That's the thing, it cannot be 100% scheduled - it will be based on users checking-in to work, as we want to make sure they actually got to their machines to limit the "premium" bandwidth use. I can have all of the rules pre-set, I just need to selectively disabled/enabled.

@Derelict: Run a packet capture on VLAN60 and get a new or renew a lease. Great idea, will do that tonight and report back.

@mikesm: It sounds like you have the SMC router from Comcast.  While you can try putting it in bridge mode, my advice is to replace it with a pure cable modem, like the SB6183.  COmcast can provision that with static addresses if needed, and you don't have to fight the the SMC trying to act as a router. This se up will be more reliable, and you will avoid issues with double NAT and other problems by Comcast trying to provide "value added" routing when PFsense is far better a router than that POS SMC box.  :) Thx Mike You know what's funny? We just did that. Replaced it with a ubee. Finally got 2 charter reps to admit that SMC has a firmware issue with static ips. Network came back up immediately on that ubee modem when we got it provisioned :)

nginx is so good at its job of being a proxy, that nginx is probably the best place to filter your requests. Any other package that you use to filter it will make it slower. And I'm not sure what issue you're describing. nginx is a reverse proxy not a normal proxy. Completely different. You can't access the "Internet" through a reverse proxy, you can only access preconfigured sites. If you want, redirect them to https://www.fbi.gov/ or something.

^ What???  Did you read the thread?

DHCP leases can be viewed in pfSense by navigating to Status > DHCP Leases. Thanks…

The fix we put in to make pw's writes safe (fix for passwd file corruption) also made it slow in some circumstances, especially with large numbers of users. Short of thousands of users, I haven't heard of any delays of minutes attributable to that. In FreeBSD 10.3, a different fix for that problem has been implemented which doesn't have the performance issues in those circumstances. I've put it through our power cycle test rig upwards of 3000 power cycles immediately after passwd write, and it still survived fine. I haven't tested large scale performance, but the FreeBSD developers who reviewed and implemented the change have. So any portion of it attributable to that will be significantly faster in 2.3.

@cmb: Yes. In the plans for the future. Any idea of a possible time line? :) Thanks

No need with modern SSDs to disable logging. That option disabled all logging except filter.log, I just fixed that. https://redmine.pfsense.org/issues/6018

I really really wish they would be very large bold letter caveats when installing tools like pfblocker and for sure snort and even the proxy - that lack of understanding will BREAK your shit ;) hehehe Snort can take quite a bit of tweaking of the rules before it is of anything other than log noise generation tool… Putting it into block mode before you have spent the required time tweaking the rule set to weed out noise, etc.. is just asking for shit to break.. While I like the idea of pfblocker, it too is a very quick and easy way to break shit when you don't understand its actual use.. Letting it auto create rules if you ask me is a REALLY BAD idea..  If you want to use it to block countries IP ranges, and or remove ads then use the rules in alias mode and place the specific rules you want. In general letting stuff block stuff for you automatically is going to lead to shit not working, and you not understanding why.. As to the proxy, unless you have a bunch of puberty  age boys that your trying to block from porn ville it serves little use in anything other than a corp environment.. And just another thing that could break your shit for very little added benefit..

Firefox update 45.0.1 fixed this bug.

Just bumping this back up. I think this should happen at some point.

Good point on the caching, I was thinking for using it let's say I join a source game server and they use fastDL and it takes forever, my friends come over and they have to download the same junk. I thought it'd be useful for that, but that seems incredibly inefficient now that I think of it. The AP doesn't have Vlan to my knowledge but it'll just be for my private network, just a basic AP. I think I'll just remain stock with pfSense until I can find a reason to grab anything else.

@killmasta93: The worst part is recovering because its always best to start from scratch formatting the servers and the computers. Thank you again In the scenario I described, the server was "untouched" in that it just saved the files the workstation told it to (encrypted of course). From that point of view, their recovery was a complete wipe of their server's data drive and a restore from the previous backup. I always set my backups to do a complete copy of the data drive for just this scenario. And since they're Linux based servers (I stopped doing Win servers some time ago) it's trivial to segregate the server operating drive from the data drive. The net result is I have zero worries about the server being infected. As far as the workstation, yup that's a complete wipe and reload from scratch (Win machine and not worth the worries otherwise). Some users keep drive images to make it easier to reload the system, but encouraging them to keep all data on the server often simplifies everyone's life.

@jimp: Load balancing doesn't work at all when using a proxy on the firewall, so it's a moot point. This is crystal clear (to me) and pretty obvious. I was not meaning "with proxy on pfSense"  ;)