• Firewall setup for network + web server

    1
    0 Votes
    1 Posts
    737 Views
    No one has replied
  • Access LAN server without port

    4
    0 Votes
    4 Posts
    997 Views
    D
    Sounds like you should additionally read the documentation that comes with your webserver concerning virtualhosts.
  • Heartbleed and openssl 0.9.8y

    5
    0 Votes
    5 Posts
    2k Views
    F
    doing: find / -name openssl revealed a different openssl version in /usr/local/bin/openssl that was exploitable, so I did need to upgrade
  • VPN with user rights

    2
    0 Votes
    2 Posts
    1k Views
    P
    You would forward 1 or more ports in to the pfSense WAN and make OpenVPN server/s listening on pfSense WAN. You could have 2 servers - 1 that provides routes to both DMZ and LAN subnets. And give the different groups of people client keys for the relevant OpenVPN server. That would eliminate those customers from seeing a route to the LAN at all. They should be able to use their domain username/password for connecting to the OpenVPN server. Then put firewall rules on OpenVPN (you will probably need to assign an interface to each OpenVPN so you get a separate Firewall Rules tab for each OpenVPN server) to restrict which IP addresses are allowed to be reached. When people connect to a file share on the server/s they will need to use ordinary Windows authentication - their domain username/password.
  • Port Forwarding

    2
    0 Votes
    2 Posts
    824 Views
    P
    I go to the relevant LAN in pfsense and forward this to my server. But it will not go through. Normally you make the port forwarding entries on pfSense WAN interface, for traffic with destination WAN address, port nnn, and forward to some address that happens to be in an internal LAN.
  • More than two virtio causes pfsense to hang during boot

    6
    0 Votes
    6 Posts
    2k Views
    V
    Thank you for that hint. Now I have tried activating multiple queuing also. It seems to be stable.
  • Configuring WPAD for Squid for AD users

    3
    0 Votes
    3 Posts
    971 Views
    A
    @doktornotor: You need to configure both DNS and DHCP, plus actually make the wpad entry resolve via DNS, since it is blocked by default on Windows DNS servers. http://technet.microsoft.com/en-us/library/cc995158.aspx Thank you for your help! I've added a CNAME to reflect the WPAD in pfsense and also configured that address into DHCP. It started working like a charm.
  • No Connection On Tablets

    6
    0 Votes
    6 Posts
    1k Views
    stephenw10
    Hmm. Are you running Squid in pfSense or doing any layer 7 filtering? Do you see anything in the firewall logs when a mobile device tries to connect? Is there a distinction between http and https sites? With the current Heartbleed crisis it's likely that ssl certificates are being revoked all over. Just a guess. Steve
  • 0 Votes
    3 Posts
    899 Views
    J
    Thanks!  That's the ticket.  I appreciate the tip.
  • Alert if a certain MAC is found in the local network

    4
    0 Votes
    4 Posts
    1k Views
    D
    So you found it? ;D 8) :-*
  • Last config change

    2
    0 Votes
    2 Posts
    1k Views
    V
    OK, possible explanation found. I am running the bind package with some slave zones, and the timestamp of newest zone database file coincides with the 'Last config change' timestamp.
  • Gbit throughput with pfSense?

    4
    0 Votes
    4 Posts
    1k Views
    J
    @Atlantisman: Yes, you can push a full gig through pfsense, I do it all the time. I believe it is recommended that you have at least a 3Ghz CPU. Recommended but not required.  I think those numbers were based on Netburst cores.
  • Cannot redeclare crypt_data()

    3
    0 Votes
    3 Posts
    781 Views
    J
    Yup, found those after I posted.
  • Unable to check for new version.

    13
    0 Votes
    13 Posts
    3k Views
    jimp
    Is that a full install? NanoBSD? What sort of platform? Everything we've tried has been OK as far as I've seen.
  • PfSense boot sequence & files red.

    12
    0 Votes
    12 Posts
    3k Views
    stephenw10
    Ah, OK. I don't have bogons blocked on internal networks no. However all of my LAN rules are using LAN subnet(s) as the source rather than any, they're IPv4 rules though. I have found one IPv6 entry in my firewall log, a blocked outgoing ICMP6 packet from my OpenVPN interface. Seems reasonable!  ;) Steve
  • Home networking build

    5
    0 Votes
    5 Posts
    2k Views
    L
    @dirknina: Thank you for your input on the cpu I was looking for a low power usage cpu. I also wanted a low power cpu so I use an Atom. I figure in 5 years time I'll get a new box. @dirknina: For the switches I want control so I'll go managed just have to decide Netgear or TPlink. Or Cisco. I have an SG-200-08. There are others in the range. More $ than some of the others but good reputation. @dirknina: how many Vlans/subnets would I need. Up to you. E.g. you could have all xbmc's on one vlan, all servers on another. Or every individual device on an individual vlan. I have an 8-port switch so I have 7 or 8 vlans, one for each switch, but I only use half. The more you use, the more configuration you need to do. There are ways to simplify this, using floating rules and aliases. @dirknina: all my xbmc's and servers would have static ip's, but how would I go and make the private ones to be hidden from all save for my main work station. @dirknina: The 4 access points how would I go and make 1 private/hidden broadcast and one guest broadcast. It's all set by firewall rules. You can set aliases for ranges/groups of IP addresses and pass/block ranges etc. This is what I do, to allow certain devices full access, other devices restricted or time constrained access, and some devices almost no access except to one or two IPs. pfSense is very configurable.
  • Benefits to having two pfsense boxes connected to each other?

    1
    0 Votes
    1 Posts
    606 Views
    No one has replied
  • Can pfSense support wifi AP handover (management)?

    13
    0 Votes
    13 Posts
    6k Views
    T
    @tmacka88: looked into the Unifi. they look pretty good and not too expensive compared to other enterprise solutions. might have to get some and have a play. any idea when v3 will be released? also how did you find setting these up with pfsense? was it very difficult? thanks No clue when v3 will be released. The betas are very stable at this point though, so it shouldn't be too far down the road. As far as setting them up with pfSense, what do you mean? They'll work with any routed network, really, regardless of your L3 device. I plugged them in, the controller server saw them, I adopted them, done.
  • IP conflict error on clients

    4
    0 Votes
    4 Posts
    1k Views
    D
    @fser: -I have changed default ip to 192.100.100.1 and set everything on pfSense web ui.
    192.100.100.1 is completely invalid IP for LAN. You just don't invent things, there's RFC1918 for non-routable IPs for local networks (ab)use.
    NetRange:       192.100.100.0 - 192.100.100.255
    CIDR:           192.100.100.0/24
    OriginAS:
    NetName:        DNIC-RNET-192-100-100
    NetHandle:      NET-192-100-100-0-1
    Parent:         NET-192-0-0-0-0
    NetType:        Direct Assignment
    RegDate:        1991-04-12
    Updated:        2009-04-02
    Ref:            http://whois.arin.net/rest/net/NET-192-100-100-0-1
    OrgName:        DoD Network Information Center
    OrgId:          DNIC
    Address:        3990 E. Broad Street
    City:           Columbus
    StateProv:      OH
    PostalCode:     43218
    Country:        US
    RegDate:
    Updated:        2011-08-17
    Ref:            http://whois.arin.net/rest/org/DNIC
    :o ::)
  • LAN Bridge Constant Disconnecting Problem.

    5
    0 Votes
    5 Posts
    2k Views
    D
    Awesome, thanks Steve.  Just installed the latest and it's working great.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.