• PfSense does not support more than 10 3G modems connected

    13
    0 Votes
    13 Posts
    3k Views
    P
    The finalised version of this was committed a few days ago. @rowell - can you try https://github.com/pfsense/pfsense/blob/RELENG_2_2/usr/local/www/interfaces_ppps_edit.php (that is the version to be released in 2.2.4) Does that fix the issue?
  • Replicate the Aliases configuration

    Locked
    5
    0 Votes
    5 Posts
    1k Views
    C
    locking duplicate
  • Dynamic DNS do not retry after failure

    6
    0 Votes
    6 Posts
    1k Views
    G
    Thanks!!! I will be contacting Dyn.com
  • Another filtering bridge thread…

    17
    0 Votes
    17 Posts
    2k Views
    ?
    I have allowed my pfsense box to be pinged, so as long as they don't somehow look for their SPECIFIC router, I should be good. And if they are calling you otherwise, they perhaps were monitoring the MAC address of their router. Perhaps you are able to change the MAC address from their WAN interface to your WAN interface.
  • MOVED: Trouble with blocking through snort rules

    Locked
    1
    0 Votes
    1 Posts
    312 Views
    No one has replied
  • Passthrough webfiltering

    2
    0 Votes
    2 Posts
    621 Views
    KOMK
    You could set it up with just the one LAN interface as a pure Squid3/squidGuard/ClamAV web proxy. No need for NAT. Squid would have to be in explicit mode, so all your clients would have to be configured to use the proxy or you would have to set up WPAD for proxy auto-detection by your clients.
  • Slow WEB browsing

    4
    0 Votes
    4 Posts
    1k Views
    M
    The last time I saw this, the person incorrectly configured the forwarder on his DC. By chance did you manually configure the forwarder on your DC?
  • How to force pfsense DNS to be used

    12
    0 Votes
    12 Posts
    7k Views
    F
    @n3by: @NOYB why don't you use Captive Portal for that? It adds another layer of security for your network.
    Nice suggestion, but take this further: when you don't have total oversight of the physical network, i.e. cables or insides of a device with wifi capabilities, namely a laptop or mobile plugged in to sync with a computer, especially in a bring-your-device-to-work scenario, there is still the situation of a device/code hijacking one or more machine(s) and offloading the network traffic via a wifi/mesh network of sorts. In this instance only the absence of traffic at best will show up in pfsense if all traffic is rerouted via a dhcp/dns redirect, although if only offloading sensitive data you wouldn't even spot this potentially*, a bit like a multi-WAN setup but on the device in question, or would you? I can think of one situation which could theoretically show this up, but it's not something pfsense could do and the OSes could still potentially be the weakness.
  • Can I enable RAM disk just for /tmp but not /var on 2.2.3 HDD/SSD install?

    14
    0 Votes
    14 Posts
    4k Views
    jimpJ
    I'm not opposed to having a granular option there, the problem is that more often than not people will want both and may miss setting one or the other. Splitting it into two checkboxes makes new problems while "solving" one that would rarely be hit. It makes it more difficult for most users while benefiting relatively few. It's a bit more complicated to code up but it may be better to have a drop-down that has options such as:
    /var and /tmp on disk
    /var and /tmp in RAM
    /var in RAM, /tmp on disk
    /var on disk, /tmp in RAM
    With appropriate upgrade code to migrate from the old setting.
  • Firewall rule based on IP name and not IP address

    6
    0 Votes
    6 Posts
    3k Views
    johnpozJ
    So like I said Alias ;)
  • L2tp server with two wans

    2
    0 Votes
    2 Posts
    641 Views
    F
    Maybe this will help? https://doc.pfsense.org/index.php/Multi-WAN#Load_Balancing For OpenVPN but the principle/idea/concept may be relevant for your needs/uses. https://forum.pfsense.org/index.php?topic=39328.0 https://forum.pfsense.org/index.php?topic=68605.msg375799#msg375799
  • Help with networking

    3
    0 Votes
    3 Posts
    768 Views
    F
    Could also try logging everything, i.e. rules, and see if anything shows up which is being blocked or not; that might give you a clue as well. It's usually a good idea to log everything in order to help see when you have been hacked, as anomalies occur which you might be able to pick up with some good analysis tools that can indicate when you have been hacked, e.g. looking up particular DNS servers can be a way to communicate code/instructions, amongst many other methods.
  • Custom DH parameters

    2
    0 Votes
    2 Posts
    877 Views
    D
    https://doc.pfsense.org/index.php/Importing_OpenVPN_DH_Parameters
  • DSCP value

    5
    0 Votes
    5 Posts
    1k Views
    jimpJ
    Currently pfSense can only match DSCP, not set. Setting is up to the endpoints.
  • 0 Votes
    5 Posts
    1k Views
    D
    CPU utilization is at 6%, I also just noticed I do not have a PCI Express NIC card in there. I just ordered one so will see if that makes a difference. David
  • How to enable Whatsapp Calls

    4
    0 Votes
    4 Posts
    3k Views
    F
    Here's what I do. Firstly I prevent anything from getting out onto the internet, next I monitor the fw logs to see what's talking, I then identify what's talking and if I want to allow it, I create a rule to allow it. Now creating a rule could mean creating an alias which has one or more domain names/subdomains in, which makes it easy to add to once the alias is set up in one or more rules. It's a good way to troubleshoot problems as well as see what devices on a network are talking to each other. I've never used WhatsApp, but do you know if it initiates the communication in any way or is a separate service giving away your location to the WhatsApp servers and then they try to connect to you through a port they expect to be open?
  • New pfSense setup with DMZ

    15
    0 Votes
    15 Posts
    8k Views
    1
    I don't think it's a bad idea as long as there's a proper firewall. In my setup, the bridge had a firewall so no traffic was reaching the public IPs unless I allowed it. Of course, I will not go with the bridge for other reasons but the servers were not wide open. If I get the chance to route our own IP addresses pfSense will still play the role of a firewall in front of them which is exactly what I'd like. With VIPs I need to assign a public IP, a private IP and set firewall rules. With directly attached public IPs I don't need to manage another private subnet. Our servers are mainly Unix, we have enough public IP addresses to assign one to each server and changing IP addresses would be quite easily done with Ansible. While I would like to have our subnet routed using our HW, I think it will take more time than I have. So VIPs are now my main option, but I will bring this up with our ISP.
  • Does a small business ( <30 devices ) need pfsense?

    17
    0 Votes
    17 Posts
    6k Views
    C
    @BlueKobold: Where the ISP-provided cheap modem in that case is faster, can reach near the gigabit speeds.. In normal a modem is not doing SPI, NAT and passing firewall rules! So for sure the ordinary modem must be even faster, this is a must be!
    Not true, the modem is doing NAT in that case. And it has some basic SPI functionality as well. Keep in mind we're talking about single-stream throughput, the easiest case. I don't know how well those would stand up across much larger numbers of simultaneous connections.
    @BlueKobold: ….where a 4860 tops out at 700ish Mbps on PPPoE in that circumstance because it's stuck to one core. With SPI and NAT you will lose even something around 3% - 5% of the whole throughput, depending on your hardware for sure. But often with other hardware I really think this would be not the end of the line, with a Xeon E3-1286v3, much ECC RAM and an Intel server network adapter it would be also able to achieve more throughput, but also holding the level of security!
    Sure, in that case all you need is a CPU that has faster cores, so a single core can handle a higher traffic rate. I have no doubt a new Xeon would easily max out a 1 Gbps link in the PPPoE scenario (at least with large-ish packets, not at purely 64 byte frames). But that's also an unreasonably expensive firewall/router box for home and SMB uses.
    It's not true in general that you'll lose any throughput from SPI or NAT, as long as your system's adequately fast for your connection speed. We're talking microseconds of processing time from arrival of a packet on the LAN NIC to it exiting the WAN NIC, as long as there is CPU capacity to spare. That's such a tiny portion of your latency to any Internet destination it has no measurable impact. It's far less than just the jitter to close Internet destinations on high quality connectivity.
  • Auditing Firewall Admins

    4
    0 Votes
    4 Posts
    1k Views
    C
    We don't include the FreeBSD auditing system bits, but that's probably not what you're looking for anyway. Just looking for review of changes? The config history that muswellhillbilly mentioned is a built-in way. Ideally you'd want something outside of that as well, like storing your configs in a central revision control system where you have indefinite length history.
  • Syslogd exited on signal 11 (core dumped)

    4
    0 Votes
    4 Posts
    2k Views
    C
    You can use gdb to analyze it. Could you get that file to me? Upload it somewhere and send me the URL privately, or if zipped it's less than 25 MB, email to cmb at pfsense dot org.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.