@charliem: Well, my machines have worked OK with that patch since before I posted it.  No known breakage, but I guess I don't count as a second opinion :) Your first opinion is appreciated regardless. :) Wasn't clear from your earlier post if you were running it at all at the time, or were still running it now 6 months after the fact.

When I meant to capture decrypted traffic to your lan I figured you would be sniffing on a span port somewhere.  But if you sniff on pfsense lan you should see all traffic in and out of that interface.

I have several builds with this case using LSI SAS controller and NAS4Free. They are nice and cheap. http://www.amazon.com/Norco-ITX-S4-Mini-ITX-Computer-Storage/dp/B00J353KH8 You really only bought a drive box, Not a NAS.

@cmb: @Harvy66: Why wouldn't it exceed 1Gbps? With the nature of how those counters work, it isn't possible to exceed the link speed of the interface if you're getting sane values. @burdandrei: Thanks @cmd, will do. i restarted the firewall, and looks like it stopped.  I got status tgz before and after, will open the ticket when i'll have more info Thanks, curious to see that. So even if the actual link speed is faster than the reported link speed? It's not a common situation, but this is one of them.

@fraglord: How do I connect from a remote client to the ser2net port? Connect via VPN (external) or SSH (internal) to the pfSense box and then you could connect over the ser2net application to the ports directly.

Ah ok thats for the reply. Kinda sucks but i guess ill just use the watchguard as a training tool with pfsense until i actually build a pfsense computer.

Post your System Activity again. It'll tell you exactly what is using your CPU.

Could you describe what IPsec configuration you have on the system?

In what you show as "setup 1", squid would be running in transparent mode. I have no experience with that, so I can't comment on to set it up. Your "setup 2" would be running squid in proxy mode, which is how I've always done it. Your clients would use the IP address of the pfsense box as their default gateway. On the pfsense box, you'd block outbound port 80 and 443 for all IP addresses except the squid box. You'd need a "proxy auto config (PAC) file on a local web server. You'd tell clients how to find the PAC file via a WPAD entry in your DNS, or a DHCP option. The PAC file would contain a JavaScript function that looks at the URL the browser is attempting to go to, and either returns the string "DIRECT" (if the URL is an internal sites), or "proxy 192.168.1.2:3128" if the site is not internal. Something like: function FindProxyForURL(url,host) { if( isPlainHostName(host) || isInNet(host, "192.168.1.0", "255.255.255.0") ) return "DIRECT";       return "proxy 192.168.1.2:3128"          // squid box would be 192.168.1.2 and squid is listening on 3128 } More information: https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol NOTE: The one gotcha that tends to stymie people setting this up is adding the MIME type your your web server to match ".pac" files. The referenced wiki documents what needs to be done.

There is no special code in the installer to handle any sort of alignment/offset at this time.

Ok, for now i've set a workaround cron task running every 15 minutes: /usr/bin/killall -9 apinger && /usr/local/sbin/apinger -c /var/etc/apinger.conf Thanks, Edoardo

while i run a modified(for 2.1.5 atm) mkflash version to create the pfsense image, i have no issues while i have one "BIG" slice for data (pfsense0) and another slice for the configuration(cf) so the only , let it call a problem, u cant upgrade in this Constellation but this is not a problem for me.

exactly!  You can setup mDNS to work across segments but its a PITA ;)  avahi makes it easier.  But if you only have 1 segment, or your wifi and wired are on the same segment and your resources are wired n that segment your wireless devices on that segment can find them. I ran into this issue when I isolated my wireless for security reasons and still wanted to print ;)  Easy solution was to move my printer to that segment..

Some more detailed feedback for those potentially facing similar issue: as suspected and highlighted by Derelict, problem was misalignment between DSL device and pfSense. In order to reach internal web service, if DSL device acts as a router, 2-steps NAT is required. One from internet to pfSense and one from pfSene to internal server. This needs to be consistent all along the path however paying attention not to open everything in order to grant access  ;)

Is my "real" information safe to use for a private server? Who will see it? If this is a private installation you could also put into it bogus names or company names as well this doesn´t matter, but if this is a installation used in a productive network it should be also going with real names and informations.

Rule 2 should be moved to the bin.. What point is it if you already allow wifi net to go anywhere..  Is that address on a different segment than wifi net?  If on same as wifi net also pointless. As to 3 and 4 they could be removed by making 1st rule a ! alias that includes your other networks.