No, it doesn't work that way. For one, because there is no compiler on pfSense, and also because upgrading various components could lead to breakage as often config file formats and behavior change between versions that would be unexpected. The system is released as a whole because it's tested and known to work. If there is a compelling (e.g. security) reason to upgrade a tool such as lighttpd, it may warrant a new release or get upgraded in the development version. If you want to try to build an updated version, you can do so on another FreeBSD box or VM as described here: http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso

@scottnguyen: FREEBSD works fine with unetbootin Is that from a FreeBSD ISO, or by selecting FreeBSD from the menu.  Because, when you select FreeBSD from the menu, you get a "packaged" version of FreeBSD, that someone has specifically built to be usable in unetbootin. Cheers.

Same problem with my DC5850 and latest livecd (pfSense-2.0-BETA1-20100308-2107.iso.gz ) Also the same on HP DC5750 Any help appreciated JClausen

Bear in mind that I have not tried or tested this, but here is a sample pfi.conf file from the server. It just shows available options and such: ####################################################################### # $Id: pfi.conf,v 1.10 2005/07/09 00:07:07 cpressey Exp $ # Defaults for pfi.conf. # A space-separated list of what services to restart when we are done # changing options.  The services are the base names of RCNG scripts # (i.e. without the "/etc/rc.d/" prefix.)  Note that these must be # given explicitly in the same order they would normally be started # by rcorder during RCNG (e.g. "netif dhclient sshd"); they are not # automatically ordered by their dependencies here. pfi_rc_actions="" # Determines which installer frontend to use.  Defaults to "curses"; # other legal options are "cgi" and "none". pfi_frontend="curses" # Determines which installer backend to use.  The standard backend # is now the Lua backend, but this can be changed, to start an # alternate backend.  (See example #4, below.) pfi_backend="/usr/local/bin/lua50c51 /usr/local/share/dfuibe_lua/main.lua" pfi_backend="$pfi_backend option.booted_from_install_media=true" # When using the curses frontend: # Set the amount of time, in milliseconds, which must pass after # the 'ESC' key is pressed, in order for it to be recognized # as a plain 'ESC' keystroke, and not part of an escape code. pfi_curses_escdelay="150" # A password to set as the root password on the LiveCD, if any. pfi_set_root_password="" # Control corresponding sshd options.  To make sure sshd restarts with # these options, add "sshd" to pfi_rc_actions. pfi_sshd_permit_root_login="NO" pfi_sshd_permit_empty_passwords="NO" # An script to run before the installer.  It is assumed this script is # located on the pfi media.  While it is run, the media's root directory # is mounted on /mnt. pfi_script="" # A program to run before the installer.  It is assumed to reside on # the LiveCD; /mnt is not mounted. pfi_run="" # What transport layer the DFUI in the installer should use.  Valid # values are currently "caps", "npipe", and "tcp". pfi_dfui_transport="tcp" # User to automatically log in as, or "NONE". pfi_autologin="NONE" # Command to use to reboot.  "shutdown -h now" is typically used # interactively, to give the user a chance to eject the disk, but # "shutdown -r now" can be used for headless operation. pfi_shutdown_command="shutdown -h now" ####################################################################### # EXAMPLES # To use one of these examples, extract it to a text file and remove the # leading pound-signs.  Copy this text file to the file "/pfi.conf" # on a floppy disk or USB pen drive (hereinafter referred to as "the pfi # media") and have that media inserted or attached to the computer while # you boot from the installer CD-ROM.  The installer will attempt to # locate this file and, if found, will use the variables present within it # to configure the installer boot process. # This file has the same syntax as /etc/rc.conf, and it can contain any # setting which is meaningful in /etc/rc.conf as well.  Any rc.conf # setting which is given will only be obeyed, however, if the RCNG script # to which that setting applies is named in pfi_rc_actions. # EXAMPLE 1: # Boot the installer headless, configure the network interface dc0, # and start the CGI frontend. # # ifconfig_dc0="DHCP" # pfi_rc_actions="netif dhclient" # pfi_frontend="cgi" # pfi_autologin="installer" # pfi_shutdown_command="shutdown -r now" # EXAMPLE 2: # Boot the installer headless, configure the network interface rl0, # and allow ssh'ing into the box as root with the password "sekrit". # # ifconfig_rl0="DHCP" # pfi_sshd_permit_root_login="YES" # pfi_set_root_password="sekrit" # pfi_rc_actions="netif dhclient sshd" # pfi_frontend="none" # pfi_autologin="installer" # pfi_shutdown_command="shutdown -r now" # EXAMPLE 3: # Boot the cd and setup a PXE/TFTP/DCHPD server environment # so that clients can boot from the network and enter the installer # # Enable tftp and NFS services with pxeboot and a kernel available via # tftp and the CD's root mount available via NFS. # # pfi_boot_tftp_server="YES" # pfi_boot_nfs_server="YES" # pfi_boot_pxeserver="YES" # pfi_boot_ipserver="YES" # pfi_option_subnet-mask="255.255.255.0" # pfi_option_routers="10.0.250.1" # pfi_filename="pxeboot" # pfi_ddns-update-style="none" # pfi_option_domain-name="domain.com" # pfi_option_broadcast-address="10.0.250.255" # pfi_option_domain-name-servers="192.168.64.3" # pfi_server-name="DHCPServer" # pfi_server-identifier="10.0.250.50" # pfi_default-lease-time="7200" # pfi_max-lease-time="7200" # pfi_subnet="10.0.250.0 netmask 255.255.255.0" # pfi_next-server="10.0.250.50" # pfi_range="10.0.250.29 10.0.250.250" # EXAMPLE 4: # Revert to the traditional, C language backend. # # pfi_backend="/usr/local/sbin/dfuibe_installer"

Ok I have just bitten the bullet and installed the latest upgrade. As tommy said the update just happened the system re-booted and voila an up to date pfsense. All rule sets in tact everything as it should be. Great stuff people not to mention I now have access to a reactive snort package which seems to be working very well. I really am as happy as a pig in sh"! (pun intended)  ;D If someone is using snort could they tell me if adding just my trusted wan ip's to the white list will restrict vpn access to just those ip's. I couldn't find a way to do it from the pptp page (see my post in the pptp list). Regards Sam

i was since you were the only one helping me. Its burned you twice huh, doesnt sound too good. I still think this is related to my upgrade as it didnt do this on 1.2.2, I will ask it on the snort board. Thanks for your help at least the connectivity issue is solved, if i cant use snort im not going to worry as it isnt critial to me.

Thank you for answering my question. I am not able to change the far side of the tunnel at all. How would I supply multiple 'peer' addresses? would authenticating to the IPSec as a seperate users on each of the WAN's do that?

Hey dfarquharson, Did it work out OK? Would be nice to get some feedback on system used, obstacles, etc…if you're still around...

I have option B (cisco) running and so I definitely recommend that. :)

Yes, as clarknova said it's already installed.  Just go to VPN/OpenVPN in the GUI.  Also, there is a forum dedicated to OpenVPN here… http://forum.pfsense.org/index.php/board,39.0.html

using RELENG_1_2_3_RELEASE commit seems to solve the problem. thanks.

If space is at a premium, Netgate ( http://netgate.com/ ) has some outdoor cases and even some marine gear I think, that would let you mount a router pretty much anywhere (above the water line) and save some space that way. :)

@EddieA: I currently run pfSense as a VM on ESXi. My cable modem goes to one NIC, on the ESXi server, where the pfSense WAN is the only VM connected.  The pfSense LAN goes to a separate virtual switch, where other VMs connect, and also to a second NIC, and a physical switch, where the rest of my network is hooked up. I'm quite happy with this setup, and it works perfectly well.  But, as can be seen in another post here, I just picked up an HP Thin Client, where I'm going to run pfSense, to sit between the cable modem and "relegate" the ESXi server to being just another machine on my network. Cheers. This is what I plan to do.  Maybe in the future run a physical box.  Are you using this method as solely a firewall?  Any other features? tnt

Mister wallabybob: I've installed the system PF Sense to the stage for a final gave me wan -192.168.0.13 and 192.168.1.1  lan -worked prepare for because 192.168.0.10. Knowing that I am currently working Maikarotik system. But when I open the browser and type the IP Address 192.168.0.10 does not open my pFSense. Note that the local network there by a yellow triangle. A. In your opinion, why not call and thank you

@clarknova: I was hoping to catch a lead on cheaper PCI expansion. $80 on ebay Sorry, can't help there.  Although, when I was looking, by trying different search terms, I did find others selling the expansion, and I seem to remember one Canadian, I think, seller had a bunch, at around $25 each, although right now I can't find it again.  Here's a cheaper one: http://cgi.ebay.com/PCI-Expansion-Module-Hp-Compaq-t5720-Thin-Client_W0QQitemZ330390809465QQcmdZViewItemQQptZLH_DefaultDomain_0?hash=item4cecd3ab79 That's exactly why I waited for a box that came with one already installed.  I paid less than $80 for the complete setup. Cheers.

We're very open to feature requests in general, but in this case if you're going to request the ability to add on top of a stock FreeBSD release, that's going to go to the "needs patch" pile, i.e. it's not going to get any attention from us. pfSense is a customized OS in itself, there are a few dozen patches to FreeBSD to make it behave better as a firewall and router. The rc system would break everything on a stock FreeBSD. For those reasons, amongst others, we won't ever have the ability to install on top of a stock FreeBSD. There's just way too much difference between the two for that to be remotely reasonable.

To build images and such, yeah, those steps work great – but that's done from a FreeBSD box these days and not from within a "Dev ISO" environment.

This is really embarrasing.. it was just an broken nic… so i bought a new one and it works like charm! What confiused me was the fact that i could ping from pfsense to my pc but not the other way around but what wireshark told me that the wan interface was pinging me... so i switched the network cables... en i could go to the network interface!! Thnx!

Thank you all for the suggestion I had a very drastic approach: I built a spare firewall with new mobo, new HD and new NICs. I loaded pfsense 1.2.3 and my configuration. In office non-working hours I plugged in and tested / stressed for few hours with no problem at all from various workstations. I even increased the download speed to 15/20 MB/sec (depending from the OS of the workstation). Yesterday I definitively changed the firewall with the new one. The old firewall (Pentium III 800EB + shuttle mobo) has been on 24/24 from 2001, working as a PC, as a little server, as a Winroute server, as a monowall firewall and lately as a pfsense server. It still seems operational, but probably the NICs have suffered most. Max

There is no way to duplicate a nic card. They are physical cards in the machine. I'm not sure I'm following what you're saying you did.