• Needing help ! any whitelist ??

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    @rakeshvijayan; I appreciate your reply but the "ouapapaladam" is asking about allowing the facebook for about 5 mins. Assuming ouapapaladam has already blocked it using squid either using a proxy mode or manual ip list in squid! In my case I am not able to block https with proxy. ouapapaladam, did you check in your client side with https facebook? Hi srk3461, you point a good knowledge to me also I will try it on my virtual machine for testing purpose thanks
  • Automatically restart service at a specific time

    Locked
    1
    0 Votes
    1 Posts
    909 Views
    No one has replied
  • Dns setting not work correct

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    Glad to see your reply. I can't understand your explanation, but… I add my local domain in here, the dns is answered correct. Services -> DNS forwarder -> Domain overrides Thanks so much. YOU DON'T NEED TO ADD ANY SETTING OVER THERE YOU HAVE TO INSERT THE CORRECT DNS ENTRY OVER THE GENERAL SET UP SELECT THE CORRECT GATEWAY FOR THE DNS. OR TRY TO INSERT GOOGLE DNS FOR CHECKING 8.8.8.8 AND SELECT GATEWAY YOU WISH, THEN TRY TO PING TO GOOGLE FROM THE DIAGNOSTIC TAB, BY THAT YOU CAN REALIZE IF IT IS DNS PROBLEM OR NOT. Services -> DNS forwarder -> PAGE YOU HAVE ONLY PUT A TICK MARK ON (ENABLE DNS FORWARDING TAB)
  • Logging when a local IP logs onto local server:port?

    Locked
    2
    0 Votes
    2 Posts
    751 Views
    Communications between LAN machines that are connected together via a switch go across that switch. They never reach pfsense even though it's also on the same switch. There is nothing for pfsense to log because it never sees that traffic. That is how you are setup, right?
  • Configuring 2 ssids with different user policy

    Locked
    1
    0 Votes
    1 Posts
    601 Views
    No one has replied
  • Problem:Bridge + Squid+SquidGuard

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    old topic..anyway.. I'm facing the same problem. you can't set that second rule via web gui but I put it in "by hand": I added the rule in /tmp/rules.debug and then pfctl -f /tmp/rules.debug so the rules I have now are:

        rdr on bridge0 inet proto tcp from any to any port = http -> 127.0.0.1 port 3128
        pass in log quick on bridge0 route-to lo0 inet proto tcp from any to 127.0.0.1 port = 3128 flags S/SA keep state

    but it's not working! bridge0 = (em1, em2), client is on em1 side. I can see IP clientip.3002 > 127.0.0.1.3128: Flags SYN on the other side of the bridge member em2. no traffic on lo0 interface. so route-to lo0 doesn't work. or better.. it's the rest of the rule that doesn't work, if I place the (wrong and temporary) rules like this one:

        pass in log quick on bridge0 route-to lo0

    or even:

        pass in log quick on bridge0 route-to lo0 inet proto udp

    then I can see traffic on lo0. I tested on 2.0.3 and 2.1 beta1. it's been reported here long time ago: pfSense bug #1620 http://redmine.pfsense.org/issues/1620 there's on FreeBSD 9.1 it works fine.
  • Internet Access on 4 Segment Network using VMWare ESXi

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    Yeah, I'm new to pfsense but have been on Checkpoint SPLAT that a tcpdump doesn't show the NAT'd address in the re-written source address (I think it had something to do with the order that the packets are processed). Hence me asking for clarification :) I'll have a play around and check when I get home!
  • Configure Firewall and WAN Router in same server?

    Locked
    5
    0 Votes
    5 Posts
    1k Views
    In my firm we have more than 60 computers using internet connection with load balancing. In my pfsense I configured dhcp squid firewall ip forwarding to web what else we need rather than pfsense. Yes you can save more money if you have knowledge to problems in pfsense here more Ideal and technical persons available here to help us with their experience. From ISP all fiber end are ended in a GE converter output connection may vary base on 10/100/1000 in my firm I have one 100 based and 1000 base card is used to handle the incoming connection. So you have to know about that configure it before
  • Radius and pfsense radius configuration

    Locked
    1
    0 Votes
    1 Posts
    935 Views
    No one has replied
  • Newbie Setup - Cannot Ping / No DNS - Can AutoUpdate Gateway Online

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    @ljadmin: My gateway status is 'online' but i cannot ping my gateway from the IP of my Firebox but I can from other systems on the switch. [Gateway (#.#.#.217)] – switch -- [Firebox (#.#.#.219) & ServerA (#.#.#.220)] What does ping report? (a ping report is nearly always more informative than "cannot ping"). How many interfaces have you configured on the firebox? How many of them are in the same IP subnet as the pfSense WAN interface? I presume the switch you mentioned is connected to the pfSense WAN interface and Server A such that Server A can directly contact the gateway (bypassing the Firebox).
  • Remote ftp access to device

    Locked
    9
    0 Votes
    9 Posts
    2k Views
    @marvosa: When using FTP behind a NAT Firewall, I've always forwarded the passive ports. Unless the firewall dynamically monitors FTP connections and opens ports dynamically when it detects a passive FTP connection, which I'm guessing is what the FTP helper is trying to achieve. From -> http://doc.pfsense.org/index.php/2.0_New_Features_and_Changes: FTP helper now in kernel So, maybe it's a kernel bug or the "FTP Helper" has been deprecated. If someone has a more official explanation, feel free to chime in. I think you are correct. I have not disabled it so maybe there is some kind of bug on the FTP helper since although enabled I have to port forward the passive ports myself. Except if the FTP helper on pfsense is not supposed to do this as the [ Tracking / NAT Helpers - FTP nat helper ] I said. Who knows. Regards
  • Vlan troubles

    Locked
    2
    0 Votes
    2 Posts
    984 Views
    Try looking for the VLANs tab on Interfaces -> (assign)
  • 2.0.3 upgrade errors

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    I realize this was posted in wrong place. I just want to update in case someone was scared off by my experience. When I downgraded to 2.0.2 I had the same issue when I restored the config backup. So apparently there was an issue with my config exposed by the upgrade process, unrelated to version 2.0.3. I am now running 2.0.3 with config rebuilt by hand (with aid of the xml file open in notepad) and all seems fine. Was probably a good time for a config 'spring cleaning' anyway.. Thanks again to maintainers of this project for this solid update! @pvoigt: @dig1234: I'm on nanoBSD i386. upgrade from 2.0.2 to 2.0.3 was a disaster. Bootup would hang at Starting Firewall. Turned on verbose logging, eventually bootup finishes but packages did not reinstall. Getting message in syslog and console:  kernel: t_delta 15.fd984de3455432fc too short etc. Will try installing from scratch, maybe upgrade process just crapped out. Otherwise I'll go back to 2.0.2 Well, these issues are looking even more serious than those nsswitch warnings. Maybe I missed it but are you getting the nsswitch warning besides your other problems? If yes, could you please give feedback if they do disappear after a clean install? I'm running a NanoBSD image and it is a real pain to exchange CF card for re-imaging.
  • Integration with radius server for captive portal authentication

    Locked
    1
    0 Votes
    1 Posts
    795 Views
    No one has replied
  • How to detect infected computers in my lan

    Locked
    11
    0 Votes
    11 Posts
    10k Views
    Thank you all for your help. I also found out that every night comes the night guard to this company with his own laptop which was also infected:)
  • 2.0.3 - mod_fastcgi.c.2676 - FastCGI-stderr: ALERT squidguard sgerror.php

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Advice for network 500 users?

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    @heper: squid on pfsense can work with AD authentication. How well it integrates with squidguard/dansguardian i don't know. You have to install the following packages [image: pfsenspackages.png] you will see the proxy filter and proxy server on the service tab you have to configure like this [image: proxy_filter.png] [image: proxyfilter.png]
  • Two Public IPs and Two Networks

    Locked
    5
    0 Votes
    5 Posts
    1k Views
    You can't use two WAN NICs with the same gateway.  It'll only route traffic out of the default gateway. If you have more than one public IP address that can use the same gateway, you can do it with one NIC, and VirtualIPs and 1:1 NAT routing. (http://doc.pfsense.org/index.php/1:1_NAT)(http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F) On my WAN2 interface I have a public IP address ...39, and ...40, and ...41.  The ...39 is the LAN2 subnet.  ...40 is a single IP on LAN2, and ...41 is another single IP on LAN2.  I could easily have added another public IP and had that route to LAN1, but in my case I have a completely different WAN connection with a different (different than WAN2) gateway instead. Create the one WAN interface and use 1:1 NAT with a VirtualIP.
  • VPN Client

    Locked
    14
    0 Votes
    14 Posts
    3k Views
    stephenw10
    If you are looking at building a new box it's hard to recommend anything other than a low-end Sandybridge/Ivybridge based board. As Tim suggests above, using a socket 1155 board gives you lots of upgrade options. This board: http://www.newegg.com/Product/Product.aspx?Item=N82E16813121622 Is slightly more but gives you a smaller footprint and DC power for greater efficiency. Even a low-end Celeron will firewall/NAT at Gigabit wire speed so should be good for 120Mb of OpenVPN (I have no test results to confirm this). http://www.newegg.com/Product/Product.aspx?Item=N82E16819116889 If you want less building then maybe something like the Shuttle DS61: http://forum.pfsense.org/index.php/topic,56950.0.html To be honest you could probably get 120Mb VPN with a far less powerful system but it's probably easier and cheaper to go with something such as the systems above. Steve
  • How does code changes in freebsd make it to pfsense

    Locked
    5
    0 Votes
    5 Posts
    1k Views
    jimp
    If they fix it upstream, we pick up the changes either the next time we shift OS versions (not very often) or if we bring their patch into our code (happens all the time).
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.