Thank you all, I meanwhile ended up trying to follow the hint to better get a new transfer network / WAN configuration.

Thanks Chris for working through my post and helping me to make a decission towards the right solution. The only thing where I´m stuck is the VPN IPsec restrictions for the mobile users. Could anybody give me any hints how to restrict diffenet users to different local subnets. For example: LAN has 3 subnets 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 IPsec User 1 should only be able to access 192.168.1.0/24 IPsec User 2 should only be able to access 192.168.2.0/24 IPsec User 3 should only be able to access 192.168.2.0/24 and 192.168.3.0/24 Where can I set those restictions in pfSense? Thanks again! Harry

thanks :-)

You go to the 'Certificates' tab in Cert Manager and click the '+' sign. Now change to 'Create an internal Certificate'. This will create a certificate from your CA (that you just created), you can then assign the webGUI to use it. However this will not help with your problem installing the CA key in IE. You should be ab;e to do this whether or not you've created any certificates from it.  :-\ I agree with Johnpoz: open the .crt file in a text editor check it's a real and complete file. Steve

I've never seen nor heard of that happening so I'm not sure how you got into that situation. Maybe an upstream proxy or something returning invalid data when it did an update, though newer versions validate that data. That's never part of the normal restore process.

Thanks Wally!

I presume you are issuing the rsync command on a Linux system and expecting pfSense to respond. pfSense standard installs do not include the rsync and rsyncd utilities. The man page for rsync on my Ubuntu 12.04 netbook says of the "-e" option: If this option is used with [user@]host::module/path, then the remote  shell  COMMAND  will  be               used  to  run an rsync daemon on the remote host, Since there is no rsyncd on the remote host (pfSense) this won't work!

Mine does through certain package(s), Squid and LightSquid you can look at how much bandwidth per IP address and see what sites each IP address went to.

Sorry, I misunderstood.  I’ll try it again maybe I didn’t get it right – the connection was still dropped just before midnight when I tested it. Certainly worth another try – thanks for your help!

I'm at work again and unable to test but this may be of use of on pfSense 2 or above - http://www.unix.com/man-page/FreeBSD/8/ppp/

You have a misconfigured squid. Check squid options, change netmask network ranges to cidrs and try again.

On pfSense 2.0.1 and earlier, the log files were always wiped/reset at bootup. On pfSense 2.0.2 and later, on a full install the logs are kept at bootup. On NanoBSD, the logs are kept in RAM and would be wiped after each reboot no matter what. If you need to keep logs indefinitely, setup a syslog server and have pfSense send its logs there.

@rabbyweb: It's showing it's block our IP. What is showing this? Where? It's unlikely you will have multiple public IPs. You would have to have paid for these from your ISP. Steve

@cmb: Judging by this (I have no 10G equipment at all), the Intel 10G driver in FreeBSD 8.1 must be somehow broken with VLANs. I would try 8.3-based 2.1 from snapshots.pfsense.org. I had severe problems with VLAN with Intel 1 Gb (Intel Pro 1000 network, em0 & em1) NIC's also. Upgrading to FreeBSD snapshot solved the issue. BR, Tommi

The llinfo error means that it's trying to send a packet to that IP (typically that's your gateway IP) but it can't be located on that interface. That can happen if the interface IP changes via DHCP on WAN, or if you manually change it, and there are still states referring to the old/previous gateway. The apinger error can be ignored - it's meaningless. The hotplug event means what it says. lan was unplugged and plugged back in, but since lan has a static IP, nothing was done.

You can set a domain override for facebook.com pointing to a non-sense IP. (I usually set it the an unused ip in the local subnet when i "block" a domain like this). However with such a setup it's not possible to change the behaviour for one/multiple specific IPs. You might want to look into a "proper" solution to block domains. (eg. squid guard).