@Rhavin:

I did find one problem.

I am new to PFSense. I have been running Untangle for about a year, and decided to try something else.
I installed 1.2.1-RC2. If you go to System -> Firmware -> Auto Update, it will download and install 1.2-RELEASE, which as I understand it is the previous version.

That's the expected behavior (though expected behavior that needs to be changed).

I like ALIX and it works really well for home or a small office.  I really wish you guys would support it a little bit better.  ;D  Reflashing every time is painful.

Pretty cool trick within PFSense.  Just make sure you put the original URL back in there otherwise when you want to add packages later it will only show you the ones available from the OTHER site.

Darkk

On more thing (sorry).

If I run a continuous ping through the tunnel, every once in a long while, I get a solitary reply.

When it doesn't work, tcpdump on the WAN interface looks like this. Note the "bad udp cksum" on the response:
15:21:37.183958 00:0b:db:94:4c:3f > 00:13:f7:36:4f:ac, ethertype IPv4 (0x0800), length 142: (tos 0x0, ttl 126, id 49678, offset 0, flags [none], proto UDP (17), length 128) 74.93.31.17.59491 > 192.150.143.211.500: [no cksum] isakmp 4.14 msgid  cookie ->: phase 2/others ? #214[C]: [|#200] (len mismatch: isakmp 2089828598/ip 100)     
15:21:37.220137 00:13:f7:36:4f:ac > 00:0b:db:94:4c:3f, ethertype IPv4 (0x0800), length 142: (tos 0x20, ttl 52, id 28569, offset 0, flags [none], proto UDP (17), length 128) 192.150.143.211.500 > 74.93.31.17.59491: [bad udp cksum dea7!] isakmp 9.15 msgid  cookie ->: phase 2/others ? #138[C]: [|#164] (len mismatch: isakmp 2342990064/ip 100)

When it does work, it looks like this. Note the "udp sum ok" on the response packet.
15:21:48.179080 00:0b:db:94:4c:3f > 00:13:f7:36:4f:ac, ethertype IPv4 (0x0800), length 142: (tos 0x0, ttl 126, id 6906, offset 0, flags [none], proto UDP (17), length 128) 74.93.31.17.59491 > 192.150.143.211.500: [no cksum] isakmp 15.11 msgid  cookie ->: phase 2/others ? #124[EC]: [encrypted #117] (len mismatch: isakmp 2676507093/ip 100)
15:21:48.217091 00:13:f7:36:4f:ac > 00:0b:db:94:4c:3f, ethertype IPv4 (0x0800), length 142: (tos 0x20, ttl 52, id 28678, offset 0, flags [none], proto UDP (17), length128) 192.150.143.211.500 > 74.93.31.17.59491: [udp sum ok] isakmp 8.8 msgid  cookie->: phase 2/others ? #134[C]: [|ke] (len mismatch: isakmp 168770057/ip 100)

It seems like checksums are wrong because of some kind of mangling, but every once in a while the mangled packet checksum ends up actually being right? Just a "monkeys on typewriters" kind of a thing?

http://people.freebsd.org/~yongari/re/re.HEAD.20080607

But like I said this is a FreeBSD 8 patch AFAIK it should work on RELENG_7 but I know no one who has applied it and I don't have any Realtek cards to test it on.
Pyun YongHyeon Did commit some further changes to this driver, again to 8, in September but I really can't remember what they were for.

Sorry, took some time to catch everyone off the wireless. Seems to me that running ifconfig while it wasn't functioning returned that it was using channel 0, but maybe I just read that. Anyway, looks okay now and seems to be working fine. Hope this is helpful.

# cat /tmp/ath0_setup.sh #!/bin/sh # pfSense wireless configuration script. # enable shell debugging set -x /bin/ps awwuxx | grep hostapd | grep ath0 | awk '{ print $2 }' | xargs kill /sbin/ifconfig ath0 down /sbin/ifconfig ath0 mode '11g' /sbin/ifconfig ath0 channel any /sbin/ifconfig ath0 -mediaopt turbo /sbin/ifconfig ath0 ssid 'orion' /sbin/ifconfig ath0 -hidessid /sbin/ifconfig ath0 -mediaopt adhoc /sbin/ifconfig ath0 protmode 'rtscts' /sbin/ifconfig ath0 -pureg /sbin/ifconfig ath0 apbridge /sbin/ifconfig ath0 wme /sbin/ifconfig ath0 authmode open wepmode off /sbin/ifconfig ath0 txpower '99' /sbin/ifconfig ath0 mediaopt hostap /sbin/ifconfig ath0 mtu 1500 /sbin/ifconfig ath0 up /usr/sbin/hostapd -B /var/etc/hostapd_ath0.conf

System -> Advanced, enable bypass filtering for traffic on same interface. You have asymmetric routing, which can't properly be statefully filtered.

I don't believe so. I believe Ermal committed a FreeBSD patch that might fix this in 2.0.

You will have to tweak the nat settings on your asterisk server, and play with things a bit, but you can definitely get this working with pfsense, and I don't believe siproxd will be necessary for your situation.  See here for some static port settings that may help: http://forum.pfsense.org/index.php/topic,12830.0.html and make sure your phones are set to reinvite=no.

tested again, new install and all rules/nat/etc added new.
all ok except dns rules. (dns forwarder enabled)

diagnostic/firewall log:
not any dns log.
(dns rule log enabled lan/dmz/wan, dns(.1.10) in dmz)

states:
..
udp  10.6.1.10:53 <- 10.6.2.254:1196  NO_TRAFFIC:SINGLE
udp  10.6.2.254:1196 -> 10.6.1.10:53  SINGLE:NO_TRAFFIC
udp  10.6.1.2:31073 -> 10.6.1.10:53  SINGLE:NO_TRAFFIC
udp  10.6.1.10:53 <- 10.6.2.254:1215  NO_TRAFFIC:SINGLE 
udp 10.6.2.254:1215 -> 10.6.1.10:53 SINGLE:NO_TRAFFIC
udp 10.6.1.10:53 <- 10.6.2.254:1216 NO_TRAFFIC:SINGLE
udp 10.6.2.254:1216 -> 10.6.1.10:53 SINGLE:NO_TRAFFIC
udp 10.6.1.10:53 <- 10.6.2.254:57060 NO_TRAFFIC:SINGLE
udp 10.6.2.254:57060 -> 10.6.1.10:53 SINGLE:NO_TRAFFIC
udp 10.6.1.10:53 <- 10.6.2.254:1217 NO_TRAFFIC:SINGLE
udp 10.6.2.254:1217 -> 10.6.1.10:53 SINGLE:NO_TRAFFIC

Hey it works!  I just went and changed the Data Query in Cacti's interface. The index value before was vr0. I changed it to re0. I'm not sure why it was vr0 before but at any rate its working once again.

Thanks all for your help! Life is good  ;D

@sullrich:

Not seeing that here?

I don't see this in every rules, but only sometimes…

it is just cosmetic…... ;)

Not a show stopper but its still there on RC2, for me anyway. Could it be because I am only using VLAN interfaces? Other than this strange graph error I can not find fault with 1.2.1.

Thanks for all your fantastic efforts.

2.PNG
2.PNG_thumb
1.PNG
1.PNG_thumb

Will look into it more.  Thanks for the report.

Oops!!! my fault.
overlooked the sdeX.

Cannot reproduce the problem in 1.2.1 with Firefox 3.

Nice work, from what i gather it requires a fresh install, does config backup/restore work?

/F