Hi, thank you for your answer.

Nicolas

@webstor:

He has to generate a certificate for the required domain when bumping server-side first, it is a wildcard generated for the correct domain and not the ip.

I know it is for the site.

the question is, in transparent mode, how could squid know without intercepting that connection from 192.168.1.1 to 64.54.10.10 is a request to microsoft windows update?

Squid will only know the domain after interception, so acl will take no effect.

Also there are some notes about fast and slow acls that not work on this or that squid option.

I had a similar network in size, and the cache hit ratio was around 15-20%. YMMV. That would likely increase if SSL interception was enabled but that bring it's own set of problems.
Try it, it isn't too difficult to setup, especially if you use the pfsense package.

Your welcome Bill! Good call on how you programmed this.

So you mean - killbyname in case something happened to pid file?
I wouldn't do it like that, but I am not developing pfSense. If developers need to killbyname, they should be using link with different name themselves :)

I am not here to judge this. If that's how it is done currently, we'll use workaround, I just don't like that many workarounds around pfSense :(

@Luiz Gustavo , there is now other repositories working ???????

This is in Mail Report 2.3, available now. Along with fixes here also: https://forum.pfsense.org/index.php?topic=83668.msg488777#msg488777

Bacula should be OK now on 2.2, as of package version 1.0.6.

@markusxyz:

Is there any conflict with sarg+dansguardian? Should I use squidguard instead?

There is no incompatibility between Sarg and dansguardian. However, you will have to set the log format for dans to output in the squid format for Sarg to parse it. BTW, there are much better options for dansguardian reporting… you could install webmin and the DG reporting package - or see this thread https://forum.pfsense.org/index.php?topic=69003.msg377440#msg377440

The question on squidguard has nothing to do with Sarg… squidguard and dansguardian are not the same thing. Squidguard does blacklist based filtering. Dans does both blacklist and content based filtering.

Well, I got Failover working. Ticking the "default gateway switching" box did the trick. I did not need to add a floating rule like many trying to do this in 2.1.5.

Thanks BBcan177, I'll disable the rule.

Thanks for the response.  Looking at the PFsense dashboard, it's sitting at 20% memory usage of the 2GB of memory being used.  I've got other fish to fry with my network, so ntopng is more of a luxury.  Alas, it was wonderful when it worked.

@knebb:

Just wondering as there is now no symlink libz.so.5 nor libz.so anywhere…

Well yes, that is the point! It does NOT need libz.so.5. It gets moaning about that one since the linker symlink under /usr/lib points to the non-existent deprecated library version. (If you look into /usr/pbi, the PBI thing somehow creates its own directory structure for each package under /usr/pbi/<packagename-$arch>/local, and redirects the calls and produces its own symlinks copies there. So, just removing/fixing the broken symlink under /usr/lib is not enough. You need to nuke and reinstall the package as well.

At least that's my understanding of these stupid issues, I hate the PBI thing with passion and pretty sure at least some of the few remaining package maintainers are of the same opinion.</packagename-$arch>

While intercepting port 443, on http protocol will work.

Skype uses port 443 but it's protocol is not http.

That's why it's not working

This won't work out of the box with IPSec for reasons documented here: Why can't I query SNMP, use syslog, NTP, or other services initiated by the firewall itself over IPsec VPN

Fix all issues pinted by config alert and it will save.

Are you on nanobsd or cf images?

You don't need to do that.  When you define the OpenVPN server setup, you specify what net blocks o the firewall VPN clients will have access to.  So long as a Snort instance is listening on those net blocks (interfaces), your VPN traffic will be inspected.  Typically the LAN is the net block VPN clients have access to.

By the way, I fixed my typo in the VPN UDP port in my original post.

Bill

Hmm,

wanted to click "Thanks" for both posts but just works for one.
So thank you for your feedback. Would be a nice feature if it works but it is probably not that easy.

Thanky you!