Huge fan of running pfsense virtual - but why not just put say esxi on the hardware and then run pfsense as a vm, and then whatever other os you want to host your website, etc. As to running services out of the house - other than playing/learning there is little reason to host your own site.  You would be be much better off just hosting the site offsite.  The electric alone is going to cost you more than hosting it somewhere most likely.  You can get low end vps for like $15 a year that can host up websites for example.  I have 2 of these low cost vpses – they make great endpoints for vpn, they are perfect for testing from other locations and other networks for network issues, etc.  I have a honeypot running on one for example that I host up a website I can access to get info about the honeypot, etc. etc. But if for learning experience I really love doing pfsense off a vm!! [image: websiteofflowend.png] [image: websiteofflowend.png_thumb]

@djoyce: Very helpful. From the research I've done it looks like DansGuardian is ~$100 for commercial depolyment and free for home and non-profit. I think that's a one-time fee, right? So, if I've put this all together correctly, the only costs to get a firewall, multi-interface, content filtering, domain filtering box is the cost of the hardware plus DG if I need a paid version, plus any donation to pfSense, right? So, in most cases I'll be out about $250-450 depending on hardware. Am I on the right track? Now, for support. Can I purchase one block of hours as my business and use it for pfSense deployments at more than one customer or do I have to purchase for each customer? Thanks for your help. We're a registered charity, so as you say there was no cost for DG.  The base charge for pfSense support is $600/year.  That includes 5 hours of support, extra 5 hour buckets @ $500 per, and if the support relationship is between you and pfSense, I don't see an issue with using that bucket of time for multiple sites - but as the other poster suggested, you can always connect with them for further clarification. I think if you want the end-user/company to be able to contact pfSense directly, then a separate agreement may be required per company.  If you are always the one initiating the support case, I imagine there isn't an issue.  The automated backup is supported for multiple sites/firewalls, but be aware that each site can see the other's backup file(s) from within the GUI, so if the client has access to manage the firewall, you might want/need separate accounts. P

Perhaps you were running samba on your dd-wrt platform?  Even if you were not serving any files stored on your dd-wrt platform, samba may still have been acting as a domain controller (or 'domain master' in earlier terminology?). If you still have your old platform, try plugging its LAN port into your switch.  Look around for the samba configuration, analyze it and figure out your next move.  But ptt is right, it's not a pfSense issue; it's local to machines on your LAN.

@charliem: Your ISP should be out of the picture, right?  Your cable modem is the one issuing the address, if I understand correctly.  So, cm notices link to ISP is down, cm hands out a dhcp address for 192.168.100.x. I think that is correct– stupid cm trying to be a NAT router or something. @charliem: Or do you have two issues: one being a local address from the cm when the link goes down, and two being an incorrect IP coming from the ISP when the link comes up? I think only one issue– the DHCP being picked up and used by the pfsense when the interface is set to static-- possible sometime in the period of flapping around when the connection resets. Therefore-- exacerbated by the internet connection's current instability.

You have some other access except via VPN? If not, pretty much tough cookies.

Makes sense.. checking this morning the number of errors on WAN has not changed at all.  So fingers are still crossed. thanks for sticking with me on this weird issue.

If you keep all of your tunnel networks in a close range you can add a manual accept filter for the entire larger subnet which includes the smaller tunnel networks. For example if you have 192.168.22.0/30, 192.168.22.4/30, 192.168.22.8/30 and so on for tunnel networks, then you can setup an accept filter for 192.168.22.0/24 and I believe that should work OK.

Yep, what Phil said.  :) The default LAN rule will block that because the source is outside the LAN subnet so if you haven't changed it or added more rules that traffic won't be allowed. Steve

How have you installed it? Are you running the Live CD? Steve

Thank you very much! It worked. I just needed to unassigned interface before I start LAGG configuration. Thanks again.

@stephenw10: The default firewall rule on LAN only allows traffic from within the LAN subnet. So if your traffic has been routed from some other subnet (VLAN 10) then it will be rejected. Alter or add rules to allow this. Steve Ugh, how could I have missed something so obvious. Thanks so much for your time – this was my issue!

Usually after saving new config, there will be Apply Changes button, if you did apply, it should work.

Great software! Thank you very much Steve

^ Exactly. The re-seller arrangement is currently being revised I believe so there's not much info on the website. Just contact ESF directly, I'm sure they can sort you out. Steve

Isolated the problem yesterday to a machine on my network with an IP address and matching MAC address that was the "spoofer" … Even though I know there is a machine on my network, I do not know where the machine is. Will be onsite going from machine to machine looking for the spoofing system. From what I have read over the last few days, there is really no way for pfsense to stop this type of attack. Many say that it must be done through a managed switch or to statically assign the network parameters on each workstation in the building. It would be nice if there was a way that pfsense could stop this from happening. Anyone ever run across this and what solution did you use? Thank you Kell