• Mobile VPN client (IPSec)

    4
    0 Votes
    4 Posts
    1k Views
    jimpJ
    Setting the local network to 0.0.0.0/0 to reach the Internet is the right move. Technically that should have also been required in racoon as well, though at times with mobile it was all too happy to take whatever P2 network the client said it wanted, which is a tad insecure.
  • Lync Client not able to connect with pfsense

    6
    0 Votes
    6 Posts
    2k Views
    C
    You're probably getting a cert error with Lync. You may have to bypass the https filter for Lync's external server. What are you seeing in your Lync client logs? There is a lot of info in there. Use Snooper to read them.
  • Gmail Throwing Certificate Error

    9
    0 Votes
    9 Posts
    3k Views
    H
    @heper: squid developers should remove the https functionality. It's evil. Some people absolutely need it because of law, like schools. The road to hell is paved with good intentions.
  • IPv6 Connectivity Diagnostics is quite poor

    4
    0 Votes
    4 Posts
    1k Views
    P
    Jan/23/2015 10:52:32: send request to ff02::1:2%pppoe1
    Jan/23/2015 10:52:32: reset a timer on pppoe1, state=REQUEST, timeo=0, retrans=977
    Jan/23/2015 10:52:32: receive reply from fe80::223:4ff:feea:2318%pppoe1 on pppoe1
    Jan/23/2015 10:52:32: get DHCP option server ID, len 10
    Jan/23/2015 10:52:32:  DUID: 00:03:00:01:00:23:04:ea:23:18
    Jan/23/2015 10:52:32: get DHCP option client ID, len 14
    Jan/23/2015 10:52:32:  DUID: 00:01:00:01:1c:4a:d9:23:00:1c:c0:d8:96:75
    Jan/23/2015 10:52:32: get DHCP option IA_PD, len 41
    Jan/23/2015 10:52:32:  IA_PD: ID=0, T1=900, T2=1440
    Jan/23/2015 10:52:32: get DHCP option IA_PD prefix, len 25
    Jan/23/2015 10:52:32:  IA_PD prefix: 2001:8e0:14b1::/48 pltime=1800 vltime=21600
    Jan/23/2015 10:52:32: get DHCP option DNS, len 32
    Jan/23/2015 10:52:32: nameserver[0] 2001:8e0:80::dead:beef
    Jan/23/2015 10:52:32: nameserver[1] 2001:8e0:40:304::dead:beef
    Jan/23/2015 10:52:32: make an IA: PD-0
    Jan/23/2015 10:52:32: create a prefix 2001:8e0:14b1::/48 pltime=1800, vltime=21600
    Jan/23/2015 10:52:32: executes /var/etc/dhcp6c_wan_script.sh
    Jan/23/2015 10:52:42: script "/var/etc/dhcp6c_wan_script.sh" terminated
    Jan/23/2015 10:52:42: removing an event on pppoe1, state=REQUEST
    Jan/23/2015 10:52:42: removing server (ID: 00:03:00:01:00:23:04:ea:23:18)
    Jan/23/2015 10:52:42: got an expected reply, sleeping.
    Just to show that I get a prefix via DHCP-PD.
  • Router not hidden and rule setting

    2
    0 Votes
    2 Posts
    640 Views
    C
    What is the 504 coming from? It's not from the firewall itself. If you're doing it on a cell network or other network where there is a proxy, that's the proxy timeout message you'd get when nothing is answering. WAN net == WAN's IP subnet. WAN IP == WAN's IP.
  • [solved] LDAP locked me out of web login…

    2
    0 Votes
    2 Posts
    669 Views
    D
    @JasonJoel: Anything I can do/try at this point? Use the  "Reset webConfigurator password" feature from console/SSH.
  • Redirect FQDN internally

    9
    0 Votes
    9 Posts
    4k Views
    KOMK
    The fun thing about networking is there are often several ways to configure something.  The trick is to know which is best.
  • Pftop and no queues

    3
    0 Votes
    3 Posts
    641 Views
    KOMK
    Please don't post the same problem in more than one forum.  Check the Traffic Shaping forum for my response.
  • Printer ?

    2
    0 Votes
    2 Posts
    788 Views
    F
    Assuming this is Windows due to the "workgroup", is the printer a wireless network printer or does it need to be plugged into a Windows PC before it can be shared through the PC? Really need more info, like printer model, to get an idea how best to proceed.
  • 20 minute pause on reboot

    19
    0 Votes
    19 Posts
    4k Views
    C
    @dennypage: Of note is that the problem hasn't occurred in the last several updates… was anything done specifically to address this? I'm pretty sure the problem with the nut package was fixed, which seemed to be the root cause of the delay.
  • Accessing specific VLANs via VPN?

    16
    0 Votes
    16 Posts
    3k Views
    DerelictD
    And to answer your prior question… With OpenVPN you can assign interfaces to OpenVPN server instances then, on that interface, perform 1:1 NAT. So you would be connecting to distinct IP addresses and they would be NAT translated.  You'd still have your work cut out for you.  They would all have unique IP addresses as far as pfSense is concerned.  On the ones that are the same scheme as the local pfSense networks, you'd have to translate both source and destination IPs.
  • Sshd not working on latest RC

    12
    0 Votes
    12 Posts
    3k Views
    rbgargaR
    @e3ctsc: @Renato: Could you guys check ownership of /usr/local/lib? I saw the same issue on a system with squid3 installed, and noted the directory ownership was changed to proxy:proxy, what caused check_reload_status not to be loaded and cause sshd not being started. It was the file permissions. I compared file ownerships with an older backup and saw following files changed complete /usr/local with all files, subdirectories and symbolic links was proxy:proxy instead of root:wheel /etc/ssl/openssl.cnf was proxy:proxy instead of root:wheel /dev/pf was root:proxy After chowning them back I had to reboot to get it working again (perhaps there had been a better way than rebooting) Thanks! I pushed a fix on squid3 package, version 0.2.6.
  • Static DHCP - Device Grouping?

    4
    0 Votes
    4 Posts
    934 Views
    R
    @LennySh: Hmmm… What else is changed? ;D Quite a bit… the "grouping" screen essentially replaces the DHCP screen but it removes most of the settings that are on that screen. It also assumes some specific names for the groups - which are setup as IP aliases.  It's really designed to allow you to assign static IP's to groups within one DHCP instance that assigns addresses for the LAN. I added a group element to the config.xml for each static assignment. I haven't changed anything that keeps the original DHCP screen from working - but the original screen wouldn't update (and will drop) the "group" element in the config.xml. If you want the code for the screen, let me know and I'll post it.
  • 2.2 upgrade process

    10
    0 Votes
    10 Posts
    2k Views
    KOMK
    I didn't know that was in there.  Thank you.
  • Snort services problem

    4
    0 Votes
    4 Posts
    941 Views
    bmeeksB
    @cesjr: It appears " There are no packages currently installed." and in the available package , there is no package of snort. My pfsense version is 2.0.1-RELEASE . You must upgrade your pfSense version.  Snort is no longer supported on anything older than the 2.1.x series. Bill
  • Fine Tune Log Settings

    2
    0 Votes
    2 Posts
    732 Views
    F
    You might be able to export your settings and modify the xml file that way before restoring the edited backup? Have you also seen Status: System logs: Settings tab… Filter descriptions: "Show the applied rule description below or in the firewall log rows. Displaying rule descriptions for all lines in the log might affect performance with large rule sets"? The default is not to show the rule descriptions, which can make it harder to work out what rule is blocking or allowing when troubleshooting what rules are being acted upon. Personally I log everything; that way I can see when settings have changed/been reset on workstations due to updates or some other activity. Even though I don't use IPv6 I still log it.
  • Public squid proxy for authenticated users

    2
    0 Votes
    2 Posts
    852 Views
    F
    How are they remote? Are they coming in direct from the wan or getting in via a vpn before being redirected to the proxy? What version of pfsense are you using?
  • Uploads not working

    2
    0 Votes
    2 Posts
    919 Views
    F
    One thing I do with all firewall rules is switch on logging of all the rules, this way I can see what is being blocked and not. In Status: System logs: Settings tab, there is an option to show the firewall rule being applied, rather than just having ip addresses/ports with their corresponding block or allow status. This can be useful for finding out what rule is causing problems, but the default is not to show the rule descriptions. Filter descriptions Show the applied rule description below or in the firewall log rows. Displaying rule descriptions for all lines in the log might affect performance with large rule sets.
  • SMART HDD Monitoring

    2
    0 Votes
    2 Posts
    691 Views
    F
    I use browser automation to check webpages when I can't get info/alerts/errors/warnings. IE allows you to control the DOM, but if you don't use Windows & IE and do a bit of coding, this might be an alternative solution. http://www.seleniumhq.org/
  • System log filter not filtering properly

    7
    0 Votes
    7 Posts
    3k Views
    F
    That's my bad, I should have realised it was regex. Can't remember the last time I called it "regular expressions", so I was trying logical expressions, i.e. =+-<>&. The thing that threw me is that there are only 35 chars for the IP addresses, which isn't enough space for IPv6. Anyway, for anyone else interested in how regex works, the link has some good examples to explain: http://www.proftpd.org/docs/howto/Regex.html or a quick overview can be seen below.
    ^ caret matches the start of a string, eg ^192 will match all entries that start with 192, ^10 will match all entries that start with 10, although not relevant on this page, but in other applications ^&foo will match all entries that start with &foo and ^@domain will match all entries that start with @domain
    $ dollar sign is similar but the opposite to caret in that it's used to match the end of a string, eg 10$ will match all entries that finish with 10, @domain$ will match all entries that finish with @domain.
    . period matches any single character eg 1.2 will match the 3 digit numbers 112, 122, 132, all the way up to 192, s.f will match any 3 letter word that starts with s and ends with f, eg saf, sbf, scf, sdf and so on.
    [] open and closed square brackets will match any one or more entries containing the numbers, characters & symbols encapsulated in the square brackets. EG [192] will find all entries that have 1 and/or 9 and/or 2, [abc] will match all entries that contain a and/or b and/or c. Numerics in square brackets can also contain a range eg [0-9] will match all entries that one or more of the numbers in the range specified inside the square brackets.
    | Vertical pipe/bar is an either or operator eg ^192|21$ will match either all entries that start with 192 or all entries that finish with 21.
    \ Backslash is used to prevent the special meaning of operators eg \. will make . (period/fullstop) behave like a period/fullstop and not a single char match, hence the \. in the example Jimp provided. \^ will prevent the caret operating as a match the start of a string eg \^foo will find all entries that contain ^foo.
    ? question mark will match once or not at all, eg 19?2 will return 192 and 12 only, he?llo will return hello or hllo
    * asterisk will match as many times as possible or not at all eg 192* will return 192, 19, 1922, 19222 and so on.
    + will match at least once 192+ will return 192, 1912, 1922, 1932 and so on.
    *, +, ? are acted upon first, followed by any concatenations and then finally | fwiw.