• Move computer to different interface

    2
    0 Votes
    2 Posts
    1k Views
    P
    What is your physical network layout? I am guessing that you have: a) pfSense LAN port connected to a switch, which connects to the various devices in LAN. b) pfSense Office port connected to a switch, which connects to the various devices in Office. If it is a physically-cabled home/office then you have to find some way to make the cable from your PC go to the Office switch. If you have VLANs, then you will be able to change the VLAN switch configuration to tell it which ports are in the LAN and Office networks. Tell us more if you need help.
  • Guestlan

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    I
    It seems I have posted this in the wrong section; could a moderator move it?
  • Multiple Wan + Multiple Class IP over CDN

    1
    0 Votes
    1 Posts
    861 Views
    No one has replied
  • 0 Votes
    8 Posts
    3k Views
    M
    Sure, anonymized and posted below (but I didn't change the netmasks to reflect my fictitious IP range).  Vr1 is connected to the ISP where the firewall only receives and responds to traffic.  No traffic seems to leave the firewall on that interface.

    vr0: flags=8843<up,broadcast,running,simplex,multicast> metric 0 mtu 1500
            options=8280b<rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate>
            ether 00:0d:b9:12:e9:60
            inet6 fe80::20d:b9ff:fe12:e960%vr0 prefixlen 64 scopeid 0x1
            nd6 options=43<performnud,accept_rtadv>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    vr1: flags=8843<up,broadcast,running,simplex,multicast> metric 0 mtu 1500
            options=8280b<rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate>
            ether 00:0d:b9:12:e9:61
            inet6 fe80::20d:b9ff:fe12:e961%vr1 prefixlen 64 scopeid 0x2
            inet 1.1.1.1 netmask 0xfffffff8 broadcast 1.1.1.255
            inet 1.1.1.2 netmask 0xfffffff8 broadcast 1.1.1.255
            nd6 options=43<performnud,accept_rtadv>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    vr2: flags=8843<up,broadcast,running,simplex,multicast> metric 0 mtu 1500
            options=8280b<rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate>
            ether 00:0d:b9:12:e9:62
            inet 2.2.2.2 netmask 0xfffffff8 broadcast 2.2.2.255
            inet6 fe80::20d:b9ff:fe12:e962%vr2 prefixlen 64 scopeid 0x3
            inet 10.1.10.19 netmask 0xffffff00 broadcast 10.1.10.255
            nd6 options=43<performnud,accept_rtadv>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    lo0: flags=8049<up,loopback,running,multicast> metric 0 mtu 16384
            options=3<rxcsum,txcsum>
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
            nd6 options=43<performnud,accept_rtadv>
    pfsync0: flags=0<> metric 0 mtu 1460
            syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
    enc0: flags=41<up,running> metric 0 mtu 1536
    pflog0: flags=100<promisc> metric 0 mtu 33200
    vr0_vlan1: flags=8843<up,broadcast,running,simplex,multicast> metric 0 mtu 1500
            ether 00:0d:b9:12:e9:60
            inet6 fe80::20d:b9ff:fe12:e960%vr0_vlan1 prefixlen 64 scopeid 0x8
            inet 10.0.0.1 netmask 0xffffffe0 broadcast 10.0.0.31
            nd6 options=43<performnud,accept_rtadv>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
            vlan: 1 parent interface: vr0
    vr0_vlan2: flags=8843<up,broadcast,running,simplex,multicast> metric 0 mtu 1500
            ether 00:0d:b9:12:e9:60
            inet6 fe80::20d:b9ff:fe12:e960%vr0_vlan2 prefixlen 64 scopeid 0x9
            inet 10.0.0.33 netmask 0xffffffe0 broadcast 10.0.0.63
            nd6 options=43<performnud,accept_rtadv>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
            vlan: 2 parent interface: vr0
    vr0_vlan3: flags=8843<up,broadcast,running,simplex,multicast> metric 0 mtu 1500
            ether 00:0d:b9:12:e9:60
            inet6 fe80::20d:b9ff:fe12:e960%vr0_vlan3 prefixlen 64 scopeid 0xa
            inet 10.0.0.65 netmask 0xffffffe0 broadcast 10.0.0.95
            nd6 options=43<performnud,accept_rtadv>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
            vlan: 3 parent interface: vr0
    vr0_vlan4: flags=8843<up,broadcast,running,simplex,multicast> metric 0 mtu 1500
            ether 00:0d:b9:12:e9:60
            inet6 fe80::20d:b9ff:fe12:e960%vr0_vlan4 prefixlen 64 scopeid 0xb
            inet 10.0.0.97 netmask 0xffffffe0 broadcast 10.0.0.127
            nd6 options=43<performnud,accept_rtadv>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
            vlan: 4 parent interface: vr0

    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs        Use  Netif Expire
    default            1.1.1.17           UGS         0   58450269    vr1
    4.2.2.1            1.1.1.17           UGHS        0     621319    vr1
    4.2.2.2            2.2.2.150          UGHS        0    4423618    vr2
    10.0.0.0/27        link#8             U           0  172888076 vr0_vl
    10.0.0.1           link#8             UHS         0          0    lo0
    10.0.0.32/27       link#9             U           0 1925354412 vr0_vl
    10.0.0.33          link#9             UHS         0          0    lo0
    10.0.0.64/27       link#10            U           0  160538185 vr0_vl
    10.0.0.65          link#10            UHS         0          0    lo0
    10.0.0.96/27       link#11            U           0   82327693 vr0_vl
    10.0.0.97          link#11            UHS         0          0    lo0
    10.1.10.0/24       link#3             U           0    2424247    vr2
    10.1.10.19         link#3             UHS         0          0    lo0
    1.1.1.0/29         link#2             U           0        292    vr1
    1.1.1.1            link#2             UHS         0         18    lo0
    1.1.1.2            link#2             UHS         0          0    lo0
    6.6.6.6            1.1.1.17           UGHS        0   21820627    vr1
    127.0.0.1          link#4             UH          0          0    lo0
    2.2.2.0/29         link#3             U           0          1    vr2
    2.2.2.2            link#3             UHS         0          0    lo0
    192.168.201.0/24   10.0.0.11          UGS         0    2678960 vr0_vl
  • Two LAN interface configuration

    2
    0 Votes
    2 Posts
    1k Views
    A
    Bump. Since my last post I've tried the gateway advanced option in the firewall rules but it does not have any effect. Anyone know how to tell pfSense to always answer with the same interface, or to tell it that the management interface/console only has to work with one interface? I've seen this trouble with all kinds of management protocols available: http / https / ssh … I've attached a quick diagram of what is happening to me. (I need the http out to be on the same interface as the http in.) Best regards [image: diagram.png]
  • Active Directory Groups

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Help with my setup

    2
    0 Votes
    2 Posts
    1k Views
    P
    That configuration is certainly doable. There are many posts already to help you out if you were to look. My suggestion would be to test in a lab, which could be an ESX VM in segregated vswitches, till you get the hang of it, then go for production. The biggest pointer I can give you right now is that if the Cisco is only doing NAT, then that usually means it has a private address scheme. There is a setting in the WAN to block private IPs. You will need to turn that off.
  • Cable Internet - modem upstairs - ethernet into server - out to upstairs

    2
    0 Votes
    2 Posts
    2k Views
    M
    Hi, sorry, my English is not so good. Please make a drawing of your network setup (or how you want to have the network flow) and maybe I can help you. Does your ESXi have 2 physical network cards? If not, then use VLANs, but then your switch must be a managed one. docsis ------[ESXI[WAN - PFSENSE - LAN]]-----[SWITCH]----[AP] regards max
  • Squid + Squidguard + HAVP and Load balancing

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    2 Posts
    1k Views
    K
    Yes, change "wangwgroup" to use gateway instead of default (*)
  • Change MAC-address of NIC

    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    VLAN MACs follow the MAC of their parent interface. Assign the parent interface of the VLANs, set IP type to none, and spoof the MAC there.
  • What am I doing wrong here with VLANs? - pfSense 2.0.3 and HP 1910 Switch

    3
    0 Votes
    3 Posts
    4k Views
    K
    @Nachtfalke: Hi, Port 1+2 are displayed as trunk ports. As far as I know, trunk ports accept tagged VLANs. A trunk port which has VLAN2 tagged and VLAN1 (default VLAN - better never use it) as untagged. On pfsense VLAN1 is always untagged and VLAN2 is tagged (you did that). Then you connect pfsense and HP switch through the trunk port. Now you must configure another port on the switch - let's say port 8 - to be an untagged port for VLAN2. So I would suggest the following:
    Never use VLAN1, which is the default VLAN on pfsense and on many switches.
    If you need two VLANs or more then create them on pfsense like VLAN 2+3 or 10+20.
    Assign both newly created VLANs on pfsense an interface on em1.
    On the HP switch configure port 1 as a tagged member of VLAN2+3 or 10+20.
    On the HP switch configure port 8 as an UNtagged member of VLAN2 or 10.
    On the HP switch configure port 9 as an UNtagged member of VLAN3 or 20.
    Connect pfsense em1 NIC with HP switch port 1.
    Assign different IP address subnets for the two new VLAN interfaces on pfsense.
    Enable DHCP server on both new VLAN interfaces.
    Set allow "any to any" firewall rules on the two new pfsense VLAN interfaces.
    Connect a computer to the HP switch and test your setup.
    Connect a computer to the ports on
    Hey there Nachtfalke, I really appreciate that you took time out to reply, using your advice I figured out the problem!  :)
  • Multi WAN Loadbalancing with 2 or more different pfsense machines

    1
    0 Votes
    1 Posts
    968 Views
    No one has replied
  • Pfsense. squid doesn't work in transparent mode.

    6
    0 Votes
    6 Posts
    4k Views
    V
    @srk3461: Do you have anything added under access control!? Did you check "allow users on this Interface" on squid's front page, i.e. General Tab! Make sure to clear the cache memory of your browser first! If possible post some screen shots of squid!?
    Well, in the ac tab is written "Note that the proxy interface subnet is already an allowed subnet" so I left it blank. The checkbox in "Allow users on interface" is marked.  But I discovered that http://forum.pfsense.org/index.php?topic=40509.0;prev_next=next is exactly my case. When I opened the config file after I marked "Transparent proxy" and applied changes I found that "extra string". Manually correcting it partly solved my problem: transp mode works normally but I can't change anything in "Proxy server: General settings", otherwise my changes are overwritten and I get the same issue.
  • Very Slow VLAN Routing and Squid+SquidGuard

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Access two different modem configuration pages on the same IP address?

    2
    0 Votes
    2 Posts
    1k Views
    S
    Help? Pretty please?  :P
  • PROBLEM ON WATCHGUARD FIREBOX XTM 330

    2
    0 Votes
    2 Posts
    4k Views
    Z
    What version are you running? Are you currently running any custom static routes?
  • Routing between LANs not working

    4
    0 Votes
    4 Posts
    2k Views
    N
    Then you need to disable NAT only on the PTP interface. So go to outbound NAT rules, select automatic rules which generates NAT rules for all interfaces. Then switch back to manual outbound NAT rules. It shows you all the rules and then you probably only need to delete the rules for the P2P interfaces - on both sites. But the static routes on both sites must still be configured. And the firewall rules on the P2P interfaces must allow traffic from the other site.
  • I have an email cpanel and i can't access it through proxy

    2
    0 Votes
    2 Posts
    1k Views
    T
    Add the port to squid's list of safe ssl ports.
  • Warning, Packet loss with first wan only

    1
    0 Votes
    1 Posts
    918 Views
    No one has replied