• Names in Rules and logs etc

    0 Votes
    10 Posts
    2k Views
    The logs show what rule matched, and you want to see the specific source IP, you don't want the alias name there. You can tell from the rule it shows which alias it hit. There is reverse DNS lookup support there as well.
  • Ssh on port 443… not working

    0 Votes
    14 Posts
    3k Views
    stephenw10
    No problem. Easily done.  ;) Steve
  • Http 1.0 protocol is not supported

    0 Votes
    6 Posts
    3k Views
    @stephenw10: Have you tried disabling Squid as a test? If that works you could exclude the bank site from the proxy. Steve YES!!!! This problem was in Squid, when I entered my IP in "Bypass proxy for these source IPs" the site will work fine! Thanks a lot. P.S. I'm trying to stop squidguard but it does not take effect. Why is squid blocking? My rules are allow all traffic.
  • AD Group names with spaces or longer than 16 characters

    0 Votes
    4 Posts
    3k Views
    Are you using extended queries? You should post a screenshot of your config page. Blank out anything you might feel is sensitive, but do it in a way we can see all the strings. You can also try and escape the space with \20 and see if that works, so ou=OU WithSpace becomes ou=OU\20WithSpace Or it might be %20 as escape for space, so it would be ou=OU%20WithSpace If you need multiple groups to be searched, the authentication container string should look similar to this: CN=Users,DC=domain,DC=com;OU=DifferentUsers,DC=domain,DC=com I use extended queries for my VPN access and it looks like this: memberOf=CN=VPNusers,CN=Users,DC=domain,DC=com
  • More VPN problems/questions

    0 Votes
    9 Posts
    2k Views
    Yeah - I have my server side on unlimited fiber internet. So my VPN is much faster than my connection here in Asia. I get about 5/5 here but about 60/60 in the USA. Sorry to hear that. I will tell you this though. The USA doesn't have such a thing as an anonymous / private VPN service. They all comply with requests for info from law/government (or pretty much anyone who asks). They all keep records. Not one is "private". So, don't get too hung up on the uber private VPN claims. It's all disinformation, misrepresentation or blatant lies. I would go so far as to say that VPN providers are probably considered one-stop-shopping for law/government etc. For sure you would be better off on a VPN server you set up yourself. It's not that I condone illegal activity. It's just that I don't think EVERYTHING should be read to make sure it's legal…
  • Strange problem, no internet yet outbound vpn connection working

    0 Votes
    2 Posts
    673 Views
    Note to self, when you think you've checked everything make sure that Snort is not blocking access to your gateway  :o
  • 0 Votes
    4 Posts
    1k Views
    Has anyone found a solution for this? It's a real problem, as sometimes ppp connection will fail, after days of working fine, and pfSense just won't reconnect…
  • Best Open Source Netflow Monitoring

    0 Votes
    2 Posts
    873 Views
    nfsen is my preferred option there. Best open source one I've seen. Scrutinizer is definitely nice, but very costly.
  • Download previous versions?

    0 Votes
    7 Posts
    1k Views
    You need to go forward at this point, not backwards. Especially not backwards to a Heartbleed-vulnerable version. Try 2.2, that's vastly safer than 2.1.1 at this point.
  • [Solved] Bind Machine/IP to specific outgoing WAN Interface

    0 Votes
    3 Posts
    1k Views
    @stephenw10: Just set a firewall rule on the internal interface that the mailserver is on. Specify the source IP as the mail server and the gateway as whichever WAN you want to use. Steve It is so easy when you know how it's done. Now I kinda feel stupid. But thanks anyways :) Appreciate it very much!
  • Static IP not working

    0 Votes
    7 Posts
    2k Views
    chpalmer
    With a /29 you would have 192.168.99.192 - 192.168.99.199 available in your subnet. Try pinging each and every one except the address your WAN is set to. For the rest: a great number of small rural ISPs use private space on their networks between their routers and customer WAN.
  • Enterprise level IDS, IPS and URL filtering

    0 Votes
    12 Posts
    3k Views
    Yeah - At least one really good person who is always on the clock or like he was saying, ESF professional paid assistance.
  • Pfsense can't resolve dns, can't find updates

    0 Votes
    8 Posts
    4k Views
    Derelict
    If you set the gateways on your DNS servers to the proper ISP, your DNS servers should get /32 routes out that specific gateway which should override the default route out the tunnel. Note that this leaks your DNS queries to the global internet and they will no longer go out PIA (if your clients are configured to use them) so you're leaking info if you want to stay anonymous. Otherwise you need to figure out how to use PIA's name servers, or have firewall rules that steer DNS queries to the proper places.
  • QinQ Vlan tagging - Is this what I need?

    0 Votes
    5 Posts
    2k Views
    Derelict
    I doubt it.  Your traffic is probably being converted to ATM over the DSL network.  I highly doubt layer 2 info like VLAN tags can survive the trip.  But being a bridge it might.  You really need to talk to your DSL provider.  If nothing else, you will need to get your DSL bridge ports configured from untagged to tagged.  Then you need to determine if your q-in-q tags make it across.
  • Few questions "Gaming and disk Cloning"

    0 Votes
    3 Posts
    889 Views
    Thank you for your answer, I'll do as you say… thanks
  • Squid 3 not caching anything

    0 Votes
    1 Posts
    2k Views
    No one has replied
  • User Manager using LDAP but OU with spaces not working ?

    0 Votes
    6 Posts
    2k Views
    @BeerCan: try User naming attribute = samAccountName Group naming attribute = cn Group member attribute = memberOf There is more but I am late for a meeting :) Perfect, thank you, that works under Diagnostics - Authentication and with the space in the OU name (no need for %20 etc). Now how do I allow this to log on to pfSense for report monitoring?
  • Percent normally normal range right around

    0 Votes
    2 Posts
    533 Views
    Derelict
    What would be cool would be if SMF would automatically suspend posting privileges for accounts with < 5 posts with a 1:5 or greater posts:smites ratio.  That way we could just crowd-moderate these fuckers.
  • [Solved] DNS Rebinding Attack. No access to Server inside DMZ from LAN.

    0 Votes
    13 Posts
    5k Views
    @cmb: @kejianshi: Is it a 2.1.5 problem also? That's what those pfsense I was talking about are on. No, that problem never existed in 2.1.x, that was a regression in 2.2 only that I fixed a couple days ago. Guessing it is the cause of OP's issue if that's on a snapshot that's more than 1-2 days old. It worked! :D Current build is Fri Nov 07 00:00:15 CST 2014, FreeBSD 10.1-RC4-p1. Unchecked Firewall -> NAT -> 1:1 -> Edit -> NAT reflection = use system default Services -> DNS forwarder -> Register DHCP leases in DNS forwarder and Register DHCP static mappings in DNS forwarder Unchecked. And of course the settings for DNS Split in Services -> DNS forwarder -> Host Override. Only thing is, when having multiple websites on one machine that you can access via different subdomains like site1.mydomain.com site2.mydomain.com etc., Host Overrides only gives you the default website since I can not assign a specific directory to a subdomain. But I guess we will figure something out. It is not as important as the mailserver was. So thank you very much! //Edit: Just a little update for all the googlers that might come here later. To solve the website issue, we set up our own bind DNS on an extra machine. This DNS handles all requests from IPFire. Directs requests to sub.domain.com to the internal IP of that server. And in case that IP is a Webserver, Apache with Vhosts handles it and forwards that to the specific directory. So that's it :)
  • Squid and Squidguard Service stops at 7:55am every morning

    0 Votes
    7 Posts
    1k Views
    FreeBSD-based.  Going to look at upgrading in the first instance.  Thanks for your help
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.