• 2.3 Firewall -> Aliases Hosts(s) subnet broken

    9
    0 Votes
    9 Posts
    3k Views
    B
    @sforsythe: Ok, I was able to set up a test network and rules and it does work if you manually type it. But still I believe it is a bug in the autocomplete functionality which I believe is giving me a list of all 'valid' aliases that I can enter (and the network one doesn't present) … that and the text in the type=host(s) should be changed if you in fact should not be able to enter a subnet. I am seeing the same issue, if I create a new alias with type Host, when I type an existing alias the autofill only shows Host aliases. If I were to choose alias type network the autofill will only show network aliases. If we want to create a group alias of both existing host and network aliases the autofill is not useful. I am trusting above that manually typing a mixture of host and network aliases into a new network alias will still consider IPs for the child aliases in question. Some clarification on this matter would be very much appreciated. I second this is a bug that should be fixed.
  • Squid -z on pfsense results in no cache_dir stores are configured

    4
    0 Votes
    4 Posts
    2k Views
    KOM
    That's squidguard.  I'm asking about squid. [image: squid-local_cache.png]
  • PFSense 2.3.2 on Alix 2d3 hardware - won't boot

    3
    0 Votes
    3 Posts
    2k Views
    T
    Hi - Thank you for your post - it was really helpful. I figured out how to update the BIOS to .99m.  It does in fact show .99m when booting the ALIX2d3. So, first issue sorted out. I was still getting the weird characters upon booting PFSense, but after fiddling with the serial port settings - putting both my terminal program and ALIX to 11500 (whatever it is) I got text. Last error message was about long mode. I downloaded the i386 2.3 dev version (latest) threw that on my cf card and everything works perfectly! Thank you! :P
  • PfSense - OVH/SYS - Assigning static IP to VM behind firewall

    2
    0 Votes
    2 Posts
    1k Views
    S
    pfsense doesn't support L2 firewalling, I think. Also, when your VMs have the ISP as the default gateway, you're out of luck and need to redesign your routing to allow all traffic to flow through pfSense, but I can't tell you with any sophistication how to do that without knowing your exact setup.
  • XenServer 7 & pfSense & tools

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Odd iOS / Mac OS issue with IPV6 and new SG-4860

    1
    0 Votes
    1 Posts
    599 Views
    No one has replied
  • Interface assignments SG-4860 confused about mapping physical interfaces

    3
    0 Votes
    3 Posts
    947 Views
    jimp
    The physical layout is as you describe and it matches up with the labels etched on the case. The first two ports use a different network chipset which probes in a different order than the other four ports. Thus it goes 1, 0, 2, 3, 4, 5.
  • Factory version of pfsense for SG 2220

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    D
    Ok, found ! Thank you ! Frederic
  • How to Create Custom update server for Pfsense 2.3.*

    2
    0 Votes
    2 Posts
    787 Views
    R
    Yes, I'd also like to read some instructions on how to do that. How to clone the whole repo from pfSense's main website?
  • Webgui not accessible via https

    4
    0 Votes
    4 Posts
    3k Views
    johnpoz
    That self generated cert is going to throw errors at you.  If you want to use https I would also suggest you take the time to gen a new cert with valid fqdn and SAN so you can use name or IP and trust the pfsense CA so your browser doesn't throw errors at you or have you create exception, etc.
  • VLAN Setup

    16
    0 Votes
    16 Posts
    3k Views
    johnpoz
    You would lagg the connections, depending on switch maker terms might be etherchannel, or port channel or teamed.  All pretty much same term for doing the same thing binding connections together for loadsharing. This provides you with multiple paths for a failover issue while also allowing you to leverage more bandwidth between the switches for loadsharing.  In a typical setup you might even connect switch 2 to 3 to allow for another path if your homerun to your main switch went down you would have another path to the switch via the connect.  You would leverage spanning tree (stp) to block that connection so you don't have a loop unless the home run connection to the main switch went down.  That connection would then come up in forwarding vs blocking. So for example is that fiber connection only 1 gig?  If just using it as failover with 1 connection only being used all your devices on switch 2 for example are limited to this 1 gig uplink to anything on switch 1 or switch 3 or internet.  Not sure where your servers are for example. Typically in a case with location that has need of that many ports you would have way more than just 2 network segments/vlans.  Without understanding your environment and amount of data flow between devices and where they are connected it's hard to say what your best setup would be. How are you leveraging those 4 wan connections?  How fat are those pipes? What other types of devices do you have? Servers, printers? Voip phones? In a typical smb setup you might see say 5 vlans for sure..  Depends on what you want to isolate for security, what you're using as your routing for intervlan.. How much intervlan traffic you're going to have, compared to security concerns.  For example you might just have a data vlan and you would put all your servers/printer/users/networking infrastructure management all on this data vlan.
If you have phones this normally would be on a voice vlan, and then your wifi normally at least 2: 1 for internal use of known users and devices that need access to your other stuff, and then just a guest that has just internet, etc. Typically you might have infrastructure, data, users, voice, wifi, wifi-guest, all as different vlans.  With data possibly broken up even more into servers/printers/production/etc/dmz and then depending on the number of users or different types of users you might have multiple user vlans.  This might be office users, engineers, management, sales, finance, kiosks or plant floor.. Shoot in my home I have 7 different segments and vlans for gosh sake ;)  If anything that number would just go up.
  • Automatic update cron

    3
    0 Votes
    3 Posts
    2k Views
    jimp
    Possible? Yes. Recommended? No. On the one hand, it could lead to a more secure environment because it would update automatically. On the other, the process is not without flaws and valid objections based on security/authority of the upgrade and potential outage concerns. Even if it were an opt-in feature, we'd likely see a chorus of complaints. Automating that sort of task is risky at best.
  • Notify when reboot on update is required

    2
    0 Votes
    2 Posts
    509 Views
    jimp
    It's safer to assume that all upgrades require a reboot unless we say otherwise.
  • 2.3.2_1 crash report

    29
    0 Votes
    29 Posts
    4k Views
    dennypage
    @jimp: I, more than most, am happy to see FreeBSD finally have a way to deal with the extension ordering in PHP. I've been ranting about it being broken (and advocating to get a fix in) for over 10 years now (as of yesterday). Happy Anniversary :)
  • 0 Votes
    23 Posts
    21k Views
    A
    seems to be working yes… thanks for the update..!
  • Remote pfSense Expert

    2
    0 Votes
    2 Posts
    643 Views
    KOM
    Post a Bounty!
  • Pfsense 2.3.2 problem on esxi 6.0 build 4192238 (vcloud 8.10 with nsx)

    5
    0 Votes
    5 Posts
    1k Views
    P
    Glad my not-so glamorous 2 day troubleshooting experience with this helped you out :-) When this happened, I had just moved my equipment from a shelf to a rack on wheels in my basement (due to construction of french drain). My guess is that the pfsense/equipment was down for long enough time (full day before I rigged a consumer grade router to get temp Internet), that the ISP decided to put me on a different subnet when I reconnected. This drove me crazy as, with the move, I didn't introduce any new variables, but there was a physical change, nonetheless. The symptoms would be that once I was able to turn things back on, I would get Internet connectivity, but then, once I would download a file and semi-saturate the link, the gateway monitor would check the old gateway from the original DHCP subnet that I was part of (I knew my IP could change at any time, but never imagined that they would also change your subnet). I saw a bunch of WAN dropped packets in the managed switch that I use to connect everything, so I followed that route for an afternoon and changed cables, RJ-45 couplers, etc.  I was almost to the point of suspecting AC interference due to the new cable routing!    Of course this was simply because the WAN would reject packets while the NAT states were being reset, but I had no idea of that yet. It was not until the weekend when I was able to do more testing and debugging, that I realized what was happening. This never came up when I did the upgrade to 2.3, as my WAN gateway had not changed, so I just could not imagine what could have changed from the equipment being on a static wooden shelf, to being on a mobile wire shelf :-). Good lesson, just hope I don't get more of these crazy ones! @ironashram: Gateway monitoring indeed was my problem, we have nexus 9000 in our new setup and they bring this fantastic feature that makes gateway respond to ping only sometimes :( Thanks pppfsense for pointing me in the right direction.
  • PfSense servers faulty?

    4
    0 Votes
    4 Posts
    1k Views
    A
    I had the same problem a few hours ago for a while. Now it works properly.
  • Power Home Network Setup - Lab

    6
    0 Votes
    6 Posts
    3k Views
    P
    First, ensure that the traffic you are supposed to see, is there. tcptop won't tell you much, or anything, if the rules are not there to let the traffic in/out (use tcpdump). It should be straight forward to mirror a port in any managed switch, but you should ask in the ubiquiti forums. Now, think about this, if the mirror config is correct, and the data is being sent to the WAN in pfsense, WHY would pfsense do ANYTHING with that data if it is NOT addressed to it? You may be able to see traffic with tcpdump if you put the interface in promiscuous mode, but if pfsense doesn't have an address on the WAN and it is not routing/handling the information, it will not go through it. What you want is to put pfsense in series with your current network. Add it as a router and simply use an rfc1918 address to link the Internet to your current setup. I am sure there is a way to convert the IPS in pfsense to an IDS, but that's not the design/purpose of pfsense, so you are on your own there. @bbuchanan99: snort/suricata….I have gone into my ubiquiti unifi switch and mirrored port 1 (Router uplink) to port 19 (Mirror port).  The pfsense is then connected to port 19 via opt1.  I don't seem to be getting any traffic on the port, tcptop shows nothing on the opt1 interface.  Anyone know how to mirror a port on a ubiquiti switch?  seemed really straight forward but something does not appear to be working.
  • Where can I get USB memstick img 2.3.2p1 pfsense?

    15
    0 Votes
    15 Posts
    3k Views
    stephenw10
    The act of working to understand why it almost certainly won't work isn't in itself a waste of time. Maybe you'll be inspired to learn FreeBSD and create a driver. It would be nice to see a response on the other thread though.  ;) Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.