The limit would be at what point the XML gets so big it causes performance degradation. That's so high that it's WAY beyond what any sane network would have in static routes, I've seen systems with hundreds of static routes on slow hardware with no impact, could easily do many thousands. Beyond a few hundred you probably aren't routing very optimally, or should be using a dynamic routing protocol. People run the BGP package with multiple full Internet routing table feeds, that's over 350,000 routes in the routing table, and 2-3+ times that in BGP.

@dreamslacker:

@nearones:

Can some one guide me how to make rule for mime type in pfsense, i had gon through many docs, but all r on SQUID

You don't.  You use the MIME blocking for Squid installed as a package in pfSense.  However, this will block normal browsers from viewing youtube as well.  That's that.  No buts.

Short of actually sniffing traffic and writing your own layer7 patterns to block YTD, you're out of luck.
Even so, I believe that YTD, like most download software can spoof normal browser traffic so you would be out of luck there as well.

What you have isn't a network policy problem.  It's a system policy problem.
If you want to stop YTD, get on the systems and actually amend the GPs to prevent it from installing or running to begin with.  Alternatively, use a software firewall on the system that simply drops traffic originating from the YTD software.

You use the MIME blocking for Squid installed as a package in pfSense.  However, this will block normal browsers from viewing youtube as well.

What u said is also the good method to block some other websites like onlinegames, porn websites. But how can i do that in pfsense.

@SGTR:

Hi,

For your case you should check out link http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Accounting_with_Captive_Portal You might be put your printer different VLAN. You should check your switch conf. or port. Have you done nat rules for your clients ports? What is your nat rules? You can use traffic shapping for this.

SGTR

Hi SGTR,

I fixed everything by just changing my setup a little. It now looks like this:

Clients –-- switch ---- pfsense ---- switch ---- router ---- internet
                                                    |
                                                  server
                                                    |
                                                  printer

This setup also allows me to apply stronger security on our clients.

Now the only thing is trying to get daloRadius to read the FreeRadius sql hidden somewhere in pfsense, hope your link can help with that.

http://forum.pfsense.org/index.php/topic,47594.0.html

There appears to be a bug in my version of PfSense.  On the WAN interface, set for PPPoE, it does not allow you to save a "0" setting for "Idle timeout."  You can save such a setting if you enter the value via the Setup Wizard, however, editing the WAN page appears to dump the setting.  One can imagine what kind of problems this bug creates.

:(

Thanks for your feedback.
If we do change things anyway, it would also make sense to send a hostname or IP address within the syslog header to make it more RFC compliant.
Would you like to add that to your feature request?

You have decompressed the image. The md5 is generated from the original compressed version present on the server.

Yes we do, the patches are all in the tools repo.

That type of deployment is amongst the most common we do. We've done in excess of 100 datacenter setups similar to that for customers, and there are probably thousands of others out there that we've had no involvement in.

It's a feature, we're not fans of Microsoft.  ;D

No seriously, sounds like it's not a firewall-related issue. You're getting to some web server since you're getting a 404, and unless you put in an override in the DNS forwarder, it's sending you to whatever IP your configured DNS servers are responding with. What IP does bing.com resolve to?

i'll give that a shot.. what exactly does that do?

"If" i'm not wrong (i'm not a networking expert)

DHCP server "BOOTPS" have as src port 67, then if you block ANY (0.0.0.0/0) traffic coming from your Clients to the WLAN interface of your AP,  from port 67, then you are Blocking ANY external DHCP server.

About MikroTik, i can't help you. We are only using it as "Access Concentrator" (fancy name for a PPPoE server) and giving our customers "Static IPs", so i have no experience with MT and DHCP server / DHCP Relay  :-[

Also we are planning to take out the MikroTik PPPoE Server from our network (due the fact that Ubiquiti cant do QoS on encrypted traffic) and use Static IPs on the CPEs (in Router mode), and connect our APs (in Bridge mode) directly to the  pfSense server.

@marcelloc:

@luke240778:

Can you possibly tell me first how i can using vi edit the config.xml so i cna change the WAN and LAN ips on the box before i do the upgrade via shell?

use viconfig to edit config.xml on console/ssh.

Just in case, create a backup file before edit: cp /conf/config.xml /root/backup_before_upgrade.xml

Thanks for your reply, but that part i have already done, but it still has no network connectivity at all, can't ping anything.. so i am still stuck at how to get hte upgrade image onto it to try the upgrade

Each interface filter set ends with an explicit Block & Log rule, in my case. Apparently the tftp-proxy anchor is inserted after the user rules in the interface filter set. Thus, the block & log rule is hit prior to the pass rule for the tftp-proxy traffic. Eliminating the block and & log rule allows the traffic to pass the tftp-proxy rules but at the expense of not being able to log the blocked traffic on the interface.

I'm not real comfortable with this and will look for some clarification from the developers to understand if this is by design or if its appropriate to issue a bug report.

Filtering appears to have been added in V0.7, the most recent version.

Steve

@databeestje:

Can you submit patches?

No. Collaborative software development always seemed like rocket-science to me. If someone else figures out how to integrate this into mainline, it would be nice.

No. /var is a RAM disk.

Feedback.

I use vmware serial + named pipe proxy to test pfsense serial support.

The problem I met is that telnet client in windows automatically send newline character resulting `read' command feeds nothing, so is the Putty client.

Finally by turning off 'return key send telnet new line instead of ^M' option in putty, it solved my problem. Hope this will help others meet the same problem.

Thx for the suggestions, but I will not do something that will compromise even a little bit of security.  We're here to make rock-solid firewalls, and that's all that matters  ;)

I swapped the 250GB for an 80GB I had lying around.  So I don't care about the extra space anymore.  I can always hook up the 250GB in my server comp and access it from there…much safer ;)

Thank you all. I will post a diagram soon.

I have only VLANs in this NIC (tagged traffic)

Best

Kostas