@Phishfry: I was thinking more along the lines that you would not include a web server because there are so many different web servers, but that there is only one main dhcp server used by both Linux and BSD's. The ICS one with many versions in use. I do notice that debian ships without a dhcp server included as well. No big deal at all I was just wondering if there was a back story. This might have to do with the pupose of the server. dhcp is used mostly by internal networks - such as bootp, nfs, samba, etc.. maybe one reason, a good one by my account. Then these days, dhcp is nearly certain on internet routers by ISPs. So, two dhcp servers on the same network is trouble so is the fact that dhcp is tied into so many bootp, dns, and other servers/services So - dhcp is NOT internet friendly, NOT isolated to a few calls such as a database server, and really a joy-kill comes to improper config - NO NETWORK! Limited but essential, No, I have no idea why FreeDSB does not ship with dhcp Debian ships with NO UNECESSARY servers - like ??? Wow! Go Debian!

that would require that we move away from CARP. I don't discuss future plans here.  (try reddit… lol)

Le gonzopancho est mort, vive le gonzopancho !

Check out: https://forum.pfsense.org/index.php?topic=56941.0

figured it out.. set a static ip on the lan with the gateway the same as the LAN interface and connect wifi to existing network…

Wrong section but here's how you configure the AD authentication for pfSense. https://forum.pfsense.org/index.php?topic=44689.0 Pictorial guide:  http://www.geeklk.com/2014/03/pfsense-configuring-windows-active-directory-authentication/ You'll need to assign the correct groups and rights as you require.

I would suggest that your first troubleshooting step is to disable squid and squidguard, then clear out any tables those package have created. You can then verify that the desired traffic is passing through the firewall, which verifies your firewall rules allow it to pass. Once you have things working without squid and squidguard, you will need to reintroduce those packages and debug your settings. If you have a squid or squidguard problem that you cannot solve, I suggest you post again in the Cache/Proxy forum.

Won't affect the existing ones since they're already tagged, and by changing it in the portal it'll apply correctly going forward. Should be good.

I, too, am sitting on a couple 2.1.5 systems due to the limiter issues. Happily upgrading systems that don't require limiters+NAT/HA.

Don't sweat it.  I find it better to use Google to search these forums than the forum search function.

@phil.davis: @Nullity: The "block private networks" toggle does not seem to be causing any problems, I assume that is because no traffic (I am aware of) originates from there. Correct - there should be no incoming connection attempts originated from those private IP addresses. And so actually having "block private networks" in this case is a good thing, because if someone inside your ISP network does attempt something, it will be blocked. If the ISP is now giving you a private IP and you previously had a public IP, then that will prevent you from offering any services to the outside world (e.g. a VPN server for you to connect in when you are outside…). They are using 172.16.. Mine use 10.. They should not be doing that, but they do. You might happen to have chosen 172.16.100.0/24 for your LAN, quite rightly according to the standards. And it would now conflict with what your ISP chose. The ISPs should be using the Carrier-Grade-NAT 100.64.0.0/10 https://en.wikipedia.org/wiki/Carrier-grade_NAT - by doing that they will be sure not to accidentally conflict with customer-chosen private address space. I still have a public IP, I think. I can definitely open ports and have them confirmed as "open" externally. Routing is an area I am not yet comfortable with, but I have read about egress routing being different than ingress routing (apologies for the poor explanation). I will read up on the topic of routing & carrier-grade NAT's peculiarities, but I was immediately paranoid about security. I guess, technically, an external  private IP is no different than an external publuc IP, from the firewalls's perspective. PS. Thanks for all your work with pfSense and the forums, Phil. You are a proper example of compassionate open-sourcery (along with cmb, ermal, etc). :)

@lionelhunt: Hi everyone, I have setup pfsense as a firewall at work network.We all use exchange as our mailing platform. I have one user that would like to add a private pop account to his email accounts. When I do the testing, pop works, but not smtp, in other work user can receive his private emails but not send. How do I enable just this single user to send via his personal email account?Any help would be greatly appreciated. Do you explicitly block outbound SMTP or any ports outbound in general? If you do, set a static IP for his machine (or reserve one in DHCP) and create an allow rule with source IP as the machine IP, destination port as SMTP. If you do not block any outbound traffic, then this issue is probably related to your service provider (some of them will block outbound SMTP traffic unless you route your mail through their open relays).