  • Two subnets necessary?

    14
    0 Votes
    14 Posts
    2k Views
    F
    Indeed it does not seem to work as I expected. What happens now is that both client groups only use the OpenDNS service that I provided along with my VPN provider's DNS. The DNS server of my VPN provider doesn't seem to be used for either connection - what could cause this? I have specified the OpenVPN tunnel as gateway and it is accessible. As I understand it, all DNS servers in the list are queried simultaneously (and using the gateway assigned to them) and the first (fastest) response is accepted. The strict-order option changes the behavior to do the queries sequentially. How about this: setting the strict-order option, first DNS is my VPN provider's server (VPN tunnel as gateway) and the second DNS is OpenDNS using the WAN interface. The secondary DNS is necessary to establish the tunnel as I do not know how reliably static IPs in the VPN config will work with this provider. What do you think about this setup?
  • Pfsense + transparent proxy + squidguard didn't work

    8
    0 Votes
    8 Posts
    1k Views
    KOMK
    Are these HTTP or HTTPS sites?
  • Pfsense interface stats (data in-out) is completely off

    5
    0 Votes
    5 Posts
    3k Views
    C
    I can't recall any circumstance where the interface and RRD stats on a stable release were inaccurate, those counters are pretty straightforward. Two completely different means of calculating bandwidth, so if they match, you can pretty much be guaranteed that's reality. ISPs can measure bandwidth in a variety of ways. They may not count data to certain destinations (like things on their own network, especially if they have an IPTV/streaming video service or similar). You can run a packet capture on WAN, packet length 64 to minimize capture size over a longer period, count 0, all else at defaults. Start the capture, leave it running for a few hours, then go back and stop it. Download the resulting pcap, open in Wireshark, go to Statistics > Conversations and you'll see what you're actually passing on the wire (and what your ISP's passing you).
  • LDAP PFSENSE SQUIDGUARD

    2
    0 Votes
    2 Posts
    1k Views
    A
    Same issue. I found many topics that got no help.
  • Restoring only selected parts from backup

    3
    0 Votes
    3 Posts
    1k Views
    dotdashD
    I'm going to answer the first question, and pretend I didn't see the second post. To restore selected parts of the config, you must backup selected parts of the config. e.g. Go to backup and change Backup Area from ALL to 'DHCP Server', then on the new box select Restore Area 'DHCP Server' and select your backup file.
  • Seemingly random CPU spikes (Causes high pings and VPN + WAN to go down)

    3
    0 Votes
    3 Posts
    2k Views
    A
    Crap, I wish I knew this before I went ahead and bought the module I was working with… Either way. I'm not sure. Lately, I've been coming home to a down router that needs a reboot, so the issue is much worse... I'd like for someone with more experience to ask me for my logs so they can determine what the issue might be :(
  • Can't figure out scheduling.

    10
    0 Votes
    10 Posts
    2k Views
    KOMK
    I answered this for someone else here. If you have more questions related to Squid/SquidGuard, please post a new thread in the Packages forum.
  • URL Alias freezes pfSense and gives error

    1
    0 Votes
    1 Posts
    578 Views
    No one has replied
  • NAT Reflection and Round Robin do not work

    5
    0 Votes
    5 Posts
    2k Views
    T
    @Derelict: I won't be able to take advantage of the Round Robin configuration. Condition 2 sounds like a problem to be solved on the web server. Are you using name-based virtual hosting on it? That breaks going to the server by IP address because the server has no idea what virtual host you're really trying to access. Put a host override in the DNS forwarder pointing at the inside IP address of the web server and use the DNS name to access it. If you do that you don't have to worry about NAT reflection. Thanks for weighing in. I can live with not doing Round Robin for the webserver. However, I have used DNS Forwarder that doesn't seem to work. The only way I get this to work right now is by sending ALL TCP traffic from ANY source to ANY source (a rule set on LAN firewall rules). The moment I add destination in that rule as in IP of webserver things break because webserver requires DNS. I also tried the DNS Forwarder and that failed for the same reason probably. In order to get to the bottom of this I think I should check into firewall logs but I am not sure where to start or what to look for. Once that is clear maybe I can change rules or decide to take a patch that gives me the ability to do Round Robin for ALL other traffic but port 80 TCP to the webserver. Any suggestions on where to find the necessary logs and what to look for?
  • LAGG, VLANs with Switch

    2
    0 Votes
    2 Posts
    1k Views
    M
    Depends what you're trying to do… you have switch A, B, C and D are they all managed?  Which one is the netgear? Also what kind of LAGG are you doing.... link aggregation (LACP), failover, load balancing, etc?  If you're doing LACP (802.3ad), the switch has to support it and you usually have to bounce the LAGG at both ends to bring it up. Are you terminating your VLANs @ PFsense or on the switch?  If on PFsense, the connection to the Netgear will need to be a trunk. If you're terminating your VLANs on the Netgear, you'll need a separate untagged VLAN on the netgear connected to PFsense configured with an IP in the same subnet.
  • DVR set-up

    1
    0 Votes
    1 Posts
    490 Views
    No one has replied
  • [SOLVED]bridge issue: bridged interface disconnected

    8
    0 Votes
    8 Posts
    2k Views
    R
    Hi guys, good news: since I have upgraded to the 2.2-RC release (more than a week) the issue is not present anymore! I didn't understand which was the problem but now I'm happy :)
  • Port forward two different FTP servers to the same port 21?

    4
    0 Votes
    4 Posts
    841 Views
    KOMK
    Under Firewall - Virtual IPs, create an IP Alias for your public IP address.  Then create a NAT rule and use the IP Alias as the Destination.
  • MOVED: Should I get our air ducts cleaned?

    Locked
    1
    0 Votes
    1 Posts
    392 Views
    No one has replied
  • Change permanently network settings

    5
    0 Votes
    5 Posts
    1k Views
    stephenw10S
    Be aware that any script you put in rc.d will be lost on a firmware update. As it says on that wiki page it's preferable to use Shellcmd as that is included in the config file. Especially with a single line of code like you're using. If you do decide to use a script you might want to consider the filer package: https://doc.pfsense.org/index.php/Filer_package That won't work as well as shellcmd since after an update it will have to be re-installed meaning any script won't run at the first boot. Steve
  • Squid error messages not shown when using Captive Portal

    3
    0 Votes
    3 Posts
    695 Views
    N
    Hello, can you explain to me please what you mean exactly? I have transparent mode on squid. Do you mean that is the reason why? If yes, why? As far as I know, transparent mode only means that users do not have to enter manually the proxy server in their browsers.
  • Can't delete an alias

    20
    0 Votes
    20 Posts
    6k Views
    M
    @BBcan177: I think the "z" in the name had something to do with it not being removed properly in the first place. I doubt it; originally it didn't have a 'Z' in it. I changed the alias name to that per a thread by another member here who managed to get it away by doing that. 'tWorked for him, it didn't work for me. (If you want to know why the 'z' btw, I do that with most of my names in pfSense (and other systems). It's an old habit from my SAP time, where this was mandatory. The 'Y' and 'Z' were so called 'custom name spaces', only (ABAP) programs starting with that letter were allowed to be created by customers in the (huge) SAP system (and hence, these YZ-programs were only allowed certain types of access to the databases, to APIs, etc. Smart engineers, over at SAP. You have to, if you want to give the management tools to the IT-departments that need to run these systems that all of the Fortune500 run). So, the Y and Z, that way: It is easy to distinguish standard SAP programs from custom built modifications; which helps tremendously when you have to do upgrades and fixes, as the SAP upgrade will not touch these programs, but has all kinds of built in pre-upgrade analysis tools to see what custom development will be touched by what upgrade process. (Yes, I'm the eternal noob on pfSense, but it seems I'm long past the noob-status in SAP-land ;D )). If you wish, I could Teamviewer in and help you clean it. You are too kind, BB :-* Thank you ;D I wouldn't want to take this precious time for you, especially since it's a different time zone thing. But mostly, because I do not want to take any time away from the development of pfBlockerNG :P I think, in the end, when 2.2. is out, I will do again a completely fresh install, with your pfBlockerNG. As the old saying goes: 'it isn't eating bread' (the alias), 'so let's leave it there then'. Thanks again BB :-*
  • Cannot access computer over lan

    19
    0 Votes
    19 Posts
    6k Views
    J
    Well I guess I'm gonna buy another access point or revert to the stock firmware on my current router and see if things change because I am still having issues.
  • Captive Portal + Radius Authentication + SquidGuard Filtering by username

    1
    0 Votes
    1 Posts
    823 Views
    No one has replied
  • Pfsense downloads a lot and so blocks my internet connection

    5
    0 Votes
    5 Posts
    1k Views
    KOMK
    SSH in and look at /var/squid/logs/access.log and it should tell you what it was getting at the time.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.