AoN has nothing to do with the link you posted. And i dont think what you want is possible with IPSEC. At least not according to the other 5+ thread to this problem :) Why dont you give OpenVPN a try? IMO the argument that "IPSEC is a more accepted standard" is invalid. It's just a more up to date VPN solution than the in its age IPSEC.

Could it technically run them?  Yes.  Should you run squid, which is a notorious resource hog and something which by design reads and writes data to the disk a lot?  Well, you should probably just answer this one for yourself.

Thanks for your response. I totally agree with you but unfortunately this is a security requirement from my company and I need to find something to make them happy. Can ARPwatch log the MAC addresses for a certain amount of time?

Maybe if you followed the instructions here the additional configuration options may get you there. http://www.i-hacked.com/content/view/27/71/

You are absolutely right. The more applications you add to an appliance the chances for failure increases. As long as you understand the security risk involved go ahead and run it. If you are really worried about performance and security then separate your services to different appliances. You can search the forums and find that people don't like it when someone asks how to turn pfsense into an ftp server or NAS device but using pfsense as a cache server and traffic management is idealy the same thing, a risk. You are adding additional services that will lower security. Now please also understand that running squid and snort and traffic management of the pfsense box is most of time necessary to get the functionality of the above mentioned examples. If you want traffic going in and out of the box to be monitored then you have no choice but to run snort on the box if you want that functionality on the network. Same thing with squid. How will you transparently cache data if squid is not running on the pfsense box? It’s a two sided argument. Just know the security risk when you install a service. If you run SSH on pfsense then also run Denyhost (Mcrane and I should have a denyhost package soon)

pfSense is a firewall.  You're trying to pound a round peg into a square hole and you're unlikely to find anyone here willing to help you do it.

It looks like your torrent clent has found a client in Norway.

Since we're both former Tomato users (I still use it as a wireless 5 port switch), which of the those did you choose or know which replicates most of Tomato's Bandwidth stats? From my understanding, they require full installs, I'm not using a microdrive or a hdd, but a CF card and the newest 1.2.3 rc2 nanobsd requires the packages to be re-written to be fully compatible.  I tried an early 1.2.3 rc2 for embedded had issues and I had to drop back to 1.2.2. I'm on an Alix 2d3 board, can't stand using an old noisy pc for pfSense.  :-)

cant beat the 800 days uptime. Nothing broken so reboot scheduled after stable nanobsd release is released :) [image: pfsense.PNG_thumb] [image: pfsense.PNG]

Hi, I know exactly what you mean. After you connect to the ftp server and the messages indicated you are being connected but it won't show the Directory listing. In my Wan to Lan ftp rules, sources is  *  and Port is  *  and the Destination is Lan net and Port  is  21 Or you can try the source port is 1024 - 65535 and the Destination port is 21 For outgoing Lan to Wan, I just set Destination port to * Funny enough after i do a fresh install the whole box couple of times. The error messages of the static port went away and people can access our ftp server. I had such problems over one months since i created the topic but did not get any answer. I tried the update snapshot method to see if it could fixed the problems. But it crashed my box beyond reboot. I do not know if the follow could work, you can try to download the 1.2.3 RC 1 from the Germany Mirror site and restore all your configuration (If you do have the time to test). The problems might go away. It is not a scientific way, since I am not yet a subscriber member, this is how i solved the problems…. :'( Good luck.

Yes/no/maybe  ??? Do you want to prevent one particular device from connecting to the Internet, or one device on the Internet connecting to your network? Take into account the fact that you only know the MAC addresses of devices that are on directly connected networks, and that it's trivial to change the MAC address of any computer.

You would need to install Squid, configure it to log all requests and then force people to use it.  There are a number of tools for reviewing squid logs.

Looks like there are other plugin options for IE as well, listed here: http://en.wikipedia.org/wiki/Scalable_Vector_Graphics

Nope, you just start dropping connections.  Fast.

@ryates, BTW, finally just built myself a new PFS box, and copied over the /var/db/rrd directory, worked like a charm, thanks!! -M@

Thank you :)