ASAP reply!!!

P.S. Sorry, I just woke up. I'd have had my alarm clock set to earlier had I known I was that urgent.

Actually, China is sort of my EX-Expertise. 
I can see where there might be some level of government interest in black-holing your pfsense sites there.
Cool - Different thread one day.

There is also Bro

http://www.bro.org/

And Bro is BSD licensed, which is nice.

thinking your confusing a domain name like local.lan with your Active Directory domain..  Which might also be called local.lan but not actually the same thing.

Your pfsense would not ever actually join your windows AD domain, but yes they can share the same name space like pfsense.yourdomain.tld and ws2012.yourdomain.tld, and your windows ad dns could have a record for pfsense.yourdomain.tld in its dns.

It looks like there are promising ways to improve the algorithms by which TCP (on various OS implementations) handles changing its parameters (window size etc) in response to perceived network throughput/congestion. The control of all that is end-to-end in TCP - the end point systems have to do it, and they do it more or less crudely at the moment. So I don't see how it will help the routers/firewalls along the path. But yes, if you have a controlled office environment then you could implement these things (when they are actually real software available for the OSs that you have) and get your office computers doing more friendly sharing of bandwidth.
If only new IPvN had a proper QoS system, and we could pay a bit extra to our ISP to be able to set QoS parameters in packets, have the ISP respect this, and have the ISP pay the internet backbone a bit of that money to also process QoS…

A few million people hold top secret clearances and many more than that have.  I'd estimate that about maybe 1% of the population knows exactly what is and isn't being done - officially.  Since a secret is something that you and one other person knows, this stuff aint no secret.

Enormous State tables, lots of Ram…

So....

Your 10,000 simultaneous "perfectly legal" downloads won't crash your router and cause it to flake out right in the middle of your favourite Netflix episode.

I'm no fan of CALEA, but as I understand it, even CALEA has threshholds for required emplementation.  Specifically number of users and type of service.  I think this guy is too far below the radar to get forced into CALEA requirements, however that depends on how many people is "large wifi network for a nine building apartment complex".  Technically speaking.

https://freedom-to-tinker.com/blog/felten/calea-ii-risks-of-wiretap-modifications-to-endpoints/

Another problem I have with logging, especially copious logging is that if a logging system is compromised, now the privacy of everyone included in the logs has been compromised.

CALEA compliant systems have been "hijacked" by criminals to invade the privacy of people and even to commit financial crimes.

HAHAHHAHAHAHAHAHAHAHAHAHA!!

Huh?

http://doc.pfsense.org/index.php/Static_Routes

No Problem Glad I was able to help.

Ah yes I read that too quickly and thought you were trying to get access to the web interface of your Cisco box.  :-[

So you can access the cpanel login with the full link but not the shortcut?
I would expect a shortened address like that to work only if the local dns knows about it.

Steve

We are using a mixture of ethernet (as their PE router is on our premises) and ADSL where the PE router is at the exchange.

The ADSL connection comes in 2 types:
1. Where they just need you to specify a loopback address that they then enter into the vrf.
2. Where they ask for a loopback address and a lan subnet that they enter into the vrf.

Now, with number 2, I would imagine you could use any old router as the lan is specified by the providers.
But with ethernet & number 2 above, it looks as though you have to use a mutual routing protocol eg BGP as that is the only way of getting the routes into the table.

You'll have to define 'full fledged proxy'. You have Squid available and Squidguard or Dansguardian if you want filtering options.

Steve