• Trying to Route from WAN to LAN

    3
    0 Votes
    3 Posts
    2k Views
    D
    No, the WAN in this case is just another private network that my laptop that I'm using for testing resides on. The private IP space from the WAN is valid in this case. I'm simply trying to use PFSense as a router to route the traffic coming from my 172.16.6.0/23 network (the WAN) to my isolated MGT1 10.222.200.0/24 network. I don't want to disable natting and SPF except as a last resort.
  • I can't access AP with VLANs

    9
    0 Votes
    9 Posts
    2k Views
    K
    OK, I'm sorry guys… I did everything again and I found this option: "Allow remote access - Remote access allows you to manage the AP from the Internet or from a different LAN. To enable remote access, the gateway device needs to be properly configured, such as opening a port for the corresponding IP address of the AP." I didn't check that option the first time. Now it's running well ;) Thanks! At least, I checked my design with you. I hope this will be useful for other users. Now I have to focus on rules ;)
  • PfSense LAGG to Cisco Nexus Port Channel

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Critique my design, please?

    19
    0 Votes
    19 Posts
    2k Views
    J
    @kejianshi: Is your POS pfsense rig working ok? Runs good. Ordered another!
  • Traffic graph not displaying for LAN and Sync interfaces

    3
    0 Votes
    3 Posts
    938 Views
    J
    Genius!  THANK YOU!!!
  • SG-2440 purchased from store, a few questions

    3
    0 Votes
    3 Posts
    942 Views
    J
    @phil.davis: 1. The unit is supplied with instructions about where to find the "tuned" image if you need to reinstall completely. And it will look in the special place for updates also. The "community" one works also. I am running that, as it happens, because I often follow the bleeding edge with development snapshots. I believe the "tuning" is things like the content of loader.conf.local but nobody is saying officially. 2. There is no "tuning" in the config.xml AFAIK. You can certainly import a config from elsewhere, reassign interfaces as needed and run. I did that on the 2 SG-2440 that I have in production. Awesome, thank you Phil for the information. I am excited to get it delivered. Hopefully should be here by the end of the week. Cheers! Jon
  • Nested aliases don't work on 2.2.x

    2
    0 Votes
    2 Posts
    860 Views
    C
    Nested aliases work fine in general. You wouldn't be able to reach this website if they didn't. Check your table contents under Diag>Tables for that alias to verify.
  • [SOLVED] Undetected Traffic?

    4
    0 Votes
    4 Posts
    999 Views
    C
    Found out it was just a server that was behaving abnormally. Rebooted the server and all is good :-X Noticed it by looking through pfTop after logging into the console. Thanks for the help!
  • [SOLVED] pfsense forum HTTPS problem

    8
    0 Votes
    8 Posts
    11k Views
    D
    @musicwizard: but my Bitdefender also scans the site's SSL. I never changed that setting and it's been like that for like 2 years now since I use that one. You might want to disable that shitty "feature". https://forum.pfsense.org/index.php?topic=93188.0
  • PRO's and CON's of having a modem in bridge mode

    13
    0 Votes
    13 Posts
    5k Views
    W
    I have a PPPoA ISP, my Draytek 120 is connected to pfSense in bridge mode, no issues, no lag, no problem. That modem, once you choose PPPoE<->PPPoA passthrough disables NAT and Firewall, also DHCP is disabled….a dumb modem. My pfSense unit takes care of what it can do better than a 25 euro combo modem/router. In the past I had a half-bridge configuration, using a Netgear WNDR3700 router (running openWRT, arokh builds) coupled to a Digicom Modem (it supported half bridge), pfSense seems not to support half-bridge scenarios. Just my experience, ADSL 20/1.
  • PFSENSE vs standard routers

    5
    0 Votes
    5 Posts
    9k Views
    W
    Depends on your personal needs. I have been an avid consumer router buyer, always chasing the last product… and after a couple of years I have been soon disappointed. I don't trust proprietary firmware on consumer router/firewall, I cannot afford and I don't need an enterprise router/firewall, I love open source and build something. pfSense gave me a lot of solutions: open source, very active and professional community, solid software, easy configuration for a home LAN... I put pfSense in a pretty good hardware (see my signature), I will not look at consumer router/firewall anymore. My Netgear R7000 and WNDR3700 have been downgraded to AP.
  • Certificate

    8
    0 Votes
    8 Posts
    2k Views
    johnpoz
    Yeah this sounds like a mess "router is 192.168.1.1, wired PC is on 192.168.2.1, if I ping the router I get 192.168.3.1, which is my wireless network)." So you have multiple interfaces/vlan on pfsense.. ping the router I get 192.168.3.1 is your router? Are you talking about pfsense interface on your wireless vlan or are you natting your wireless with a wifi router that is not in AP mode? Why don't you access pfsense with name? You can setup your rules to be able to hit the lan interface let's call it 192.168.1.1 of pfsense for its web gui from any of your segments. You could setup different names for your different segments and hit that interface via that name with cert for that name, etc. For example pfsense.local.lan is 192.168.9.253 on my setup, and pfsense.wlan.local.lan is 192.168.2.253 this is the pfsense interface in my wireless segment, then a few more dmz, ps3, etc. Personally I never access pfsense gui from anything other than the wired network.. Wifi shouldn't really be open to your firewall admin gui if you ask me ;)
  • Varnish and Multiple servers and multiple ports

    4
    0 Votes
    4 Posts
    3k Views
    G
    If I got it right, seems like a peculiar necessity. Anyway, I'd go with nginx + varnish (if you need caching) combination, and multiple subdomains also. Taking into consideration that remembering a URL is simpler than remembering a port number when it's about end-user interaction. But if you still want to go with varnish and in the way you want it, you need to put its daemon listening on all the ports you want (in your example, 80, 8080, 8081). Then define all the backends you have serving varnish. And, finally, you just set the flux and point the correct backend for the request, based on the server.port attribute. This last one done through the vcl_recv subroutine. I have no means to test it, but should be something like:

        sub vcl_recv {
          # choose the backend by the port the request arrived on
          if (server.port == 8080) {
            set req.backend = webserver2;
          }
          elsif (server.port == 8081) {
            set req.backend = webserver3;
          }
          else {
            set req.backend = webserver1;
          }
        }

    This documentation can help you with it: https://www.varnish-cache.org/docs/trunk/users-guide/vcl-backends.html If it doesn't work, at least I hope it guides you to the right path. :)
  • SG-2440 Firewall options

    1
    0 Votes
    1 Posts
    878 Views
    No one has replied
  • 3g dongle failover and traffic block

    1
    0 Votes
    1 Posts
    546 Views
    No one has replied
  • PfSense Crashing

    13
    0 Votes
    13 Posts
    4k Views
    F
    Quite possibly, although traffic shaping is not on by default so PRIQ is not enabled at least on what I have here. I'd look through all your logs if you can and see if anything shows up as I suspect it's a lack of resources possibly behind the crash. I've noticed my 8Gb SSD machine is struggling to stream data from a radio station causing frequent stutters and hangs in the last two versions of pfsense, which I've yet to track down, and I could get it to crash with a 2.42mbps ddos when I attempted to look at the RRD graphs. https://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Priority_Queueing_.28PRIQ.29 "Priority queuing is the simplest form of traffic shaping, and often the most effective. It performs prioritization of traffic only, without regard for bandwidth." https://doc.pfsense.org/index.php/ALTQ_drivers Section 30.3.2. Enabling ALTQ for more info, but I don't think it's on as a default option. https://www.freebsd.org/doc/handbook/firewalls-pf.html Your NICs might not even support some or all of the ALTQ features either.
  • Ubiquiti Toughswitch duplex problem

    2
    0 Votes
    2 Posts
    706 Views
    D
    Do yourself a big favour and get a different switch. This one's just POS with known severe bugs totally ignored by UBNT. https://community.ubnt.com/t5/ToughSwitch/bd-p/ToughSwitch
  • Setting up Subdomains in pfSense

    12
    0 Votes
    12 Posts
    11k Views
    johnpoz
    So you're using a wildcard record.. Not really a good idea if you ask me.. What happens when a user goes to sljdflsjdfljdljflsjdff.example.com?? What gets served? Your default page? In your example you have 2 private side IPs, .10 and .11 – if this was all just on one box then you don't need a reverse proxy. Your httpd can see the host headers and serve up whatever site you want to serve be it www.example.com or mail.example.com or whatever.example.com
  • Multiple OpenVPN client connections to multiple VLANs

    3
    0 Votes
    3 Posts
    1k Views
    F
    Also worth issuing a cert to each user, this way you can tell when they have been hacked if someone else attempts to connect, and also having short cert lives which you keep issuing, timescales before expiring depend on what you need for extra peace of mind.
  • Settings long loading times

    9
    0 Votes
    9 Posts
    1k Views
    D
    @creepwood: Wow, that seemed to help. Superfast. Let's hope it's not some sleep thing https://doc.pfsense.org/index.php/2.2.4_New_Features_and_Changes#Security.2FErrata_Notices
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.