• Tracking down unknown firewall problem

    0 Votes, 6 Posts, 1k Views
    @firewalluser: Could this issue with the states also affect the WAN connection?
    No, it's the other way around: a dropped WAN causes stale states when it comes back up.
    @firewalluser: One thing I have noticed which I have not seen in previous versions of pfSense, i.e. 1.2 . . . . . . . . this is new hardware and a new ISP, I'm still tracking down what exactly is occurring, hence the question about if the states might affect the WAN connection?
    Sounds like you have issues with your new ISP. What kind of connection is it?
  • Separate games and internet in two ISP and to avoid downloading

    0 Votes, 3 Posts, 854 Views
    What's your setup like and what exactly are you trying to achieve? For example, do you have a setup like this?
    1 WAN to ISP A
    1 OPT1 to ISP B
    1 LAN to a number of devices like games consoles, computers, tablets, phones via WiFi and Ethernet?
    Is one of the ISPs a mobile data provider? If so, these networks work differently compared to normal net access due to the way the mobile phone system traffic management works; it's more burst-like, unlike normal net access, which is more continuous and consistent in the transmission of data. This would make sending games console data out over mobile not so good and something to avoid. One of the fancy things you can do with pfSense is have your games console traffic come in over WAN, but send the games console data out over OPT1 (ISP B). Any fixed IPs in use and need to be used? Likewise you could route some traffic to use WAN and other traffic to use OPT1. You can load balance, traffic shape, plus lots, lots more.
    If you know the games consoles' MAC IDs then you can assign each a fixed IP address (Services, DHCP Server, assuming you are using a pfSense DHCP server). Then you can add some rules (Firewall, Rules, LAN tab) that send the games consoles' SOURCE IP address traffic to the WAN net destination or OPT1 destination. If you have many games consoles, consider creating an alias (Firewall, Alias), add a new alias called Games Console, and add the hosts' fixed IP addresses. Then back in the LAN firewall rule from above, change the SOURCE IP address to the alias; the same rule will then apply to all the IP addresses listed in the alias.
    Do you need to restrict access to between certain hours for these games consoles? If so, in the LAN firewall rule from above, edit the rule and choose a schedule from the drop-down list. To create a schedule like no internet access after 10pm Mon to Fri, go into Firewall, Schedule, add a new schedule, name it, select the weekday headers Mon through to Fri and then set the time 6am to 22pm.
    This will make the rule work only Mon to Friday 6am to 22pm. If you want to allow different access on a Sat & Sun, edit the schedule and add Sat & Sun plus the couple of hours missing Friday night, and restrict access from 22pm Sunday night. To have all other devices use the other net access, create a LAN rule which does NOT allow the alias group access to the WAN or OPT1 net destination connection.
    Don't know if the above is useful or not; it depends on your network setup and what exactly you want to achieve.
  • External certificates

    0 Votes, 2 Posts, 889 Views
    jimp
    If you manage the certificates on another system you could get away with only needing the OpenVPN server certificate private key (not the CA private key or the user certs/keys). You couldn't use the export package, but it would work. In that scenario the only certs on the system (aside from the GUI's cert/key) would be the CA cert, Server cert, and Server key.
  • Tracking Usage Per Client

    0 Votes, 10 Posts, 3k Views
    I'd set up a Linux box with two bridged NICs and put it between the internet & the WiFi access point(s). tcpdump can do all the packet captures quite easily; you can specify how long timewise each packet capture file is, i.e. hourly or daily packet captures, and then from there monitor the TCP/IP data, pulling out what you like! I'd start with the ARP packet to get each unique device and then track the assigned IP accordingly. Unless someone has changed the ID in the ARP packet (possible, but harder than spoofing a MAC ID), you should get a good overview of your WiFi users' usage. One of the things you should see is if anyone has attempted to change the unique ID given out in the ARP packet. A basic example you can adapt by running on a different Linux distro: http://williamknowles.co.uk/?p=16 You'll just need to make sure you have enough disc space to store everything captured and have spare capacity before analysis.
  • Port forwarding help needed

    0 Votes, 20 Posts, 3k Views
    In case you haven't noticed yet:
    1. Traffic blocked by the default rule (in other words, traffic which matches no firewall rule) can be logged by selecting "Log packets blocked by the default rule" in "Status: System logs: Settings". Same for bogon and private subnets. This will of course also show any portscans and hack attempts.
    2. For each firewall rule, logging can be enabled individually.
    3. By clicking the icon in the "Act" column of the firewall log, you can see which rule was responsible for blocking or passing the traffic.
  • Best way to hook up media server on a pfsense system

    0 Votes, 21 Posts, 7k Views
    stephenw10
    Nice! Hopefully that will help others.  :) Steve
  • 0 Votes, 1 Post, 578 Views
    No one has replied
  • Port Scanning Help

    0 Votes, 2 Posts, 738 Views
    Got it. Used Wireshark and then plugged it into the network and saw the ARP request :)
  • How to block ISP injected advertisements in webpages

    0 Votes, 38 Posts, 16k Views
    MITM in India? People do that? https://www.youtube.com/watch?v=o66FUc61MvU
  • pfSense can't connect on LAN

    0 Votes, 4 Posts, 1k Views
    stephenw10
    I have to say I would always advise you to leave outbound NAT set to automatic unless you really need to set manual rules. The suggested rule should work though.
    @jonfil0130: When I check the Status "Gateway" it's only the WAN interface that's online
    This implies there might be more than one gateway. A common mistake is to add a gateway to the LAN interface, which is almost always incorrect. Remove it if you have one and then make sure the WAN gateway is set as default in System: Routing: Gateways.
    @jonfil0130: for WAN there's 2 default rules which are both under "BLOCK". Maybe it's something to do with the routing; that's why I can't go online thru LAN.
    The two rules you are seeing, 'block bogons' and 'block private networks', are not a problem if your WAN interface is receiving a public IP via PPPoE. Even if it isn't, it won't prevent internet access from LAN.
    Steve
  • PPPoE and MTU

    0 Votes, 2 Posts, 3k Views
    I stumbled upon an interesting article about Windows RWIN auto-tuning that may have answered my question (the router does not impact RWIN). Everyone who uses Windows 7/8 should read these observations: https://www.duckware.com/blog/how-windows-is-killing-internet-download-speeds/index.html
  • LAGG and VLANs with Procurve 2530

    0 Votes, 1 Post, 1k Views
    No one has replied
  • Suricata and firewall rules

    0 Votes, 1 Post, 762 Views
    No one has replied
  • Adding snort rule to suppress list via SSH

    0 Votes, 2 Posts, 843 Views
    bmeeks
    @willdashwood: Hello, I know that the recommended way to manage things is via the web GUI but I prefer using SSH to search for IPs that are blocked. Unless I'm missing something, the web GUI doesn't seem to have the ability to search for IPs on either the alert list or the block IP list, so I just use grep:
    grep IP /var/log/snort/snort_igb163179/*
    So I'm happy with that, but when I find a rule that's been triggered and it's a false positive, it would be handy to be able to suppress that rule via SSH. What's the best way of doing so? I can see our suppress list is here:
    /usr/pbi/snort-amd64/etc/snort/snort_63179_igb1/suppwansuppress_5436571eeaef6
    So I could just append the rule ID to that file, but presumably I would need to restart the service for it to take effect and I'm not even sure how to do that via SSH. Is there a better way? Thanks, Will
    Sorry, but no better way. You have the basic mechanics for part of the process down, but your solution will not be satisfactory in the longer term. That's because there is one big problem there is no solution for. The text file you found is recreated each time a SAVE operation occurs within the Snort GUI. It is also recreated each time the rules are updated by the automatic update process. This occurs by the GUI calling a custom PHP function within the Snort GUI code called "sync_snort_package_config()". So changing that text file will prove to be very short-lived.
    You can restart Snort easily by executing the rc script and passing it either "stop" and then "start", or just "restart". The script lives here:
    /usr/local/etc/rc.d/snort.sh
    So something like this after updating that text file you found:
    /usr/local/etc/rc.d/snort.sh restart
    As mentioned above, this is really not a long-term solution. The actual content of the Suppress List is stored as Base64 data within the config.xml file containing the entire pfSense configuration. The contents of that data is what actually gets updated during the SAVE operation; then it is decoded and written to the text file you referenced.
    Bill
  • Backup from SSH or web gui command line? Firmware update via ssh?

    0 Votes, 3 Posts, 1k Views
    @jimp:
    1. Menu option 13
    2. Copy /conf/config.xml
    I didn't have console access, however I got it figured out :)
  • OpenVPN page crashes webgui on October 10th build.

    0 Votes, 2 Posts, 678 Views
    jimp
    Does restarting the GUI and/or PHP-FPM from the console/ssh help? I can't seem to reproduce it here but I'm on a current build.
  • iOS (iPhone & iPad) pfSense management app?

    0 Votes, 6 Posts, 15k Views
    stephenw10
    Unfortunately I suspect the critical funding level will be higher than any bounty can raise in purely economic terms. More likely someone who does iOS apps every day will find themselves wanting this and just do it. There is already a 'mobile' theme that is triggered by detecting the client as iOS or Android (or by the browser version?). It would seem to be quite straightforward to have an 'app' send a user agent string that triggers a different theme. It would be nice to have something that didn't rely on the webgui at all. It might be completely impractical, I have no idea. I could imagine something that connected via SSH and edited the config file. Would probably be far more work though. There must be other similar management apps that have solved these problems before; let's not reinvent the wheel here. Steve
  • WAN is pegged

    0 Votes, 4 Posts, 1k Views
    Derelict
    Status->Traffic Graph might give you enough info now to get you looking in the right place without installing other packages.
  • Throughput

    0 Votes, 5 Posts, 1k Views
    Thank you, Steve.  I appreciate your insight.
  • Bridge stuck in learning mode?

    0 Votes, 2 Posts, 1k Views
    stephenw10
    Hmm, you've bridged three different types of interface. Does the error appear for all three types? Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.