• PfSense latest + virtual IPs (P_ARP) + server with public IP

    2 Posts, 0 Votes, 1k Views
    Anyone? Please! Kind regards, Joao
  • Poor network performance

    34 Posts, 0 Votes, 8k Views
    "I am now having issues where things load randomly. 99% of stuff loads fine, some things (certain Youtube videos, sometimes pictures on shopping sites), simply don't load at all, ever."

    I'm almost positive that it is Snort. The HTTP INSPECT goes wild often and for me anyways when pictures are loading on Amazon for instance this will happen:

    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3
    #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
    suppress gen_id 120, sig_id 8
    #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
    suppress gen_id 120, sig_id 6

    AND when downloading a file this happens sometimes:

    #ET POLICY PE EXE or DLL Windows file download
    suppress gen_id 1, sig_id 2000419

    I would just try suppressing those. Maybe even clear out your alert list afterward and try accessing the site again and then check your blocklist in Snort to make the necessary suppressions. That's the thing about Snort. It's a wonderful program but it also needs babysitting to make it work right. I have found that if my firewall rules are good then I don't even need it but then again I don't have anything facing the public. I would also just run one package at a time to see where the problem may be coming from as well.

    "After installing/giving up/uninstalling/revisiting a dozen times, I think it has left pfsense in a state where there are artifacts remaining from various packages, and the system is simply not stable or performing."

    This can also be an issue so you're on the right track. I have noticed that for instance with HAVP, if I disable the proxy but I don't clear the checkboxes strange anomalies happen where things would just be very slow etc… Especially if you checked something that uses a RAM DISK. That needs to be unchecked along with any other customizations. I know that other packages have that option so you might want to check that out.

    Also, one way to fix some problems is to go to your console and run a shell and then type fsck. I think that you only have to run a shell if your console is password protected. Normally I could just press CTRL C to get the # to pop up and then you can type fsck. It will check your file system for integrity problems.

    "Hopefully a vanilla install will work. Although after seeing all the things squid is detecting,"

    That may be your best bet. Until you get a handle on a package I just wouldn't use it and if you're really concerned about younger users and where they go, HAVP worked very well for me when I needed it for that purpose. Simply because, say they go to a site that you don't want such as something complicated where it's not just zzz.youtube.com or whatever it may be. Say it's zzz.cn.thissite.dontgothere.com. Let's say the prefix changes from cn to zb. If you put an item on your blocklist like this the site and the whole domain would not be accessible. These are the formats that are available for HAVP:

    *Enter each destination URL on a new line that will be accessable to the users without scanning. Use '*' symbol for mask. Example: .github.com/, sourceforge.net/clamav-, /.xml, /.inc

    So you could type in the blacklist area something like this: .thissite.dontgothere.com/ so that even if the prefix changes it's blocked still. You could do it all the way up to just .dontgothere.com/ . HAVP is very powerful in that effect. As you can see, by typing something like /.xml you can block all of xml. You can do the same thing to any extension. You could block anything like .org, .mil, .cn, .php or whatever your fancy is that day. You could essentially do the same thing with the allow list but I don't recommend that. Another thing to consider is to just make your own blacklists. I have found that downloading blacklists is not nearly accurate enough to provide a lot of use.

    Also, there is a great set of rules in snort that prevent going to sites that young people shouldn't be going to, which is emerging-innapropriate.rules. Just enable them all and if there is a problem find which rule is doing it and suppress it. I had to remove that because it did not work for me. Perhaps Dans Guardian would do a better job. Back to HAVP though. Just like any other package of this sort there will be false positives such as when Adobe flash needs to be updated it will flag it as a virus so that's when you have to do your homework and find out exactly what addresses it needs to do the updating without problems and then use the allow list. Like I said before though, if your LAN rules are golden then you really don't even need these packages. You could just make aliases and block the sites by way of IP address that you don't want people to go to. There's a lot of ways to use pfsense that are made redundant by some packages. Just something to keep in mind. Get used to using the ping tool in pfsense to help with sorting out IP addresses. Then go look it up at CIPB if you want to block an entire IP range via CIDR. Have a good day. Cmellons
  • Routing networks correctly.

    3 Posts, 0 Votes, 885 Views
    Derelict
    A third VLAN as a management VLAN is another option.  Or choose one and use that as your management VLAN.
  • 1000x WAN Traffic increase

    40 Posts, 0 Votes, 5k Views
    @newburns: Is it beneficial to continue troubleshooting the HVAP issue? Well, I'm thinking that your initial concern is now resolved - the WAN traffic has been identified and stopped. If you want to keep working on the HVAP issue(s) perhaps start a new topic in the Packages forum? https://forum.pfsense.org/index.php?board=15.0
  • CPU Use High - /usr/local/bin/php

    5 Posts, 0 Votes, 2k Views
    Same problem for me. I came from 2.0.1 and upgraded to 2.1.3.
  • Replacement of IPCop with url filter

    3 Posts, 0 Votes, 1k Views
    Hi, thanks for the reply. The advantage of the url filter was to make it easy to set limits. I use it in a school and I just have to say no porn, no violence, etc. and put some sites in the white list (my webmail is considered as porn…). No need to be a geek for that, just need to know how to read. I found on the internet a howto about Squid + Squidguard, I will give it a test. Thanks, Philippe
  • pfSense Required Features

    7 Posts, 0 Votes, 2k Views
    KOM
    Reading docs and FAQs has never been a good substitute for hands-on, IMO. From what I have seen in these forums, not very many people use all or most of the features, so not many people other than pfSense staff are going to know the answers to all of your questions. pfSense is built on FreeBSD, and while it has a GUI, it isn't for the faint of heart or network noobs in general.
    1. Bandwidth rules and traffic shaping are not easy topics in pfSense. Easy start but quickly can get complex.
    2. Too vague, what do you mean specifically?
    3. There are several real/near-time views, depending on what you're looking for
    4. This is easy using the Traffic Shaping wizard
    5. Lots of logging, some reporting
    6. It can be confusing here too
    7. HAVP antivirus available but rudimentary, no password bypass that I am aware of
    8. No spam detection or email handling in any way
    9. Yes
    10. Not that I'm aware of
    11. If HAVP doesn't catch it, tough luck. Use client protection.
    Install it and play with it for an hour. You'll likely end up knowing more than an hour worth of abstract web searches would give you.
  • Windows server 2008 R2 and pfSense working in harmony???

    4 Posts, 0 Votes, 1k Views
    KOM
    Pretty much.  All your LAN clients would use your AD controllers for DNS & DHCP, and your pfSense box as the gateway.  That's it.
  • Is there a way to run owncloud on a pfsense box?

    6 Posts, 0 Votes, 3k Views
    Has anyone managed to get the OwnCloud Client to run in pfSense? I'm thinking I could use it to backup our configuration files automatically.
  • User Password Maximum Length/accepted characters?

    4 Posts, 0 Votes, 2k Views
    It's probably 128 characters: "Its total length must be less than _PASSWORD_LEN (currently 128 characters)." http://www.freebsd.org/cgi/man.cgi?query=passwd&apropos=0&sektion=0&manpath=FreeBSD+8.3-RELEASE&arch=default&format=html
  • 4 Posts, 0 Votes, 1k Views
    jimp
    As the saying goes: Patches accepted. I don't see anyone here going through the trouble, but if the code shows up…
  • Random Crashes/Lockups

    6 Posts, 0 Votes, 1k Views
    stephenw10
    Odd that you added the card months ago but the problems only showed up in the last few weeks. I suspect you have worked around the problem rather than repaired it. By removing the Atheros card you will have switched up the system resources, possibly freeing some RAM etc. You will have reduced the power draw on certain components. Most likely you opened the case to remove the card and moved everything slightly, cables, connectors etc. Anyway, glad you're not suffering lockups any more! ;) Steve
  • Please help with system logs

    2 Posts, 0 Votes, 1k Views
    @DaReaLDeviL:
    Jun 3 08:21:25 miniupnpd[98076]: SSDP packet sender 192.168.1.199:64391 not from a LAN, ignoring
    Jun 3 08:21:25 miniupnpd[98076]: SSDP packet sender 192.168.1.199:64391 not from a LAN, ignoring

    You appear to be using a routing daemon of some kind, are you running RIP? Without knowing your exact routing setup, I'm just guessing, but you could probably prevent these log entries with a firewall rule on your LAN interface since they are all from the same IP and port… but if you are actually using UPnP on your network then filtering it out of your router could break things. (I suspect it won't, but what do I know?) I'd try a rule like this:

           ID  Proto  Source         Port   Destination  Port  Gateway  Queue  Schedule
    block  *   IPv4   192.168.1.199  64391  LAN Address  *     *        *

    @DaReaLDeviL:
    Jun 3 08:20:20 dnsmasq[12752]: read /etc/hosts - 32 addresses
    Jun 3 08:09:07 dnsmasq[12752]: read /etc/hosts - 32 addresses

    This one I can't help with other than to suggest you double-check all your dnsmasq settings? Maybe reboot the router to see if it clears up?
  • LAN works fine but can't get Internet connectivity over WAN

    8 Posts, 0 Votes, 5k Views
    @kpa: Remove the LAN gateway in the LAN interface settings. It is an error to have a gateway for the LAN network because there's no other way out of the LAN network than the pfSense router itself.

    AWESOME! This was the issue. Looking back, the 192.168.1.1 gateway was set to default … I removed the bogus gateway and bam, we're up and running! Thanks a lot!
  • Modem (ISP) to pfSense to Server to routers

    3 Posts, 0 Votes, 838 Views
    Would I have to bridge the connection/how do I set it up that way?
  • 1 Post, 0 Votes, 515 Views
    No one has replied
  • CSRF check failed. Either your session has expired….yada yada yada

    5 Posts, 0 Votes, 13k Views
    Have this issue from time to time with Firefox (latest versions, both for Linux and for Windows). Closing the browser (which clears cache, cookies, offline website stuff and so on and so on) and starting a new session resolves the problem every time…
  • [1:1 NAT] cant reach my machines from internet

    18 Posts, 0 Votes, 3k Views
    stephenw10
    Aha! Yes that is a step forward. It's showing as 'pass' because it's matching the pass rule you set up to allow the forwarded traffic. Ok, so that confirms that the box is receiving the traffic on the virtual IP, NATing it to the internal address and allowing it to pass through the WAN firewall. Yet you aren't seeing it at the server? Could you have some asymmetric routing issue? Perhaps the returning traffic is not matching the open firewall state? Do you have a rule to allow the return traffic if it isn't? Anything in the firewall logs to show that? Edit: What is your current WAN firewall rule? Reading back I see that your original rule was for IPv4/TCP only which won't allow ICMP (ping). Steve
  • Converting From Windows Server 2008 R2 to pfSense.

    4 Posts, 0 Votes, 1k Views
    Please don't double-post questions: https://forum.pfsense.org/index.php?topic=77730.0
  • PFSense Dansguardian + LDAP

    2 Posts, 0 Votes, 986 Views
    @pfissedoff: Good morning, I am having trouble with configuring this scenario… I have squid + dansguardian authenticating users with LDAP. What I would like to do is implement different levels of filtering depending on what group they are a member of, but the documentation is scarce. I have set up dansguardian with the ACLs that I need to apply to a user depending on what group (eg student, staff etc) they are in. Please could somebody point me in the right direction? or documentation? Thank you for your time!

    BUMP
    Running PFSense 2.1, Squid 2.7.9, Dansguardian 2.12.0.3
    Would like to implement multiple groups (Default and one extra group) to apply a stricter set of ACLs to one group. Need documentation or step by step tutorial… I have created ACLs but when I create the group based on my LDAP group it does not populate users and the DG service fails to start again until the group is removed.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.