• Existing pfsense, convert to Dual WAN

    7
    0 Votes
    7 Posts
    1k Views
    B
    When you set up your new OPT1 interface, it will likely come with the standard Anti-Lockout rules (unless you have disabled these). Aside from that, all traffic will be blocked unless rules are explicitly set to pass it (as is the default configuration of just about any firewall on the market – default block all). To allow traffic to host(s) behind the OPT1 interface, you will have to add rules manually. So say you set up an FTP server and you want it to be accessible, you will need to add a rule to allow this host. The parameters you'd use would be:
    Interface: OPT1 (packets must come in on this interface to match this rule)
    Source: Any
    Destination: Single host or Alias <IP address of the FTP server>
    Source Port Range: FTP
    Save & Apply.
    So you won't have to worry about firewalling off the bat.
  • PPPoE issues – how to make logging more verbose?

    2
    0 Votes
    2 Posts
    973 Views
    B
    I got it working – the issue was the firmware I was running on my modem (3.7.5.2) has a bug with PPPoE. Using firmware version 3.7.5 I was able to get it to work.
  • How to disable this feature without webGUI access?

    3
    0 Votes
    3 Posts
    8k Views
    S
    Thanks, but I don't have access into the GUI at all. That's why I wanted to know if there was another way to disable the REFERER check. UPDATE: I got this solved by using the following command: pfSsh.php playback disablereferercheck The info was from here: https://forum.pfsense.org/index.php?topic=56956.0
  • Can't browse the internet when directly connect with my pc to LAN port

    2
    0 Votes
    2 Posts
    765 Views
    johnpozJ
    Did you put a gateway on your LAN - this seems to be a common issue.. Why users do this I have no idea, but it seems to come up quite often.. Can your client on the LAN ping the pfSense LAN IP?  Did you alter the default LAN rules?
  • Hourly : apinger: SIGHUP received, reloading configuration

    2
    0 Votes
    2 Posts
    2k Views
    C
    Hi, disabling "State Killing on Gateway Failure" doesn't change this behaviour. Even more.. it seems that not apinger is reloading anything hourly. As far as I can see, also apinger IS restarted hourly. Currently I'm investigating radvd logs (routing.log), as I'm running IPv6 prefix delegation.
    Jul 26 09:13:25 pfsense radvd[40496]: resuming normal operation
    Jul 26 10:13:23 pfsense radvd[40496]: attempting to reread config file
    Jul 26 10:13:23 pfsense radvd[40496]: resuming normal operation
    Jul 26 10:13:24 pfsense radvd[40496]: attempting to reread config file
    Jul 26 10:13:24 pfsense radvd[40496]: resuming normal operation
    Jul 26 10:13:25 pfsense radvd[40496]: attempting to reread config file
    Jul 26 10:13:25 pfsense radvd[40496]: resuming normal operation
    Jul 26 11:13:23 pfsense radvd[40496]: attempting to reread config file
    Jul 26 11:13:23 pfsense radvd[40496]: resuming normal operation
    Jul 26 11:13:24 pfsense radvd[40496]: attempting to reread config file
    Jul 26 11:13:24 pfsense radvd[40496]: resuming normal operation
    Jul 26 11:13:25 pfsense radvd[40496]: attempting to reread config file
    Jul 26 11:13:25 pfsense radvd[40496]: resuming normal operation
    Is it possible that this has something to do with this BSD option: net.inet6.ip6.rtexpire: 3600
    Any help would be appreciated. Kind regards, Roel
  • Network Setup

    3
    0 Votes
    3 Posts
    1k Views
    johnpozJ
    Yeah not sure how these questions are related to pfsense.  Is pfsense going to be gateway of every vlan?  Are you asking how to do that?  And it's not really a cisco EA6300, it's a linksys home wireless router that can be had for like $100.  I don't even think it supports vlans.  And don't even see dd-wrt support for it. So not sure how you expect to put different wireless users on different vlans?
  • SSL errors

    7
    0 Votes
    7 Posts
    2k Views
    johnpozJ
    What is before that part of the sniff?  I have to assume it resolved something to that IP..  What exactly are you doing to generate that traffic?  BTW that is not an error,  that is just some info about the packet - if you're thinking chksum bad is an error that would prevent communication or your error? So fix your issue on why the box is trying to go to 10.0.1.1 if that is not the correct IP for where you're trying to go.  What IP are you trying to go to?
  • Some questions, some complaints

    6
    0 Votes
    6 Posts
    1k Views
    D
    1.  From the definitive guide, it says that Quick is enabled by default on all rules except floating rules.  I don't know if that means it doesn't work or if Quick is not desirable.  And, honestly, I can't even dream up a scenario where I create rules and then want them last-matched.  Who does this, and what good is it?  I tend to stick with what's originally suggested.  If the wizard-created rules use MATCH, I use MATCH. You mean that quick option should work with match action otherwise it doesn't make sense or this makes settings very confusing. I always try and test my configuration after I set new rules because funny things could always happen. I tested match action with quick option. I doubled ("add a new rule based on this one" button) an existing rule and I changed the second rule's queue to another queue. I set both rules' action to "match". Then I found out that traffic goes to the second rule's queue. Then, for the second test, I set the first rule's action to "pass", then I tested again; traffic goes to the first rule's queue. In my opinion, this trial and error method proves that match action doesn't work with quick option or there is a major bug in there. I use 2.1.4 version-p16 which seems to be the latest as of today
  • Facetime and site to site VPN

    4
    0 Votes
    4 Posts
    2k Views
    G
    Ok then! Then you will have to filter out the traffic. Did you try with the ports specified on the Apple document? You can also monitor the state table while on a call. Or better, assign a fixed IP address to your iOS devices and deny them access to the remote networks (unless you need that access for other reasons, of course)
  • How to make 2 subnets to working with Pfsense Proxy

    1
    0 Votes
    1 Posts
    661 Views
    No one has replied
  • Install pfSense TO USB FROM USB Stick/Flash?

    4
    0 Votes
    4 Posts
    11k Views
    M
    @spiritfly: I never realized that the nanoBSD is a different version. I thought that guide is taking me to the same mirror links for the same image. Oh well.. I've already installed it to my USB flash disk using another USB flash drive to put the installation on it. Then booted from it and chose to install on the first (empty flash disk) and it installed correctly. I would caution you that the nano version has optimizations for flash that will preserve the life of the USB stick. Otherwise you might find it dying in less than a year since the standard version will write to it as though it were a hard disk. https://www.pfsense.org/about-pfsense/versions.html Flash memory can only handle a limited number of writes, so the embedded version runs read only from flash, with read/write file systems as RAM disks. Switching versions is actually quite painless. Save your configuration to your computer from Diagnostics: Backup/restore: Download Configuration, install the nano version to the USB stick, then upload your configuration back to it. Another alternative is that you can manually configure the full version to behave mostly like the nano version. @spiritfly: One question about this though. I've noticed that when booting from the USB flash when it is connected on some of the USB ports on the back of my PC, an error showed up just before pfSense was supposed to boot and the following command line came up: db> If I take and connect the same USB thumb on the front it runs perfectly. Weird.. I think all USB ports are USB 2.0 front and back. The MB is Asus M2N-MX if it means anything. My guess would be that the drive numbers are changed when you move it to a different port. The simplest solution is to have it in its final port when it's installed although you can reconfigure if moving is necessary.
  • Squid, Snort, pfBlocker issue?

    3
    0 Votes
    3 Posts
    1k Views
    M
    @Cmellons: " [Snort] Server returned error code 422…" Nothing to worry about. They are just updating on their end. It should be back to normal when they are finished. What about Squid and Snort rapidly stopping and starting and pfBlocker reporting "no… action during boot process"? I haven't seen these logs before and it seems unrelated to the Snort update process.
  • Strange port use when browsing

    3
    0 Votes
    3 Posts
    836 Views
    A
    the destination is always 80, that is http, so i need to leave it. and it was my fault to block it :)
  • MySQL & PHP Errors

    1
    0 Votes
    1 Posts
    701 Views
    No one has replied
  • Workstation software blocking

    10
    0 Votes
    10 Posts
    2k Views
    NetViciousN
    You could do it easily with Squid. http://blog.wains.be/2007/06/07/blocking-internet-explorer-with-the-squid-web-proxy/ Don't edit directly the Squid config file. Use the Custom Options text area on Services / Proxy Server menu on pfSense.
  • Lan network very slow

    44
    0 Votes
    44 Posts
    9k Views
    A
    I have the luck that the average age here is 50+, most of them only know how to turn on the computer and do some surfing :) I'll keep it in mind, and am going to try pfsense 2.2 when it is released
  • New to pfSense

    16
    0 Votes
    16 Posts
    3k Views
    stephenw10S
    If you have all that then use it.  :D I bet it cost a fortune when it was new! It should work fine. Steve
  • How Many DNS Does Pfsense Support?

    3
    0 Votes
    3 Posts
    988 Views
    johnpozJ
    If you have to do so many dns queries that your ISP is cutting you off ;)  Why don't you just run your own, and have it query either roots directly or any of the other public dns out there. Pfsense is either going to query ALL the servers in that list at the same time, or sequentially query them if they don't answer - this does not seem like the best solution to me from your description.  I would just grab bind and let it query the roots for you.  Then you have no issue with anyone cutting you off no matter how many queries you do - your only limit to number of queries you could do would be your machine horsepower that bind is running on and your internet bandwidth.
  • Basic Setup Help

    10
    0 Votes
    10 Posts
    2k Views
    stephenw10S
    You can use any interface you like as admin access. If you think that the http/s webgui is interfering with your port forward it shouldn't. The webgui listens on all interfaces so changing which one you use shouldn't make any difference. Are you seeing the pfSense webgui when you try to access your port forward? You can change the port the webgui uses. Did you try the change I suggested above? Steve
  • Redirect one or more URLs to a fixed internet gateway

    10
    0 Votes
    10 Posts
    2k Views
    stephenw10S
    I hear what you're saying about Google. As long as you accept that's what they're doing then what they offer in return seems quite a good deal. It just works better than anything else I've tried. Better than Hotmail anyway, or whatever they've re-branded it as these days!  ::) Can you force users to use a limited set of servers by using a DNS override for gmail.com? Does the connection immediately get redirected to countless other servers? That might not matter since you would have caught the traffic in the firewall rule and redirected it through the appropriate gateway by that point anyway. What are you hoping to achieve by using a separate connection for gmail? Do you need to match this traffic 100%? Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.