@iska: @jimp: https://doc.pfsense.org/index.php/Why_was_FreeBSD_chosen_instead_of_another_OS I know OpenBSD is aimed for maximum security, and FreeBSD is for maximum performance, while PfSense is for security or firewall/router, why don't they chose OpenBSD. Because Theo.

Ok, if you insist, and will assume the liability  :) "Put it" at "/usr/local/www"  (or in a "new directory/folder"  /usr/local/www/XXXX )

Thank you, that did the trick.

I agree with you - but you stated this "they don't understand the underlying plumbing going on." So unless you do, you have no idea what they are doing - right?  You say it works when both on the same lan.. So look to see what is going on when on the lan, then you can make your firewall rules to allow this, etc. You for sure would not need to do any sort of natting here - since local networks to pfsense do not nat between each other.

Depends what is more important to you, you say it not too slow. Keep in mind that the vast majority of net traffic not static any more - most everything is dynamic.  So your cache is not going to buy you much.. Browsers cache most of their own static stuff anyway. Using explicit vs transparent would be better, since now your not forwarding all your 80 traffic to your proxy port and just hitting the proxy port directl.  Also what hardware are you running this on?  How exactly are you benchmarking your slowdown? Have your users actually complained about the performance hit?

I have no experience with NtopNG - anyone else feel free to jump in…

I am not sure this is the correct answer but I would test: Define a DMZ with the public pool. Add a gateway with  185.81.117.97 in pfsense in the rules allowing outbound traffic from the DMZ select in the advance option the gateway you have defined above. It should work but it might not be the best answer.

no.. i don't want assign a public ip behind the pfsense . i want simulate isp's reaction  how i assign an ip block over a line with a pfsense (isp simulator). there is end of this line my pfsense fw simulater (and then it is going to use 1:1 nat - this part is not problem , i will handle) the problem is how can i simulate isp's reaction (assign an ip block to my customer :) )

Wow. I don't know what is wrong. I spent several hours trying to get the CD to work for rebuilding the firewall and nothing worked. I used a USB CD Drive to burn and read, but the boot up took forever. I transferred the ISO to my main computer and burned it on the internal CD Drive. This made it better. The firewall doesn't have a CD-ROM, but it is a computer so I hooked one up to the SATA port and it would not load the CD. So I went back to the USB CD-ROM and it booted, right up until it detected the USB CD-ROM then errors with mount issues (error 19 or 16, don't remember). I don't remember it being this hard to install pfSense. I had several issues just getting a working copy of the software from the sites (ended up downloading it on my Linux laptop and the hashes matched finally). In case you want to try calling me stupid or something for not using the USB installer, I already tried that. It was my first set of attempts before going to the CD-ROM. The BIOS doesn't detect the USB Boot Drive.

Ok 'default_backend majesty' is probably the reason it ends up there.. could be that none of the acl's matched.. The current acl might not always match.: acl        OWA  req.ssl_sni -i mail.mydomian.com Could you add also a: acl        OWA  req.ssl_sni -i mail.mydomian.com:443 So including the port? that might solve something.. p.s. it seems you have to many 'default_backend' configured anyhow. but if the acl's pick up the traffic you shouldnt end up on majesty. (when requesting mail.mydomian.com)

I'm using a Jetway device for my build as well. I forgot the model number but its a fanless build with celeron quadcore and 4GB of ram. More then enough for PFsense and some decent packages. I've been running it at my house for 6 months now. Solid as a rock! I paid about $300 for the unit. Since this is a home network, you don't need to go crazy on a switch. I personally use two dummy Netgear switches. One for my main production network on subnet 192.168.1.x Eth1, and my second switch is plugged into Opt1 interface on a 10.10.10.x subnet where I host my servers. I have an old Linksys router configured to be used as an AP connected to it as well. Unless you want the experience of playing with vlans or something. I don't see a real reason to need a nice fancy switch. Two unmanaged named brand switches will work just fine. (you could get something like a 6-8 port for your OPT network and a larger one for your production etc… all depends on your needs). That is how I would start. Keep it on the cheap and expand in the future as needed. Now if you want to go fancy because you have the cash and want the learning experience. I'd do the following. Get something like a Cisco SG200\300 (you can get a 48 port for like $180). You could even get one with 4x POE ports for your WAPS on this switch. This is a great switch for playing with vlaning and has great support from the vendor and security. For WAPs. The UniFI AP-LR WAPs are awesome as hell. They are easily managed by Unifi software and can support vlans along with seemless automatic wifi jumps between waps. They also last ages, I've had mine for years and sturdy as hell still. Just an idea.

I deal with this pain on a daily bases as a network engineer. It's really annoying when the ISP doesn't really do any testing other then using their built in software to perform a 5 second test… How important is this connection? Are you doing duel WAN for balancing load or for failover? What I would do is disconnect that connection that is dropping packets. Connect it to a laptop and configure your laptops NIC to the static IP settings. Then perform a continuous ping or use a network monitoring tool to capture packet loses. If you lose packets then, it is for sure the ISP. If you do not, it is for sure your device. This is the only sure fire way to rule out ISP equipment from your own. It's a pain but it is pure proof that they can not disagree with.

You might consider separate vlans and put your kids device in 1 of the created vlans. Then set rules that shut down internet access at a certain time(schedule feature in pfsense), https://doc.pfsense.org/index.php/Firewall_Rule_Schedules Then consider using Opendns parental control ips for that vlan interface: 208.67.222.123 208.67.220.123…see opendns website for more details: https://www.opendns.com/about/press-releases/introducing-familyshield-parental-controls-the-easiest-way-to-keep-kids-safe-online/ Keep in mind this is coming from a non experts.

Thank you, I appreciate the responses. I am presently on travel but will give the provided instructions a shot at earliest possibility.

It doesn't prevent you from using those, it's not recommended, however. That means it's missing some property that the cert manager expects to see in a server certificate. That said you DO NOT want to use a "real" trusted certificate for OpenVPN. That would let ANYONE with a certificate from that CA connect to your VPN, not just you. Which undoubtedly is NOT what you want. There is no advantage to using anything other than a self-signed CA/Cert structure for OpenVPN.

That isn't content that should have ever been in extensions.ini. Not sure where that came form, looks like source from some other program. You can rm /usr/local/etc/php/extensions.ini and then from the console menu use option 16. If anything is needed for PHP to run, that will fix it up.

"That result is for a CMS called phpWebSite, not pfSense" They prob scanned the wrong IP ;)