So apparently my additional nics just got incremental em names.  All of my existing rules, etc stayed the same.

@phil.davis: There is not a way to easily "guess" the bandwidth of an interface at present - many people will have a 100Mbps ethernet cable between their WAN port and frojnt-end modem device. The front end connection to the internet will usually be much slower than this (depending what their hardware does and what they have paid for from the ISP). It would be easy enough to add an attribute to the Interface configuration page that lets you define the expected real throughput speed for the interface. Then, if something was set in there, things like Traffic Graph could start scaling at that rate. If things like this are done, then it would also be good to have a "Save" button on the Traffic Graph page so users can decide what graph settings they want as default. Exactly. I would enter, for example, that opt2 (or wan2) should be maximum with 16.000 kbit/s. If the real Bandwith never reaches this limit, its totally ok. I just want to see, what percentage of the technical-maximum is reached at the moment. For a LAN-Interface this would be 100 Mbit/s or 1 Gbit/s. I may be ablt to code that into the pfsense-GUI, but for saving this setting to the pfsense-harddrive, i may neet to look into it more deeply. PHP is one thing, but the saving-functions and the config-db…. well, i would love to have this coded into pfsense by one of the pfsense-programmers themself. So i dont need to learn, what they already know and so everyone can have this option in the next update. What about it, PFsense-team? :)

@necron: First of all, thanks for the clear tutorial! Question though, how do you guys handle admin accounts when authenticating with AD? For instance: I have the default admin and another two admin accounts created. I then made the AD link which works fine, but when I log on with one of the two custom admin accounts the 'no page assigned' error appears. Default account keeps working though, but that one has a huge random password :) Add a group. Click the group and add privileges :)

pfsense console option 8 allows you to drop to a standard unix shell and run all sorts of diagnostics. You can run from the basic ifconfig to check if the interfaces are correctly configured, to ping to check for connectivity, up to tcpdump (which however requires some technical background)

Yes, you manage pfSense from the LAN interface by default. You can of course change that.

@tim.mcmanus: Are you power cycling the cable modem each time you connect it to a new device?  Some of those cable modems have a habit of grabbing the first MAC address they are connected to and refuse to talk to anything else until you power cycle them.  That's the first thing I'd try to do.  If it still doesn't work, reply back. Right after I posted this I tried that and it worked! Before I just unplugged the modem for 30 seconds but, I needed to unplug the modem and take out the battery and unplug the server and take out its power supplies. After about 5 minutes with them off, I turned it back on and It got an IP right away and it works great!

did you edit the default lan rules on pfsense?  By default there should be a rule that allows anything on the lan subnet to go ANYwhere.

Are you going through some kind of proxy? Something is definitely intercepting and interfering with the HTTP requests made by the firewall, those responses don't appear to be coming from our servers. Doing a search on "ipdiags.ha" yields some interesting results… http://forums.att.com/t5/Features-and-How-To/sometimes-universe-adds-quot-cgi-bin-ipdiags-ha-quot-on-all-my/td-p/3041327

@dmauld: Bonus question: Will pfSense work with the Alfa USB AWUS036NHA? It appears to be a "high powered" USB WfI adapter using an Atheros chipset. I have seen "high powered" devices on eBay but using the supported Ralink RT3070 chipset.

Look at your :R :FA, etc Firewall will pass traffic based upon state, if you get a state mismatch then traffic can be blocked.  If traffic shows FA, TCP Flags: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, W - CWR Its a Fin Ack - but if firewall does not show correct state for the session then it would block that sort of packet. if you reboot pfsense, or clear the states then yeah you can see those quite often.  Or wireless can happen too if you drop packets and then get packets with wrong state on them, etc. Common to see such traffic.

You might be able to do this using VLANs but it would be far easier to add a second interface to the VM host machine. Use the second interface to connect to your wifi device. That device is a wireless router but you want it to act as an access point only. So you need to disable DHCP in the wifi router and then connect the pfSense LAN interface (the new NIC) to one of the LAN sockets on the wifi device. Thus all wifi traffic should be handled directly by pfSense. That would be the case for most home wifi routers but some may have further configuration options and other hurdles to cross. Steve

Great.  Thanks for the info.  My company is slow at approving updates, so v2.0.3 might be an official release by then.  Either way, this is good to know

Much easier yet to use a FreeBSD box/vm to image the cards, then mount and copy the config before ever putting it in the target device :-)

I am also having this in my sys log. Mar 11 22:52:12 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php') Mar 11 22:52:12 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php') Mar 11 22:52:08 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php') Mar 11 22:52:08 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php') Mar 11 22:52:07 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php') Mar 11 22:52:07 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php') Mar 11 22:52:06 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchSo7uFLEFuVgnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYIftZ33Mx4GKwAg9mY3qw' (attacker '192.168.2.16', file '/usr/local/captiveportal/index.php') Mar 11 22:52:06 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchSo7uFLEFuVgnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYIftZ33Mx4GKwAg9mY3qw' (attacker '192.168.2.16', file '/usr/local/captiveportal/index.php') I hope to know what is causing this.

Is this a full install or NanoBSD? I've seen the "…....." happen before on NanoBSD if someone accidentally uploads a full CF image instead of an upgrade slice before, but that's the only way I can recall it happening.

FreeBSD has it, you can make/use labels for slices, but the installer code for full installs doesn't (yet) make or use them.

Hey Steve! I made no manual changes to the baud rating. Literally, I installed PFsense, loaded up the web_gui, and have only enabled disabled the serial console from that menu. I wish I could get the blasted serial console to work though, (in the event I fubar something). I hate popping this IDE drive out every-time I screw something up! LoL! EDIT Sorry, I forgot to mention, this is V2.02 Interestingly enough, I no longer have to kill/reinitialize the web-configurator (lighttpd) every 5 minutes when it becomes unresponsive now that I'm running a full-on install. That's a plus!

Thanks Steve!!! I really appreciate that.

Given the number of inetd instances there must be a significant number of reflected connections. Best to either not use reflection in that case, or upgrade to 2.1 and use "pure NAT" mode reflection. That's not in and of itself causing the crash I don't think, wallabybob covered that, but it's definitely not helping things.