Thanks for the reply again :)

Learning to set up VLANs are not a problem for me, it's a skill I was hoping to learn anyways, however I thought my switches supported VLAN tagging, and it seems they do not, so I think a new hardware order is in my future, haha.

Thanks everyone for all your help :D

My BIL gave me the Dell Dimension 2400 I'm using for my pfSense box and 4600 I use for my everyday computer running FreeBSD 9.0. Both were originally running XP but he had taken the HD out of each and had them sitting in his basement.

I had taken the 13.6GB HD out of a Gateway PC and replaced it with an 80GB Seagate around 2000 and used them both for the Dell's. I don't want to jinx myself, but neither have given me any problems over the past 3 months I've been using them since.

because WAN is the only required interface. WAN is the only interface on single interface appliance-type deployments. Nothing prevents you from assigning em1 as WAN and em0 as LAN.

What is your host os/ Dom0? Virtualizer/Emulator/Hypervisor?

Some OSs love to cache. This is good.

@wallabybob:

So nobody takes the previously quoted set of IP addresses as definitive

Yes, re-reading my previous post I failed to make it clear that anyone doing this must do it themselves locally in order to get a useful set of IPs. The IPs used by Youtube (or any large distribution network) will vary geographically. Wallabybob and I are about as geographically separated as possible but you get the idea.  ;)

Steve

Try without squid.

That's fine, empty always means defaults as Steve noted. If a field is required, we force you to fill it in, it'll kick back an input error if you leave fields that must be filled in blank.

Yep that seems to have done the trick for the strange timestamps  ;)
cheers

I am using both manual outbound NAT, but my optimization is set to normal. I am running Cisco phones. I have heard that polycom phones are more forgiving.

@robpal:

Stephenw10as a test i ssh'd into my pfsense with putty and key as usual and then from there pressed F8 for a shell and ssh'd into my linux box - though maybe a key auth for this one is overkill at the mo seen as though you need to get into my pfsense with a key to access the linux box i the 1st place??

Not sure if that's a question but I would agree, no point in having key authentication on the second stage. In fact it's better not to do that. If somneone cracks the key on your ssh session to your pfSense box they would then have the key for your linux box since it would have to be stored on the pfSense box unless you copied it across every time.

The advantage of using an ssh tunnel or just nested ssh sessions is that ssh is pretty much omnipresent in the unix world so it requires almost no setup.
I haven't really researched it in security terms but as far as I know SSH with key based authentication is considered secure. As secure as a VPN? Depends on the vpn encryption used. I'm open to opinions.

Steve

Out of inodes is either something (would have to be a package) has gone wild and created a huge number of small files (usually you run out of disk space before you run out of inodes, unless there is a huge number of small files). The other alternative is what Jim mentioned, a failing HD or CF will at times cause out of inodes messages rather than the more common read and/or write errors.

@jimp:

http://doc.pfsense.org/index.php/Why_can%27t_I_view_view_log_files_with_cat/grep/etc%3F_%28clog%29

GOSH… i'm sorry :-X

Thanks!
You saved my day.

I forgot I had it set to Manual and the source was still the old Lan subnet.
Works as a charm now.

/Nicklas

You can add "DEFAULT Auth-Type: = Reject" with the GUI:

You just create a new entry on "Users" and put this in the correct custom-options box.

In pfsense 2.1 - when it is done and freeradius2 package is ready for pfsense 2.1 - you will be able to easy move entries in "Users" using the GUI.

@cmb:

Depends on what kind of scan you're doing. Things that use valid connections (ping scans, SYN scans) will work fine. Things that use scans that abuse TCP by setting flags that aren't valid will be blocked, legit TCP is enforced as with any worthwhile firewall. Just can't use many types of scans if you're behind or on a system with a firewall enabled.

^What he said.

I've got the pf firewall installed on my FreeBSD machines and use nmap to scan them.

It returns some packets being blocked and as the firewall not responding to ping, but if I set the -Pn flag it will continue the scan and show 1000 ports flitered.

sendto in send_ip_packet_sd: sendto(6, packet, 60, 0, 192.168.1.151, 16) => Operation not permitted Offending packet: TCP 192.168.1.150:?? > 192.168.1.151:?? ?? ttl=59 id=55250 iplen=15360 frag offset=512  (incomplete) sendto in send_ip_packet_sd: sendto(6, packet, 60, 0, 192.168.1.151, 16) => Operation not permitted Offending packet: TCP 192.168.1.150:48429 > 192.168.1.151:33217 FPU ttl=47 id=42102 iplen=15360   seq=1288232717 win=65535 <wscale 15,nop,mss="" 265,timestamp="" 4294967295="" 0,sackok="">+snip+ Completed NSE at 02:09, 10.00s elapsed Nmap scan report for 192.168.1.151 Host is up. All 1000 scanned ports on 192.168.1.151 are filtered Too many fingerprints match this host to give specific OS details</wscale>

@vassilis:

@jimp:

That depends on whether or not the IPMI is actually respecting its default gateway, but if it is a shared NIC you may be right it may just not be picking up the packets as they leave, and no amount of trickery on the firewall can help it. You might need to setup a simple bounce daemon on an internal server to reflect the ipmi port back, then connect from the vpn to that port on the internal server.

Thats exactly what I suspect aswell..

About not respecting the default gateway: Does it not show that its working when I can access the IPMI interface over a site-to-site VPN when the IPMI is not on the firewall itself but on a server within that network?

Yes if you can access it from another subnet, then it is probably using the gateway properly.