a little reply

my objective was simple
everyone is  on a domain email hosted by google
some users have access to the internet
some users have access to the internet using a portal
some users have no access
all users have email using the googlemail settings (ssl in and out)

environment
fw + squid proxy + proxylite + portal
proxy in transparent mode
old P4 (early model) with 1 gig of ram and 40 gig HD

I tried the suggestion to use the new version (as I was still on 1.2.3) as that has white pages for the portal
but that information was not complete (it was well intended)

with rc2, it kind of worked but my users were complaining that often the email gave an error (unresolved address)
then I found out that the white list in the portal was not really meant for what I wanted as google uses multiple IP (and not 1 virtual IP)

then had a heated discussion with no result

downloaded rc3 (last saterday) to try again

then I tried to just open the ports for outgoing traffic for mail (again ssl google definition) while blocking http traffic
but that did not work as I got an error about dns
I opened port 53 to resolve dns problems but problem still happened

whatever I did, email was not going out or in

at the same time RC3 was giving me me grief (machine hung at random times)

I tried many different combinations but all failed on the basic problem : email coming in for all users even when they are not allowed to use the internet

it was a desperate step to even look at other Firewalls
maybe I did not configure the fw correctly but I used the outgoing rules to open ports 53,465,993 and 995 (DNS,SMTP,POP and IMAP for google)
and this for any IP on the lan network with as destination anywhere

when I tried the same with endian … endian was already preconfigured to receive email from those ports , the only ports I had to add were the dns and the smtp port .... and voila it worked
i had to change my requirements : no portal anymore (as the open source endian does not have the portal included)  but hardcoded profiles ... those who can and those who cannot go to the internet ... and all are monitored
I use the proxy in transparent mode 
blocked the proxy for any access from those users who cannot
allowed the proxy for hard coded Ip addresses and for the dhcp addresses xxx.xxx.xxx.xxx/28 (16 addresses)

sorry if I came over harsh but I did receive also a very direct (!) response from your collegue ....

This late in the 2.0 release cycle that isn't likely to happen. We're trying to minimize changes, not tack on more stuff, so we can get the release out.

Look on the bright side, once 2.0 is released, you won't have to recompile for every update, just run with it :-)

It might be considered for 2.1 or later though. Look on http://redmine.pfsense.org and see if you can find a ticket for that. If there isn't one, make a new Feature Request ticket, and put "Future" as the target.

That's typically an issue with the browser. If you re-submit/refresh the form, it's fine.

Does the same thing happen on a current snapshot?

Do you have any Virtual IPs or anything that might be setting that other IP? It must be in the config somewhere or it wouldn't end up on the NIC, especially after a reboot.

Nope nothing special in the setup. I did a fresh install enabled captive portal on the LAN interface an had this issue.

Hi

A little feedback on my problems:

Crash for specific GHz hardware:
I had my solution solved. It was specific for GHz hardware from Applianceshop bought with pfsense 1.x.x and manually updated to 2.0. IF I HAD bought it iwith version 2.0 the crashing would never had occured. Applianceshop guided me to a small modification to make there hardware work with pfsense 2.0 without a saily/weekly crash. The solution can be found here:
http://forum.pfsense.org/index.php/topic,38660.0.html

General crahs when using NAT Reflection for 1:1 mapping:
Later I also added the possibility to use NAT Reflection for an IP address used for 1:1 mapping. Aparently pfsense 2.0 does not support that and the box startet to crash again. Again applanceshop came to my help with a few lines from the manual saying this could not be done. The advise was to downgrade to 1.x.x if this feature was desired.

msix
I have no comments on the msix since I do not know what is is, sorry.

Br. Anders

change my pfsense to failover( tier1 and tier2) and fix my port range hope that will fix my failover problem…thanks

What happens if you don't do that? Does the wizard let you continue? Does the queuing work?

I wrote a mail to my ISP yesterday. And today I upgraded both pfsense installtions to: 2.0-RC3 (amd64) built on Fri Aug 5 20:24:40 EDT 2011

And the problem seems to be gone. So I wonder if the problem was solved by the pfsense upgrade or my ISP. Though my ISP don't answer support tickets during the night and in weekends. Could someone tell me what has changed from:
2.0-RC3 (amd64) - built on Tue Aug 2 22:54:59 EDT 2011
to
2.0-RC3 (amd64) built on Fri Aug 5 20:24:40 EDT 2011?

**Edit: Nevermind, the problem came back when I closed the SSH session from Site one's pfsense to Site two's pfsense and further on to the server. Odd.

The most current snapshots are indeed more stable than anything from July. Upgrade again to something newer, and you will be better off.

It's actually supposed to be automatically rebooting and collecting crash data when it does.

You are using a build that has known issues. Upgrade to a current snapshot (From August, check the sticky post on this board about fixing your upgrade url) and you probably won't have to worry about it.

@focalguy:

@kristiandg:

@pwipf:

Oh, and I can't put the IP phone's IP because we're talking more than one phone.

You can create an alias with your phone's IPs and then use the alias in the wizard.

Yes, but the addresses would vary (DHCP).  No one statically assigns IPs to phones.  That really would only apply if you had an ATA or something (from vonage), I would think.  But thats OK, because I don't really want it to be done that way anyway - I really want it done based on traffic type.

And also, for me, with RC3:

Aug  4 22:22:20 roadblock php: : The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/lan-traffic.rrd N:U:U:U:U' returned exit code '1', the output was 'ERROR: expected 2 data source readings (got 4) from N:U:U:U:U' Aug  4 22:22:20 roadblock php: : The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/lan-packets.rrd N:U:U:U:U' returned exit code '1', the output was 'ERROR: expected 2 data source readings (got 4) from N:U:U:U:U' Aug  4 22:22:20 roadblock php: : The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/wan-traffic.rrd N:U:U:U:U' returned exit code '1', the output was 'ERROR: expected 2 data source readings (got 4) from N:U:U:U:U' Aug  4 22:22:20 roadblock php: : The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/wan-packets.rrd N:U:U:U:U' returned exit code '1', the output was 'ERROR: expected 2 data source readings (got 4) from N:U:U:U:U' Aug  4 22:22:20 roadblock php: : The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/ipsec-traffic.rrd N:U:U:U:U' returned exit code '1', the output was 'ERROR: expected 2 data source readings (got 4) from N:U:U:U:U' Aug  4 22:22:20 roadblock php: : The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/ipsec-packets.rrd N:U:U:U:U' returned exit code '1', the output was 'ERROR: expected 2 data source readings (got 4) from N:U:U:U:U'

I'm guessing because of this, I also can't display the RRD graphs for Traffic or Packets, which generate errors like this:

php: /status_rrd_graph_img.php: Failed to create graph with error code 1, the error is: ERROR: No DS called 'inpass' in '/var/db/rrd/wan-traffic.rrd'/usr/bin/nice -n20 /usr/local/bin/rrdtool graph /tmp/wan-traffic.rrd-8hour.png --start 1312469706 --end 1312498506 --vertical-label "bits/sec" --color SHADEA#eeeeee --color SHADEB#eeeeee --title "`hostname` - WAN :: Traffic - 8 hours - 1 minute average" --height 200 --width 620 DEF:wan-in_bytes_pass=/var/db/rrd/wan-traffic.rrd:inpass:AVERAGE DEF:wan-out_bytes_pass=/var/db/rrd/wan-traffic.rrd:outpass:AVERAGE DEF:wan-in_bytes_block=/var/db/rrd/wan-traffic.rrd:inblock:AVERAGE DEF:wan-out_bytes_block=/var/db/rrd/wan-traffic.rrd:outblock:AVERAGE CDEF:"wan-in_bits_pass=wan-in_bytes_pass,8,*" CDEF:"wan-out_bits_pass=wan-out_bytes_pass,8,*" CDEF:"wan-in_bits_block=wan-in_bytes_block,8,*" CDEF:"wan-out_bits_block=wan-out_bytes_block,8,*" CDEF:"wan-in_bytes=wan-in_bytes_pass,wan-in_bytes_block,+" CDEF:"wan-out_bytes=wan-out_bytes_pass,wan-out_bytes_bloc

I'm hoping this doesn't mean I'm about to lose over a years worth of data.

Cheers.

I just tried the newest snapshot:

pfSense-Full-Update-2.0-RC3-i386-20110804-1057.tgz

And I can assign interfaces again in the webinterface.

This is on the same box, only with a full install on a microdrive.
Before it was the same microdrive with a nanobsd install. I will try the newest snapshot on nanobsd tomorrow.

<edit>Tested the microdrive with know working version:

pfSense-2.0-RC3-1g-i386-20110729-1520-nanobsd-upgrade.img.gz
and upgraded it to the latest nanobsd version: pfSense-2.0-RC3-1g-i386-20110804-1327-nanobsd-upgrade.img.gz

And as aspected, all (assigning interfaces) is working fine again.

Thanks.</edit>

CF is so cheap these days you are probably safest to grab a config backup, ditch that CF, and re-image.

Figured I should follow up… This ended up not having anything to do with PFsense. It was an issue with squid 2.6, upgraded to 3.0 (separate box) and everything was stable again.

Thanks cmb, you solved the problem.