Re: [pfSense Support] vmware appliance using onboard wifi as an interface

2009-04-17 Thread RB
On Fri, Apr 17, 2009 at 14:02, Sean Cavanaugh  wrote:
> I really wish it would virtualize wireless cards like that as I could get
> rid of my access point at home and just add a card into my system.

Both KVM and Xen allow you to directly map a PCI slot into a client's
namespace.  Right now I'm running pfSense as a VM under KVM and have
both a physical Ethernet port and a HiFN card mapped directly to it.

With VMWare, VirtualBox, and most other virtualization managers (as
Sean noted) it'll present as a generic Ethernet interface with no WiFi
extensions, you'll have to use the host to manage the actual wireless
association.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
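What RB describes (mapping a PCI slot straight into a guest), as an added example that is not from the thread: a libvirt domain-definition fragment that hands one host PCI device to a KVM guest, the same way a NIC or a crypto card is given to a pfSense VM. The PCI address, the `<devices>` placement and the `managed='yes'` choice are illustrative assumptions; the real address comes from `lspci` on the host.

```xml
<!-- Added example, not from the thread. The bus/slot values are placeholders;
     take the real ones from lspci on the host. This fragment belongs inside
     the <devices> element of the guest's domain XML (virsh edit <guest>). -->
<devices>
  <!-- managed='yes': libvirt unbinds the device from its host driver when the
       guest starts and rebinds it when the guest stops -->
  <hostdev mode='subsystem' type='pci' managed='yes'>
    <source>
      <address domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
    </source>
  </hostdev>
</devices>
```

The guest then sees the real card and must carry its own driver for it, so a wireless adapter only becomes a wireless interface inside the VM if the guest OS supports that chipset. Passthrough is an isolation boundary only when the host has an IOMMU (Intel VT-d or AMD-Vi) enabled: without one the device's DMA is not confined to the guest's memory, so check the host kernel log for IOMMU initialisation before handing a device to a guest you do not fully trust.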



Re: [pfSense Support] vmware appliance using onboard wifi as an interface

2009-04-17 Thread Sean Cavanaugh
As far as I know, the virtualization layer runs as a protocol on top of the 
interfaces in your computer. You CAN get pfSense to use the network connection 
over the wireless...but it will not see it as a wireless inside the VM, and 
will treat it as wired instead.
Remember that VMWare does not virtualize the hardware itself, but offers 
virtual devices that are hooked into the hardware.

I really wish it would virtualize wireless cards like that as I could get rid 
of my access point at home and just add a card into my system.

-Sean


From: Chris Flugstad 
Sent: Friday, April 17, 2009 3:23 PM
To: support@pfsense.com 
Subject: [pfSense Support] vmware appliance using onboard wifi as an interface


I'm trying to run a VM of pfSense in Windows, but be able to use the onboard 
wireless card (Atheros chip) as OPT1.  Anyone successfully done this?  I don't 
need to use the wireless on the Windows XP side as I have an Ethernet connection 
or an EVDO USB device.  Any thoughts or help would rock.

So far I've booted the VMware appliance in VMplayer.  I think I need to edit 
the "computer" in VMserver to allow the wireless as an interface and prolly 
have it "bridge"?

Just a thought, I'll try that but thought I'd ask around in here.

thanks,

Chris Flugstad
Cascadelink
900 1st ave s, suite 201a
seattle, wa 98134
p: 206.774.3660 | f: 206.577.5066
ch...@cascadelink.com 

[pfSense Support] vmware appliance using onboard wifi as an interface

2009-04-17 Thread Chris Flugstad




I'm trying to run a VM of pfSense in Windows, but be able to use the
onboard wireless card (Atheros chip) as OPT1.  Anyone successfully done
this?  I don't need to use the wireless on the Windows XP side as I
have an Ethernet connection or an EVDO USB device.  Any thoughts or help
would rock.

So far I've booted the VMware appliance in VMplayer.  I think I need to
edit the "computer" in VMserver to allow the wireless as an interface
and prolly have it "bridge"?

Just a thought, I'll try that but thought I'd ask around in here.

thanks,


Chris Flugstad
Cascadelink
900 1st ave s, suite 201a
seattle, wa 98134
p: 206.774.3660 | f: 206.577.5066
ch...@cascadelink.com







Re: [pfSense Support] Firewall rules keep failing

2009-04-17 Thread Gary Buckmaster
You can easily install a dedicated squid box (not a pfSense box running 
squid) in your network and accomplish the same goals. 


Graeme Evans wrote:

Chris

Seems you may be on to something. I have removed Squid and what was a very reproducible issue doesn't _seem_ to be happening. I had thought about that but dismissed it as it was affecting ICMP/Ping, TCP/FTP and other traffic which I didn't think squid would interfere with. 


However, now I have another problem. It's most important to have the security 
but squid saves us hours of time and gigs of bandwidth a day by caching updates 
for all the PC's that come through our workshop. Really could do with it 
installed and still have the intended security. I guess I could have a second 
PFSense box caching within the workshop segment but it shouldn't be needed.



Graeme Evans
Technical Manager
KCS Computer Solutions
e: graeme.ev...@kcssolutions.co.uk 
w: www.kcssolutions.co.uk 
t: 017687 75526

f: 017687 75636
a: Packhorse Court, Keswick, Cumbria, CA12 5JB
Keswick Computer Services Ltd. trading as KCS Computer Solutions (Registered in 
England & Wales)
Company Number: 4533301
VAT Number: GB734 732 432 
This email and any attachments are confidential.  It may contain privileged information and is intended for the named recipient(s) only.  It must not be distributed without consent.  If you are not one of the intended recipients, please notify the sender immediately and do not disclose, distribute, or retain this email or any part of it.


Unless expressly stated, opinions in this email are those of the individual sender, and not of Keswick Computer Services Ltd.  Legally binding obligation can only arise for, or be entered into on behalf of, Keswick Computer Services Ltd by duly authorised representatives. 
Keswick Computer Services Ltd excludes any liability whatsoever for any offence caused, any direct or consequential loss arising from the use, or reliance on, this e-mail or its contents.  We believe but do not warrant that this e-mail and any attachments are virus free.  You must therefore take full responsibility for virus checking.  Keswick Computer Services Ltd reserve the right to scan all e-mail communications through its network.



-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris 
Buechler
Sent: 17 April 2009 15:36
To: support@pfsense.com
Subject: Re: [pfSense Support] Firewall rules keep failing

On Fri, Apr 17, 2009 at 4:15 AM, Graeme Evans
 wrote:
  

Situation:

I have a simple PFSense setup with a single PFsense 1.2.2 computer, 1 WAN
interface, and 2 Local interfaces - one named LAN (10.0.0.0/24), and the
other is Workshop (10.0.1.0/24).  We have all sorts of computers including
infected PC's connected to our Workshop interface so there are firewall
rules setup only to allow internet access from both Local interfaces and on
the workshop interface some simple rules allowing things like FTP access
to our fileserver on the LAN interface. We want no other access between
subnets. We also have squid installed in transparent mode listening on the
Workshop interface only, lightsquid,



If you uninstall squid does it change?  If traffic isn't getting
logged and you have logging on all your firewall rules, squid has to
be picking it up. There are a number of potential consequences of the
squid packages, this may be one.



  







RE: [pfSense Support] Firewall rules keep failing

2009-04-17 Thread Graeme Evans
Chris, The address I tried to register on the forum is gra...@initi.co.uk 

Graeme Evans
Technical Manager
KCS Computer Solutions
e: graeme.ev...@kcssolutions.co.uk 
w: www.kcssolutions.co.uk 
t: 017687 75526
f: 017687 75636
a: Packhorse Court, Keswick, Cumbria, CA12 5JB
Keswick Computer Services Ltd. trading as KCS Computer Solutions (Registered in 
England & Wales)
Company Number: 4533301
VAT Number: GB734 732 432 


-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris 
Buechler
Sent: 17 April 2009 15:45
To: support@pfsense.com
Subject: Re: [pfSense Support] Firewall rules keep failing

On Fri, Apr 17, 2009 at 4:15 AM, Graeme Evans
 wrote:
>
> PS: anyone know why the registration system on the pfsense forum won't send
> activation emails - so I can't register?
>

Oh, and I looked for your email address on the forum and it isn't
there. If you let me know offlist what you registered under I can
manually activate you. Between the mailing lists and forum email, our
mail server sends out a ton of mail, we tend to get wrongly blocked as
spammers quite a bit. Unfortunately backscatter is an issue, with
people trying to spam the mailing list from spoofed addresses which
then get the "you are not subscribed and cannot post" bounce back,
which I'm sure contributes to the occasional blocking. There isn't a
good alternative.




RE: [pfSense Support] Firewall rules keep failing

2009-04-17 Thread Graeme Evans
Chris

Seems you may be on to something. I have removed Squid and what was a very 
reproducible issue doesn't _seem_ to be happening. I had thought about that 
but dismissed it as it was affecting ICMP/Ping, TCP/FTP and other traffic which 
I didn't think squid would interfere with. 

However, now I have another problem. It's most important to have the security 
but squid saves us hours of time and gigs of bandwidth a day by caching updates 
for all the PC's that come through our workshop. Really could do with it 
installed and still have the intended security. I guess I could have a second 
PFSense box caching within the workshop segment but it shouldn't be needed.



Graeme Evans
Technical Manager
KCS Computer Solutions
e: graeme.ev...@kcssolutions.co.uk 
w: www.kcssolutions.co.uk 
t: 017687 75526
f: 017687 75636
a: Packhorse Court, Keswick, Cumbria, CA12 5JB
Keswick Computer Services Ltd. trading as KCS Computer Solutions (Registered in 
England & Wales)
Company Number: 4533301
VAT Number: GB734 732 432 


-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris 
Buechler
Sent: 17 April 2009 15:36
To: support@pfsense.com
Subject: Re: [pfSense Support] Firewall rules keep failing

On Fri, Apr 17, 2009 at 4:15 AM, Graeme Evans
 wrote:
>
>
> Situation:
>
> I have a simple PFSense setup with a single PFsense 1.2.2 computer, 1 WAN
> interface, and 2 Local interfaces - one named LAN (10.0.0.0/24), and the
> other is Workshop (10.0.1.0/24).  We have all sorts of computers including
> infected PC's connected to our Workshop interface so there are firewall
> rules setup only to allow internet access from both Local interfaces and on
> the workshop interface some simple rules allowing things like FTP access
> to our fileserver on the LAN interface. We want no other access between
> subnets. We also have squid installed in transparent mode listening on the
> Workshop interface only, lightsquid,

If you uninstall squid does it change?  If traffic isn't getting
logged and you have logging on all your firewall rules, squid has to
be picking it up. There are a number of potential consequences of the
squid packages, this may be one.




Re: [pfSense Support] Firewall rules keep failing

2009-04-17 Thread Chris Buechler
On Fri, Apr 17, 2009 at 4:15 AM, Graeme Evans
 wrote:
>
> PS: anyone know why the registration system on the pfsense forum won’t send
> activation emails – so I can’t register?
>

Oh, and I looked for your email address on the forum and it isn't
there. If you let me know offlist what you registered under I can
manually activate you. Between the mailing lists and forum email, our
mail server sends out a ton of mail, we tend to get wrongly blocked as
spammers quite a bit. Unfortunately backscatter is an issue, with
people trying to spam the mailing list from spoofed addresses which
then get the "you are not subscribed and cannot post" bounce back,
which I'm sure contributes to the occasional blocking. There isn't a
good alternative.




Re: [pfSense Support] Firewall rules keep failing

2009-04-17 Thread Chris Buechler
On Fri, Apr 17, 2009 at 4:15 AM, Graeme Evans
 wrote:
>
>
> Situation:
>
> I have a simple PFSense setup with a single PFsense 1.2.2 computer, 1 WAN
> interface, and 2 Local interfaces - one named LAN (10.0.0.0/24), and the
> other is Workshop (10.0.1.0/24).  We have all sorts of computers including
> infected PC’s connected to our Workshop interface so there are firewall
> rules setup only to allow internet access from both Local interfaces and on
> the workshop interface some simple rules allowing things like FTP access
> to our fileserver on the LAN interface. We want no other access between
> subnets. We also have squid installed in transparent mode listening on the
> Workshop interface only, lightsquid,

If you uninstall squid does it change?  If traffic isn't getting
logged and you have logging on all your firewall rules, squid has to
be picking it up. There are a number of potential consequences of the
squid packages, this may be one.

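One mechanism by which a transparent proxy can let traffic slip past logged interface rules, matching what Chris describes (traffic that squid "picks up" before the rules see it), as an added pf.conf example that is neither from the thread nor from the pfSense squid package: pf evaluates translation (rdr) rules before filter rules, so an intercepted flow reaches the filter with its destination already rewritten to the proxy socket. The interface name, the macro names and squid's port 3128 are assumptions for illustration; the two subnets are the ones from Graeme's description. The example covers the TCP/80 path only and does not account for the ICMP symptom Graeme also reported.

```pf
# Added example, not from the thread. Interface name and proxy port are assumed.
wrk_if     = "fxp1"          # Workshop interface (assumed name)
wrk_net    = "10.0.1.0/24"
lan_net    = "10.0.0.0/24"
proxy      = "127.0.0.1"
proxy_port = "3128"          # squid's listening port (assumed)

# --- Weak: intercept every TCP/80 flow that enters the Workshop interface ---
# A Workshop host connecting to a LAN web server arrives at the filter rules
# with destination 127.0.0.1:3128, so a "block Workshop -> LAN" rule (and its
# log entry) never matches. squid then opens its own connection to the LAN
# host from the firewall itself, which the Workshop interface rules never see.
#rdr on $wrk_if proto tcp from $wrk_net to any port 80 -> $proxy port $proxy_port

# --- Corrected: keep inter-subnet traffic out of the proxy ---
# Translation rules are first-match; the "no rdr" entry exempts LAN
# destinations, which then reach the filter with their real address and are
# subject to the normal inter-subnet policy and its logging.
no rdr on $wrk_if proto tcp from $wrk_net to $lan_net
rdr    on $wrk_if proto tcp from $wrk_net to any port 80 -> $proxy port $proxy_port

# Filter rules for the Workshop interface (first matching "quick" rule wins)
pass  in quick on $wrk_if proto tcp from $wrk_net to $lan_net port 21   # FTP to the LAN file server
block in log quick on $wrk_if from $wrk_net to $lan_net                  # everything else between subnets
pass  in quick on $wrk_if proto tcp from $wrk_net to $proxy port $proxy_port
pass  in quick on $wrk_if from $wrk_net to any                           # Internet access
```

To check a running box: `pfctl -sn` lists the translation rules actually loaded and `pfctl -sr` the filter rules (pfSense also writes its generated ruleset to /tmp/rules.debug). The tell-tale of interception is a state in `pfctl -ss` for a Workshop client whose destination is the proxy socket rather than the LAN host; an empty firewall log for that flow, with logging on every rule, is the symptom Chris was pointing at.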



Re: [pfSense Support] Reboot on virtual IP

2009-04-17 Thread Chris Buechler
On Fri, Apr 17, 2009 at 12:42 AM, Tim Dressel  wrote:
> Hi folks,
>
> We've been playing around at work with binding multiple IP's to the
> WAN interface so that we can port forward the same ports from
> different IP's to different services on the LAN side.
>
> Has anyone ever seen when you add a second virtual IP, and then create
> the NAT on the second (also creating the rule at the same time) for
> PFSense to hard crash and reboot?

Using CARP VIPs?  CARP can be finicky, if you don't do things exactly
a certain way, it'll panic. The system should prevent all of those
things though, most were fixed in 1.2 RCs and earlier, though if
you're using VLANs there's another fix in 1.2.1 for some scenarios.
Should be impossible to panic with CARP on the latest version if
you're doing everything through the GUI.




RE: [pfSense Support] Firewall rules keep failing

2009-04-17 Thread Graeme Evans
Thanks, and yes I am applying changes. It seems to be that action (reloading 
the firewall rules) that causes the problem.

I don't know too much about the BSD internals of PFSense but I have been using 
it for a while (and m0n0wall for embedded applications) and am reasonably 
familiar with how it is supposed to work, which is why I'm a little frustrated 
by this problem. I am thinking of rebuilding the system from fresh and 
configuring it again, it's not a very complex setup.


Graeme Evans
Technical Manager
KCS Computer Solutions
e: graeme.ev...@kcssolutions.co.uk 
w: www.kcssolutions.co.uk 
t: 017687 75526
f: 017687 75636
a: Packhorse Court, Keswick, Cumbria, CA12 5JB
Keswick Computer Services Ltd. trading as KCS Computer Solutions (Registered in 
England & Wales)
Company Number: 4533301
VAT Number: GB734 732 432 


-Original Message-
From: Jaime Díaz [mailto:jnd...@gmail.com] 
Sent: 17 April 2009 14:20
To: support@pfsense.com
Subject: Re: [pfSense Support] Firewall rules keep failing

Might be a silly question... but are you clicking on the "Apply
changes" button, right?

Regarding the forums, I had to resend the activation email two times
until I got it in my inbox.

Regards.

On Fri, Apr 17, 2009 at 5:15 AM, Graeme Evans
 wrote:
>
>
> Situation:
>
> I have a simple PFSense setup with a single PFsense 1.2.2 computer, 1 WAN
> interface, and 2 Local interfaces - one named LAN (10.0.0.0/24), and the
> other is Workshop (10.0.1.0/24).  We have all sorts of computers including
> infected PC's connected to our Workshop interface so there are firewall
> rules setup only to allow internet access from both Local interfaces and on
> the workshop interface some simple rules allowing things like FTP access
> to our fileserver on the LAN interface. We want no other access between
> subnets. We also have squid installed in transparent mode listening on the
> Workshop interface only, lightsquid, pubkey and phpsysinfo packages are also
> installed. The box was recently updated from 1.2 to 1.2.2 using its inbuilt
> update feature.
>
>
>
> Problem:
>
> Following a reboot all this seems to work correctly but as soon as I make
> any configuration updates all rules between local subnets seem to fail and
> as far as I can tell there is full access from computers on the workshop
> interface to all PC's on the LAN interface.
>
>
>
> I have tried:
>
> Enabling logging on rules to try to identify a malfunctioning rule. I ended
> up with logging enabled on every rule, on all interfaces. Pinging and http
> between subnets was working but no relevant log entries were logged.
>
> A further reboot seems to fix things, again until I have to make a further
> change.
>
>
>
> I can't trust a firewall that does this, and I can't reboot every time I
> make a change. Help!
>
>
>
>
>
>
>
> PS: anyone know why the registration system on the pfsense forum won't send
> activation emails - so I can't register?
>
> Graeme Evans
> Technical Manager
>
> KCS Computer Solutions
> e: graeme.ev...@kcssolutions.co.uk
> w: www.kcssolutions.co.uk
> t: 017687 75526
> f: 017687 75636
> a: Packhorse Court, Keswick, Cumbria, CA12 5JB
>
> Keswick Computer Services Ltd. trading as KCS Computer Solutions (Registered
> in England & Wales)
>
> Company Number: 4533301
> VAT Number: GB734 732 432
>

Re: [pfSense Support] Firewall rules keep failing

2009-04-17 Thread Jaime Díaz
Might be a silly question... but are you clicking on the "Apply
changes" button, right?

Regarding the forums, I had to resend the activation email two times
until I got it in my inbox.

Regards.

On Fri, Apr 17, 2009 at 5:15 AM, Graeme Evans
 wrote:
>
>
> Situation:
>
> I have a simple PFSense setup with a single PFsense 1.2.2 computer, 1 WAN
> interface, and 2 Local interfaces - one named LAN (10.0.0.0/24), and the
> other is Workshop (10.0.1.0/24).  We have all sorts of computers including
> infected PC’s connected to our Workshop interface so there are firewall
> rules setup only to allow internet access from both Local interfaces and on
> the workshop interface some simple rules allowing things like FTP access
> to our fileserver on the LAN interface. We want no other access between
> subnets. We also have squid installed in transparent mode listening on the
> Workshop interface only, lightsquid, pubkey and phpsysinfo packages are also
> installed. The box was recently updated from 1.2 to 1.2.2 using its inbuilt
> update feature.
>
>
>
> Problem:
>
> Following a reboot all this seems to work correctly but as soon as I make
> any configuration updates all rules between local subnets seem to fail and
> as far as I can tell there is full access from computers on the workshop
> interface to all PC’s on the LAN interface.
>
>
>
> I have tried:
>
> Enabling logging on rules to try to identify a malfunctioning rule. I ended
> up with logging enabled on every rule, on all interfaces. Pinging and http
> between subnets was working but no relevant log entries were logged.
>
> A further reboot seems to fix things, again until I have to make a further
> change.
>
>
>
> I can’t trust a firewall that does this, and I can’t reboot every time I
> make a change. Help!
>
>
>
>
>
>
>
> PS: anyone know why the registration system on the pfsense forum won’t send
> activation emails – so I can’t register?
>
> Graeme Evans
> Technical Manager
>
> KCS Computer Solutions
> e: graeme.ev...@kcssolutions.co.uk
> w: www.kcssolutions.co.uk
> t: 017687 75526
> f: 017687 75636
> a: Packhorse Court, Keswick, Cumbria, CA12 5JB
>
> Keswick Computer Services Ltd. trading as KCS Computer Solutions (Registered
> in England & Wales)
>
> Company Number: 4533301
> VAT Number: GB734 732 432
>
>
>




Re: [pfSense Support] Reboot on virtual IP

2009-04-17 Thread Paul Mansfield
Tim Dressel wrote:

> Has anyone ever seen when you add a second virtual IP, and then create
> the NAT on the second (also creating the rule at the same time) for
> PFSense to hard crash and reboot? When it comes back up the second
> virtual IP NAT does not work.

I've not seen that kind of instability since early RCs of 1.2.

What version are you running, and SMP or plain vanilla kernel?

Might be hardware - have you turned off all unnecessary devices in the
BIOS to free up interrupts, DMA etc?




[pfSense Support] Firewall rules keep failing

2009-04-17 Thread Graeme Evans

Situation:
I have a simple PFSense setup with a single PFsense 1.2.2 computer, 1 WAN 
interface, and 2 Local interfaces - one named LAN (10.0.0.0/24), and the other 
is Workshop (10.0.1.0/24).  We have all sorts of computers including infected 
PC's connected to our Workshop interface so there are firewall rules setup only 
to allow internet access from both Local interfaces and on the workshop 
interface some simple rules allowing things like FTP access to our fileserver 
on the LAN interface. We want no other access between subnets. We also have 
squid installed in transparent mode listening on the Workshop interface only, 
lightsquid, pubkey and phpsysinfo packages are also installed. The box was 
recently updated from 1.2 to 1.2.2 using its inbuilt update feature.

Problem:
Following a reboot all this seems to work correctly but as soon as I make any 
configuration updates all rules between local subnets seem to fail and as far 
as I can tell there is full access from computers on the workshop interface to 
all PC's on the LAN interface.

I have tried:
Enabling logging on rules to try to identify a malfunctioning rule. I ended up 
with logging enabled on every rule, on all interfaces. Pinging and http between 
subnets was working but no relevant log entries were logged.
A further reboot seems to fix things, again until I have to make a further 
change.

I can't trust a firewall that does this, and I can't reboot every time I make a 
change. Help!



PS: anyone know why the registration system on the pfsense forum won't send 
activation emails - so I can't register?
Graeme Evans
Technical Manager
KCS Computer Solutions
e: graeme.ev...@kcssolutions.co.uk
w: www.kcssolutions.co.uk
t: 017687 75526
f: 017687 75636
a: Packhorse Court, Keswick, Cumbria, CA12 5JB
Keswick Computer Services Ltd. trading as KCS Computer Solutions (Registered in 
England & Wales)
Company Number: 4533301
VAT Number: GB734 732 432