When you say "anything above the CIR will be discarded", do you state this as a fact or a requirement on your end? If it's a fact, then let the ISP drop the packets, TCP will back off. If it's a requirement, then you will need to use one of the traffic shapers. Different shapers have different characteristics.  HFSC has the most correct implementation and should be nearly perfect. Just enable traffic shaping on your WAN interface, set to HFSC and assign a bandwidth. Don't need to configure any queues as the entire interface will be limited to whatever rate to specify.

Depending on your circuit, you may need to play around with some settings. If your circuit is unbuffered but hard rate-limited, you may need to reduce your bandwidth slightly under your provisioned amount due to scheduling and bursting. You may need to reduce your bandwidth a bit anyway because they may be calculating bandwidth differently, layer1 vs layer2 vs layer3, and possibly layer1/2 that is different than Ethernet.

Noeone has an idea? Please help i think its only a little failure :(!

Turns out it's more difficult than that for afraid.org.  Gawd!

In their interface you have to click on "Dynamic DNS" then click on "Check out: dynamic update interface (version 2)!" Then click on "activate" after ticking your IP's which will then ACTIVATE them for Dnyamic DNS…seriously?  That's why I'm there LOL can't you just activate them?  My gosh afraid!!!

Now they're active AND you get a proper URL without the special character "?" in it!

Done...the struggle is real people LOL.

what version of ntopng is everyone running? Mine seems really low compared to the advertised version.

Can anyone offer any suggestions please?

It doesn't make any sense.

Will have to try other hardware and ultimately another router. To rule out the problem.

I don't think it can be Vmware since i can meassure the full speed on both sides of it. (both adapters)

So my wild guess here is, there is no default filename and the GUI doesn't offer any method to set it or change it in dhcpd conf.
I could set it manually but yeah it would get overwritten by each change of config.

So I'd need to change the source template. Where can that be found?

Honestly expected more from the much praised pfsense.
Apparently <2.3 had that feature but not anymore.

Have you or anyone else found a solution to this? I am stuck with the same problem!

To add to what PiBa has mentioned, click this link, this example has a couple of screenshots showing how to use the AS numbers to block Facebook.

I have also added a firewall rule for the associated interface allowing all traffic (source and destination) but still no difference.

@tim.mcmanus:

@randomaustralian:

does pfsense handle multiple internet connections and load share?

If you have more than one WAN link and they are not going to the same gateway, pfSense can use multiple WAN links.  What it will not do is bind together two or more WAN links and aggregate a connection across the combined WAN links.  It can have multiple connections across WAN links by allowing each connection to go over a different WAN link.

this is what i was hoping for

I've answered my own questions.  Found info in topics that didn't really relate to mine but something tripped my brain into understanding what was going on.  It's the damn commas that are screwing it up.  That's the last thing I would have thought, that's how sharp I am.  I saw trying sed to attempt to color logs and that lead me to think of just stripping the commas and that works well enough for me.  I just used:

Sorry if this was too elementary[it's actually surprising to me that I figured it out.  Yes, it seems I'm talking to myself.  Is that a problem?  No, not unless you start having a dialogue.  Oh, OK.]

I am on the current version, yes.

2.3.4-RELEASE-p1 (amd64)

So you state your AP is pointing to pfsense as its gateway.  Did you verify its mask?  The simple thing that would cause your exact problem is if you have the mask wrong.. Anything larger than /22 would put your 192.168.2 and 192.168.1 on the same network.  So the AP seeing a ping request from 192.168.1.x would think hey thats my network and just answer it vs sending to its gateway.  It would not be able to arp for it.. So if your sniff shows you send it ping from pfsense, and all you see back is arps this would scream the mask is wrong on the AP.

This would explain why you can ping other stuff on the 192.168.2 network but anything from 192.168.1 can not talk to the AP.

Somehow you are hitting the GUI and not HAProxy.

If those are purely HTTP, it's possible your browser cached the HSTS info sent from the GUI redirect before you disabled it. Clear your browser cache and try it again.