• Pfr_unroute_kentry delete failed

    0 Votes
    8 Posts
    2k Views
    Thank you very much for taking the time to respond. Will disable pfblocker and see how it goes.
  • MBUF spike

    0 Votes
    8 Posts
    1k Views
    stephenw10
    Fair enough. As you can see 4GB is way more than pfSense uses without any packages running. I have a test box running 64bit that I upgraded from 32bit, the process was painless. You should check the firmware update location is set correctly if you do try this. I would probably go for a full re-install on a production box to be safe. There have been several hints from the devs that 32bit will eventually be phased out so that's one reason to be running 64bit. I hope it's not for a while though since I have several boxes that aren't 64bit.  ;) Steve
  • CPU always at 0%

    0 Votes
    4 Posts
    1k Views
    stephenw10
    Exactly. Because your box is over-powered for your requirements? What is your WAN bandwidth? What packages are you running? The only problem you may have is that you're consuming more power than is necessary.  ;) Steve
  • LAN GUI not accessible!

    0 Votes
    46 Posts
    13k Views
    stephenw10
    Just kind of happened.  ;) Steve
  • PPOE SERVER - INBOUND TRAFFIC TO PPOE CLIENTS

    0 Votes
    1 Posts
    535 Views
    No one has replied
  • Now rebooting daily

    0 Votes
    10 Posts
    2k Views
    Do you have a proper default route under Diag>Routes at the time? Can you ping that gateway IP? If so, what does a traceroute to something on the Internet look like when it's an issue?
  • Advice Needed Regarding pfSense with DMZ interface and Public IPs

    0 Votes
    4 Posts
    1k Views
    KOM
    pfSense is no different than any other router at the network level.  If your DMZ subnet is 172.16.0.0/24 then your other servers should also be in that same subnet.  Then you can use firewall rules to cordon off the DMZ from other network segments.
  • PfSense 2.5.1 - How to load balance two DSL connections?

    0 Votes
    2 Posts
    1k Views
    System->Routing, Groups: Add a gateway group with WAN-A and WAN-B both at Tier1. (e.g. call it LoadBalance) On LAN add rules to match whatever traffic you want load-balanced. In the Advanced section of the rule, Gateway - select the LoadBalance gateway group. Now the traffic is fed into the gateway group. As states are created they are round-robined between whichever WANs are up. And I see you are running a very advanced version of pfSense - 2.5.1 - what are all the new features that we will get in a few years?  ;)
  • How to prioritize OpenVPN tunnel data?

    0 Votes
    4 Posts
    1k Views
    @torontob: Thanks, is there any way to do this without traffic shaping? I have used traffic shaping before and queues tend to fill really quickly, rendering the whole system useless. I find traffic shaping to be the weakest link in pfSense. Not as far as I know…
  • How to connect external RDP server through pfsense

    0 Votes
    15 Posts
    3k Views
    Cool - Glad it's up.
  • SquidGuard blocked websites are cached in browsers

    0 Votes
    2 Posts
    704 Views
    Hi there, I was wondering if you ever managed to sort this out. I can't find any other posts on this subject and I have the exact same issue. Thanks!
  • Web filter - what can I do with pfsense?

    0 Votes
    2 Posts
    967 Views
    @tobiascapin: Log http and https connection storing transfer length, destination hostname and local ip or mac address Filter hostname from a list of denied hostname or by regex rule Do not use a connection configuration (transparent) Do not decrypt https content and do not alter certificate exchange (man-in-the-middle) Optionally can be useful to cache the http content. Hi, Squid and SquidGuard will cover all of the points above. The SSL Interception is optional. As long as you leave the SSL Part disabled, there is no modification (and interception) of SSL traffic. SquidGuard is optional but nice to have if you want to use complex rules (e.g. complex Regex) and logging. Speaking of logging: All users should agree that you log their sessions. Due to the law in many countries. As an example: I'm from Germany and the German/EU law doesn't allow the logging of accessed URLs and other personal data. This is due to privacy protection. A valid workaround is to log the MAC Address and mask it in your reports.
  • Webserver for single HTML page on pfsense

    0 Votes
    2 Posts
    872 Views
    @Mikeyb!: To caveat this first, this is a bad idea, but it's just for testing on a test network. Watch out for the vHosts Package. It works out of the box. Yes, it has PHP, but if you really want to get rid of PHP just modify the Package defaults and you have a very lightweight Web Server.
  • Help needed for Wireless Router Set up Behind pfSense Box

    0 Votes
    6 Posts
    1k Views
    stephenw10
    @kiekar: all worked fine even without changing any LAN and WAN settings on the wireless router. If you do that at the very least you must disable the DHCP server on the wireless router. It may be working fine now but sooner or later a device is going to get an IP address from the wireless router and it will be in the wrong subnet with the wrong gateway. Going the way you originally had it configured is generally frowned upon because of the double NAT, as Derellict said, but in many situations it will work fine. I'm writing this from behind double NAT and have experienced no issues with day to day stuff. Things get complicated if you have to forward ports though and some things (VoIP) really hate double NAT.  ;) Steve
  • WAN interface going down

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Authpf - feature request

    0 Votes
    1 Posts
    622 Views
    No one has replied
  • Names in Rules and logs etc

    0 Votes
    10 Posts
    2k Views
    The logs show what rule matched, and you want to see the specific source IP, you don't want the alias name there. You can tell from the rule it shows which alias it hit. There is reverse DNS lookup support there as well.
  • Ssh on port 443… not working

    0 Votes
    14 Posts
    3k Views
    stephenw10
    No problem. Easily done.  ;) Steve
  • Http 1.0 protocol is not supported

    0 Votes
    6 Posts
    3k Views
    @stephenw10: Have you tried disabling Squid as a test? If that works you could exclude the bank site from the proxy. Steve YES!!!! This problem was in Squid, when I entered my IP in "Bypass proxy for these source IPs" the site will work fine! Thanks a lot. P.S. I'm trying to stop squidguard but it does not take effect. Why is squid blocking? My rules are allow all traffic.
  • AD Group names with spaces or longer than 16 characters

    0 Votes
    4 Posts
    3k Views
    Are you using extended queries? You should post a screenshot of your config page. Blank out anything you might feel is sensitive but do it in a way we can see all the strings. You can also try and escape the space with \20 and see if that works, so ou=OU WithSpace becomes ou=OU\20WithSpace Or it might be %20 as escape for space, so it would be ou=OU%20WithSpace If you need multiple groups to be searched, the authentication container string should look similar to this: CN=Users,DC=domain,DC=com;OU=DifferentUsers,DC=domain,DC=com I use extended queries for my vpn access and it looks like this: memberOf=CN=VPNusers,CN=Users,DC=domain,DC=com
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.