Errata for pfSense: The Definitive Guide

This is the errata for the book, pfSense: The Definitive Guide (October 2009).

#1 (01 Dec. 2009)

In the Firewall chapter, section 6.6.9.1 (page 113) "Simultaneous client connection limit" references the wrong PF option. It should be max-src-nodes, which limits the number of source IP addresses that can simultaneously create a state. Each source IP can create multiple states, but the total number of source IP addresses is limited to the number entered for "Simultaneous client connection limit".

#2 (01 Dec. 2009)

In the OpenVPN chapter, in section 15.4.1 (page 306), "Determine an IP addressing scheme" had the wrong label for one of the boxes. In addition to the internal subnets you will want clients to access, you need to choose an IP subnet to use for the OpenVPN connections. This is the subnet filled in under "Address Pool" in the server configuration. (The same field was also mislabeled just below that instance.)

#3 (08 Dec. 2009)

In the multi-WAN chapter: In the course of pfSense 1.2.3 development, the algorithm for detecting down WAN interfaces was switched over to a single application instance that monitored the monitor IPs. This new daemon is called apinger, which sends a ping once every second to a target. If 10 subsequent requests all fail, the target will be considered down. Apinger will also log warnings in the filter log files for high and low watermarks with regard to the latency to the monitor IP and packet loss to the target. This gives a fair indication of the cause of the problem.

#4 (11 Jan. 2010)

In the OpenVPN chapter, section 15.4.5.1 (page 309) "Copy certificates" had the wrong filename for the CA certificate. It is "ca.crt".

#5 (19 Feb. 2010)

In the Installing and Upgrading chapter, section 3.3.4, the example using dd should use of=/dev/disk3 instead. The target should be the disk, not the partition.

#6 (14 Jul. 2010)

In the Firewall Redundancy / High Availability chapter, section 20.4.4, there should be an additional paragraph above the note at the end of the section. It should say: "On the backup firewall, go to Firewall -> Virtual IPs, and click on the CARP Settings tab. Check Synchronization Enabled, pick pfsync as the Synchronize Interface, and for the pfsync sync peer IP, enter the IP address for the primary system's pfsync interface, 172.16.1.2. Click Save when finished. Do not set any other values on this page." The first sentence of the note at the end of the section should be amended to read "You should not set up configuration synchronization from the backup firewall to the master firewall".