• 0 Votes
    5 Posts
    2k Views
    P

    Thanks for your help. For those who experience something similar: Resolution turned out to be a vhid conflict - unrelated vhids shared on the same network segment caused all kinds of problems. Once I changed the vhid to be unique, the problems went away.

  • Mobile User IPSec, connect but no packets?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    J

    @jimp:

    Set up dyndns on the remote site and refer to it by hostname instead of IP address. That will update automatically and reconnect even when the IP changes. (Provided that the dyndns client on the remote side updates properly, of course…)

    Good idea. Works great!

  • RRD still broken?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    J

    okay jimp .. lemme try that .. thanx :-)

  • (solved) pfSense blocking nomachine connections without reason

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    W

    Solved by moving the MPLS gateway into its own subnet/interface

  • [SOLVED] System hangs, cannot start new processes

    Locked
    1
    0 Votes
    1 Posts
    960 Views
    No one has replied
  • Nanobsd upgrades dead

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    X

    Might be, but I usually look at the snapshot builder log, and only when I see it end and new files available do I start the upgrade.

  • Captive Portal use of RADIUS NAS ID

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    C

    I have created Feature Request #1482 for you.
    Richard

  • EZshaper config to penalize a single IP?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    T

    This is for pfsense version 1.2.3 and not related to 2.0. Please move back to proper board.

    Or, do you want to say that Penalize IP is broken totally in pfSense 1.2.3?

    Regards,

  • Crash with 4/19 nanobsd and Atheros wireless

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 3G outbound failover not working

    Locked
    11
    0 Votes
    11 Posts
    9k Views
    G

    I don't agree... in Italy you pay for the TIME you stay connected, not for generated traffic!
    All known routers supporting 3G modems work like I am asking for...

    I opened a feature request:

    http://redmine.pfsense.org/issues/1388

  • Newer Version of the dhclient-script

    Locked
    29
    0 Votes
    29 Posts
    10k Views
    B

    This fixed my issue!

    GW_OPT3 IPTV dynamic dynamic Interfaceopt3dynamic gateway

    Thank you, very much!

  • Possible security issue with lightsquid?

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    A

    I was initially surprised, but then realized that I shouldn't be.

    I think the problem is that users may not understand the scope of packages - where does pfsense stop and a package begin?

    It is easy to just make the assumption that everything on the machine is hidden and requires authentication via username / password combination.  I'm not suggesting that it needs dumbing down, just pointing out that the assumption I made can be made by others (case in point, the above post from Liath.WW).  I have no good ideas on how to make it more clear either, other than pedantic warnings everywhere.

  • PPTP WAN broken going from 1.2.3 to 2.0RC1 ?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Console - physical link indication (*) on each interface

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimpJ

    I'll ask around, see what it might take.

  • OpenVPN Device Mode Tap - but what happened then?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    GruensFroeschliG

    Interfaces --> assign --> Bridges

  • Captive Portal bandwidth restrictions discrepancy or bug?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M

    I fix computers with my dad, and sometimes we get, either knowingly or unknowingly, an infected machine that sends out bulk mail/spam/worms/other and gets us in trouble with our service provider, but we need a network connection to access the fileserver and the pxe server. We also share the pipe with video conferencing and voip phones, and our pipe is limited to 10 down 1 up. Plenty of download, not enough upload.

    Captive portal on 1.2.3 works great for this: it blocks the connection and leaves pinholes for fileserver and pixie, and when we need to connect to the web for tools or updates, the simple authentication works fine for us, and the bandwidth limits prevent machines from hogging the upload and share the bandwidth with other devices on the network.

    anyways…

    So here are the snippets for the command you asked for.

    I disabled CP first and then the bandwidth restriction, but it didn't show anything different, so I re-enabled it and copied this snippet.
    When I was screwing around trying to troubleshoot it and I set it to 1024 initially.
    CP bandwidth download set 5120.

    $ ipfw pipe show
    20004: 1048.576 Mbit/s    0 ms burst 0
    q151076 100 sl. 0 flows (1 buckets) sched 85540 weight 0 lmax 0 pri 0 droptail
     sched 85540 type FIFO flags 0x0 0 buckets 0 active
    20005: 1048.576 Mbit/s    0 ms burst 0
    q151077 100 sl. 0 flows (1 buckets) sched 85541 weight 0 lmax 0 pri 0 droptail
     sched 85541 type FIFO flags 0x0 0 buckets 0 active
    20006: 128.000 Kbit/s    0 ms burst 0
    q151078 100 sl. 0 flows (1 buckets) sched 85542 weight 0 lmax 0 pri 0 droptail
     sched 85542 type FIFO flags 0x0 0 buckets 0 active
    20007:   5.120 Mbit/s    0 ms burst 0
    q151079 100 sl. 0 flows (1 buckets) sched 85543 weight 0 lmax 0 pri 0 droptail
     sched 85543 type FIFO flags 0x0 0 buckets 0 active
    20002: 1048.576 Mbit/s    0 ms burst 0
    q151074 100 sl. 0 flows (1 buckets) sched 85538 weight 0 lmax 0 pri 0 droptail
     sched 85538 type FIFO flags 0x0 0 buckets 0 active
    20003: 1048.576 Mbit/s    0 ms burst 0
    q151075 100 sl. 0 flows (1 buckets) sched 85539 weight 0 lmax 0 pri 0 droptail
     sched 85539 type FIFO flags 0x0 0 buckets 0 active

    Wasn't sure if you want another pipe show or just show so I posted both.
    CP set to 0
    Now it's different.

    $ ipfw pipe show
    20004: 128.000 Kbit/s    0 ms burst 0
    q151076 100 sl. 0 flows (1 buckets) sched 85540 weight 0 lmax 0 pri 0 droptail
     sched 85540 type FIFO flags 0x0 0 buckets 0 active
    20005: 1048.576 Mbit/s    0 ms burst 0
    q151077 100 sl. 0 flows (1 buckets) sched 85541 weight 0 lmax 0 pri 0 droptail
     sched 85541 type FIFO flags 0x0 0 buckets 0 active
    20006: 128.000 Kbit/s    0 ms burst 0
    q151078 100 sl. 0 flows (1 buckets) sched 85542 weight 0 lmax 0 pri 0 droptail
     sched 85542 type FIFO flags 0x0 0 buckets 0 active
    20007:   5.120 Mbit/s    0 ms burst 0
    q151079 100 sl. 0 flows (1 buckets) sched 85543 weight 0 lmax 0 pri 0 droptail
     sched 85543 type FIFO flags 0x0 0 buckets 0 active
    20002: 1048.576 Mbit/s    0 ms burst 0
    q151074 100 sl. 0 flows (1 buckets) sched 85538 weight 0 lmax 0 pri 0 droptail
     sched 85538 type FIFO flags 0x0 0 buckets 0 active
    20003: 1048.576 Mbit/s    0 ms burst 0
    q151075 100 sl. 0 flows (1 buckets) sched 85539 weight 0 lmax 0 pri 0 droptail
     sched 85539 type FIFO flags 0x0 0 buckets 0 active

    $ ipfw show
    65291  0     0 allow pfsync from any to any
    65292  0     0 allow carp from any to any
    65301  0     0 allow ip from any to any layer2 mac-type 0x0806
    65302  0     0 allow ip from any to any layer2 mac-type 0x888e
    65303  0     0 allow ip from any to any layer2 mac-type 0x88c7
    65304  0     0 allow ip from any to any layer2 mac-type 0x8863
    65305  0     0 allow ip from any to any layer2 mac-type 0x8864
    65306  0     0 allow ip from any to any layer2 mac-type 0x888e
    65307  0     0 deny ip from any to any layer2 not mac-type 0x0800
    65310 52  6791 allow ip from any to { 255.255.255.255 or 192.168.1.1 } in
    65311 97 83269 allow ip from { 255.255.255.255 or 192.168.1.1 } to any out
    65312  0     0 allow icmp from { 255.255.255.255 or 192.168.1.1 } to any out icmptypes 0
    65313  0     0 allow icmp from any to { 255.255.255.255 or 192.168.1.1 } in icmptypes 8
    65314  0     0 allow ip from table(3) to any in
    65315  0     0 allow ip from any to table(4) out
    65316  0     0 pipe tablearg ip from table(5) to any in
    65317  0     0 pipe tablearg ip from any to table(6) out
    65318  0     0 allow ip from any to table(7) in
    65319  0     0 allow ip from table(8) to any out
    65320  1    40 pipe tablearg ip from any to table(9) in
    65321  1    44 pipe tablearg ip from table(10) to any out
    65322  8   384 pipe tablearg ip from table(1) to any in
    65323 22  1056 pipe tablearg ip from any to table(2) out
    65531  5   652 fwd 127.0.0.1,8000 tcp from any to any in
    65532  5   635 allow tcp from any to any out
    65533  1   229 deny ip from any to any
    65534  0     0 allow ip from any to any layer2
    65535  0     0 allow ip from any to any

  • FW Upgrade or reboot (unsure) breaks PFsense

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    3

    Today I finally had time to re-flash a clean image to the CF and then upgraded and it survived the reboot.  So it was either a bad update or fluke but things seem to be working normally now for me.

  • Installation of Open-VM-Tools FAILED (built on Fri Apr 1 21:22:49 EDT 2011)

    Locked
    14
    0 Votes
    14 Posts
    7k Views
    R

    @nothing_fr:

    I have manually corrected the file /usr/local/pkg/open-vm-tools.inc to get it to work on ESXi 4.1 / PfSense 2 RC1 AMD64.

    Thank you.  :)

    Adding a semi-colon at the end of line 22 fixed the "Checking for nat PF hooks in package /usr/local/pkg/open-vm-tools.inc…" issue for me. I couldn't see a space at line 13 though.

  • Pfsense 2.0 + Lanpro lp-sgw2400 switch vlan config help

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Captive Portal per User Bandwidth limits from RADIUS ignored

    Locked
    12
    0 Votes
    12 Posts
    10k Views
    C

    I was so impressed by the speed of the fix, even if you were a bit odd about my offer to help, that
    I got together all the hardware I would need to test, and it works!
    Thanks for that. I'd like to see CheckPoint or Cisco move that fast!
    Richard
