meh found the solution

on user dn i had put only the username

the right is to put "cn=rad.adm,cn=users,dc=rad,dc=local"

Ok no 1 sorted. No used to having to put the block rule at the top as used to the cheap stuff.  Just need to sort out the content filter and I am home and dry.

Thanks

Gotcha, thank you!  ;D

No I'm talking about their online client that downloads and runs on your machine every time you go to the site, nothing special.
I was just pointing out that of all the bandwidth testing sites out there speedtest.net is the only one I've found that can test multiple connections.

Steve

You are right sorry for not giving this information.
My hardware setup i already explained but the problems are not coming from it.
After i deleted the Snort interface which i setup things work so below you will find a list of the rules i was using :

snort_attack-responses.rules snort_backdoor.rules snort_bad-traffic.rules snort_bad-traffic.so.rules snort_blacklist.rules snort_botnet-cnc.rules snort_content-replace.rules snort_ddos.rules snort_exploit.rules snort_exploit.so.rules snort_finger.rules snort_ftp.rules snort_icmp-info.rules snort_icmp.rules snort_icmp.so.rules snort_misc.rules snort_misc.so.rules snort_netbios.rules snort_netbios.so.rules snort_other-ids.rules snort_phishing-spam.rules snort_scan.rules snort_specific-threats.rules snort_spyware-put.rules snort_telnet.rules snort_tftp.rules snort_virus.rules snort_web-misc.rules snort_web-misc.so.rules snort_web-php.rules snort_x11.rules

Thanks again for any ideas.

Too bad, thanks a lot for this clear answer.

One solution would probably involve having the VPN endpoints on a distinct IP subnet, using NAT on both VPN endpoints and possibly port forwarding depending on how much of each local network you want to expose to the other end of the VPN (e.g. you want each local network to be able to access just a web server on the other network vs each local network has to be able to access all machines on the other local network).

@stephenw10:

I don't think anything definite has been said. It's all a big mystery!  ;D
However I do seem to recall reading that it may not be open source.

To be honest if you have enough pfSense installs that you need a central monitoring system perhaps you should have a support contract.

Steve

I'm an IT consultant and I'm always trying out new things for my clients and I have at least 5 that I can think of that can use this amazing software and at least two would be able and willing to pay for a support plan. I like to support a project that is living and quite well. I just need to run this software for a while and see how stable it is. So far it does not seem too stable, but I blame that on me making all sorts of changes and trying different situations with my box. I'm only on day 2 and I've had to power cycle the box at random for it becoming non-responsive a few times. :)

Hi,

Thanks for your feedback.

I didn't think to try to connect with ssh. I tried to connect to the VPN but it was not possible.

When the problem occured, nothing special. I looked at Cacti but the trafic was very quiet.

It's very strange because this load was very fast (sorry for my poor English).

No other packages installed.

With help, we figured out the causes and solution to this problem.

Cause :
Me and another admin, tried to access the RRD graph at the exact same time. This locked the interface.
PHPprocess was locked.

Solution :
Kill all locked PHP process.
Restart the webConfigurator.

@joegoz:

it's obvious that all of this is way over my head. Too bad it seemed like a fun project and just turned out to be a waste of an entire weekend.

If given details we might have been able to help you. This is a great project and well worth learning. This is for those who want more than assigning a green interface and a red interface.

@miles267:

67.222.132.199 is a non-cached DNS Server

Hmm, I should read more carefully!  ::)

Steve

So it does pull its IP from the RG via DHCP in that passthrough mode, just the public IP? In that case it should act the same as the modem, with a very short lease time and the RG should hand it its new IP when it gets one. That apparently doesn't work right on the RG (damn things are buggy as hell if you try to do anything other than using it as your NAT device, so that wouldn't surprise me in the least). The firewall you put behind it isn't "detecting the IP change", the RG has to assign it the new IP via DHCP and such devices generally do so quickly by assigning very short lease times. If it's not handing out very short leases, it'll take time until the lease is renewed and the new IP picked up. Doing double NAT isn't the best thing in the world, but I would expect that to behave better on the RG, and its regular DMZ mode seems to work fine. There isn't a functional difference between the two.

If I've learned anything in having the misfortune of working with those Uverse RGs on mine and several customers, it's do what works on the RG and be glad it's working. From its crappy stateful firewall that can't be disabled even with a static IP assignment (disable firewall doesn't disable anything), to numerous bugs throughout other things, those RGs suck.

I think see what you were saying in your original post.  Do you have NIC2 on the desktop PC connected to the WAN port of the wireless router?

What model of wireless router are you using?

Sorry I did not make this clear enough,  I suppose you are correct I can setup my cdn (Canadian) users to vpn into my US Pfsense box, currently I installed ccproxy on a windows server on the US side but I prefer not to run apps on the server can I use the proxy on the pfsense to accomplish the same task without a VPN?

Thank You,

Marcelloc - thanks for that - I really appreciate it. I'll check it out.

SPAMD should do what I want but getting it configured nicely is a pain. I've found that some of the spammers have already overrun the grey listing so I switched to black listing instead. It seems that I need to manually whitelist valid incoming connections using the SPAMD whitelist tab rather than the SPAMD Database tab - whitelist buttons.

I think I see the difference in the mechanics at play here. But without a method for working out who's connecting (other than tailing the damn logs and checking the IP addresses) how am I supposed to know what incoming mail to whitelist?

SO - your option may well turn out to be the best choice.

interfaces is not eth# named. those are named with drivers. ath# or em#

easiest way to do it is connect cable to that interface what you want to assign(other end of cable has to be in switch) and press a.

No bridging going on, but it looks like I might have had a breakthrough.
As per my previous thread, we are replacing our linux gateways. So far the pfsense and linux gateway have been active at the same time on one particular vlan. As soon as we disable on or the other gateway, the network stabilizes. There is only one dhcp server on the troublesome vlan. I'm not quite sure what is going on, but at least I have a starting point.