• 0 Votes
    3 Posts
    2k Views
    B

    :P :P :P :P

    Me being an absolute twirp.  This server was used in the DMZ before and it was still connected to the old juniper firewall on the DMZ port!!!

    What a T*T !!  :)  hehe

    Works fine now.

  • Installation Hangs

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    F

    Probably solved but…
    It happened to me several times. It had to do with my DVD drive. If you burn and install with the "same drive" your problems "should" go away. It worked for me: after several hangs I tried the drive which I used to burn the CD and the problem went away. If you still have problems installing, try to burn the CD with low speed settings.
    Hope it helps someone

  • Can I update FreeBSD directly using csup and rebuilding

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    Cry Havok

    The trouble is that the driver you're referring to is specific to the underlying version of FreeBSD.  To get it you'll either need to back-port it (not necessarily simple) or update the entirety of FreeBSD.

  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • Alix Install on ide hd, why does it fail? (updated)

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    T

    I've currently given up on my ide connection, I have no idea as to why it stopped working… now it doesn't even identify the laptop drive in bios... I wonder if there was hardware besides the resistor missing on the board (I soldered on the ide connector & added a resistor to select master (as mentioned in the alix documentation), but that went really smoothly...other than the not working bit ;) )...

    Onto the current problem.

    I would love to use a cf to just boot from a notebook drive that's connected via usb, but I can't get the default freebsd boot-loader to see the drive and I haven't been able to try with grub, as it just fails to install grub on the cf while hooked up to a desktop.

    (if anyone could offer ideas as to how to get grub working, it would be appreciated)

    Not being able to get grub working, I decided to just mount the usb drive at boot, and run the more disk intensive stuff from it (squid definitely doable...would be possible to send all logging there?)

    But...of course... it still fails to find the drive (this early in the boot process)...

    Welcome to pfSense 1.2.2 on the 'pfSense' platGform...
    EMounting filesysOtems...M_LABEL: Label ufs/pfSense removed.
    mount: /dev/da0s1 : No such file or directory
    done.
    Creating symlinks......done.
    Launching PHP init system...umass0: <western 0="" digital="" external="" hdd,="" class="" 0,="" r1<br="">
    da0 at umass-sim0 bus 0 target 0 lun 0
    da0: <wdc wd60 0ve-00hdt0 0000> Fixed Direct Access SCSI-0 device
    da0: 40.000MB/s transfers
    da0: 57231MB (117210240 512 byte sectors: 255H 63S/T 7296C)
    done.

    Running mount /mnt works fine once it's started up. Here's my fstab:

    Device          Mountpoint      FStype  Options         Dump    Pass#
    /dev/ad0s1a     /               ufs     rw,noatime      1       1
    /dev/ad0s1b     none            swap    sw              0       0
    /dev/da0s1      /mnt            ufs     rw              1       1

    If I can't even get this working on bootup… what would be the easiest way to run mount /mnt later during the bootup process?

    Any thoughts/ideas/suggestions at this point would be greatly appreciated.

  • {BUG SUBMISSION} Change of NIC (KVM)

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    F

    Issue may have been related to KVM/VM, but solution would be by re-scanning for changes in interfaces.

    Seems somewhat OK in standard standalone box

    -J

  • Installing pfDNS Problem

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    I

    Assuming you've already tried another download in case it was just a bad ISO file?

  • WebGUI not available after clean install.

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • PLEASE help with installation on Proliant DL360 G3

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    E

    1.2-Release works perfectly at DL360/DL380.

  • Transparent Bridge Firewall with multiple VLANs

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Upgrade from pfsense 1.2 -rel to 1.2.2 rel particulary failed

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    G

    Ok, just reinstalled system. not really way, but works…  ::)

  • Is pfsense my solution?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M

    By 5. I mean being able to assign URL/Port/Protocol policies to groups of users based on, as your suggestion was, RADIUS user groups.

    I'll look into the package combo and do some more reading. Thanks.

  • 2.0 alpha doesn't see my newly formatted IDE HDD

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M

    N/M tried a different HDD, the first was bad

  • Missing RAM!

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    G

    OK - thanks.
    I'll try a manual firmware upload on Friday and also check out the BIOS.

    loader.conf contains:

    autoboot_delay="1"
    vm.kmem_size="435544320"
    vm.kmem_size_max="535544320"
    kern.ipc.nmbclusters="0"

  • PLZ HELP ME WITH THE INSTALLATION !!! HELP ME SOMEONE!!

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    Cry Havok

    Once more with feeling… pfSense uses FreeBSD - FreeBSD is NOT Linux.

    Once more, again, with feeling… just because your hardware meets the minimal requirements doesn't mean it'll work.

  • No Internet on LAN

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    Cry Havok

    I'd start with a fresh install - it sounds like you either have some broken hardware, or you changed settings you don't understand.

  • FreeBSD chroot

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    Cry Havok

    It might work, but:

    a) It isn't supported

    b) Running your gateway and firewall as a virtual host isn't a good choice for security (see the Virtualisation forum)

  • Pfsense box behind a pfsense box

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    M

    ** Quick update at the bottom **

    Thanks for your reply mhab12.  I didn't intend to make it more difficult.  Partly, my pfsense boxes are not the most robust machines and I've noticed that there are limits to what I can have running on one box at a time.  For instance I have had to limit what rules are running on snort using one box and compensate the snort on the other box, kind of splitting the load in a sense, so that one box covers certain rules and the other box the rest.  There are some rules in snort that cause my service to stop if I have too many selected.  I don't have the best boxes with the up to date components, but I wanted to make it still secure enough and not overwhelm one box's resources.
    Thanks for the heads up on the reverse proxy, I may give that a shot since my web box is not that great either and it would be less for it to deal with if one of the pfsense boxes could handle a little of the load.  I think what I was finding is too much on one machine slows things down, but sharing responsibilities between boxes will lower the load on the computer and also give me more security on my home network as a perk.  I hope I didn't sound psycho about having two pfsense for security, I'm just better at visualizing things and this made sense for troubleshooting and, for some reason, gives me a quick way to get the internet back up if one box goes down.

    @mhab12:

    Couple of thoughts:

    1 - You mention binding squid to WAN.  This will not do what you're thinking and cache the outbound data from a 'slow' web server.  Doing this will require something called reverse proxy.  The squid package in pfSense will do it, yes, but it requires additional configuration beyond the included GUI.

    2 - It sounds to me like what you're explaining could be accomplished by just adding an extra NIC to the first pfSense box.  By creating an OPT interface (likely OPT1), you can effectively have two LANs, LAN and OPT1, one will be 1.1 and one 2.1  You can setup firewall rules to prevent/limit access between them, setup bridges, anything you need.  If you do not trust the firewall rules well enough and chose to have two boxes for that reason, that's another issue.

    ** Update for my setup **

    Just letting everyone know that I now have 1.1 running snort with rules split between it and 1.2 network pfsense boxes.  This is the main reason I wanted to set things up in this way, because I don't have the newest boxes and only 512mb ram in each.  I guess if I had a nice firewall box then it would be unnecessary for my setup, but I'm using what I've got…  my ram usage on 1.1 is at 62% with snort and squid running, and my ram usage on 1.2 is 68% with snort running 2 main rules and 2 empty rules.  I may end up swapping rules on the machines and see if I can balance them a little better, but for now I have backdoor and netbios running with the largest rules and then the two empty ones local and experimental.  The rest of the rules are running on the 1.1 pfsense box, but since it has a faster processor I may end up squeezing more out of these rules if I swap the rules between the two boxes.  We'll see how things go.

    Just FYI.

  • WAN to DMZ totally dead

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    V

    It turns out that there was a configuration error upstream, so nothing was getting to the firewall from the outside at all. I'm sure there's some tuning to do, but I'm extremely happy with the job that pfSense is doing now.

    Van

  • Newbie - suggestion/recommendation for initial setup for Satellite (HX50)

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    M

    I would bind squid to any interface that is going to have users doing browsing.  I think for you that is all except WAN.  Make sure you've switched your GUI to run on HTTPS so there are no port conflicts on port 80.

    As for caching windows update, there is nothing special to do.  Just make sure you set the 'Maximum Object Size' to something like 262144 (256Mb) if you want to grab items like windows update.  I've noticed this helps a lot across the board with any updates, not just MS (think AOL, AIM, P2P programs).  That said, I was having some issues with the most recent version of Squid not serving anything from cache, but that's another issue.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.