I've fixed it. I don't think, that installing newer version helped, since my old one 2.1.2 was working like a charm. More likely it was hardware problem. Network card, that was designated as LAN was prioritised on hardware level, so all traffic tried to go through LAN. I've just switched IP's on network cards and everything working just fine. To whoever might be looking for similar problem - check if your network adapters assigned right and their priority. Thanks to everyone for help.

@newbie2015: can u tell me how? https://doc.pfsense.org/index.php/Outbound_NAT

@garethsnaim: I have ordered an ultra sff dell 745 from ebay for £29 which I think is a good 'size' for the task. I will probably get a SSD in the near future as well. I am hopeful there is a methodology to export settings and import to the new PC. Yes, it's as simple as exporting from the old and importing to the new.  I did that while swapping out completely different hardware.  It's fairly painless.

Cool.  I may have to pick one of those up and muck around.

@KOM: Sorry, I think I had it backwards.  If you have high interrupts, try enabling polling to see if it calms down somewhat. I enabled it and the load didn't move too much in either direction. Thank you for the suggestion. @heper: i personally haven't had much luck by enabling polling. it just slowed things down in my case. have you tried some of the tuning tips here? http://bsdrp.net/documentation/examples/forwarding_performance_lab_of_a_hp_proliant_dl360p_gen8_with_10-gigabit_with_10-gigabit_chelsio_t540-cr i don't own 10gbe equipment, but i don't think it can hurt to try. I will have to take a look at this. Thanks for providing it. On another note, the load appears to be around 5-6 now. I believe this is related to lower usage. Towards the end of the business day our usage tapers off significantly, but we only do ~300 Mbs at peak anyways.

that could be it too. captiveportal redirects tend to mess with dns … dnssec tries to prevent messing with dns ;)

note the element you need for configuration 1.vlan 500 2,pppoe thanks

If all you want is an URL filter, Squidguard is a lot easier than Dans.  If you need more robust content filtering, then Dans is what you would use.  The Squid situation is a little unclear at the moment.  The packages are in a state of flux as they are being cleaned up to some degree.  Check the Cache/Proxy forum for more information.

Thank you for the answers, About the firewall, I may have expressed myself poorly. I meant that I'm to clear the rules that prevent access to certain websites which isn't being properly blocked by squid (like facebook). I'm probably going to try the WAPD package (in 2 weeks, when the proxy tests are scheduled).  Since, as KOM said, Outbound NAT rule may give me some false-positives of MitM attacks. The company specified that no branch office is supposed to have a proxy anymore. According to them it may interfere with the Net balancing, since we have two links, from the same provider, one for the internet and the other for the corporate net). And I'm definitely not going to manually configure the browser of 300 hosts. ;D Once again, thank you all. I would appreciate if this topic could remain open for 2 weeks, I may get in some trouble with WAPD.

Because it's disabled? Fix your client. Or, if it's not you, then stop logging the useless noise. There's a checkbox for this so that lighttpd junk doesn't flood logs.

enabling ssh from console(option 14) or webgui (system:advanced:Enable Secure Shell)

Is the NanoBSD version generally as good as normal version? I am wondering if its worth buying a really hard disk instead of replacing the CF. Are there any advantages to this approach? when I setup seemed that this would nice and simple, also takes up less space…

firewall rules don't say oh you can only go in 98% of the time ;)  Your issue is most likely with your actual web server or connectivity to it on your lan side. Does it go down on its ipv6 address?  You know when I see this "Also tried the rule allow IPv4/IPv6 TCP/UDP from * to Webserver port 443 and 80"  I have to think to myself.. WHY??  Since when does your website do anything on UDP for http or https???

Let me try to get this in. Using a second (instance/profile of the same brand) browser, I asked for the pfsense page and was given the login page. However, this page is using a different theme. Comparing the cookies between the two browsers, I find that the first browser has three cookies named PHPSESSID with different 'host' values. Deleting the two obviously wrong same-named cookies got me past the login page. On the first browser, I logged in and was given the dashboard page of the theme I always used. On the second browser, a different theme is shown, yet the General Setup, Theme choice is 'pfsense_ng' in both browsers. Edit: Changing the selection of the theme does not change the theme displayed. Edit2: Correction - the theme changes on the first browser when a selection is made, but not on the second when a selection is made. So, I think the browser was sending too many cookies or the wrong cookie. Suggest that pfSense use a cookie with a name unique unto itself, instead of the common/default PHPSESSID.

@mer: @heper understood, but explicitly stating port forwards would be nice to know. :) It would be, but the only reason to not like port scans is if you have opened ports.

You're misunderstanding what're being reported. Load is relative. If your CPU is running at 100mhz, then it's not hard to reach 75% usage. The reason "load" is high when using minimum is because the CPU is being down-clocked, you are saving power.

Are you doing your testing from a client on LAN, or fro pfSense itself?

What johnpoz is trying to say, is PFSense can block traffic going through PFSense, but not traffic that only goes through the switch.

Yeah, sounds like a plan. (If you want a separate ramdisk for /tmp only, perhaps dig up the pull request on GitHub.)

@cmb: Looks like the physical NIC you're plugging into isn't connected to the VM's WAN NIC. No replies to the PPPoE attempts. If you had any functional connectivity, it'd come back with something other than just a complete timeout. Thanks cmb, your post encouraged me to go back and relabel my NICs.. surprisingly enough, after spending a while troubleshooting (before I posted this) I must have become confused and got them all mixed up.. After re-labling them all I then passed them all through correctly and it seems to be working for now! Thanks again!