• [Newbie] Enable WAN using shell

    Locked
    3
    0 Votes
    3 Posts
    53k Views
    R

    I have to admit, this is the single biggest gripe I have with pfSense. Many times, I install pfSense inside a virtual machine for testing with no other LAN connected hosts. While you can easily enable SSH via the console window, getting into the web GUI is a different story. In fact, you need a host with a GUI running on the LAN network in order to access pfSense to create the necessary rules to allow WAN clients access to the web interface. ARGH!

    Luckily, we have an easy workaround.  Here is what to do:

    Install pfSense on your target machine

    Unless your WAN gets a DHCP address, you will need to manually assign the IP Address of the WAN interface:
     --> Get to the CLI (option 8)
     --> Type "ifconfig en0 10.20.30.40 netmask 255.255.255.248" (substitute en0 for your WAN interface and use the correct IP Address/Mask)
     --> Type "route add default <default-gw-ip>"
     --> Type "pfctl -d" to temporarily disable the packet filter

    Point your browser to your WAN IP address then login as admin/pfsense

    Once you have done your initial configuration, MAKE SURE to enable the packet filter again (CLI --> "pfctl -e")

    Note - you may have to disable the packet filter a few times because changing GUI options will automatically enable the packet filter. In fact, I just installed pfsense in a new virtual machine today and did the exact steps above.

    Hope this helps...

  • Partition track boundary startup error

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Using the WiFi in your gateway as a separate subnet/VLAN

    Locked
    9
    0 Votes
    9 Posts
    7k Views
    U

    @wallabybob:

    Danswartz: …my take on why someone might be interested in this: Suppose you are on a restricted budget

    !!! come on, say it…'if you're a cheap skate u might want to do this'...  ;D

    @wallabybob:

    and you have a wireless modem to cable or ADSL. You have discovered the limitations of the cheap versions of such modems and have scrounged a system to run pfSense and like pfSense.  But you still need wireless access and because of your limited budget (money, slots, equipment, whatever) you want to know if it's possible to use the wireless hardware support in the modem you already have but want pfSense to have some control over the wireless traffic.

    Well there are many scenarios… I am a cheapskate often <oh dear, my secret has been exposed in first post>, but not with hardware. If I have no budget, I go old over good rather than new but crap.  I do prefer minimal hardware and smart config (a bit too much I do admit) too, as this is a way to improve one's code (and waste days aimlessly hacking...).

    The absolute reason in this case is: I don't want to have a built-in WiFi interface as the box is an ESX host and won't support it probably, pass thru USB would suck and have to be in the DRP.  Another wireless router in addition to the ADSL gateway... no, because it uses more power to load the UPS, generate heat and add ongoing cost and dependability.  (I like to have two of everything- so I don't want 4 commodity routers if instead I can have 2)

    @wallabybob:

    Or, maybe you are fairly new to networking and just want to see if you can make the suggested configuration work - as a learning exercise.

    Indeed. There are a few reasons…

    @wallabybob:

    … using the ADSL modem with wireless support would have allowed the wireless connected systems to bypass the pfSense firewall

    Hmm.  If they were on a VLAN it'd be harder, but yes security here is a major compromise.  For me, the reason is less the WiFi AP. The more I think about it, the more I'd like to use the Billion's VoIP gateway… for others it might be USB NAS, or VPN... Anyway, you know 'what they say about justifications and statistics!'

    I'll report again once I can get a decent night's hacking done :)

  • Embedded PFSense and combining CF and USB stick

    Locked
    8
    0 Votes
    8 Posts
    5k Views
    C

    You can't create a directory on a ro filesystem, but you can mount to an existing directory (make sure it's empty first). Or you may be able to temporarily mount your rs read-write. I'm less familiar with BSD's mount, but you could try something like 'mount -oremount,rw / && mkdir /mnt && mount -oremount,ro /'

  • Update pfSense the FreeBSD way

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    jimpJ

    No, it doesn't work that way.

    For one, because there is no compiler on pfSense, and also because upgrading various components could lead to breakage as often config file formats and behavior change between versions that would be unexpected.

    The system is released as a whole because it's tested and known to work. If there is a compelling (e.g. security) reason to upgrade a tool such as lighttpd, it may warrant a new release or get upgraded in the development version.

    If you want to try to build an updated version, you can do so on another FreeBSD box or VM as described here:
    http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso

  • USB Boot of pfSense 1.2.3 and future

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    E

    @scottnguyen:

    FREEBSD works fine with unetbootin

    Is that from a FreeBSD ISO, or by selecting FreeBSD from the menu?  Because, when you select FreeBSD from the menu, you get a "packaged" version of FreeBSD, that someone has specifically built to be usable in unetbootin.

    Cheers.

  • Unable to Boot Up from pfSense LiveCD on HP dc5850

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    J

    Same problem with my DC5850 and latest livecd (pfSense-2.0-BETA1-20100308-2107.iso.gz )
    Also the same on HP DC5750

    Any help appreciated

    JClausen

  • Automating pfsense installation

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    jimpJ

    Bear in mind that I have not tried or tested this, but here is a sample pfi.conf file from the server. It just shows available options and such:

    #######################################################################
    # $Id: pfi.conf,v 1.10 2005/07/09 00:07:07 cpressey Exp $
    # Defaults for pfi.conf.

    # A space-separated list of what services to restart when we are done
    # changing options.  The services are the base names of RCNG scripts
    # (i.e. without the "/etc/rc.d/" prefix.)  Note that these must be
    # given explicitly in the same order they would normally be started
    # by rcorder during RCNG (e.g. "netif dhclient sshd"); they are not
    # automatically ordered by their dependencies here.
    pfi_rc_actions=""

    # Determines which installer frontend to use.  Defaults to "curses";
    # other legal options are "cgi" and "none".
    pfi_frontend="curses"

    # Determines which installer backend to use.  The standard backend
    # is now the Lua backend, but this can be changed, to start an
    # alternate backend.  (See example #4, below.)
    pfi_backend="/usr/local/bin/lua50c51 /usr/local/share/dfuibe_lua/main.lua"
    pfi_backend="$pfi_backend option.booted_from_install_media=true"

    # When using the curses frontend:
    # Set the amount of time, in milliseconds, which must pass after
    # the 'ESC' key is pressed, in order for it to be recognized
    # as a plain 'ESC' keystroke, and not part of an escape code.
    pfi_curses_escdelay="150"

    # A password to set as the root password on the LiveCD, if any.
    pfi_set_root_password=""

    # Control corresponding sshd options.  To make sure sshd restarts with
    # these options, add "sshd" to pfi_rc_actions.
    pfi_sshd_permit_root_login="NO"
    pfi_sshd_permit_empty_passwords="NO"

    # An script to run before the installer.  It is assumed this script is
    # located on the pfi media.  While it is run, the media's root directory
    # is mounted on /mnt.
    pfi_script=""

    # A program to run before the installer.  It is assumed to reside on
    # the LiveCD; /mnt is not mounted.
    pfi_run=""

    # What transport layer the DFUI in the installer should use.  Valid
    # values are currently "caps", "npipe", and "tcp".
    pfi_dfui_transport="tcp"

    # User to automatically log in as, or "NONE".
    pfi_autologin="NONE"

    # Command to use to reboot.  "shutdown -h now" is typically used
    # interactively, to give the user a chance to eject the disk, but
    # "shutdown -r now" can be used for headless operation.
    pfi_shutdown_command="shutdown -h now"

    #######################################################################
    # EXAMPLES

    # To use one of these examples, extract it to a text file and remove the
    # leading pound-signs.  Copy this text file to the file "/pfi.conf"
    # on a floppy disk or USB pen drive (hereinafter referred to as "the pfi
    # media") and have that media inserted or attached to the computer while
    # you boot from the installer CD-ROM.  The installer will attempt to
    # locate this file and, if found, will use the variables present within it
    # to configure the installer boot process.

    # This file has the same syntax as /etc/rc.conf, and it can contain any
    # setting which is meaningful in /etc/rc.conf as well.  Any rc.conf
    # setting which is given will only be obeyed, however, if the RCNG script
    # to which that setting applies is named in pfi_rc_actions.

    # EXAMPLE 1:
    # Boot the installer headless, configure the network interface dc0,
    # and start the CGI frontend.
    #
    # ifconfig_dc0="DHCP"
    # pfi_rc_actions="netif dhclient"
    # pfi_frontend="cgi"
    # pfi_autologin="installer"
    # pfi_shutdown_command="shutdown -r now"

    # EXAMPLE 2:
    # Boot the installer headless, configure the network interface rl0,
    # and allow ssh'ing into the box as root with the password "sekrit".
    #
    # ifconfig_rl0="DHCP"
    # pfi_sshd_permit_root_login="YES"
    # pfi_set_root_password="sekrit"
    # pfi_rc_actions="netif dhclient sshd"
    # pfi_frontend="none"
    # pfi_autologin="installer"
    # pfi_shutdown_command="shutdown -r now"

    # EXAMPLE 3:
    # Boot the cd and setup a PXE/TFTP/DCHPD server environment
    # so that clients can boot from the network and enter the installer
    #
    # Enable tftp and NFS services with pxeboot and a kernel available via
    # tftp and the CD's root mount available via NFS.
    #
    # pfi_boot_tftp_server="YES"
    # pfi_boot_nfs_server="YES"
    # pfi_boot_pxeserver="YES"
    # pfi_boot_ipserver="YES"
    # pfi_option_subnet-mask="255.255.255.0"
    # pfi_option_routers="10.0.250.1"
    # pfi_filename="pxeboot"
    # pfi_ddns-update-style="none"
    # pfi_option_domain-name="domain.com"
    # pfi_option_broadcast-address="10.0.250.255"
    # pfi_option_domain-name-servers="192.168.64.3"
    # pfi_server-name="DHCPServer"
    # pfi_server-identifier="10.0.250.50"
    # pfi_default-lease-time="7200"
    # pfi_max-lease-time="7200"
    # pfi_subnet="10.0.250.0 netmask 255.255.255.0"
    # pfi_next-server="10.0.250.50"
    # pfi_range="10.0.250.29 10.0.250.250"

    # EXAMPLE 4:
    # Revert to the traditional, C language backend.
    #
    # pfi_backend="/usr/local/sbin/dfuibe_installer"

  • Upgrading worries

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    S

    Ok I have just bitten the bullet and installed the latest upgrade.

    As tommy said the update just happened the system re-booted and voila an up to date pfsense. All rule sets intact everything as it should be.

    Great stuff people not to mention I now have access to a reactive snort package which seems to be working very well. I really am as happy as a pig in sh"! (pun intended)  ;D

    If someone is using snort could they tell me if adding just my trusted wan ip's to the white list will restrict vpn access to just those ip's.

    I couldn't find a way to do it from the pptp page (see my post in the pptp list).

    Regards

    Sam

  • Dsl connection stays down

    Locked
    16
    0 Votes
    16 Posts
    6k Views
    X

    I was since you were the only one helping me. It's burned you twice huh, doesn't sound too good.
    I still think this is related to my upgrade as it didn't do this on 1.2.2, I will ask it on the snort board.

    Thanks for your help at least the connectivity issue is solved, if I can't use snort I'm not going to worry as it isn't critical to me.

  • Vpn to certain ip range? is this possible?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    Z

    Thank you for answering my question. I am not able to change the far side of the tunnel at all.

    How would I supply multiple 'peer' addresses? Would authenticating to the IPSec as separate users on each of the WAN's do that?

  • Haiti emergency

    Locked
    18
    0 Votes
    18 Posts
    6k Views
    D

    Hey dfarquharson,

    Did it work out OK? Would be nice to get some feedback on system used, obstacles, etc…if you're still around...

  • How should I configure my pfsense box with 3 nics

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    D

    I have option B (cisco) running and so I definitely recommend that. :)

  • OPENVPN

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    M

    Yes, as clarknova said it's already installed.  Just go to VPN/OpenVPN in the GUI.  Also, there is a forum dedicated to OpenVPN here… http://forum.pfsense.org/index.php/board,39.0.html

  • Newly built ISO cannot boot properly

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    W

    using RELENG_1_2_3_RELEASE commit seems to solve the problem. thanks.

  • Help with architecture

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimpJ

    If space is at a premium, Netgate ( http://netgate.com/ ) has some outdoor cases and even some marine gear I think, that would let you mount a router pretty much anywhere (above the water line) and save some space that way. :)

  • Pfsense on ESXi host

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    T

    @EddieA:

    I currently run pfSense as a VM on ESXi.

    My cable modem goes to one NIC, on the ESXi server, where the pfSense WAN is the only VM connected.  The pfSense LAN goes to a separate virtual switch, where other VMs connect, and also to a second NIC, and a physical switch, where the rest of my network is hooked up.

    I'm quite happy with this setup, and it works perfectly well.  But, as can be seen in another post here, I just picked up an HP Thin Client, where I'm going to run pfSense, to sit between the cable modem and "relegate" the ESXi server to being just another machine on my network.

    Cheers.

    This is what I plan to do.  Maybe in the future run a physical box.  Are you using this method as solely a firewall?  Any other features?

    tnt

  • Internet on pfsense, no internet on lan

    Locked
    14
    0 Votes
    14 Posts
    22k Views
    7

    Mister wallabybob: I've installed the system PF Sense to the stage for a final gave me wan -192.168.0.13 and 192.168.1.1  lan -worked prepare for because 192.168.0.10. Knowing that I am currently working Maikarotik system. But when I open the browser and type the IP Address 192.168.0.10 does not open my pFSense. Note that the local network there by a yellow triangle. A. In your opinion, why not call and thank you

  • NanoBSD Version won't boot on HP Thin Client

    Locked
    14
    0 Votes
    14 Posts
    13k Views
    E

    @clarknova:

    I was hoping to catch a lead on cheaper PCI expansion. $80 on ebay

    Sorry, can't help there.  Although, when I was looking, by trying different search terms, I did find others selling the expansion, and I seem to remember one Canadian, I think, seller had a bunch, at around $25 each, although right now I can't find it again.  Here's a cheaper one:

    http://cgi.ebay.com/PCI-Expansion-Module-Hp-Compaq-t5720-Thin-Client_W0QQitemZ330390809465QQcmdZViewItemQQptZLH_DefaultDomain_0?hash=item4cecd3ab79

    That's exactly why I waited for a box that came with one already installed.  I paid less than $80 for the complete setup.

    Cheers.

  • Install pfsense on an existing freebsd install?

    Locked
    5
    0 Votes
    5 Posts
    12k Views
    C

    We're very open to feature requests in general, but in this case if you're going to request the ability to add on top of a stock FreeBSD release, that's going to go to the "needs patch" pile, i.e. it's not going to get any attention from us.

    pfSense is a customized OS in itself, there are a few dozen patches to FreeBSD to make it behave better as a firewall and router. The rc system would break everything on a stock FreeBSD. For those reasons, amongst others, we won't ever have the ability to install on top of a stock FreeBSD. There's just way too much difference between the two for that to be remotely reasonable.
