  • Implicit rules
    Locked · 0 Votes · 1 Posts · 2k Views · No one has replied
  • Looking for Advice on firewall rules
    Locked · 0 Votes · 3 Posts · 2k Views
    G
    It is a wireless backhaul. I think I got my problem figured out: I have too many outgoing connections for the amount of bandwidth that I specified. I increased my upload to 3.5Mbps and download to 3.5Mbps and it solved the problem. I just get some wireless delay when I start pushing over 3Mbps on outgoing traffic.
  • Something about pots 161
    Locked · 0 Votes · 2 Posts · 2k Views
    JeGrJ
    There are a few other ways to discover (or guess) the number of PCs behind a box. At first you did not mention if and how you set up NAT on pfSense. If you have not configured SNMP (and I think you did not, from the outside) there are other ways to manage that, e.g. IP-ID scanning the traffic coming from your router. For that matter, it is the provider, and if someone is easily able to "log" your traffic, it's him. I would guess he uses some kind of IP-ID scanning (some ISPs in Germany had done so), and if you are using many boxes with weak random IP-ID implementations (like Windows, or some Linuxes too), you can paint a diagram and match it against the IP packets and their IDs to draw some kind of picture which shows how many boxes are active behind the NAT. For an example, look here: -> http://www.cs.columbia.edu/~smb/papers/fnat.pdf I don't know if FreeBSD's implementation of pf matches the one of OpenBSD completely, but there you could use the keyword "random-id" as a key in the NAT clause to scramble all IDs leaving your network to behave really randomly and to blur your internal structure.
  • Transparent Bridging Firewall
    Locked · 0 Votes · 4 Posts · 3k Views
    H
    If you want to manage it coming from an external IP, it should be an external IP. If you only want to manage it from another machine in the same subnet as the WAN IP, or from a separate management interface, you can choose something else.
  • Tivoli through pfsense
    Locked · 0 Votes · 8 Posts · 4k Views
    B
    And of course, 10Mbit is slower than the 30Mbit or so you were getting before, which means your backups will take even longer! No, you really really want a bigger box ;) –Bill
  • Blocking using Aliases
    Locked · 0 Votes · 2 Posts · 2k Views
    H
    You have to try it from a client behind the pfSense or at WAN. The filter blocks connections incoming on an interface. If you ping from the pfSense itself, it's outgoing traffic, which will always be allowed.
  • Transparent firewall
    Locked · 0 Votes · 23 Posts · 22k Views
    D
    OK. If this can be in the future, I'd be very glad. Thanks.
  • Dynamic firewall rules according to the user
    Locked · 0 Votes · 6 Posts · 8k Views
    S
    @Grey: As I haven't seen authpf in pfSense as yet (a pity, but I don't know how hard it would be to implement; it sure would be a nice addition to captive portal), I'd say you could do it if you map your users to a definite IP each and configure rules for that IP. You could e.g. use DHCP with their MACs and so map user A to IP x.x.x.a and user B to IP x.x.x.b. IP-based filtering is not that nice, I know, and far from being foolproof. But I am curious if there are other methods already in pfSense (perhaps HEAD)?! :) No. Patches accepted.
  • Rule for PPTP applies for external IF as well
    Locked · 0 Votes · 3 Posts · 3k Views
    JeGrJ
    At the moment, quick workaround: log in via shell or console and change dir to /tmp. Edit rules.debug and delete the "ng0" part in macro "pptp" (right on top of the file). Then reload the filter rules via "pfctl -f rules.debug". Worked for me this far and immediately shut down the unwanted access from outside to the web and SSH ports. Thanks for filing, hoba :)
  • New to Firewalling
    Locked · 0 Votes · 11 Posts · 6k Views
    B
    @Aderium: Could I just disable the rule instead of removing them? It would be annoying to remove and recreate or backup and restore... Same difference. –Bill
  • Where is the pf.conf file
    Locked · 0 Votes · 9 Posts · 15k Views
    B
    @Aderium: So bottom line, you can't change configurations from the shell? Correct. The shell is there for debugging, not for modifications to config files. –Bill
  • Question Auto Reject IP?
    Locked · 0 Votes · 4 Posts · 3k Views
    S
    We just recently fixed this problem. The block rule for the overflow table was not in place. This will appear in beta4.
  • Strange log entries?
    Locked · 0 Votes · 5 Posts · 3k Views
    H
    Keep in mind that if this traffic is routed to you, for whatever reason, it takes away some of your bandwidth. So if this starts to become more, you might have problems using all your bandwidth. However, this is not a pfSense issue but related to your ISP having something misconfigured.
  • Limiting Maximum state entries per host didn't work perfectly
    Locked · 0 Votes · 11 Posts · 9k Views
    R
    Wow, it seems to work great! :o My traffic is cut in half and my browsing seems to be faster than ever. I think this is better than traffic shaping itself. Thanks a lot! rex
  • Beta 3 - Problem with filter rules and fix
    Locked · 0 Votes · 4 Posts · 3k Views
    H
    "cvs_sync.sh releng_1" syncs your box to what can be found on the web. It's the latest of pfSense development. It's recommended to upgrade to the latest official release and then run this command on top if you encounter any problems, or you encounter a bug that is already fixed in the code tree but there is no image/update for it yet.
  • Pf.conf -> XML?
    Locked · 0 Votes · 3 Posts · 3k Views
    B
    @unit3: I'm maintaining an OpenBSD firewall, but there's some concern at the moment that if I get hit by a truck, nobody else here knows enough about *BSD to keep it going. I've been looking at pfSense, and it looks pretty fantastic, so I'm thinking that moving our firewall to pfSense would be a reasonable plan. However, I have a pretty large and heavily tested pf.conf already. Is there an easy way to translate this into the XML format that pfSense wants for its configuration, so I don't have to manually migrate all the rules? Need a job? Ever considered that the truck might be someone hiring? :) –Bill
  • Alias for some hosts
    Locked · 0 Votes · 8 Posts · 11k Views
    B
    @hoba: In pfSense 1.1 you will be able to let pfSense resolve the URLs by adding a URL-type alias, but for now (v1.0) you have to do it based on the IPs. Even then, it'll be limited to what DNS returns. If Yahoo (to continue the example) uses a DNS load balancer such as F5's 3DNS (now GTM) product, it's unlikely that two queries will result in the same answer. Using DNS to resolve hostnames can be useful, and I can see the alias name being populated with a DNS entry where there's a checkbox or such that allows pfSense to auto-populate the IP. I don't, however, expect us to update the alias automagically. –Bill
  • Bridge does not work
    Locked · 0 Votes · 6 Posts · 4k Views
    K
    Hello guys, I tried it on hardware and it partially worked. This is what I have noticed: 1. All the interfaces have no IP address, so I had to set the IP for the bridge interface manually. 2. For testing's sake, outbound/inbound was allowed, but the client still did not get an IP address through DHCP, so I set it manually and was able to surf. 3. For an unknown reason I was only able to surf for a few minutes, then it goes down and up again in a matter of 30 seconds, more or less. 4. I could not access the management interface from the LAN side, but I was able to access it from the WAN side. 5. After a reboot, the LAN and WAN interfaces had an IP address and the bridge did not have an IP. I will give it a thorough test over the weekend and post the results. I guess I should learn about FreeBSD. ;) Al
  • Beta3 bridge
    Locked · 0 Votes · 3 Posts · 3k Views
    D
    For successfully activating the bridge: IFCONFIG - all interfaces must have status active (check this); interfaces must be plugged into an active LAN; hardware interfaces can't be plugged into one switch or make a circle scheme; in bridge0 all members must be in forwarding state. Need to add a procedure to the webGUI for testing bridge problems (for the beginning, with what I have written). Next time I'll test the firewall with bridge and possibly write about it.
  • Block outgoing - except the few necessities…
    Locked · 0 Votes · 12 Posts · 5k Views
    JeGrJ
    Yep, it has. The releases after beta-2 had that bug in the webGUI removed. If you choose the "port" option in the alias menu, now every single line's second dropdown with the bitmask is greyed out, not only the first one as it was in beta-2. So (as far as I see) it is truly and finally fixed :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.