There isn't an option to do this (but I think there is a feature request ticket open for something similar) The existing connections will continue to use the second WAN but new connections should go out the primary once it's back online.

No issues here either 2.0-BETA5 (amd64) built on Mon Feb 7 07:42:24 EST 2011

Good one, I think disabling either one should disable the other (as they are linked). Either way, I think this should be added to the docs (whichever way it will work in 2.0).

Well, regardless of difficulty, thank you Jim for sticking with it and figuring it out! I know the fact that multiple people had the problem indicated that I wasn't crazy but it was a tough little bugger, and I and others I'm sure appreciate the fix very much!

Thanks guys, that's useful information.

@fundutzi: I still get this message when trying to access on "https://pub.SomeDomain.eu:TCPport". Then you should, there aren't any issues with it anymore. See info here: http://doc.pfsense.org/index.php/DNS_Rebinding_Protections

Excellent, good to know thanks. Not sure I would have considered downgrading through the upgrade method, but it makes as much sense as anything.

@VitRom: Take for example a recent topics abt a forced packages reinstalling (it's not best but only first example) or something simmilar. What on RCS descriptions can predict this behaviour? Nothing. Wrong - "Reinstall packages on bootup during console. Ticket #1156" is about as clear as you can get. That's the commit log from the change that brought that back on January 5. Almost all of the commit logs are clear whether or not you understand the actual source changes. We're not going to write up a change log on every single commit, we just don't have time for that, those who follow snapshots have to read the commit logs themselves or take chances. Official releases and RCs come with change logs.

No because the update files from snapshots have a diff timestamp than the iso, it won't be an issue on normal releases.

TY!

Thanks for pointing me in the right direction. I have opened a new feature request on the Redmine bug tracker site. It looks like Matt Corallo is working on a better approach to allow custom dyndns to be entered into the GUI. http://redmine.pfsense.org/issues/1241

Reinstalled pfSense on a newer CF card. I have installed the 1GB version onto a 4GB flashcard. Now when doing a df -h command, I have 271MB available on the /dev/ufs/pfsense0 part. I really think that the 512MB flash image has no use anymore then ! Since I have no package installed whatsoever, 512MB images have no means of being upgraded anymore ! Kind regards, Michel

Wouldn't it be a relatively simple process to add a tick box when removing a gateway/interface to give the option to remove all instances from the RRD graphs? Maybe I'll feature request it.

push The systemlog is unusable if igmpproxy is enabled… please move igmp logs to a new tab/log! Edit by GruensFroeschli: adding more pushes the the thread wont help. You can make a feature request on: http://redmine.pfsense.org

Yep…for this reason I actually set up two tunnels on port 443, one using UDP and the other with TCP, and have both configured in my OpenVPN client. I suspect, though I don't use free wifi very often, that many providers are sloppy and if they do lockdown ports, may allow UDP and TCP both on port 443, so the UDP version would still be usable. However, TCP is still available to fall back on. But, another issue might be if they are examining all port 443 TCP traffic for content filtering...on corporate network this is done by pushing a trusted root certificate from the firewall to all company-owned machines and generating spoofed certificates for every secure site so the firewall an inspect and transparently proxy the traffic. I've seen public wireless misconfigured (intentionally?) to do this as well, though you will always see a certificate warning unless you manually install their root certificate (not recommended of course). However, it may prevent access via port 443 TCP using OpenVPN (though UDP could be blocked in any of the above cases regardless). Assuming DNS is not blocked/proxied, you could fall back on using TCP-over-DNS for remote communication, but that has nothing to do with pfSense (though it would be cool if someone wrote a pfSense package for it :-) Or, find another Internet connection to use, which may be the easiest if the network really is this locked down.

Once apinger gets status, it'll kick off a filter reload if any of them are down. If they're all up, it already has them all up. It works as it should, though in the case of an IP change if you do have a down gateway it'll consider it up for 1-2 seconds. That's less than ideal but happens under very rare circumstances and changing that is one of those things that's likely to cause a lot of unintended consequences.

@David: Note that Chris Buechler just updated the Redmine ticket for this bug to report that: the original bug is fixed, and the later issue with non-0 exit status on racoonctl is fixed in ipsec-tools 0.8.0. Looks like this fixes a bug with Downed Peer Detection (DPD) as well. This is great to hear! if you want to try it: http://forum.pfsense.org/index.php/topic,33010.0.html

cmb: Should I setup something on the PfSense or should it support NLB running in multicast-mode out of the box?