• Traffic Shaping: qACK queue

    The moral of the story then being that if you want your outbound ack packets to match a firewall ackqueue, then you need to make a floating rule that will match packets coming in on the WAN. For example, for an http download, make a floating rule that will match packets from source TCP/80 and ackqueue/queue to ackhttp/http or something like that.

    Now, if I could just figure out how to set up my queues…

  • Usb flash - pfsense 2.0 no support?

    Version 2.0 has earned!
    Through usb hub, on a straight line to t5520 (http://www.computerland.kiev.ua/uploads/imgs/58734.jpg) does not wish to work.
    The same occurs with a 3G modem.
    In version 2.0 everything works only through a USB hub.

  • DHCP and DNS Forwarder settings unset themselves sporadically

    This should be fixed now.  Either try a snapshot build from tomorrow or later (assuming one builds) or you could manually apply this change: https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/f23e63638af309ec317dc924794c34dd1c68fecc

    The one that is currently building was started before this change went in.

  • Default route not being set?

    @cmb:

    No it's not. All WAN rules have routing information in them via pf's reply-to, you don't need any routing. There has been a whole lot of flux in the past couple weeks with interfaces and multi-WAN though, best to give it a few more days until all the fallout has been resolved (though I think the next snapshot should fix the last remaining issue, that remains to be seen).

    That's what I was planning. Try one of the snapshots next week. See what has changed and see how it works in my environment.

  • Diagnostic->File editor strange behavior

    @jimp:

    What browser are you using? I can't reproduce this in Firefox.

    Looks like IE does this.

    Surely I was editing with IE 8 on Win7.

  • Imspector on 2.0-beta3 Uninstall

    The packages required by imspector are not there, so for now it is not possible to install imspector.

    @dustinlw1987:

    That worked for the uninstall.

    However, install of imspector again yields this:

    **Downloading package configuration file… done.
    Saving updated package information... done.
    Downloading imspector and its dependencies... done.
    Checking for successful package installation... of imspector-0.8 failed!

    Installation aborted.**

  • Pfctl-sr results from the "Diffserv Code Point" wrong?

    @ermal:

    Can you please file a bug on redmine with the correct values?

    I've done

  • Snapshot server stuck

    jimp

    Yeah it was a code problem. It should be fixed now though, it's put out a new snap since yesterday.

  • Issues with configuring LDAP Server

    No one has replied
  • OpenVPN site to site setup. Help appreciated

    @GruensFroeschli:

    Just because it's a PSK doesn't mean it's not SSL/TLS.

    When using a PKI for site-to-site you also have to create on the server a client specific configuration telling which subnet is behind which client.
    Check out the sticky in the OpenVPN subforum for a howto.

    But I generally find it's better to use a PSK for a site-to-site and a PKI for roadwarriors.
    So in your case I would set up two servers.
    One for the site-to-site and one for the roadwarriors.

    Interesting reading; however, it is not worth it for a site-to-site between only 2 pfSense boxes. As suggested, I will stick with PSK. Thanks for the replies.

  • Upgrade destroys user changes

    jimp

    Hmm, well loader.conf and loader.conf.local should be removed from new snapshots. I'll have to look at it again tomorrow to check since the snapshots were broken most of the day today.

  • Tiny buglet

    yeah just saw the other thread… doh!

  • SafeNet crypto devices not displayed on dashboard

    jimp

    Committed, thanks!

  • Help with IPSEC VPN tunnel issue!

    Yep I figured as much.  All settings matched.  The one that broke it was "Negotiate compression" on the IPCop.  When I disabled that it worked.

  • The gwlb.inc error: current snap ok?

    jimp

    I committed the fix at about 9am yesterday. I don't know why it wasn't in the snap from yesterday afternoon.

    Hopefully the next one up will be OK.

  • Multi WAN with gateways on separate subnets with VIP

    Another area where it isn't supported is NAT. pf will always NAT to 1 IP, by default the main IP of the interface. You can update the rule to the one in the added virtual subnet, but it does not happen automatically.
    So for failover purposes this is not useful at the moment, let alone load balancing.

    This requires quite a bit of work I guess, if at all possible; I'm not an expert on pf. It might work with tagging packets with pf and, based on the tag, choosing the route and NAT rules later on. No idea if this is possible in some round-robin way.

    For now I'll just go with VLANs. Thanks for the input.

  • Set ip error :(

    Thank you.

  • GATEWAY firewall rule conflict with Openvpn routes?

    @ermal:

    You need to learn about pfSense, I think.

    You can assign openvpn interfaces and can filter them one by one.

    Wow. Thanks, I didn't know that was now possible in 2.0.

    The assignment of a logical interface to an actual tun device is fixed, i.e. OPT3 to ovpnc1 or OPT4 to ovpnc1. How does pfSense treat the ordering of the ovpn devices during a reboot if you have more than one tunnel?

    Second, there is a (default) tab of OpenVPN in the firewall rules. How does this differ from an assigned interface?

  • Update from 20100614-1357 to 20100614-2026: system unreachable

    Same problem here with the latest snapshot (2010/06/15-13:02) on OS X 10.6.3 virtualized with VMware Fusion 3.1.
    The latest working snapshot for me is from (2010/06/13-20:36).

    system is unreachable and responds with
    Initializing…...................                                             
    Parse error: syntax error, unexpected ')' in /etc/inc/gwlb.inc on line 398

    During boot I wasn't asked if I want to assign interfaces either.

  • Box fried after update

    That did it! It was flashing the line error too quickly to see it. But now all back online. Thank you!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.