• 4G connection on Pfsense? what to use?

    4
    0 Votes
    4 Posts
    833 Views
    ruicaramalho
    Hi thanks for your questions. The Dlink is connected from a LAN port to the WAN port of pfsense. Dlink is configured as "Transparent Bridge" and is correctly giving the IP from the 4G provider. Pfsense Wan interface is IPv4 only with DHCP. The problem seems to be that it is also giving the same IP for the related gateway and interface!! Looks like the Dlink transparent mode is not giving the gateway and PFsense gets confused!! If I reset the Dlink to put it back to factory configuration, it works, giving a LAN IP 192.168.0.50 to the WAN. PS - Transparent Mode on the DWR 921 only exists as an option on the latest firmware. I can use it this way for normal internet access but I am not able to make an IPSEC tunnel through it. I really would like to connect using Bridge. Thanks
  • SSH access problem

    9
    0 Votes
    9 Posts
    3k Views
    K
    @dotdash: @kevindd992002: Any other thoughts? That directory is only writable by owner (root). Either find somewhere writable and put the files there, or chmod the directory to be writable by wheel. What exactly are you trying to do? Ok, got it. So I should just use root for everything. I'm trying to serve a proxy.pac file but was just wondering why the created user doesn't have permission on that folder. I already got the answer from you though, so thanks.
  • Apple gear name changing on the network

    3
    0 Votes
    3 Posts
    848 Views
    D
    That is a well-known Apple sh*t related to Bonjour/Zeroconf/mDNS.
  • Lots of local users. Takes up to 3 hours to boot?

    1
    0 Votes
    1 Posts
    713 Views
    No one has replied
  • Latest pfSense update causes interface/VLANs to crash on heavy traffic

    6
    0 Votes
    6 Posts
    2k Views
    J
    Replacing the RealTek device with an Intel EXPI9402PT solved the issues.
  • Tracking users' Internet visits

    7
    0 Votes
    7 Posts
    1k Views
    H
    Application level control may work better. There is a large business of parental control software that may work better.
  • 0 Votes
    9 Posts
    2k Views
    C
    Thanks for the replies guys. Getting there. I think I'll just stick with the basics of pfSense. Works stable so far.
  • Hanging after install and problem with GUI

    5
    0 Votes
    5 Posts
    1k Views
    W
    Thanks, I didn't know that! :) Anyway, that aside, it is frozen again… I've done a brand new install, new VM - I leave it idle after installing and so it is at the first screen where it says "Do you want to set up VLANs now [y|n]?", and, I just left it. I came back a few minutes later and the machine is just frozen. Does anyone know why? This is just a standard new ESX 5.5 VM on freebsd 64 base / 1 core / 1GB memory / 8GB hard drive. I can't think of anything out of the ordinary.
  • Learning the command line

    1
    0 Votes
    1 Posts
    708 Views
    No one has replied
  • Eap-tls+radius+active directory

    4
    0 Votes
    4 Posts
    950 Views
    johnpoz
    Not really…  How exactly do you expect that to work out?  Seems like extra work for no added value other than something that could fail. How exactly is a user getting a cert that you didn't give them?  Why would you give them a cert and not put them in the group?
  • 0 Votes
    8 Posts
    2k Views
    ?
    However, when I enable DHCP and NAT on my wireless access point (creating a double NAT situation), my speeds are almost tripled and everything works flawless. For sure this makes sense to me because then the both DHCP servers, one on the pfSense and the other on the WiFi Router are separated each from another and the network is working well. What's going on here?  I really don't want to enable double NAT but I am completely confused… If you are setting up the WiFi Router in the so called wireless AP mode, to act only as a normal WLAN AP, you must also turn off the DHCP server on the AP or the pfSense, or you must work it out with the DHCP relay option. But with two DHCP servers you might be getting even this or similar trouble again and again. And if on the Switch once more again a DHCP server or helper service is running you might be getting much more trouble that you won't be able to get rid of. It is the best to ensure that only one DHCP server is acting in the network or you work it out as explained above with the DHCP relay option.
  • Very slow user interface on new setup

    3
    0 Votes
    3 Posts
    1k Views
    ?
    Now on the apu1d4 though I am just running it on a plain Transcend SD card. I would more have look towards to use a mSATA or SSD otherwise perhaps a SATA-DOM that would be giving you the ability to do a full install of pfSense, together with the option to enable TRIM support and PowerD (hi adaptive) that might be a better or faster acting system than now. The interface is so slow. Everything takes forever. My personal mind will be the same as the one from @The Computer Guy, together with some cards pfSense might be having some problems at this time. There's no lag on the wired connections it's really just the user interface. I am running the most up to date version of pfsense This might be but if you are able to set up and install pfSense on a mSATA or even a SSD to do a test it would be also the best at this time as I see it right. Because if this is pending on a problem coming together with some drives you could work it out easily on this way. Does anybody have any ideas? Leave the miniPCIe slot with the SIM card free, insert a mSATA in the miniPCIe slot connected to the SATA Port and insert like you want a WiFi card in the last miniPCIe slot! I also have a lot of trouble with my wireless but I'll make that a different post. As I mentioned above you might be not able to use all miniPCIe slots as you want and for all miniPCIe cards you want in each of them. The miniPCIe slot connected to the SATA Port should be only used to insert mSATA drives in it. And in the miniPCIe slot connected to the SIM slot mostly only modems should be inserted and the last free slot you might be inserting all other miniPCIe cards such as WiFi cards. So you prevent from many more trouble that could not be solved.
  • PfSense just works out of the box for me

    4
    0 Votes
    4 Posts
    1k Views
    J
    @hguo83: please keep up the great work and don't ever sell pfSense to Cisco. depends… what are they offering?  ;D
  • Bridge WAN to LAN

    2
    0 Votes
    2 Posts
    1k Views
    ?
    NIC1 -> WAN Configure as a WAN port like you need or are able to realize over PPPoE or with a static public IP address. NIC2 -> LAN(WAN) (WAN filtered by FW/SNORT) - servers on this side use global IPs Let's call it DMZ Port, behind this port usually the DMZ switch is standing connected with some or more servers with public Internet connection. Configure it as the DMZ port with matching rules for the WAN - DMZ and DMZ - LAN and vice versa. I suggest to use and go with 1:1 NAT and virtual IPs addresses (VIPs) and then set up the Snort on the WAN Port to filter and sniff all network traffic or set it up for the DMZ port that might be then only filtering and sniffing the WAN - DMZ traffic NIC3 -> LAN3 preferably accessible to a VPN USER A thru WAN This could be a VLAN or a own subnet with his own IP address range likes; a LAN Switch with VLAN support is connected: VLAN10 - PCs - 192.168.3.0/24 (255.255.255.0) a LAN Switch without VLAN support is connected: 192.168.3.0/24 (255.255.255.0) NIC4 -> LAN4 preferably accessible to a VPN USER B thru WAN a LAN Switch with VLAN support is connected: VLAN20 - PCs - 192.168.4.0/24 (255.255.255.0) a LAN Switch without VLAN support is connected: 192.168.4.0/24 (255.255.255.0) VPN USER C would have unfiltered access to the WAN. Set up and configure OpenVPN as the following: 3 different OpenVPN IPs – the first one (A) gets a route only to the VLAN10 or for the whole subnet (CIDR) 192.168.3.0/24 -- the second one (B) gets a route only to the VLAN20 or for the whole subnet (CIDR) 192.168.4.0/24 -- the third one (C) gets full access to the entire LAN, all subnets (CIDR) I mean or all VLANs handled by rules or routes.
  • How to verify if slice duplication succeeded ?

    3
    0 Votes
    3 Posts
    805 Views
    D
    Eh. Frankly, I'd run the duplication again.
  • Is it possible with Postfix Forwarder?

    7
    0 Votes
    7 Posts
    2k Views
    K
    Thanks I will give it try see how it works  ;D
  • Does video aperture memory consume RAM ?

    2
    0 Votes
    2 Posts
    828 Views
    H
    I have someone going nom nom nom also real memory  = 8589934592 (8192 MB) avail memory = 8171061248 (7792 MB)
  • Most effective way to block outgoing traffic

    4
    0 Votes
    4 Posts
    889 Views
    H
    Just remember, you don't block data leaving an interface, you block data entering an interface. Make sure you block your undesired data from entering the firewall in the first place.
  • Do I need to delete my interfaces before creating a LAGG group?

    8
    0 Votes
    8 Posts
    1k Views
    Derelict
    If you want to start messing around with LAGG you'll probably just need to bite the bullet and get more interfaces. Amazing how you start to chew through switch ports and interfaces when you start down this road. I just had to get a 48-port switch for my home/bench. Ran out at 24.
  • Internet works on the LAN but not broadcasted on switch

    2
    0 Votes
    2 Posts
    783 Views
    johnpoz
    "through the L3 switch" So you have downstream networks from pfsense..  Does pfsense know how to get to those networks?  Have you setup nat so pfsense nats those networks, do the firewall rules allow for those other networks.  Normally when you have a downstream L3 switch doing routing you would connect that to your edge or wan router with a transit network. While you might have your downstream router pointing to pfsense as its default gateway, how does pfsense know how to get to those downstream networks??  You either need to create routes to them or run a routing protocol so pfsense learns how to get to them.  This sort of setup can also lead to asynchronous routing issues depending how everything is connected.. If for example you have a device in the 192.168.1.0/24 network using pfsense as gateway..  And he wants to talk to IP say in the 10 network, his gateway is pfsense, pfsense sends it to your L3 switch that routes it to the 10 hanging off it.. But when the 10 devices talks back the L3 switch says oh I have that 192.168.1 directly connected and just sends the traffic direct to client on that network.  So you have an asynchronous route - not good.  This is why downstream is normally connected via a transit so you don't run into that problem. Why don't you post a diagram and your network and we can work out where your problem is.. [image: downstreamnetworks.png]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.