Curious why want/need for 2 ports for admin?  Are these directly connected to workstations or something? Also from a performance point of view why don't you run your vlans on em4-7 vs sharing the one lan port?  Are you limited in switch ports or something?

That's a pretty standard design, although this one is not that clever: once you have configured LDAP in order to handle authentication, why would you want to maintain list of authorized users within squid conf itself. As stated in this document, using LDAP group is much easier and efficient.

IIRC, when you have a proxy configured, the behavior of browsers can change and they may not try to resolve resources for themselves.  IOW, the host may be sending the request for "localhost:3000" over to the proxy, which is then trying to hit port 3000 on the pfSense box and failing (because you presumably don't have it open / have a service on it). I know that IE up through 11 has an option under the Proxy settings to not use the proxy for "LAN traffic."  I can't remember if it's smart enough to realize that localhost is LAN (actually, on the local machine), but I suspect it is… and I think that option is enabled by default. My hunch is that Edge is behaving the same way - sees the request for your own machine and just sends it there.  Chrome is trying to send everything to the proxy, which it probably shouldn't.

@wirerogue: pretty sure your wan should be dhcp, not static, so it can pull an address from your isp. Running static IP as the modem is not running DHCP @Gertjan: @Tassiedave: …. What have I stuffed up? lol Everybody uses 2.2.6 and you decided to use 2.2.5. Why ? Because that was the version my boss asked me to install  ;D Are there major differences between .5 and .6? @phil.davis: And post your WAN (and LAN) settings, and what ISP and connection method you think you are supposed to use. Modem: Technicolor TG797n v3 Firmware version: 15.1 ISP: Telstra business (Australia) Will get the settings up in a sec

It now works flawlessly… No errors in any of the logs... plus no issues after reboots. Plus even though I used the GUI, it would only add my IP address to the config file and not the dyndns name.  Seeing as I'm on a dynamic IP package here, I don't have much choice in the issue. I don't know why adding the modem helped, as its my pfSense box handling PPPoE and not the modem.  Modem is only handling the ADSL connection with no credentials.

I blocked out the last two portions of your IP address. It's the same as the IP you post from so any one with admin privs here can see it already. I don't see a current crash from that IP address. The last one I see was from December 13, and it looks like a crash in a memory operation in a fairly common program unlikely to actually have a bug. So more likely than not that would tend to point to a hardware issue.

Well, finally seems to be fixed "magically". On last friday I left the firewall configured and with the problem exposed above. Yesterday I did a test to continue trying to fix the problem and bingo… is working fine. Anyway tomorrow i've to do another test to see if still working. greetings and thanks!!

Though I am new to pfsense,  or rather firewall,  I had similar questions. With my experience with pfsense for last couple of months,  I am trying to answer in my own way. Can you configure via the webGUI to use Tor (instead of a VPN)? If not, will it be easy to transfer all traffic to the tor client SOCKS (I have basic Debian experience).  – >  Not tried hence can not answer. I want to fully control my home network. This means that I want to white list machines based on their MAC (beside the normal WPA password etc. it's purely for human control and not technical security), is this possible (via the webGUI)?  --->  You can   Confiigure dhcp service  and allocate static address based on mac addresses per device, disallow unknown devices.  All thru webgui. I want to manage internet speeds per device (or network) to the outside. Can I for example give my own Desktop atleast 90% of the 20Mbps to the outside and other machines less? This is one of the key factors why I'm thinking about pfSense (or another system in between).  – You can do thru webgui.   Steps –1) Create firewall rule that your lan network traffic only to your pfsense box.  2) configure limiter  on per device basis.  (  on you tube, you will get plenty video's how to set this ) Is it a good idea to place Wireless cards inside my PfSense box (which means it will be both a firewall and WiFi AP)?  **No it is not a good idea as a very few internal wireless cards are compatible to pfsense.  Best is to use standard wireless router without routing. ** What hardware should be applicable for a 1000Mbps internal network with about 20 devices (Laptops/PC's/Phones)? Core i3? Core i5?  –  .  **Standard core2duo with 2gb and a pair of  intel based lan card of 1gb is more than sufficient for the purpose ( Actually I am using this setup for 50 + devices with no issues.  ) ** Best of luck !!!

There is a specific forum for OpenVPN issues.  Perhaps someone in there might know.

The URL for that dynamic DNS services has changed. It is fixed for 2.2.* by this: https://github.com/pfsense/pfsense/commit/fdc515af3361bd0371f236557fa018b41d61578c but you will need to make that change on your system - e.g. with the System Patches package.

That's not a "backdoor" or even a vulnerability, it was named by a moron. It's using administrative functions of the system, post-authentication as a root-level user, to copy files to the system. It can be summarized as "I can root your box, just give me your root password." Uh huh, you can. With every OS ever created. When you're authenticated with full administrative credentials, there is no limit to what you can do, whether pfSense or Windows or Linux or BSD or anything else.

Not sure what helped, but changed a single line in the server config file… After local was my IP address, but changed this to my dyndns host name. Also added my modem on a virtual interface as a static IP and now everything works, even after reboots! :-D

They apparently changed their update URL semi-recently, and no longer support HTTPS. I updated the client for 2.3 (and 2.2.7 if there is one, but probably won't be) to use the new dyns URL. Thanks to GP^ on IRC for noting the change and this thread.

Use netflow and prtg. It can give you a real insight into what's going on in the network. For torrent you can use snort at least to identify users doing so.

Softflowd does not send netflow v5 or v9 that NTA will understand. This is because in all netflow packages, both Interface Indexes = 0 in exported flows: https://thwack.solarwinds.com/thread/31006 By forcing the traffic to be shown as you probably have done in NTA, you are only seeing what the NTA can decipher from SNMP data. Unfortunately, doing so excludes all traffic not originating from the router and multicast, as you have seen. NTA is extremely picky about netflow. The only netflow that I have been able to get working reliably with NTA on pfsense is Pfflowd. Unfortunately, on recent PfSense versions, this no longer works: https://forum.pfsense.org/index.php?topic=88441.0

@jimp: A general FreeBSD forum would be better for that but it's not a really complicated issue. It depends on how you login and/or how the shell starts. Try making .bash_profile instead, or linking the two. Indeed, this worked: $ mv .bashrc .bash_profile I will anyway ask on a FreeBSD forum and post the link here, for those interested. Thanks you.