Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts

    Can I use pfblockerng aliases in Haproxy?

    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeks

    I saw where the Netgate kernel developer updated the Suricata package in the pfSense 25.07 development branch to work with the new kernel PPPoE driver. But so far as I know that updated package has not been migrated to 2.8 CE.

    Here is the commit into the DEVEL branch: https://github.com/pfsense/FreeBSD-ports/commit/68a06b3a33c690042b61fb4ccfe96f3138e83b72.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do backup or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts

    @wbmstr2000 : Thanks! I will investigate it, greetings

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    99 Topics
    2k Posts

    @elvisimprsntr thanks for your suggestion. I will give it a try.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    johnpoz

    @MacUsers

    https://help.zerossl.com/hc/en-us/articles/360060119933-Certificate-Revocation

    edit: oh you prob out of luck

    You can revoke any certificate issued via the ZeroSSL portal. Currently, certificates issued via ACME can not be revoked from inside the portal - please follow the instructions of your ACME client for revoking those certificates.

    the gui in pfsense does not have the ability to revoke - you prob have to move the certs to something you have certbot installed to and revoke that way.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered it automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    88 Topics
    573 Posts
    luckman212

    For 25.07 RC, this worked for me (run sh first)

    [25.07-RC][root@r1.lan]/root: sh
    # export IGNORE_OSVERSION=yes
    # pkg add https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.84.2.pkg
    # service tailscaled restart
    # tailscale up
    # tailscale version
    1.84.2
      go version: go1.24.4
    # tailscaled -version
    1.84.2
      go version: go1.24.4

  • Discussions about WireGuard

    689 Topics
    4k Posts

    @patient0 Thanks for further suggestions. The tunnel is definitely up and so I don't think this is a CGNAT issue after all. WAN firewall rule is in place for UDP on port 51823 (otherwise the tunnel wouldn't work, right?). I can ping from client 1 -> client 2 and vice versa and also ping all points in between like you suggest. I just can't open an HTTPS connection from pfSenseB from Client 1 using a browser. But I can do this the other way round, i.e. from Client 2 to pfSenseA.

    I will try and do some packet capture to see if that reveals anything.

  • Barnyard2 Fatal error

    3
    0 Votes
    3 Posts
    1k Views

    Are you sure that your database server is accepting connections from outside itself? By default MySQL usually only listens to localhost.

  • Squid bandwidth throttling amount

    3
    0 Votes
    3 Posts
    1k Views

    Do you have your Wi-Fi on a separate subnet or on a separate pfSense interface from your LAN?

    If so then run the Traffic shaping Wizard and dedicate 2MB of total bandwidth (Set upload and download max)

    Then test it to ensure it works. I did something similar, and can confirm it works here. That Wi-Network won't allow the Wi-Network to go over 2MB total download and upload…if too many people are on it, it just slows down, but it won't let the wifi exceed 2 MB download and upload as a total.

    Since you're already running Squid, you can use caching to make it appear faster than it actually is without it chewing up your bandwidth.

  • DNS forward: including ports

    3
    0 Votes
    3 Posts
    974 Views
    GruensFroeschli

    Method 2:
    https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks?

  • Squid/Squidguard - Allow only specific URL and not the entire domain?

    2
    0 Votes
    2 Posts
    3k Views

    Maybe you can try a "whitelist" in squidguard.

    You create an extra folder called "whitelist" into your favorite blocklist.tgz. (so download it first on your desktop)
    That folder, called whitelist, should contain a url file or a domain file, with the urls or domains you want to whitelist.

    Upload that manipulated blocklist.tgz into pfSense, and update squidguard with that locally stored blocklist.
    Now in the squidguard menu (Proxy filter) in the tab "Common ACL" you add the "whitelist" category to whitelist.
    Save and Apply and test the previously blocked url.

  • Quagga OSPF, OpenVPN Site-2-Site and Cisco hardware.

    1
    0 Votes
    1 Posts
    871 Views
    No one has replied

  • Cron not working

    4
    0 Votes
    4 Posts
    1k Views
    jimp

    @evilsmo:

    I created a simple script
    /bin/echo 1 >> /root/eu.txt

    And call this in the GUI cron on the web interface
    1 * * * * * /bin/sh /root/eu.sh

    NOT WORK

    That will run the script at minute 1 of every hour.

    If you want to run every minute, you need to use */1 as the first parameter.

    Also make sure the user is root, not *

  • Mailreport: RRD graphs for queues not updated

    1
    0 Votes
    1 Posts
    629 Views
    No one has replied

  • Squid Proxy - Google working in Chrome but not in IE?

    2
    0 Votes
    2 Posts
    2k Views
    jimp

    Chrome may be using HTTPS and not HTTP, and may be bypassing the proxy.

    The default setting in squidGuard is to block. Go to the Common ACL tab, look in the Target Rules List, and make sure the last entry for default is set to Allow. Then go back to the first squidGuard tab, apply, and then test again.

  • LightSquid and IP addresses

    2
    0 Votes
    2 Posts
    1k Views
    KOM

    Bump

  • Squidguard on pf2.1 release STILL fails after a Year !!

    3
    0 Votes
    3 Posts
    2k Views

    This problem goes back YEARS !!

    Seriously, does no one ever use time restrictions on Squidguard ?

    https://forum.pfsense.org/index.php/topic,43352.0.html

  • Squid cache

    2
    0 Votes
    2 Posts
    950 Views

    What is your maximum object size set to?  If it's less than your example, no it will not be saved in cache.

    Rick

  • Snort still blocking a Network that is listed in Whitelist

    13
    0 Votes
    13 Posts
    4k Views

    @bmeeks:

    @digdug3:

    :o stupid me… I changed the name in "Whitelists" and of course you need to reset them in all the interfaces.
    Maybe you could add a warning that the whitelist is used in an interface and should be re-enabled?

    I can do that.  I already flag an error message when trying to delete a "currently assigned to an interface" whitelist.  I can do the same with rename, or else just silently go ahead and change the name for all interfaces it is assigned to (and maybe just pop up an info box to let the user know).  I think I like the "just rename it on assigned interfaces" option best.

    I'll put this on my TODO list.  Too late, though, for the 3.0.4 version that is in review right now.

    Bill

    No problem, it's just to prevent stupid questions like this in the future, although I know that even if you warn people, they still don't -read- it…

  • Restrict Websites for kids devices

    3
    0 Votes
    3 Posts
    1k Views

    Personally, I think Dansguardian is the ultimate in managing internet access for a family. See this post for a description of how I use it and some stuff I've created to try to make it easier for those who want to use it in the same way… https://forum.pfsense.org/index.php/topic,68927.msg379573.html#msg379573

  • Pfflowd 0.8.3 giving wrong info

    Locked
    3
    0 Votes
    3 Posts
    899 Views

    Thanks for the reply!

    Why can't you? Maybe you could solve this issue in a future version.
    I'll give it a try with the softflowd package and then I update this issue.

  • SNORT problem

    2
    0 Votes
    2 Posts
    861 Views
    bmeeks

    @sebna:

    Hi,

    I have changed by mistake SNORT settings in Alerts tab to show 3000 or 30000 and it is now refreshing to blank page so I cannot change it back to 300.

    How can I change it back to show only 300 or so if the GUI interface of Alerts tab does not load.

    pf 2.1, snort Installed: 2.9.4.6 pkg v. 2.6.0

    Thanks,

    Well, first off that is an old version of Snort.  The current package is 2.9.5.5 v3.0.3.  I would suggest upgrading if possible.  If not here is how to change the value back manually.

    First, make sure you give it enough time to actually read 30,000 rows.  That could take several minutes on a slow box.  If you are satisfied that it actually won't come back to a displayed page, then you will need to manually edit the config.xml file to fix this.

    Click Diagnostics…Edit File from the pfSense menu.

    Browse to /conf and open the config.xml file in the editor window.

    Scroll down near the bottom of the file and locate the section for <snortglobal></snortglobal>.  In there are all the settings for Snort.

    Find the element tag <alertnumber>30000</alertnumber>

    Change the 30000 value to 250 and then save the change.  That should put things back to the default.

    Bill

  • Proxy Server problem!!!

    2
    0 Votes
    2 Posts
    858 Views

    How can help me, please? ???

  • Status of unbound on 2.1.x

    5
    0 Votes
    5 Posts
    1k Views

    @grandrivers:

    there are also ipv6 issues with it on 2.1.1 if i enter ipv6 on general tab complains about format of conf
    hopefully can start trying 2.2 before too long

    I have no issues with IPV6 and Unbound on 2.1 or 2.1.1.

  • Snort not updating VRT ruleset

    6
    0 Votes
    6 Posts
    1k Views
    bmeeks

    @fragged:

    It does download the paid rules. But what you were the OP was talking about in your first post was the Snort binary version.

    The Snort VRT ties the snort binary version to the rules version.  This means you can't use 2.9.6.0 rules with the 2.9.5.5 binary and vice-versa.  The installed binary must match up with the rules.

    An update to 2.9.5.6 Snort is on the way.  We are having some issues at the moment getting the binary package to build for 2.0.3 users of pfSense (the old *.tbz packages).  The new 2.1 PBI packages are working fine.  We don't want to release the new update until the binaries will work on both pfSense versions since both are supposed to be supported.  We should get this *.tbz package building problem worked out shortly, and then the new 2.9.5.6 binary and the updated 3.0.4 GUI package will be posted.

    I have not updated to 2.9.6.0 yet because doing so will lock out the free users of Snort VRT rules so they would not get updates until the end of February.  And because the binary version and rules version are tied together, that prevents me updating just for the paid-subscriber guys as well.  All things considered, it's probably not a bad idea to be one version behind "bleeding edge"… ;).  That way the bugs can get worked out.

    Bill

  • AutoConfigBackup causes "error while uploading"

    4
    0 Votes
    4 Posts
    1k Views
    jimp

    Great. We have a potential fix in testing for that problem, it shouldn't be an issue in the near future.

  • Help sending flows to an IPsec destination

    4
    0 Votes
    4 Posts
    920 Views

    also tried setting the static route to 0.0.0.0/1 … flows still not making it.  I also did a pcap to confirm they are not making it.  I feel like I'm missing something simple......  :-\

    EDIT: BAH. Nevermind. pfflowd works with the static route in place. I absolutely could not get softflowd to work over IPsec. I'm happy.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.