• Varnish and Multiple servers and multiple ports

    4
    0 Votes
    4 Posts
    3k Views
    G
    If I got it right, seems like a peculiar necessity. Anyway, I'd go with nginx + varnish (if you need caching) combination, and multiple subdomains also. Taking into consideration that remembering a URL is simpler than remembering a port number when it's about end-user interaction. But if you still want to go with varnish and in the way you want it, you need to put its daemon listening on all the ports you want (in your example, 80, 8080, 8081). Then define all the backends you have serving varnish. And, finally, you just set the flux and point the correct backend for the request, based on the server.port attribute. This last one done through the vcl_recv subroutine. I have no means to test it, but should be something like:

        sub vcl_recv {
          # Choose the backend from the port the request arrived on
          if (server.port == 8080) {
            set req.backend = webserver2;
          }
          elsif (server.port == 8081) {
            set req.backend = webserver3;
          }
          else {
            set req.backend = webserver1;
          }
        }

    This documentation can help you with it: https://www.varnish-cache.org/docs/trunk/users-guide/vcl-backends.html If it doesn't work, at least I hope it guides you to the right path. :)
  • SG-2440 Firewall options

    1
    0 Votes
    1 Posts
    879 Views
    No one has replied
  • 3g dongle failover and traffic block

    1
    0 Votes
    1 Posts
    546 Views
    No one has replied
  • PfSense Crashing

    13
    0 Votes
    13 Posts
    4k Views
    F
    Quite possibly, although traffic shaping is not on by default so PRIQ is not enabled at least on what I have here. I'd look through all your logs if you can and see if anything shows up as I suspect it's a lack of resource possibly behind the crash. I've noticed my 8Gb SSD machine is struggling to stream data from a radio station causing frequent stutters and hangs in the last two versions of pfsense, which I've yet to track down, and I could get it to crash with a 2.42mbps ddos when I attempted to look at the RRD graphs. https://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Priority_Queueing_.28PRIQ.29 "Priority queuing is the simplest form of traffic shaping, and often the most effective. It performs prioritization of traffic only, without regard for bandwidth." https://doc.pfsense.org/index.php/ALTQ_drivers Section 30.3.2. Enabling ALTQ for more info, but I don't think it's on as a default option. https://www.freebsd.org/doc/handbook/firewalls-pf.html Your NICs might not even support some or all of the ALTQ features either.
  • Ubiquiti Toughswitch duplex problem

    2
    0 Votes
    2 Posts
    706 Views
    D
    Do yourself a big favour and get a different switch. This one's just POS with known severe bugs totally ignored by UBNT. https://community.ubnt.com/t5/ToughSwitch/bd-p/ToughSwitch
  • Setting up Subdomains in pfSense

    12
    0 Votes
    12 Posts
    11k Views
    johnpozJ
    So you're using a wildcard record..  Not really a good idea if you ask me.. What happens when user goes to sljdflsjdfljdljflsjdff.example com ??  What gets served?  Your default page? In your example you have 2 private side IPs, .10 and .11 – if this was all just on one box then you don't need a reverse proxy.  Your httpd can see the host headers and serve up whatever site you want to serve be it www.example.com or mail.example.com or whatever.example.com
  • Multiple OpenVPN client connections to multiple VLANs

    3
    0 Votes
    3 Posts
    1k Views
    F
    Also worth issuing a cert to each user, this way you can tell when they have been hacked if someone else attempts to connect, and also having short cert lives which you keep issuing, timescales before expiring depend on what you need for extra peace of mind.
  • Settings long loading times

    9
    0 Votes
    9 Posts
    1k Views
    D
    @creepwood: Wow, that seemed to help. Superfast. Let's hope it's not some sleep thing https://doc.pfsense.org/index.php/2.2.4_New_Features_and_Changes#Security.2FErrata_Notices
  • Ftp server

    19
    0 Votes
    19 Posts
    2k Views
    F
    @KOM: OK, it's fixed.  ARE YOU HAPPY NOW GUYS???  ;D and just amazes me how many people run and use ftp and don't really understand it's pretty simple: the average IT person is expected to be an expert on everything these days, which is impossible.  I fully admit I'm a jack of all IT trades and master of none.  I know enough to (usually) get by, but I must admit that my working knowledge of the exact sequence of FTP handshakes is sorely lacking… Ultimately it boils down to what the programmers decided when writing what looks like a FTP server, the ones I've written even just work on port 21 as there was no need to support more than one connection at a time, in a scheduled time slot fashion. You don't always have to conform to industry standards if the customer requirements are different to others. The avg IT support person can up their game by learning to program as it's the programmers who ultimately write the manuals the support people follow, so having a good overview of how everything works and then coding for them can be quite illuminating. Alpha/Beta testing can be useful for understanding the skill of other programmers, seeing the bugs and how quickly things get fixed to understand strengths/weaknesses of said programmers.
  • Failed to create RRD graphs

    12
    0 Votes
    12 Posts
    2k Views
    P
    During an upgrade you have switched from 32-bit to 64-bit install (or even from 64-bit back to 32-bit). You should check on the dashboard if you have 32 or 64 bit, and check in System->Firmware, Updater Settings to see if there is some special or wrong place selected for getting updates. If you change the 32/64 bit then the old RRD files will not work.
  • [Help] High CPU Usage when downloading

    2
    0 Votes
    2 Posts
    1k Views
    ?
    I'm having a question about high internet speed, How high the speed is there? The Internet connection I mean?  :( currently when I do a speedtest I have roughly ~100Mbit speed What kind of speed test? Through the Internet? Or from one to another PC by using iPerf?  ;) When I'm looking in my PfSense the cpu will go higher than +70% Which CPU, Cores, GHz, how much RAM, which architecture, which LAN Ports are in usage (Realtek, Broadcom or Intel)?  >:( and the admin panel 'n such will freeze up mSATA, USB Stick, HDD, SSD or SATA-DOM?  :o Even the OpenVPN will freeze up, so something is clearly wrong with this process Or is only the hardware not capable enough? Is this 32Bit or 64Bit Hardware you are using? Are there any free miniPCI or PCI slots in the system? Does anyone else have experienced this and knows how to fix it ? Really fast hardware, with AES-NI or VPN (crypto) acceleration hardware support Multi Core (Dual or Quad) CPU ~@3GHz or around would be good, 4 GB or 8 GB RAM Intel NICs server grade or newer on board ones.  :-* pfSense store SG-xxxx units  :D Supermicro C2x58 SoC boards Celeron G3260 @ 3,2GHz Jetway NF9HG-2930 Alix APU Boards Alix Boards & Soekris vpn 14x1 cards
  • MOVED: OpenVPN Server behind PFSense (ping is possible, web access not)

    Locked
    1
    0 Votes
    1 Posts
    414 Views
    No one has replied
  • Pfsense crashing randomly

    6
    0 Votes
    6 Posts
    1k Views
    R
    I seem to have somewhat similar problem: https://forum.pfsense.org/index.php?topic=97431.0 Began after last update.
  • Some error disables wired connections

    11
    0 Votes
    11 Posts
    2k Views
    R
    @Derelict: Sounds like Wi-Fi just isn't your thing. (Did you disable the DHCP server on the TP-Link?) (I said "AP" (Access Point).  Not "Router") Correct. I never had much time fooling around with it. Except once trying to turn a usb-dongle into an AP..after many hours/days of cursing, it worked…but whatever. Yes, I disabled DHCP. Androids can finally connect. Now it's just the darn Chromecast left. I remember some setting when I had the AP running at the pfsense which made the Chromecast work, can't find it on this cheap TP-Link-thing though.
  • 0 Votes
    9 Posts
    2k Views
    ?
    "ftp bounce attack, victim is 192.168.1.4:2266, action, DROP" Opening and forwarding the ports would be one thing, but then setting up rules that are matching exactly these ports and services is also a must be. Could it be that only the firewall rules are not matching this behavior? Using FTP.exe implies to me that you were also able to use something like FileZilla Server software because it is also free of charge and offers on top S/FTP service. Also a script that opens an SSH connection to your home firewall would be nice running and able to do.
  • System Halt

    2
    0 Votes
    2 Posts
    870 Views
    C
    Yeah. Check for a BIOS update. If you've changed anything in your BIOS, try changing it back, or just resetting the BIOS settings to defaults.
  • How to Install MySql Server and PHPMyadmin in pfSense 2.1.5 RELEASE?

    4
    0 Votes
    4 Posts
    2k Views
    J
    I used standard procedure to install in FreeBSD OS corresponding to the pfsense version.  Look into the ports folders for the MySQL server version in the port to identify the correct name of the package. It will install the dependencies.
  • Pf Sense How to Reduce System Log number

    3
    0 Votes
    3 Posts
    941 Views
    stephenw10S
    Good question! You are exporting the logs to some external syslog server? Steve
  • Problems with Getting BT Infinity to Work.

    4
    0 Votes
    4 Posts
    2k Views
    stephenw10S
    @pigdogs It's not obvious what equipment you're using here. The most recent BT hubs have the VDSL modem integrated so you'd need to either put it in bridge mode or setup pfSense behind it in a double NAT scenario which is not ideal. As the others have said you want to have a separate VDSL modem really such as those BT supplied for use with their earlier hubs. Steve
  • VPN service on a PC

    40
    0 Votes
    40 Posts
    7k Views
    V
    @doktornotor: Because it's extremely well hidden in the GUI! Interfaces - WAN - scroll to the bottom. :o ::) I've assumed this and written it above, but was not sure if it helps.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.