package manager

    Locked
    3
    0 Votes
    3 Posts
    6k Views
    C

    If you're running from live CD (or memstick, which is the live CD for USB flash), you can't install packages. If you're running full time from USB flash, use nanobsd on it, not memstick.

  • Umts/LTE bonding like Viprinet or Peplink

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    GruensFroeschliG

    Take a look at this: http://doc.pfsense.org/index.php/Multi-Link_PPP_%28MP/MLPPP%29
    This is only the client side however.

    For the server you will have to look elsewhere.
    Don't really know where. Google.

  • Need more projects.

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    stephenw10

    @virtualliquid:

    it does not break and I now have nothing to play with :(..

    :D
    I feel your pain!
    External syslog server and analyser? That's something I've been meaning to set up for a while now.

    Steve

  • No Internet access to LAN2

    Locked
    39
    0 Votes
    39 Posts
    14k Views
    _Adrian__

    I can ping all of the Google DNS Servers.

    Server is HP Proliant DL580 G4
    Quad 3.6Ghz DC w/ 64GB
    Running 2K8 Datacenter

    I have 3 more exact servers arriving in the next few days along with 4 PCIe Mellanox cards.
    The Idea is to set them up as a cluster.

    Anywho…
    Apparently it didn't want to use the DNS servers until I supplied it for them in the IPv4 config.

    Thanks Steve for all your help

  • Securing 802.1x

    Locked
    7
    0 Votes
    7 Posts
    13k Views
    N

    what about setting up a captive portal on pfsense ?
    captive-portal connected to freeradius. if they use their username/password on the switch or on CP. Would that make any difference ? CP is always active on pfsense NIC.

    If you enable CP + 802.1X then you must add a pass-through for the switch on CP so that the switch can send access-requests through CP to freeradius.

  • Any updates on number of pfSense known live installs ?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    D

    Since it has been about 6 months since the stats were last posted, is there a newer estimate of the number of live pfSense installs?

  • Using interfaces as switch?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    A

    Thanks!

  • Why NAT66 is needed

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    I

    Thx a lot. One of the strengths of pfSense really is that forum, too!

  • Bandwidth in isp need help about hardware detail

    Locked
    12
    0 Votes
    12 Posts
    3k Views
    S

    thanks for helping  ;D

  • Wan=two lan

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    ?

    Hello, you can use this tutorial and skip the captive portal if you don't need captive portal!

    http://blog.stefcho.eu/?p=754

    I forgot you just have 2 nics, maybe you could use a usb nic for the third one?

  • PfSense WebGui not accessible from PPTP client

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    P

    If you can get an SSH session to a box behind the pfSense firewall, then you can configure a tunnel for 127.0.0.1:xx80 to your pfsense:80 using the standard putty features.

    Connection / SSH /Tunnels

    Source port xx80  Destination pfSense:80 Add Apply.

    Good luck ..

  • Best CPU speed for 60mbits WAN cable ISP

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    rcfaR

    I have one of these, and couldn't be happier:

    http://www.lannerinc.com/x86_Network_Appliances/x86_Desktop_Appliances/FW-7535

    I got this sub-model: FW-7535F: Pineview D-510 CPU 1.6GHz; w/ 1 x SO-DIMM slot, 1 pair bypass, fanless

    Saturating a 20Mbit/s link doing 256bit AES IPSec barely registers on the CPU scale…

    I put 4GB RAM in the box, and recently replaced the CF card with a 60GB SSD from intel, which I got for $60 at NewEgg.
    The thing is now fast, and doesn't have any moving parts, since it's passively cooled, too.

  • Upload shaping for each lan users

    Locked
    1
    0 Votes
    1 Posts
    885 Views
    No one has replied
  • Lagg - Make Jumbo Frames Persistent?

    Locked
    20
    0 Votes
    20 Posts
    10k Views
    A

    @stephenw10:

    Nice!  :)
    pfSense still shows the correct interfaces in the dash etc?

    Yep.  :)

    Not pretty but if it works…

    Indeed…

    It should be possible to do this in the webgui IMHO. There was a change to the way bridge interfaces are handled that would seem similar to this problem. Previously the bridge itself could not be assigned as an interface. It seems to me quite likely that if you need to create a lagg to increase bandwidth you might also want to use jumbo frames. Something for the future perhaps.

    Steve

    Tried to edit in GUI, but it hung on "Save", and wouldn't refresh the page. Probably a browser thing on my end.
    I don't see why it wouldn't work to edit /cf/conf/config.xml in the GUI.

    Also, this may well work with the preferred <shellcmd> tags rather than <earlyshellcmd>. I tried "Early" first, and it worked, so I quit winners.  :D

    I think the "glitch" is systemic with ifconfig(8), and originates in ifconfig not having the capacity to pass a flag for persistence across boots. The FreeBSD ifconfig(8) man never even considers it, but it's common enough knowledge so that we pretty much all know we have to make an entry in rc.conf, either manually or via sysctrl, by the time most of us develop the courage to pop the hood on pfSense.

    But pfSense is hardened, and so it can't work like that.
    This is the definition of an "ugly" hack in that it has to destroy and recreate something after the fact, but what the hell, it works.

  • Routing traffic to a remote site

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    P

    @Efonne:

    If the remote site that has the public IPs is set up so you route the public IPs instead of directly assigning them to WAN, you could do this with purely routing and no NAT.  The remote site's router would need a static route for the public IPs with the gateway IP being the tunnel endpoint of the local router and the local router could have an interface that directly uses the subnet for those public IPs.  The local router would likely need a firewall rule to force traffic sourced from the public IPs to use the remote site tunnel endpoint as the gateway.  The tunnel endpoints themselves could use private IPs, no public ones there would be necessary.

    Okay, I think I understand what you are suggesting. I thought the static routes were more for telling traffic where to go, not controlling inbound traffic.

    So on the remote router I would do something like this (assuming my tunnel endpoints are 10.100.6.2 (remote) and 10.100.6.1 (local)):
    Dest Network: Public IP2 (Assuming Public IP1 is reserved for the Wan interface itself)
    GW: 10.100.6.1
    Then repeat that for IP3 through IP_n.

    On the local router I would set up an interface with those same IPs.
    A few questions: what kind of interface should I be using for this, VLAN? Something else?
    And would I set it up as Public IP1 with a size of /29 (assuming that is the network size at the remote site)? If so, how does it know that Public IP1 does not need to be routed over the tunnel (since IP1 is the target IP for the tunnel itself)? Can I simply do that with a static route or does it need to not be part of the subnet, and if that is the case do I need to do this with a subnet that is smaller than the subnet at the remote site?

    Finally, how would I know that traffic was sourced from those public IPs (to know to redirect it out there)? Would I just need to make sure that it went to specific IPs on my local network (e.g. 10.100.10.200-10.100.10.220 would only get traffic coming from the remote site so I could create a rule on the LAN to use 10.100.6.2 as the gateway for those IPs)?

  • PFSENSE in Transparent BRIDGED mode

    Locked
    9
    0 Votes
    9 Posts
    3k Views
    D

    Thank you very much, I am working on my lab tests now and I will post my results.

  • Approaching the limit on pv entries

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.