  • Multi Wan with same gateway and splitting with Active directory groups

    0 Votes
    2 Posts
    319 Views
    stephenw10
    It depends what you want to Limit. You can filter sites by group membership. No. Yes, as long as you can match the required groups in firewall rules. If it's only by AD group membership that may not be possible. You might be able to have Squid use a different source IP/WAN directly, I'm not sure I've ever seen that tried. Steve
  • Pfsense refusing to block 3 ports

    0 Votes
    10 Posts
    1k Views
    johnpoz
    As stated those are almost always blocked by ISP or even at the cable modem (DOCSIS)... As stated sniff on your wan while you're sending traffic to that port - does it get there? Also sending rejects on wan (that is connected to public internet) is almost always going to be a BAD idea!!! example - I just checked 445 to my public on can you see me, and nothing seen at my wan via packet capture.
  • Nextcloud and Haproxy Issues

    0 Votes
    6 Posts
    3k Views
    R
    WooHoo!!! I have got it to work!! I added to the Nextcloud config.php file 'overwriteprotocol' => 'https', I think it has something to do with HAProxy handling SSL. Anyway it's SOLVED!
  • Slow WAN when there are lots of OUTBOUND connections (from 40k-80k).

    0 Votes
    4 Posts
    229 Views
    J
    There is no shaping or limiting of any kind on the firewall. We don't actually use/generate that much traffic, but there are a lot of opening/closing of tcp sockets. There are lots of small packets. The only package installed on the firewall is openvpn-export-client. On and off pfctl will bounce around 100% and then disappear maybe 20-30 seconds on and then 20-30 seconds off. Thanks for the responses, this is giving me stuff to look at!
  • SG3100 Can't connect to www.columbia.edu

    0 Votes
    4 Posts
    426 Views
    stephenw10
    Works fine through an SG-3100 here. Though it resolves to 128.59.105.24 as the main IP for me. Steve
  • Dynamic Limiters

    0 Votes
    6 Posts
    747 Views
    stephenw10
    Mmm, I'm not aware of any way to do that in pfSense. One thing you can do is set up a bandwidth sharing scheme. That uses dynamic pipes to share whatever bandwidth is available equally between connected clients so that one client cannot use it all. Steve
  • ordered second ip from ovh using pfsense

    0 Votes
    10 Posts
    2k Views
    stephenw10
    Not personally but there may be others who can. You should be able to get it working in OVH though. Steve
  • [SOLVED] Wireshark Packet Capture not working on Linux | Ubuntu | PopOs

    0 Votes
    8 Posts
    925 Views
    manjotsc
    @jimp Working I just changed admin@192.168.40.1 to root@192.168.40.1 , removed sudo and it worked. Thanks,
  • Problem with PPPoE

    0 Votes
    5 Posts
    560 Views
    J
    @stephenw10 Thanks, I will try that!
  • PFSense CA and additional OID's

    0 Votes
    3 Posts
    195 Views
    G
    That's annoying. I was hoping to add an OID for code signing. thanks.
  • crash report help

    0 Votes
    5 Posts
    600 Views
    stephenw10
    Those look more like RAM errors. They are completely different from the earlier crash.
  • IPsec via IPv6 issue

    1 Votes
    1 Posts
    199 Views
    No one has replied
  • web page hangs after applying changes

    0 Votes
    7 Posts
    998 Views
    A
    I know it's been a while, but I just wanted to provide an update. I recently connected my iMac to ethernet and turned off the wireless. Since I've done this, the changes don't seem to freeze up pfSense in the browser anymore. It's weird. I've tested it by making several changes within DHCP Server > LAN this morning and then clicking the Apply Changes button. It finished up in about 1.5 seconds and it never froze. I then reversed the changes I made while testing and clicked Apply Changes again and same thing...finished in about 1.5 seconds and never froze. I'm not sure why the problem seems to have gone away since it's been connected over ethernet, but I'll take it! Thanks to everyone who chimed in on this.
  • Multiple pfSense boxes sharing LAN

    0 Votes
    3 Posts
    459 Views
    R
    @stephenw10 Thanks. That confirms to me that a single pfSense router (even better in a HA dual setup) would be a much cleaner setup for the following reasons: A shared LAN would require hundreds of static routes. One pfSense box allows me to have multiple WANs in failover mode, with time-based bandwidth restrictions, etc., etc. Option of a HA setup just by getting a few extra ethernet ports. With an AMD FX 6xxxx and 16 GB of memory I only see 10% load. If needed, functions like firewalling, DPI, antivirus and proxy could always be run in separate boxes. I should be able to route non-critical traffic between VLANs inside my HP1920 switches (like network projectors, public printers, media servers) to alleviate my main router. I have only found 1 example of a shared LAN after days and days of searching. There's plenty of examples of HA or transit/transport link between pfSense boxes. Thanks for the insight. Tomorrow (Monday) I'll start redoing everything. I have exactly one month to get everything running until school starts... with one machine for now, and HA as soon as I can get the second unit setup with extra eth ports.
  • 0 Votes
    13 Posts
    3k Views
    Sergei_Shablovsky
    @viktor_g said in Packages of Aliases (Port + IP's + company AC) for easy administrating: @Sergei_Shablovsky said in Packages of Aliases (Port + IP's + company AC) for easy administrating: have a lot of Apple iOS devices in company/home and need to quickly add rules to pfSense after You buy new appliance from Netgate; company buy a software product that need to communicate with outside servers on a developer side; company buy a new hardware (servers (like IBM IMM service, Dell/HP have similar) , email antivirus DPI inspector, etc...), that need to communicate with outside servers on a developer side; Every appliance uses it own list of ports, that can be changed It is better to check this information with the vendor May be 5 or 7 years ago I was agree with You, because there are a huge bunch of SaaS services and the pool of IPs cannot able to be collected in reasonable timeslot. BUT now in 2020 exist only 30-100 SaaS services that used by MOST OF USERS: Amazon AWS, Google ~Services, Apple, 5 email services (Google, Yahoo, ...), and around 10 most-usable hardware vendors (Dlink, TPlink, Amazon devices, Google devices, ...) Sorry, I need to repeat again: The main question are the most users just need "push button and all working well" solution. Just look at this NetGate forum - more than 80% are about something described in official doc, or more than one time appear on forum. But same questions popup again and again, again and again, countless. Even pinned on top of official pfBlockerNG part of this forum Bypassing DNSBL for specific IPs have words like CloudFlare. Rock... :) And from point of view of ordinary users if something goes wrong, each user clime the "NetGate pfSense router" rather himself for not setup pfSense correctly. You may see on this forum even sysadmins of small organization are too lazy to correctly setup the pfBlockerNG-devel. This is reality of our life.
    So at the bottom line are: if some solution exist on level "push button - and we do the rest" - more than 80% of users are happy with this. And buy more and more of pfSense devices, and recommend to others. NetGate are open source but not source of donation, this is "open source / business" balance. And my proposition also about increase the power of this "open source / business" balance. blocking using social networks (we all need that our stuff pay attention on work neither spent working hours on instagram, tinder, facebook, twitter...) You can block it with the pfBlockerNG-devel / DNSBL Category You can also find/add some specific DNSBL/IP lists there, Most cloud providers have these lists, check https://github.com/joetek/aws-ip-ranges-json https://forum.netgate.com/topic/147716/stun-public-email-providers-and-some-feeds-from-secops etc.. Thank You for source! Appreciate Your attention and time!
  • Odd Hostname Resolution

    0 Votes
    13 Posts
    1k Views
    johnpoz
    Yeah it's a common problem where users setup the host overrides in the wrong one be it forwarder or resolver, when they are actually using the other ;) Glad you got it sorted! Enjoy... If you were using forwarder, and it had dhcp leases registered that might explain why you were seeing roku ;) If roku at one time had those IPs
  • Google play not working

    0 Votes
    14 Posts
    1k Views
    D
    @stephenw10 okay will try thanks
  • Allowing VPN connectivity to Windows routing & remote access

    0 Votes
    3 Posts
    227 Views
    stephenw10
    It's L2TP over IPSec transport so the firewall should only see the IPSec part. You would need to forward UDP ports 500 and 4500 and possibly ESP if you want a non-NAT-T connection. Steve
  • Welcome screen takes forever to load

    0 Votes
    5 Posts
    484 Views
    stephenw10
    Nothing has changed in that regard in 2.5 as far as I know. Not yet at least. Steve
  • Remote Access VPN Setup

    0 Votes
    18 Posts
    2k Views
    stephenw10
    Nice. Not sure how I missed that /24. Must have been low on coffee!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.