• Sshd not working on latest RC

    12
    0 Votes
    12 Posts
    3k Views
    rbgargaR
    @e3ctsc: @Renato: Could you guys check ownership of /usr/local/lib? I saw the same issue on a system with squid3 installed, and noted the directory ownership was changed to proxy:proxy, what caused check_reload_status not to be loaded and cause sshd not being started. It was the file permissions. I compared file ownerships with an older backup and saw following files changed complete /usr/local with all files, subdirectories and symbolic links was proxy:proxy instead of root:wheel /etc/ssl/openssl.cnf was proxy:proxy instead of root:wheel /dev/pf was root:proxy After chowning them back I had to reboot to get it working again (perhaps there had been a better way than rebooting) Thanks! I pushed a fix on squid3 package, version 0.2.6.
  • Static DHCP - Device Grouping?

    4
    0 Votes
    4 Posts
    930 Views
    R
    @LennySh: Hmmm… What else is changed? ;D Quite a bit… the "grouping" screen essentially replaces the DHCP screen but it removes most of the settings that are on that screen. It also assumes some specific names for the groups - which are setup as IP aliases.  It's really designed to allow you to assign static IP's to groups within one DHCP instance that assigns addresses for the LAN. I added a group element to the config.xml for each static assignment. I haven't changed anything that keeps the original DHCP screen from working - but the original screen wouldn't update (and will drop) the "group" element in the config.xml. If you want the code for the screen, let me know and I'll post it.
  • 2.2 upgrade process

    10
    0 Votes
    10 Posts
    2k Views
    KOMK
    I didn't know that was in there.  Thank you.
  • Snort services problem

    4
    0 Votes
    4 Posts
    934 Views
    bmeeksB
    @cesjr: It appears " There are no packages currently installed." and in the available package , there is no package of snort. My pfsense version is 2.0.1-RELEASE . You must upgrade your pfSense version.  Snort is no longer supported on anything older than the 2.1.x series. Bill
  • Fine Tune Log Settings

    2
    0 Votes
    2 Posts
    729 Views
    F
    You might be able to export your settings and modify the xml file that way before restoring the edited backup? Have you also seen Status: System logs: Settings tab… Filter descriptions Show the applied rule description below or in the firewall log rows. Displaying rule descriptions for all lines in the log might affect performance with large rule sets? The default is not to show the rule descriptions which can make it harder to work out what rule is blocking or allowing when troubleshooting what rules are being acted upon. Personally I log everything that way I can see when settings have changed/been reset on workstations due to updates or some other activity, even though I don't use ipv6 I still log it.
  • Public squid proxy for authenticated users

    2
    0 Votes
    2 Posts
    848 Views
    F
    How are they remote? Are they coming in direct from the wan or getting in via a vpn before being redirected to the proxy? What version of pfsense are you using?
  • Uploads not working

    2
    0 Votes
    2 Posts
    914 Views
    F
    One thing I do with all firewall rules is switch on logging of all the rules, this way I can see what is being blocked and not. In Status: System logs: Settings tab, there is an option to show the firewall rule being applied, rather than just having ip addresses/ports with their corresponding block or allow status. This can be useful for finding out what rule is causing problems, but the default is not to show the rule descriptions. Filter descriptions Show the applied rule description below or in the firewall log rows. Displaying rule descriptions for all lines in the log might affect performance with large rule sets.
  • SMART HDD Monitoring

    2
    0 Votes
    2 Posts
    691 Views
    F
    I use browser automation to check webpages when I can't get info/alerts/errors/warnings. IE allows you to control the DOM, but if you don't use windows & IE and do a bit of coding, this might be an alternative solution. http://www.seleniumhq.org/
  • System log filter not filtering properly

    7
    0 Votes
    7 Posts
    3k Views
    F
    That's my bad, I should have realised it was regex, can't remember last time I called it "regular expressions" so I was trying logical expression ie =+-<>& The thing that threw me, is there are only 35 chars for the ip addresses which isn't enough space for ipv6. Anyway for anyone else interested in how regex works, the link has some good examples to explain. http://www.proftpd.org/docs/howto/Regex.html or a quick overview can be seen below.
    ^ caret matches the start of a string, eg ^192 will match all entries that start with 192, ^10 will match all entries that start with 10, although not relevant on this page, but in other applications ^&foo will match all entries that start with &foo and ^@domain will match all entries that start with @domain
    $ dollar sign is similar but the opposite to caret in that it's used to match the end of a string, eg 10$ will match all entries that finish with 10, @domain$ will match all entries that finish with @domain.
    . period matches any single character eg 1.2 will match the 3 digit numbers 112, 122, 132, all the way up to 192, s.f will match any 3 letter word that starts with s and ends with f, eg saf, sbf, scf, sdf and so on.
    [ ] open and closed square brackets will match any one or more entries containing the numbers, characters & symbols encapsulated in the square brackets. EG [192] will find all entries that have 1 and/or 9 and/or 2, [abc] will match all entries that contain a and/or b and/or c. Numerics in square brackets can also contain a range eg [0-9] will match all entries that one or more of the numbers in the range specified inside the square brackets.
    | Vertical pipe/bar is an either or operator eg ^192|21$ will match either all entries that start with 192 or all entries that finish with 21.
    \ Backslash is used to prevent the special meaning of operators eg \. will make . (period/fullstop) behave like a period/fullstop and not a single char match, hence the \. in the example Jimp provided.
    \^ will prevent the caret operating as a match the start of a string eg \^foo will find all entries that contain ^foo.
    ? question mark will match once or not at all, eg 19?2 will return 192 and 12 only, he?llo will return hello or hllo
    * asterisk will match as many times as possible or not at all eg 192* will return 192, 19, 1922, 19222 and so on.
    + will match at least once 192+ will return 192,1912, 1922, 1932 and so on.
    *, +, ? are acted upon first, followed by any concatenations and then finally | fwiw.
  • Wrong time

    11
    0 Votes
    11 Posts
    5k Views
    F
    Time zone mismatches can cause problems with other systems or flag up alerts, less so with Windows as it doesn't record time properly in the first place which is why you'll never see windows being used in High Frequency Trading platforms which rely on fractions of a second to carry out trades, but even this year's leap second will cause some problems if the programmers are not aware of it.
  • Cannot Ping LAN from WAN

    8
    0 Votes
    8 Posts
    2k Views
    K
    Thank you Derelict
  • IPSec throughput with pfsense

    13
    0 Votes
    13 Posts
    7k Views
    E
    A fix will go in for 2.2 that will correct the issue.
  • Yet another ATT/NVG510 setup, complete with problems.

    3
    0 Votes
    3 Posts
    930 Views
    R
    ok well i might have answered my own question.  i reset pf and the modem, disabled ip passthrough.  The PF wan nic got a 192.6i.15 address, i plugged my laptop into the switch where the pf lan nic is uplinking to, i pulled a dhcp ip from pfsense however i cannot ping out. am i screwed with the idea of using pfsense in this situation?  i need and want to loadbalance these lines. i sit here not totally sure of what the actual problem is. right now pf only has 1 ipdsl line plugged into a wan nic, and since i reset pf to defaults there is no other config confusing it.  it has 1 wan and 1 lan and i still cannot get outside.  WTF am i doing wrong here?
  • Quck/easy IPv4 subnet setup question

    3
    0 Votes
    3 Posts
    792 Views
    P
    @Derelict: I would do a couple things: First, /24s are fine and everyone expects them. I would pick something at random like 172.24.0.0 then split that into /24s. 172.24.0.0/24 172.24.8.0/24 172.24.16.0/24 172.24.24.0/24 172.24.32.0/24 … That way you can increase any of the subnets if you want later.  You can cover everything with 172.24.0.0/16 if you want. If you're going to renumber, just get off 192.168.0.0/24, 192.168.1.0/24, and 10.anything/anything.  Your likelihood of having a collision over a VPN with the above 172.24.0.0 networks is pretty slim. No need to go nuts.  Main thing is to get off the common networks to avoid future collisions. I lied. I forgot an interface/VLAN. It's actually this: Current Setup: WAN1 - 5x Static IP's from ISP1 WAN2 - DHCP from ISP2 LAN - 10.x.x.x/24 OPT1 - 10.x.x.x/24 (wifi) OPT2 - 10.x.x.x/?? (VLAN to kids/family wireless router) OPT3 - 10.x.x.x/24 (VLAN to ESXi Cluster1) OPT4 - 10.x.x.x/24 (VLAN to ESXi Cluster2) OPT5 - 10.x.x.x/24 (VLAN to ESXi VMkernels) I see your point with the 10-dot Class C's… but it is what it is at this point and I/we have used these numbers for years so they correspond to things and would be a PITA to change. The only thing that will EVER be attached to that VLAN is that one wireless router. VLAN's are easy enough to create and/or modify anyway. Unless anyone has reason not to I'll just give the thing a full Class-C and be done with it. Thanks.
  • Slow websites

    11
    0 Votes
    11 Posts
    2k Views
    DerelictD
    If it were me I'd take a backup of the config, install fresh, and put a minimal config on it (just WAN/LAN/NAT, no snort, no packages,etc.).  If it still does it, you've pretty much eliminated pfSense and can start looking elsewhere. You can always restore the config and be back where you are now.
  • Warnings Displayed When Adding New TLS Certificate

    9
    0 Votes
    9 Posts
    2k Views
    C
    @donaldo: so is the warning something to be concerned about? It'll cause GUI display issues and the error pasted by OP because of the PHP bug linked earlier in this thread. Things that actually use the certs though should all be fine as none of that is dependent on PHP.
  • Web Gui Wan Access!!!

    2
    0 Votes
    2 Posts
    1k Views
    V
    I think, you have some trouble with network classes. A class A net has the CIDR /8, a class C /24. https://en.wikipedia.org/wiki/Classful_network 192.168.1.10 /255 is no possible network. A class A net for wifi??? You will need thousands of APs to serve the clients. But this is your beer and not the topic. If you don't remove the default allow rule on LAN interface or add a block rule for your local network on the top the wifi clients will also be able to access your local hosts! So the firewall will have no effect! To access the 192.168.1.10 WAN IP at first you have to remove the check at "Block private networks" at the interface configuration tab. Then you have to add a rule (Firewall > rules > WAN) to allow traffic on WAN interface to WAN address and the Webconfigurator's port (by default 80 and 443 > therefore you may use an alias). You may also restrict the source to allow access just from a few IPs.
  • Finished pfSense rig

    1
    0 Votes
    1 Posts
    766 Views
    No one has replied
  • Need help with Active Directory configuration

    16
    0 Votes
    16 Posts
    6k Views
    T
    @doktornotor: @TyMac: Also, I still cannot actually log in with the AD admin user. Cannot log in where? You know, this works just fine here for the WebGUI, with RouterAdmins AD group, and same pfS local group with proper permissions assigned. Worked in 2.1.x, still works with 2.2. Also working for OpenVPN + Radius/AD. Post some logs/info, nothing to work with here! Can't log in to the pfsense web admin page with the admin AD user I created that works with the bind credentials parameter.  What log do you want me to post?
  • Unable to access some sites when going through pfsense

    14
    1 Votes
    14 Posts
    8k Views
    stephenw10S
    Thanks for coming back with that useful info. Must be quite a few people that have been hit by this. Safari 5.0.1 was released in 2010 though so almost everyone using would be affected you'd think. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.