• Traffic Shaper wizard loop

    Locked
    9
    0 Votes
    9 Posts
    3k Views
    B

    working for me also

  • XMLRPC sync issues on Dec 9 05:12:59 build

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    E

    OK. I will check and update redmine with feedback.

  • Many: Failed password for root from 186.36.27.16 port 3129

    Locked
    11
    0 Votes
    11 Posts
    4k Views
    E

    Fixed in latest code.

  • SMART Errors for 3Ware Raid Cards

    Locked
    11
    0 Votes
    11 Posts
    5k Views
    D

    @jimp:

    smartmontools has specific code to get data from 3ware, areca, and some others.

    ah, learn something new every day :)

  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • Weird package-update

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    _

    oh, thanx! What a quick response! I'll try again.

  • BETA 4 120910 build: odd IPSec issue with Cisco

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • I can't create two gateways with the same IP

    Locked
    9
    0 Votes
    9 Posts
    2k Views
    R

    in that case all you need to do is ask your ISP to move one of your connections to a different subnet.

    Roy…

  • Security issues

    Locked
    9
    0 Votes
    9 Posts
    2k Views
    M

    Clarknova, here's the output from /tmp/rules.debug

    rules.debug: unmodified: line 1
    WAN = "{ pppoe0 }"
    LAN = "{ vr0 }"
    DMZ = "{ vr2 }"
    #SSH Lockout Table
    table <sshlockout> persist
    table <webconfiguratorlockout> persist
    #Snort2C table

    # Gateways

    set loginterface pppoe0
    set loginterface vr0

    I tried enabling SSH on the snapshot from last night, and the behavior is normal. Nothing is exposed. This whole thing was strange. Sorry for over-reacting last night; I was kind of freaked out.

    PJ2, good call on using grc.com for scanning. That proves much more reliable than using a mobile network.

    …I imagine this was user error like everything else. ;)
    cheers,

  • Pfsense needs very long for booting

    Locked
    16
    0 Votes
    16 Posts
    5k Views
    jimpJ

    What is displayed in the boot log when it pauses for that long? Or does it stick in any one place?

  • Firewall Rules doesn't work on Interface Group

    Locked
    15
    0 Votes
    15 Posts
    4k Views
    G

    Hmm i can give you some classes on pfSense online

    OK. How much?
    But first I must learn to count. :)

    1. What are the exact routing rules? Does the state table control the routes?
    2. Why do packets which leave wan1 have (spoofed?) source IP 2.2.2.2?
    3. How to create rules so that a packet with source IP 2.2.2.2 which leaves wan1 is changed to source IP 1.1.1.1?
    3. How to create rules so that a packet with source IP 2.2.2.2 leaves wan2?

    Do you think 3 and 3 is possible?

  • Look & feel: Firewall: Aliases: Edit - Cancel button doesn't work

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    G

    Google Chrome doesn't work with roaming profiles.

  • Enable MSS clamping on VPN traffic doesn't work

    Locked
    13
    0 Votes
    13 Posts
    11k Views
    G

    Why does pfSense block fragmented PSH packets?
    Or is there another reason? Small packets with PSH will pass.

    1249669.492 X DATA[1414]
      0000: 00 00 45 00 05 84 0b d1  20 00 40 06 bd be 0a 13  ..E..... .@.....
      0010: 76 29 0a 13 01 96 00 50  c6 29 00 1a 50 ef 41 9e  v).....P.)..P.A.
      0020: 21 f0 50 18 05 a6                                !.P...
      IP-Packet from 10.19.118.41 to 10.19.1.150  protocol TCP
      Fragment:  ID 3025  bytes 0 ... 1391
      TCP-Message, sourceport 80 destinationport 50729
        sequence number 1724655
        acknowledgement number 1100882416
        offset 5 flags ACK PSH
        window 1446 checksum 0x2809 urgent 0
    1249669.500 X DATA[0096]
      0000: 00 00 45 00 00 5e 0b d1  00 ae 40 06 e2 36 0a 13  ..E..^....@..6..
      0010: 76 29 0a 13 01 96 69 64  74 68 3d 22 39 38 25 22  v)....idth="98%"
      0020: 3e 0d 0a 3c 74 72                                >..<tr
      IP-Packet from 10.19.118.41 to 10.19.1.150  protocol TCP
      Fragment:  ID 3025  bytes 1392 ... 1465

  • Firewall: NAT: Port Forward - Redirect only port and not ip

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    G

    I will forward wan:23 to wan:22. But wan has a dynamic ip.
    I don't want to forward wan:23 to lan:23 because it's the first step thru the firewall.
    It would be nice to have a drop-down box like source IP in rules.

  • 0 Votes
    4 Posts
    1k Views
    G

    Works great on today's build, thanks.

  • Only first network of alias is parsed by firewall

    Locked
    9
    0 Votes
    9 Posts
    2k Views
    E

    Probably should have a note that they are placed before interface-specific rules.  This is something that is enforced at the code that parses the rules and generates rules.debug (I've looked).

    A side note – interface groups probably need a clearly defined position where the rules will go.  Currently their placement is simply determined by the name of the interface group.

  • IPSec issues between 2 pfSense boxes.

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    C

    Here is a screenshot of the IPSec rule

    We want all traffic to be able to pass through this VPN (we know the risks etc) so that's why I have basically a pass all rule.

  • No Menu's in GUI

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    E

    If IE8 is automatically going into compatibility mode, it may be necessary to disable the automatic switch to compatibility mode in the IE8 options (last tab in the settings window) - if you must use IE.

  • User Manager with LDAP

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    jimpJ

    As in one of several reasons it doesn't work as it stands now. The starting reason (or main reason)

  • Arping - libpcap.so.3 not found

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    C

    BTW, the reason I am using arping is because my ISP recently changed its ARP cache timeout setting from a few minutes to several hours. I discovered this recently when I swapped out my production router and replaced it with an identically configured test router (identical except for the interface MAC addresses). After doing the swap, the test router no longer received ANY packets where the destination IP was a virtual IP (i.e. CARP and Proxy ARP).

    I was pulling my hair out, thinking that I misconfigured something on the test router because we've done similar router swaps in the past and never had problems with VIPs.

    After waiting several hours, the ISP's arp cache finally cleared and the test router was again receiving packets with VIP destinations.

    After searching the pfSense forums, I found the post Virtual IP Proxy Arp Not Working?, which was very helpful. In the post, Jimp suggested use arping -S. The original poster said that arping -S did not work for him. However, it DID work for me (thanks again Jim!).

    In my case, I had to add the -i switch to specify which interface to send the arping out. Specifically, here is the syntax that worked for me and forced my ISP's arp cache to be cleared immediately:

    arping -i <interface name> -S <virtual IP address that I want cleared from ARP cache> <IP address of ISP's gateway>

    For example:

    arping -i sis2 -S 192.168.1.50 192.168.1.1

    I hope that helps someone else.

    Side Note #1: I'm not sure if the -S switch causes a "gratuitous" arp packet to be sent out or if something else is happening under the hood. There is a good discussion of this here (scroll down to the "ARP Cache" section). If you're curious, version 2.09 of the arping package in pfSense version 2.0-BETA4 appears to use Thomas Habets' arping and not Alexey Kuznetsov's arping. If you were using Alexey Kuznetsov's arping, I think the magic switch for gratuitous arp is -U.

    Side Note #2: In my case, my virtual IPs were CARP VIPs. However, I would imagine arping -S would probably also work with Proxy VIPs. I'll leave that as a proverbial "exercise for the reader". (Please leave a comment here if you tested it with Proxy VIP!)

    Side Note #3: Physical IPs (i.e. real interface IP, not virtual IP) seem to get automatically cleared from the ISP's ARP cache immediately without using arping -S. (You might have to reboot or it might be enough just to bring the interface up. Can't remember in my case.)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.