• IPv6 default rule

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Freeswitch running on 2.1 snapshot

    6
    0 Votes
    6 Posts
    2k Views
    E

    Thank you for the pointer to the script, I also found this http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso both of which should get me started.

    Meanwhile, if anybody is interested in using the binary tar file I built, please follow the link to my Google Drive folder:
    https://drive.google.com/folderview?id=0BynKhKMPo3RbMVRfeGVoR1VzZ0E&usp=sharing

    Installation:

    pfsense# mv freeswitch_071813.tbz /usr/local
    pfsense# mv freeswitch.sh /usr/local/etc/rc.d
    pfsense# chmod a+x /usr/local/etc/rc.d/freeswitch.sh
    pfsense# cd /usr/local
    pfsense# tar xvjf freeswitch_071813.tbz
    pfsense# pkg_add -r ncurses jpeg jbigkit

    The last step is important, as freeswitch depends on a couple of additional shared libraries that are not part of the pfsense 2.1 RC0 dist. You can verify that there are no missing libraries by:

    pfsense# cd /usr/local/freeswitch/mod
    pfsense# ldd ./mod_spandsp.so
    ./mod_spandsp.so:
        libfreeswitch.so.1 => /usr/local/freeswitch/lib/libfreeswitch.so.1 (0x800f2c000)
        libthr.so.3 => /lib/libthr.so.3 (0x800875000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x8012a5000)
        librt.so.1 => /usr/lib/librt.so.1 (0x8013c5000)
        liblzma.so.5 => /usr/lib/liblzma.so.5 (0x8014ca000)
        libm.so.5 => /lib/libm.so.5 (0x8015ed000)
        libjbig.so.1 => /usr/local/lib/libjbig.so.1 (0x80170d000)
        libz.so.5 => /lib/libz.so.5 (0x80181a000)
        libutil.so.8 => /lib/libutil.so.8 (0x80192f000)
        libssl.so.6 => /usr/lib/libssl.so.6 (0x801a3f000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x801b94000)
        libncurses.so.5.9 => /usr/local/lib/libncurses.so.5.9 (0x801e36000)
        libjpeg.so.11 => /usr/local/lib/libjpeg.so.11 (0x801f55000)
        libodbc.so.2 => /usr/local/lib/libodbc.so.2 (0x80208b000)
        libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x8021fb000)
        libc.so.7 => /lib/libc.so.7 (0x800648000)
        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x8023f8000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x802607000)
        libtinfo.so.5.9 => /usr/local/lib/libtinfo.so.5.9 (0x802715000)
  • CA's for CURL - DynDNS Custom w/HTTPS Update URL

    7
    0 Votes
    7 Posts
    3k Views
    N

    Maybe I'll work on that. Already have some similar code running for the custom type to select a specific CA (either file or from CA manager), for instance a self-signed CA that is not in the system's bundle, and enable/disable peer and host verification option.

  • Aes-ni not working?

    40
    0 Votes
    40 Posts
    29k Views
    K

    My AMD FX-8150 at a remote site with aes-ni absolutely smokes my Intel CPUs without aes-ni in these openssl tests.
    It's not even close.

  • Override route-to for hidden firewall host outbound rules?

    2
    0 Votes
    2 Posts
    3k Views
    A

    After thinking about it more I am sure the rules will override the hidden rules. I don't really need to restrict the destination though. All traffic is allowed out from the firewall itself already in another hidden rule, so why spend processing checking the destination.

    I for some reason was getting confused and thinking the most specific match will apply (the route-to would somehow be a match criteria when it is an option) when I know that is not the case.  The last rule that matches the traffic is what applies with the exception that a match action rule can add things to it (like queues) if before the pass rule.

  • Open-VM-Tools-8.8.1

    5
    0 Votes
    5 Posts
    2k Views
    jimpJ

    @asterix:

    Who in the dev team can rectify this? Can't believe I am the only one testing this package on 2.1

    Most of us use Open-VM-Tools and not Open-VM-Tools-8.8.1

    The problem is that 8.8.x isn't in FreeBSD's ports tree, and that package isn't maintained by us. It probably shouldn't even be on the list for 2.1. As far as I can see, the person who added it hasn't submitted a pfPort to the pfsense-tools repo so that we can build it ourselves, and since it's not there or in the ports tree, we can't make a PBI.

  • Latest build - CARP IPV6 issue

    8
    0 Votes
    8 Posts
    2k Views
    S

    I'm ashamed

    But

    On FW 1 the ipv4 ip was xxx.xxx.xxx.14
                the ipv6 ip was xxxxxxx:xxxxxx:xxxxxxx::14

    On FW 2 the ipv4 ip was xxx.xxx.xxx.13
                the ipv6 ip was xxxxxxx:xxxxxx:xxxxxxx::14

    Yes same ipv6 on both firewall

    I'm going to crawl under a tree

  • Another error I can't parse….

    4
    0 Votes
    4 Posts
    2k Views
    rcfaR

    @ermal:

    You have to give more information rather than just asking what it is.
    That means that the firewall device is busy doing some other transaction and cannot process your existing one.
    That means that your rules were not loaded at this time.

    This would happen for example when another daemon is doing some operation already adding/removing a rule, or some package is trying to update a table or so on….

    Can you check on your system log what was going on at the time?

    I'll see what I can do when it happens again. The reason why I didn't provide more is that this happened to be in the notification area (the thing at the top of each page in the web administration interface), and in that place, there's not more information than that precise message I copied and pasted.
    Chances are, that by the time I notice that notification, whatever may have been in the syslog, got already pushed out of the view.

  • SOLVED: OpenVPN Disable IPv6?

    2
    0 Votes
    2 Posts
    11k Views
    J

    I was way off on this one. I use PfBlocker alias function as part of my firewall rules for OpenVPN. PfBlocker was not enabled and that was causing my problem.

    ;)

    Jake

  • Kernel: arp: runt packet - What could be causing this?

    5
    0 Votes
    5 Posts
    3k Views
    J

    I just wanted to follow up and give the group a post-mortem on this issue. The culprit behind these seems to have been a backup cell phone we keep around the house in case one gets broken, which I turned off around the time of my previous post. I have roughly 3 or 4 devices on wireless in my house and to be honest, I thought this would've been due to one of the 18 wired drops I have throughout the house (poor wiring, bad NIC, etc.)

    I have actually pulled the battery from the phone for the time being but I'm thinking about finding some kind of packet sniffer for Android to see if I can clearly see the packets in question. Interesting exercise.

    In the past couple of days of searching though, I never found any way to identify the source interface of these runt packets within pfSense; am I missing something? If not, would it be logical/practical to add something like that to the System Logs?

    EDIT: Could a mod move this out of the 2.1 Snapshot forum, since this doesn't directly relate to functions within 2.1?

  • DHCP crossing interfaces

    5
    0 Votes
    5 Posts
    2k Views
    A

    Thanks.  Yes, I had both NICs on the same subnet, so that was probably the trouble.

  • Traffic shaper not seeing WAN interface

    14
    0 Votes
    14 Posts
    5k Views
    jimpJ

    @rcfa:

    @razzfazz:

    Actually, it looks like this is a known issue for LAGG interfaces:

    http://redmine.pfsense.org/issues/1630

    Indeed, removing the lagg and assigning the em0 to WAN, and the interface shows up.. Bummer that the two can't work together.

    It's funny though: lagg does not support ALTQ, but we have patches to make VLANs support ALTQ. Make your switch tag the traffic on the LAGG and then use a tagged VLAN interface, and you can get ALTQ again.

    e.g. LAGG on the switch set to both ports with a native VLAN of 10, change that to trunk/802.1q tag of 10 on the switch, and then add a VLAN on the LAGG on pfSense, so you'd assign laggX_vlan10 rather than laggX as the interface.

  • IPSec goes down with high throughput…

    22
    0 Votes
    22 Posts
    8k Views
    K

    I got that question wrong also…  It's kettle, right? ::)

  • 0 Votes
    9 Posts
    8k Views
    K

    I will post further findings/results here: http://forum.pfsense.org/index.php/topic,58819.msg350741.html#msg350741

  • States not cleared when WAN down

    4
    0 Votes
    4 Posts
    1k Views
    W

    @bartwiggers:

    I simply disconnected the wan connector for a few minutes

    Thanks, that's useful information.

    @bartwiggers:

    and discovered that the states were not cleared.

    OK, but what did you see that caused you to conclude states were not cleared? Perhaps pftop reported 10 active states or Diagnostics -> States reported 12 active states or a partially complete FTP transfer didn't report the connection broken or …

    I don't know your configuration but a few minutes would be long enough for (say) a system on your LAN to attempt to create connections to a system on your OPTx interface and create states.

  • OpenVPN client specific overrides - cn/username problem

    3
    0 Votes
    3 Posts
    2k Views
    M

    Ok, would be great to have that in the future.

    In my case I use different certificates but the same username (LDAP user), but I want to give different options for each connection, for example: home PC - one IP / laptop - other IP and different routes, etc…

  • OpenVPN - topology net30

    7
    0 Votes
    7 Posts
    9k Views
    M

    I just found the problem.

    I had "dev tap0" in my configuration file. My Linux server was configured with dev tap; I copied the configuration file and forgot to change it to dev tun. :(

    Thanks all for the help anyway.

  • No DHCPv6 on internal net, radvd issue: "sendmsg: Permission denied"

    22
    0 Votes
    22 Posts
    14k Views
    D

    @doktornotor:

    Unfortunately no - since I cannot see how to create such rule in the first place without nuking firewall functionality. Floating rule for what? Creating the rule with allowopts on LAN has no effect as the traffic gets blocked on the tunnel WAN interface. I obviously do NOT want to create "allow any" IPv6 rules on WAN.

    I'd really appreciate some ideas on how to prevent pf from dropping totally legit traffic…

  • Faster pfSense 2.1 NanoBSD image upgrade explained!

    13
    0 Votes
    13 Posts
    6k Views
    jimpJ

    Yes, NanoBSD+VGA has those enabled already.

  • WAN FailOver Failing

    5
    0 Votes
    5 Posts
    1k Views
    F

    Enjoy it ;)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.