small bump.

Hello, So after thinking and reading, I will not go away from pfsense. It has a great captive portal system, that i will not missing. I will try to establish the same like doktornotor and I hope this is working with capitve portal as well? And when I put my second Box into "AP"-Mode where can I configure the sync to the master? When the second box is in sync with the master, will it work with captive portal, so that users can log in on box A and Box B. And do they have to reauthenticate when they switch from box A to B or visa versa? Thank you for your help and your nerves.

So you only see one gateway? A common mistake is assigning a gateway on the LAN interface which becomes the system default and breaks routing. Have a look in the PPP log. Do you see the modem connecting correctly, the username/password being authenticated, a public IP being handed out? I assume that the modem is known to work, that you've tested it under some other OS, that it is in contract/has credit? Steve

Sounds like you should additionally read the documentation that comes with your webserver concerning virtualhosts.

doing: find / -name openssl revealed a different openssl version in /usr/local/bin/openssl that was exploitable, so I did need to upgrade

You would forward 1 or more ports in to the pfSense WAN and make OpenVPN server/s listening on pfSense WAN. You could have 2 servers - 1 that provides routes to both DMZ and LAN subnets. And give the different groups of people clients keys for the relevant OpenVPN server. That would eliminate those customers from seeing a route to the LAN at all. They should be able to use their domain username/password for connecting to the OpenVPN server. Then put firewall rules on OpenVPN (you will probably need to assign an interface to each OpenVPN so you get a separate Firewall Rules tab for each OpenVPN server) to restrict which IP addresses are allowed to be reached. When people connect to a file share on the server/s they will need to use ordinary Windows authentication - their domain username/password.

I go the the relevant LAN in pfsense and forward this to my server. But it will not go through. Normally you make the port forwarding entries on pfSense WAN interface, for traffic with destination WAN address, port nnn, and forward to some address that happens to be in an internal LAN.

Thank you for that hint. Now I have tried activating multiple queuing also. It seems to be stable.

@doktornotor: You need to configure both DNS and DHCP, plus actually make the wpad entry resolve via DNS, since it is blocked by default on Windows DNS servers. http://technet.microsoft.com/en-us/library/cc995158.aspx Thank you for your help! I've added a CNAME to reflect the WPAD in pfsense and also configured that address into DHCP. It started working like a charm.

Hmm. Are you running Squid in pfSense or doing any layer 7 filtering? Do you see anything in the firewall logs when a mobile device trys to connect? Is there a distiction between http and https sites? With the current Heartbleed crisis it's likely that ssl certificates are being revoked all over. Just a guess. Steve

Thanks!  That's the ticket.  I appreciate the tip.

So you found it? [image: intro12.gif] ;D 8) :-*

OK, possible explanation found. I am running the bind package with some slave zones, and the timestamp of newest zone database file coincides with the 'Last config change' timestamp.

@Atlantisman: Yes, you can push a full gig through pfsense, i do it all the time. I believe it is recommended that you have at least a 3Ghz CPU. Recommended but not required.  I think those numbers were based on Netburst cores.

Yup, found those after I posted.

Is that a full install? NanoBSD? What sort of platform? Everything we've tried has been OK as far as I've seen.

Ah, OK. I don't have bogons blocked on internal networks no. However all of my LAN rules are using LAN subnet(s) as the source rather than any, they're IPv4 rules though. I have found one IPv6 entry in my firewall log, a blocked outgoing ICMP6 packet from my OpenVPN interface. Seems reasonable!  ;) Steve

@dirknina: Thank you for your input on the cpu i was looking for a low power usage cpu. I also wanted a low power cpu so I use an Atom. I figure in 5 years time I'll get a new box. @dirknina: For the swicthes i want control so ill go managed just have to decide Netgear or TPlink. Or Cisco. I have an SG-200-08. There are others in the range. More $ than some of the others but good reputation. @dirknina: how many Vlans/ subnets would i need. Up to you. E.g. you could have all xbmc's on one vlan, all servers on another. Or every individual device on an individual vlan. I have an 8-port switch so I have 7 or 8 vlans, one for each switch, but I only use half. The more you use, the more configuration you need to do. There are ways to simplify this, using floating rules and aliases. @dirknina: all my xbmc's and severs would have static ip's, but how would i go and make the privet ones to be hidden from all save for my main work station. @dirknina: The 4 access points how would i go and make 1 privet/hidden broadcast and one guest broadcast. It's all set by firewall rules. You can set aliases for ranges/groups of IP addresses and pass/block ranges etc. This is what I do, to allow certain devices full access, other devices restricted or time constrained access, and some devices almost no access except to one or two IPs. pfSense is very configurable.