1  Retired / 2.0-RC Snapshot Feedback and Problems - RETIRED / Re: request: 95th percentile calculation in RRD on: February 05, 2011, 03:16:56 pm
clarknova is right.  The billing model is imposed by the seller of bandwidth here, it's not a choice we can elect to take or not.  All of our "wholesale" transport is priced this way.  I have only one question, tho... Wouldn't we need to input the "window" over which the 95th percentile is calculated?  In order to match our billing?
2  pfSense English Support / General Questions / Possible bug with aliases and bridging on: September 17, 2010, 05:32:49 pm
I know that aliases work.  I've used them many many times in pfSense configurations.  But yesterday I set up a new firewall using 1.23-Released (nano, on pcEngines board) and used it as a bridge (OPT1 to WAN).  I read the book and scoured the forum and got all the good advice I needed.  I set up the rules using aliases and... nothing worked.  No traffic.  Everything blocked by the default rule.

To make a very long story short, I changed the alias to a simple host address on a ping rule, and it worked.  Changed it back to the alias, and it stopped.  I did this several times because I simply could not believe that aliases were the root of my problem.  I compared addresses carefully and triple-checked everything.

Bottom line: the firewall bridge works perfectly if I use dotted addresses for all hosts and networks in my rules.  If I use aliases, nothing works.  Even an alias with only one host address identical to the dotted address fails to match traffic.

I have no other explanations.  This is not a complaint, since my firewall is up and running nicely and everybody is smiles all around.  But I thought I'd mention it here in case anyone wants to try to duplicate the issue or can explain why aliases work on every configuration except bridging!
3  pfSense English Support / Installation and Upgrades / Re: Install PFsense on CF on: July 20, 2010, 09:05:04 pm
Wouldn't installing the full version to a CF card (barring a Microdrive) kill the card eventually?
It's also worth reminding folks that the "micro hard drive" form of CF cards have basically infinite write cycles as well.  They aren't very common these days, but you can usually find them on ebay for very little.  If you go this route, do NOT get Seagate branded drives as they won't boot on FreeBSD.  I have used the Hitachi brand successfully (and the IBM brand before it was sold to Hitachi).
4  pfSense English Support / Hardware / Re: Processor utilization grows over months of use? on: June 21, 2010, 10:46:27 am
From the console, try:

Code:
top -SH

Instead of just top. That will show system threads and kernel threads.

Good to know.  I'll try that in a few months if it happens again.
5  pfSense English Support / Hardware / Re: Processor utilization grows over months of use? on: June 20, 2010, 01:19:31 pm
What would have been interesting was to see what process was utilizing the CPU, via top or similar.

Actually, I looked for that.  When I logged in via SSH, tho, I did not see the utilization shown on the graph.  I did see an instance of sh which was "niced" and it was showing something like 10% utilization, but that was probably my SSH session.

I should mention that at no time did I suspect anything was wrong because my pfSense box was routing with no perceived degradation.  I only became nervous when I saw the RRD graph and rebooted the box.  It's now averaging 0.13% nice, 1% system, 0.25% user, and 0.62% interrupt.
6  pfSense English Support / Hardware / Processor utilization grows over months of use? on: June 20, 2010, 12:36:36 pm
I just looked at the processor utilization of my pfsense box and was shocked to see the "nice" utilization had grown to be about 40-50% of my CPU.  I have a Via-based pfSense box that does modest OpenVPN duty.  The RRD graph shows it went from about 1-3% utilization to the 50% level over a period of months.  I rebooted the box and it fell back to the 1-3% level.

Any ideas what's going on?

7  pfSense English Support / General Questions / Re: SSH - paste key file here? on: June 20, 2010, 04:09:15 am
You also need to configure your ssh client to prefer key-based login over password-based.

Excellent.  For those reading this, one easy way is to add to your ssh command line this option:

Code:
ssh -o KbdInteractiveAuthentication=no ...

This has the effect of suppressing interactive authentication for one session while leaving your default options untouched.

8  pfSense English Support / Installation and Upgrades / Re: Install on a Wear-Leveling CF Drive ? on: April 10, 2010, 02:28:37 am
I suppose nearly everyone knows this already...  The little "micro drive" CF cards (which use a hard disk the size of a quarter) are very reliable as pfSense boot disks.  In fact, I've only killed one while using pfSense in three locations over three years.  (It was an infant mortality so the card was probably defective to begin with.)  There is no inherent write limit to disk technology.

The speed of the little hard drive is pretty good, with decent sustained read and write times.  There is a small delay as the tiny disk spins up but it doesn't affect the firewall adversely.

One point to watch out for -- not all micro-disk CF cards are bootable under FreeBSD.  I have found the Hitachi Microdrive brand to be very reliable and it works well with pfSense.  It is commonly found on eBay in 4- and 6-GB sizes.  A lot of them are "pulls" from Apple iPods and the like.

On the other hand, I have been unable to make a Seagate branded micro-drive CF card work in a pfSense firewall.
9  pfSense English Support / OpenVPN / Re: Why "server" and "client" nomenclature? on: December 09, 2009, 03:58:25 pm
When I tried it, the "address pool" was messed up.  It chose the same range for two clients and could not distinguish them.  I couldn't figure out a way to force the pool to a specific range for the two clients as the server has only one place to enter the pool and it must be the entire range.

Just more stuff to figure out.  If it were easy anybody could do it -- and they wouldn't need an overpriced curmudgeon like me!
10  pfSense English Support / OpenVPN / Why "server" and "client" nomenclature? on: December 07, 2009, 11:31:34 pm
As far as I can tell, we are allowed only one "client" per "server", unless using PKI.  It seems a misuse of the term "server" if I can have only one client talk to it in shared-key mode.  Or is it possible to have multiple clients even with shared keys?

11  pfSense English Support / OpenVPN / Re: Need help to setup an OpenVPN tunnel on: December 07, 2009, 04:41:09 am
If you're still watching ppolymorphe I recommend the following:

Update your RC2 router to RC3.

I had RC1 and RC3 and could NOT get those to work properly at all.  My symptoms were very similar to yours -- I could ping one site from another but computers on the network could not ping each other.

Updating both routers to RC3 has resulted in a working OpenVPN solution.
12  pfSense English Support / OpenVPN / Re: Devoted pfSense user founders on the rocky shoals of OpenVPN on: December 07, 2009, 04:36:38 am
Well well well. 

The same OpenVPN tunnel definitions that failed before work now.  All I did was update my home router to 1.2.3 RC3 (it was RC1 before).  It's starting to look like there is something amiss between RC1 and RC3 in OpenVPN implementations. 

Easy enough to fix, if you know about the problem...
13  Retired / 1.2.3-PRERELEASE-TESTING snapshots - RETIRED / Re: what version on a 4gb compactflash card, i also want monitor access on: December 04, 2009, 07:02:04 pm
I've been running a compact flash "microdrive" (tiny disk drive) for a couple of years using the "live CD" version of pfSense.  I tried a flash drive first but it failed after about 3 months.

The Hitachi microdrives work best -- do NOT get a Seagate because it won't boot under FreeBSD 7.x.  They are all over ebay at good prices.  I just bought some "pulls" from mp3 players for a song (get it?).

One note -- my box wouldn't support DMA on the compact flash slot so I had to add the following line to the boot config:

Code:
set hw.ata.ata_dma="0"
14  Retired / 1.2.3-PRERELEASE-TESTING snapshots - RETIRED / Re: DynDns funny on IPSEC on: December 04, 2009, 06:58:47 pm
Just a reminder.  Hope this gets into the "fix" list for version 1.2.3
15  pfSense English Support / OpenVPN / Re: Devoted pfSense user founders on the rocky shoals of OpenVPN on: December 02, 2009, 02:55:16 pm
I'm holding off until I can upgrade my RC1 box to RC3.  Call me chicken but I didn't want to do that remotely (1200 miles away from physical access).  I also have the book ordered from the big river so I'll give it a look and see what I've missed.