• Ipfw context error

    7
    0 Votes
    7 Posts
    7k Views
    DerelictD

    ipfw_context -l    (That's -(ell) not -(one))

    and -x "context" needs to be replaced with the captive portal instance name - aka the zone name.

  • Growl Stopped Working?

    2
    0 Votes
    2 Posts
    2k Views
    jimpJ

    They broke it. :-)

    http://redmine.pfsense.org/issues/2942

  • Multi wan interface groups not available for NAT port forwarding

    5
    0 Votes
    5 Posts
    3k Views
    M

    @xbipin:

    I just noticed that if I use 2 WAN connections in a failover manner, I can create interface groups for them but they don't appear under NAT port forward, so I can't create port forwarding to both WANs at once and still need to add per interface. Is this by design or is it a bug?

    Hello,

    How do you use NAT in a multi-WAN scenario?
    What I want: in case of a failure of one WAN, the NATing will have to change according to which WAN connection is up.
    Otherwise the packets leaving the router to the wrong ISP will not be able to be routed by the relevant ISP (wrong NAT).

    How do you create port forwarding rules from the same LAN private IP to different WAN public IPs?
    For example: I have 2 WANs with 16 public IPs each.
    In my WAN1 connection I let my LAN users go out from WAN1_StaticIP_10th,
    and in my WAN2 connection I let the LAN users NAT to WAN2_StaticIP_8th.
    I use manual outbound rules for that. I use some 1:1 rules for my webservers in DMZ.
    Up to here everything works fine. I cannot figure out how to use manual outbound NAT with multiWAN.

    1)  You say "port forwarding to both WANs at once".
        Do you refer to NAT forwarding or manual advanced NAT outbound rules?

    Are these 2 manual NAT rules possible?

        source   dest   dest port   NAT address
        LAN      *      80          WAN1_StaticIP_10th
        LAN      *      80          WAN2_StaticIP_8th

    Will the above, together with a MultiWAN setup (group in TIER1 categories and firewall rule using the group as gateway),
    work and guarantee that after failover I will be able to NAT?

    2)  What about an email server in my DMZ (static NAT)? May I have 2 lines for every LAN address in NAT 1:1 rules (similar to the above)?
        I have requested to add 2 addresses in the MX records with the same priority (one the WAN1_staticIP_6th + WAN2_staticIP9th).

    If (1) and (2) cannot be done, should I use second IPs in LAN and DMZ hosts and have
    one for the WAN1 and one for the WAN2?

    Sorry in advance for being too verbose or too idiot….
    Michail

  • PPTP changes?

    6
    0 Votes
    6 Posts
    2k Views
    K

    Well - if you had a stable version of pfSense and you didn't upgrade and you didn't change anything, nothing would just change itself.
    That's why I'm wondering what else may have changed.

  • RC 2.1 (i386) - Port alias not working

    8
    0 Votes
    8 Posts
    2k Views
    D

    Well, good that it works. Other than that, it helps to name the aliases so that they make things more obvious, rather than obscuring them. :D

  • Ahci(4) needed for TRIM

    42
    0 Votes
    42 Posts
    29k Views
    M

    This thread got TRIM enabled on an AMD64.  Curious if "time" is the best optimization method or if it's even worth looking into.

    [2.1-RC1][admin@pfsense.router]/(2): tunefs -p /
    tunefs: POSIX.1e ACLs: (-a)                                disabled
    tunefs: NFSv4 ACLs: (-N)                                  disabled
    tunefs: MAC multilabel: (-l)                              disabled
    tunefs: soft updates: (-n)                                disabled
    tunefs: gjournal: (-J)                                    disabled
    tunefs: trim: (-t)                                        enabled
    tunefs: maximum blocks per file in a cylinder group: (-e)  2048
    tunefs: average file size: (-f)                            16384
    tunefs: average number of files in a directory: (-s)      64
    tunefs: minimum percentage of free space: (-m)            8%
    tunefs: optimization preference: (-o)                      time
    tunefs: volume label: (-L)

  • Address marked as DHCP6 on console though address is fixed

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Sorting of list on the Virtual IPs page

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPv6 NAT

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Traphic graphs are off…

    2
    0 Votes
    2 Posts
    1k Views
    T

    I noticed the traffic graphs just crash the em0 or em1 interface and stop collecting altogether when changing the display IP option.
    It works fine now. I don't use VLAN stuff so I can't confirm if the traffic is wrong/off.

    p.s. I'm running a 22-8-2013 build amd64.

  • OpenVPN authentication: client certificate DN match against user database

    4
    0 Votes
    4 Posts
    4k Views
    D

    @mbartosch:

    In my opinion the best way to handle this properly would be to support X.509v3 SubjectAlternativeName mappings (see RFC5280, section 4.2.1.6).
    The RFC basically states that a certificate's subject should be ignored in favor of a SubjectAlternativeName if it is present in the certificate. If the SAN exists, the relying party should use this value for authorization purposes instead of the subject.

    Needs to go to OpenVPN upstream. Not to mention… policy reason. If you have policy "reasons", they'll just not issue any such thing with SubjectAlternativeName either.

  • FreeSWITCH Status for 2.1

    16
    0 Votes
    16 Posts
    10k Views
    V

    Hi,

    Was there any status update on this?

    I'm also looking for a FreeSwitch package for 2.1….

    Cheers,
    Victor

  • 0 Votes
    1 Posts
    2k Views
    No one has replied
  • Wierd firewall rules blocking traffic

    12
    0 Votes
    12 Posts
    9k Views
    M

    It's actually working properly when modifying the rule redirecting traffic from 10.8.0.0/24 to the VPN gateway by using sloppy state.

  • Patch captive portal

    10
    0 Votes
    10 Posts
    5k Views
    T

    Thanks abiatiya, I will try and come back to update.

    If a user sets a proxy in the browser, he can access the internet without authentication. If it is not set, he is redirected to the captive portal logon page.

    In pfSense 2.0.3, the "captive portal" patch from squid3 works very well!

  • LiveCD-2.1-RC1-amd64-20130822-1130 Installation Issues

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • No DNS for LAN pFsense 2.1-RC (i386)

    1
    0 Votes
    1 Posts
    839 Views
    No one has replied
  • 2.1-RC1 (i386) very high CPU usage

    6
    0 Votes
    6 Posts
    3k Views
    M

    OK - I spoke too soon.  It appears this check_reload_status is back again.  It kicked in overnight.

    PID USERNAME PRI NICE  SIZE    RES STATE  C  TIME  WCPU COMMAND
      262 root    136  20  3352K  1176K CPU3    3 714:13 84.77% /usr/local/sbin/check_reload_status
    68867 root    133  20    0K    8K CPU2    0  0:21 80.57% [snort]
    92322 root      76  20 85012K 27740K lockf  1  0:01 77.49% /usr/local/bin/php -f /etc/rc.filter_config
    92615 root      76  20  3368K  1248K piperd  2  0:00 52.98% [awk]
    91998 root      76  20  3644K  1252K wait    0  0:00 52.69% [sh]
    92569 root      76  20  3264K  928K wait    1  0:00 52.69% [xargs]

    Seems like squid may not have installed correctly during the firmware update.  Is there any way to manually remove squid but still preserve the settings for when it's reinstalled?  When I uninstall squid via the packages menu, it still appears as a stopped service on the homepage.

    Aug 22 09:24:02 php: rc.start_packages: Reloading Squid for configuration sync
    Aug 22 09:24:02 kernel: em3: promiscuous mode enabled
    Aug 22 09:24:02 php: rc.start_packages: The command '/usr/local/etc/rc.d/bandwidthd.sh stop' returned exit code '1', the output was 'No matching processes were found'
    Aug 22 09:24:01 php: rc.start_packages: Reloading Squid for configuration sync
    Aug 22 09:24:00 php: rc.start_packages: Reloading Squid for configuration sync
    Aug 22 09:24:00 ntop[71511]: THREADMGMT[t685773120]: ntop RUNSTATE: INIT(2)
    Aug 22 09:24:00 kernel: em3: promiscuous mode disabled
    Aug 22 09:24:00 ntop[71511]: THREADMGMT[t685773120]: ntop RUNSTATE: PREINIT(1)
    Aug 22 09:24:00 php: rc.start_packages: Reloading Squid for configuration sync
    Aug 22 09:23:59 php: rc.start_packages: Not calling package sync code for dependency squid of squid because some include files are missing.
    Aug 22 09:23:59 php: rc.start_packages: Reloading Squid for configuration sync
    Aug 22 09:23:58 php: rc.start_packages: Reloading Squid for configuration sync
    Aug 22 09:23:57 squid[55932]: Squid Parent: child process 56393 started
    Aug 22 09:23:57 php: rc.start_packages: Starting Squid

  • Captive Portal - Not redirecting to splash page

    7
    0 Votes
    7 Posts
    5k Views
    M

    I was having similar issues but I read on another post that if you add your DNS server to the allowed IPs then the redirection will work. It worked for me; look under Services->Captive Portal. Choose your zone and click the tab for allowed IP and add your DNS server (probably pfSense). Also be careful with VLANs: I am using an untagged VLAN on the same NIC that has tagged traffic and this was causing the captive portal to block all traffic for the entire NIC regardless of what VLAN it was on. Jimp has suggested that you don't use untagged traffic on the same interface where you have tagged traffic. I have not had physical access to the network to make the changes to see if this was the issue, however the for me was just to add the subnets that were not supposed to be blocked to the allowed IP address tab until I get a chance to fix it the correct way.

  • IP on vlan interface are empty if I unpluged the cable

    6
    0 Votes
    6 Posts
    2k Views
    N

    OK, I have more information.

    I can reproduce the issue when I'm applying a new configuration on my switch (which brings the trunk link up/down).

    My pfSense box is as follows: 2 NICs (1 WAN / 1 trunk with 5 VLANs), with 256MiB of RAM (actually 30% used during normal running).

    Here is the ps output when the issue occurs. I have a lot of php scripts eating memory and I also have duplicate processes like dhcpleases (12 processes with the same parameters at the same time; my hosts file is corrupted).

      PID  TT   STAT        TIME COMMAND
        0  ??   DLs      4:41.97 [kernel]
        1  ??   SLs      0:00.24 /sbin/init --
        2  ??   DL       0:00.04 [g_event]
        3  ??   DL       0:24.44 [g_up]
        4  ??   DL       0:16.71 [g_down]
        5  ??   DL       0:00.00 [crypto]
        6  ??   DL       0:00.00 [crypto returns]
        7  ??   DL       0:00.00 [sctp_iterator]
        8  ??   DL       0:02.98 [pfpurge]
        9  ??   DL       0:00.00 [xpt_thrd]
       10  ??   DL       0:00.00 [audit]
       11  ??   RL    1961:55.42 [idle]
       12  ??   WL       7:52.43 [intr]
       13  ??   DL       0:00.00 [ng_queue]
       14  ??   DL       0:22.93 [yarrow]
       15  ??   DL       0:02.57 [usb]
       16  ??   DL       0:43.31 [pagedaemon]
       17  ??   DL       0:01.01 [vmdaemon]
       18  ??   DL       0:00.01 [pagezero]
       19  ??   DL       0:00.47 [idlepoll]
       20  ??   DL       0:01.07 [bufdaemon]
       21  ??   DL       0:40.67 [syncer]
       22  ??   DL       0:01.05 [vnlru]
       23  ??   DL       0:01.30 [softdepflush]
       36  ??   DL       0:04.14 [zfskern]
       66  ??   DL       0:03.88 [md0]
      261  ??   RNs      2:03.06 /usr/local/sbin/check_reload_status
      266  ??   IWN      0:00.00 check_reload_status: Monitoring daemon of check_reload_status
      272  ??   Is       0:00.69 /sbin/devd
      407  ??   SWNs     0:00.00 /usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d mydomain.fr -p /var/run/dnsmasq.pid -h /var/etc/hosts
     7387  ??   DNL      0:01.64 /usr/local/bin/php -f /etc/rc.linkup start em0_vlan10
     7434  ??   Ss       0:00.61 sshd: root@pts/1 (sshd)
     7996  ??   SN       0:01.61 /usr/local/bin/php -f /etc/rc.linkup start em0_vlan11
     8230  ??   Is       0:00.44 /usr/sbin/sshd
     8530  ??   Is       0:00.07 /usr/local/sbin/sshlockout_pf 15
    10114  ??   Ss       0:05.17 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -f /var/etc/syslog.conf
    10242  ??   Is       0:00.16 dhclient: vr0 [priv] (dhclient)
    10713  ??   DNL      0:01.66 /usr/local/bin/php -f /etc/rc.linkup start em0_vlan13
    10715  ??   IWs      0:00.00 /usr/sbin/cron -s
    10946  ??   SN       0:00.07 /usr/local/sbin/dnsmasq --all-servers --rebind-localhost-ok --stop-dns-rebind --dhcp-hostsfile=/var/etc/hosts --dns-forward-max=5000 --cache-size=10000 --local-ttl=1
    12084  ??   SWNs     0:00.00 /usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d mydomain.fr -p /var/run/dnsmasq.pid -h /var/etc/hosts
    13940  ??   SWN      0:00.00 /bin/sh /var/db/rrd/updaterrd.sh
    17973  ??   Ss       0:00.32 dhclient: vr0 (dhclient)
    30395  ??   IWs      0:00.00 /usr/local/bin/minicron 240 /var/run/ping_hosts.pid /usr/local/bin/ping_hosts.sh
    30521  ??   Is       0:00.14 /usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf
    30945  ??   IW       0:00.00 minicron: helper /usr/local/bin/ping_hosts.sh  (minicron)
    31043  ??   IWs      0:00.00 /usr/local/bin/minicron 3600 /var/run/expire_accounts.pid /etc/rc.expireaccounts
    31405  ??   IW       0:00.00 minicron: helper /etc/rc.expireaccounts  (minicron)
    31560  ??   IWs      0:00.00 /usr/local/bin/minicron 86400 /var/run/update_alias_url_data.pid /etc/rc.update_alias_url_data
    31938  ??   IW       0:00.00 minicron: helper /etc/rc.update_alias_url_data  (minicron)
    34793  ??   Ss       2:08.74 /usr/local/sbin/apinger -c /var/etc/apinger.conf
    34903  ??   DL       0:05.10 /usr/local/bin/rrdtool -
    35403  ??   Is       0:00.00 /usr/pbi/avahi-i386/bin/dbus-daemon --system
    40592  ??   DNL      0:01.14 /usr/local/bin/php -f /etc/rc.linkup stop em0
    41469  ??   DNL      0:01.06 /usr/local/bin/php -f /etc/rc.linkup stop em0_vlan100
    41612  ??   DN       0:01.12 /usr/local/bin/php -f /etc/rc.linkup stop em0_vlan5
    41888  ??   DNL      0:01.11 /usr/local/bin/php -f /etc/rc.linkup stop em0_vlan9
    41901  ??   DNL      0:01.14 /usr/local/bin/php -f /etc/rc.linkup stop em0_vlan10
    42414  ??   DNL      0:01.13 /usr/local/bin/php -f /etc/rc.linkup stop em0_vlan11
    42764  ??   DN       0:01.12 /usr/local/bin/php -f /etc/rc.linkup stop em0_vlan12
    43259  ??   DNL      0:01.14 /usr/local/bin/php -f /etc/rc.linkup stop em0_vlan13
    43648  ??   S        0:14.36 avahi-daemon: registering [pfsense.mydomain.fr] (avahi-daemon)
    43732  ??   DNL      0:01.09 /usr/local/bin/php -f /etc/rc.linkup stop em0_vlan14
    44147  ??   DNL      0:01.26 /usr/local/bin/php -f /etc/rc.linkup start em0
    44452  ??   DNL      0:01.15 /usr/local/bin/php -f /etc/rc.linkup start em0_vlan100
    44606  ??   Is       0:00.22 /usr/local/sbin/sshlockout_pf 15
    44730  ??   DNL      0:01.23 /usr/local/bin/php -f /etc/rc.linkup start em0_vlan5
    44978  ??   DNL      0:01.18 /usr/local/bin/php -f /etc/rc.linkup start em0_vlan9
    45827  ??   DNL      0:01.05 /usr/local/bin/php -f /etc/rc.linkup start em0_vlan14
    50780  ??   SWNs     0:00.00 /usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d mydomain.fr -p /var/run/dnsmasq.pid -h /var/etc/hosts
    53667  ??   Ss       0:23.46 /usr/local/bin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/ntpd.pid
    56131  ??   SNs      0:00.02 /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid em0_vlan11 em0_vlan10 em0_vlan12 em0_vlan13 em0_vlan5 em0_vlan14 em0
    57537  ??   SWN      0:00.00 sleep 60
    58259  ??   SWNs     0:00.00 /usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d mydomain.fr -p /var/run/dnsmasq.pid -h /var/etc/hosts
    58487  ??   SWNs     0:00.00 /usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d mydomain.fr -p /var/run/dnsmasq.pid -h /var/etc/hosts
    58868  ??   SWNs     0:00.00 /usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d mydomain.fr -p /var/run/dnsmasq.pid -h /var/etc/hosts
    59044  ??   SWNs     0:00.00 /usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d mydomain.fr -p /var/run/dnsmasq.pid -h /var/etc/hosts
    59901  ??   DNL      0:00.13 /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid em0_vlan11 em0_vlan10 em0_vlan12 em0_vlan5 em0_vlan14 em0
    61613  ??   DNL      0:00.03 /usr/local/bin/php -f /etc/rc.dyndns.update opt1
    63450  ??   S        0:00.01 sh -c /usr/bin/netstat -mb | /usr/bin/grep "mbuf clusters in use" | /usr/bin/awk '{ print $1 }'
    63610  ??   IWs      0:00.00 sshd: Cyril [priv] (sshd)
    63665  ??   DL       0:00.15 /usr/bin/netstat -mb
    63840  ??   DL       0:00.05 /usr/bin/grep mbuf clusters in use
    63914  ??   S        0:00.02 /usr/bin/awk { print $1 }
    63973  ??   DNL      0:00.01 /usr/local/bin/php -f /etc/rc.dyndns.update opt4
    64109  ??   DNVL     0:00.00 /usr/local/bin/php -f /etc/rc.linkup stop em0_vlan5
    64253  ??   DNV      0:00.00 /usr/local/bin/php -f /etc/rc.linkup stop em0_vlan12
    65617  ??   S        0:51.72 sshd: Cyril (sshd)
    66017  ??   Ss       0:01.78 sshd: root@pts/0 (sshd)
    74148  ??   SWNs     0:00.00 /usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d mydomain.fr -p /var/run/dnsmasq.pid -h /var/etc/hosts
    75414  ??   SWNs     0:00.00 /usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d mydomain.fr -p /var/run/dnsmasq.pid -h /var/etc/hosts
    86460  ??   S        0:01.26 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
    86721  ??   IWs      0:00.00 /usr/local/bin/php
    90029  ??   S        0:14.95 /usr/local/bin/php
    90502  ??   SWs      0:00.00 /usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d mydomain.fr -p /var/run/dnsmasq.pid -h /var/etc/hosts
    96303  ??   SWs      0:00.00 /usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d mydomain.fr -p /var/run/dnsmasq.pid -h /var/etc/hosts
    26909  v0-  S        0:06.05 /usr/sbin/tcpdump -s 256 -v -S -l -n -e -ttt -i pflog0
    27253  v0-  S        0:01.50 logger -t pf -p local0.info
    44049  v0   IWs      0:00.00 login [pam] (login)
    44966  v0   IW       0:00.00 -sh (sh)
    47221  v0   I+       0:00.02 /bin/sh /etc/rc.initial
     8782  1    IWs      0:00.00 -sh (sh)
     9267  1    IW       0:00.00 /bin/sh /etc/rc.initial
    15575  1    I+       0:00.26 /bin/tcsh
    64287  0    R+       0:00.02 ps -axf
    66359  0    IWs      0:00.00 -sh (sh)
    67169  0    IW       0:00.00 /bin/sh /etc/rc.initial
    69773  0    S        0:00.25 /bin/tcsh

    I hope this could help…
