Yeah, if you're dealing with fibre then you won't want to be trying to cut corners on costs - it will come back and bite you later (from experience).

If you go wireless then you may want to look at a UK company http://www.solwise.co.uk/.  They have a page all about kit for linking buildings and have a PDF document about setting it up.

I have the following in /etc/rc.initial, just before the line /etc/rc.banner:

REMOTE_IP=`echo ${SSH_CLIENT} | awk '{ print $1 }'` if [ "${REMOTE_IP}" = "10.11.12.13" ]; then            /bin/tcsh         exit && exit && logout fi

Replace 10.11.12.13 wit h the IP of the system you want to be able to bypass the menu.

Hello,

You right , pftop is the right tool :)

thanks,
B.

yes, I did (using the web interface): <disablechecksumoffloading>yes</disablechecksumoffloading>

For my system it seems that the options doesn't have to be explicitly activated (as the original code does), but deactivated (what the code did not). At least this was my observation, ymmv of course :)

imwondering if i can use the traffic prioritizer to set priority based on IP range.  then i could set the DHCP scope to be less priority, and the servers and SAP workstatsions to have higher priority (and well, the bosses laptop too).

i was playing with the traffic shaper, and even tho it wasnt listed, when i turn on the catch-all-p2p, ftp is limited as well.  the penalty box feature is kinda cool… is there a way to add more than one computer (or, is just copying the rule and putting in another IP the way to do it) ?

No and this has to be one of the worst security practices ideas I have heard yet.  It's a firewall, leave it be and deploy another server for this task.  No offense.

It's an easy mistake to make, from personal experience :)

you could do it by dns, by adding a entry to 127.0.0.1, se when people try to access www.eviladdress.com they will be redirected to 127.0.0.1, but no logging features support this and it's pretty easy to bypass

These things are not supported.  Have fun :)

AFAIC this is supposed to be done by the switch (if its able to do so) where's pfsense is plugged.

Regards from Rio de Janeiro.

I guess it's possible that the clock was way off to begin with and just hasn't been able to sync with a time server yet.

Usually NTP protocol don't do big jumps in time.  It has some limit to the automatic time change.  If the time shift is greater than XXX seconds / minutes, it will not update.

Have you tried to config the clock manually to the closest as possible and then asked pfsense to then, sincronize ?

Also, sometimes time settings is not change on the fly on some process.  Sometimes it is necessary to restart the service.  If it is something related to kernel, usually a reboot will make the time to be correct (if the hardware clock is correct at boot time).

Regards from Rio de Janeiro.

use the Squid package?

Enable traffic shaping then :)

Please test Your local time server (pfsense) from windows machine. Is it synchronized to upstream servers at all? Stop windows time service, install ntpdate, and do test:

ntpdate -d yourlocalpfsenseserver

I think - better way for company's local time source - to use BSD "stock" ntpd from www.ntp.org, not OpenNTPD. Configure 3-5 reliable stratum1 or stratum2 time servers and keep Your windows machines always happy.

Arnis

My personal take would be to leave the Sonicwall as a standard firewall, put the web and mail servers on non-internet IPs and forward the relevant ports only.

It works

Thanks  ;D

Find the offending device and give it a valid IP address  ;D

Seriously - you can't "fix" this at the pfSense end - you've got to deal with the source of the packet that pfSense is receiving.  The only way to do that is track down the offending box and correct the IP configuration.

Yes he did.  Please stop posting duplicates.  The next time there will be no warning, just a ban.

Locking duplicate thread.