@stephenw10: What's wrong with using 2.1 snapshots, which are based on 8.3? Whilst 2.1 Snapshots are okay for testing and possibly for production if the day is right when no major glitches arise, I have found it hangs quite often when testing configs for routing public IPs - something not explained well either in the wiki or in the book and needs some experimentation. @stephenw10: See: http://devwiki.pfsense.org/UsingProjectEvilOnpfSense Thanks, I saw it was a bit dated what with the old sze of 64MB that is now 128MB and whether the loader.conf.local would entries would still be needed - will check it out though. I thought the release 2.0.2 might have some nice fixes now - any build from repo instructions? @stephenw10: @apmuthu: Are there any unofficial public Wikis on pfSense that are maintained well? I've never seen one. Thanks for the info - a nice candidate for a wiki to substitute for the missing links in the current one and experimentations not in the book as well! Trawling the forum is quite cumbersome. Managing Spam and malicious activity on the Wiki is tiresome indeed. @cmb - your book is well laid out and nicely cross referenced. Thankyou. The memstick installer img uses the older FreeBSD Slice naming convention and had me stumped quite a while. Instead of mounting it withmount /dev/md0s1a /mnt/pfsensewe need to mount it with``` mount /dev/md0a /dev/pfsense

Thank You for the responses.

The pfsense appliance has 4 LAN ports available and it will be connected to three 42-port VLAN capable switches. Is it best to design it as a router on a stick, or to connect each VLAN to a pfsense LAN port?

yeah I was hoping to have 2.1 out as well, but I've had to deploy 2.1 BETA from the snapshots to my customers for now. Even though it's beta, still more than reliable enough to deploy in a simple network situation. :) Michael Johnson Novacore Systems http://www.novacoresystems.com

I have reread this thread and noticed a change in the network shared by Cisco and ISP facing router: 192.168.2.0/24 became 192.168.2.0/30 (unless you made a typo). Depending on the IP addresses assigned when you did the switchover you may have created an invalid configuration. For example, suppose the Cisco had 192.168.2.100 and the simple router 19.2.168.2.1. Perhaps you replaced the simple router by pfSense with the interface connected to the Cisco assigned 192.168.2.1/30 then you have an invalid configuration because the Cisco and pfSense are not on the same subnet. Please post a diagram of the current configuration including IP addresses and netmasks of all relevant interfaces, the tests you have tried and what is reported by these tests.

Edit the config.xml file and search-and-replace the old device name with the new one (e.g. em -> igb)

lol, i really doubt i'll have that much cache. Plus i only have 1gb of ram for this machine. I have quite a few older IDE drives laying about i just really don't trust them long term. but at the same time, i want it to function at 100% and not have to worry about replacing something that craps out… Oh well guess i'll try it. Thanks for your help Steve.

I found this forum page…. will try it out and update this forum thread http://forum.pfsense.org/index.php?topic=50711.0

Brilliant! Thx Jim!

Yes, pretty much. You should be able to upgrade directly from the GUI without separately downloading anything. Read this: http://doc.pfsense.org/index.php/Redundant_Firewalls_Upgrade_Guide and this: http://doc.pfsense.org/index.php/Upgrade_Guide If you have any doubts the safest thing you can do is buy two new CF cards and use those instead. Restore a config backup onto the new 2.0 image and you should be good to go. That way you can quickly and easily go back to the old cards if something doesn't quite go to plan. Steve

Ah, thanks for the correction. Not sure why I thought that then. Steve

@stephenw10: Ah good stuff.  :) I have no idea about 802.1p, or no more than is revealed by a quick Google: http://en.wikipedia.org/wiki/IEEE_P802.1p You might think that setting it to a higher level would give you priority over other users. However it may also screw things completely or have engineers are your door in seconds! Since everyone else will be at 2 there would be no need to go higher than 3. Wait until a busy time when your connection speed has slowed and try it.  ;) Most likely it will do nothing at all and is just an option provided by Huawei that's unused by BT/Sky. I keep meaning to get a second modem to hack. This may be the final trigger. Steve yeah nice one. thanks for your help. your thread came in really handy

@stephenw10: Damn it! The info about "It's worth noting that there is no point in buying a card with a high transfer rate" came a little bit to late for me :D. Well, it's just ~35€ so everything is fine. It's this one: http://www.amazon.co.uk/gp/product/B00422IVLC/ref=noref?ie=UTF8&psc=1&s=computers I went for the 8GB CF card since I was afraid of the 4g limitations on some CF cards. Yes, I tried out the work around of JimP and it worked perfect, but something slowed down the firewall again and I'm kind of tired to remount it every time again. I'll just switch back to 2.0.1 and wait until a stable, hopefully properly working with my CF card, 2.1 version is out :). I was always wondering what the difference is between those 1g-4g versions, thanks for clearing this up. Thanks for your support and all replys, Szop

The pkg button is the proper way. Snort is odd in that it has (or maybe it's been fixed since) an option, on by default, to clear out the snort settings when it is upgraded or reinstalled. Find the relevant checkbox to disable that behavior and it should retain your settings.

jimp, I believe the issue he was having was that when using pfsense his WAN IP address changed too often, whereas using another router it didn't. He wrote: I've also tried a basic router (Asus something) which has been working fine without any address change, which should rule out the ISP as the problem? Without more info it's hard to say what could be going on (flaky modem, weird dhclient issue etc) The flushing of states via the old gateway on WAN IP change event would be another related issue.

you prob have dns not working on pfsense itself - where do you point pfsense for dns?

The really interesting thing is that earlier you said: @rjcrowder: Then, if I go into the console menu and reconfigure the WAN - telling it to use DHCP - it gets an IP address! Possibly the default state of the NIC, when the machine first boots, does not check for all 4 pairs connected. However when the driver is loaded this check is enabled in the hardware such that subsequent negotiations are able to fall back to 100Mbps. I guess.  ;) Anyway using the correctly wired cable is the right solution. Steve

So, that was just the beginning, it's actually better to not null-route it but make the following entries: files.pfsense.org - 192.168.1.100 files.pfsense.com - 192.168.1.100 www.pfsense.org - 192.168.1.100 www.pfsense.com - 192.168.1.100 If your package web server is 192.168.1.100. Next is the problem of not having the packages themselves. So wget -mk -np http://files.pfsense.org/packages/ gave me a directory that I plopped into my already existant packages directory (created from the git clone as described in the documentation) but the problem I ran into was the php files being rendered still (which made any packages that pulled php files get the rendered version instead of source). So you need to add a .htaccess file in the packages directory with the following: RemoveHandler .php .phtml .php3 RemoveType .php .phtml .php3 php_flag engine off Make sure that "AllowOverride all" is enabled if you are running Apache to host the package site, if not, you'll have to google how to allow .htaccess files for your particular server. (or if you server doesn't support htaccess files then how to enable source disclosure) After those alterations I seem to be off to the races for the most part. Some packages pull from other websites, but altering the package_8.xml or just rerouting the dns seems to solve most of those issues.