• Rule for WAN interface to check for connection and connect if not up?

    1
    0 Votes
    1 Posts
    586 Views
    No one has replied
  • PfSense High CPU Load Out Of Nowhere

    6
    0 Votes
    6 Posts
    4k Views
    stephenw10S
    The hardware offloading features available in the System: Advanced: Networking: section of the webgui do not include a complete TOE as referenced in that Wiki page. They only offload smaller functions: TSO, LRO and checksum. It looks like there is at least some support for TOE in FreeBSD but you would need to enable it manually in pfSense. Importantly I have no idea how it would interact with pf. As referenced in the wiki article once you've handed off the entire TCP stack to hardware much of the OS internal networking features are by-passed. It could be potentially completely redundant in pfSense. Steve
  • Block all traffic on an interface except HTTP/HTTPS (Layer 7)

    3
    0 Votes
    3 Posts
    1k Views
    K
    All of the methods people use to try to examine and filter the contents of HTTPS amount to a MITM attack.  Which is about the same as breaking HTTPS.
  • Gateway address is a part of the subnet

    6
    0 Votes
    6 Posts
    1k Views
    DerelictD
    Tell them what you want.
  • Transparent Firewall with 2 redundant Hosts

    1
    0 Votes
    1 Posts
    574 Views
    No one has replied
  • Adobe - metafile download failed

    3
    0 Votes
    3 Posts
    986 Views
    S
    It looks like it's HAVP as when I remove never_direct allow all;cache_peer 127.0.0.1 parent 3125 0 name=havp no-query no-digest no-netdb-exchange default; from the integrations box, it then successfully downloads. I've now added .adobe.com/ to the whitelist and it seems to be working fine. Any ideas why this is happening in the first place? Detect broken executables is turned off.
  • Out of State Packets

    5
    0 Votes
    5 Posts
    1k Views
    KOMK
    Good stuff.  Thanks a lot, Jim!
  • Load Balancer showing wrong Status when using Aliases for the port

    4
    0 Votes
    4 Posts
    1k Views
    S
    Unfortunately no, and even for me using single ports the monitor just always shows the balancer as unknown status :(. I tried numerous guides and setups and none of them work for me on my 2.1 box, so I just gave up on it.
  • Interaction with modems

    11
    0 Votes
    11 Posts
    2k Views
    M
    First thanks for all replies. The strange thing is that this setup is working (apart from https). I have luck that my private lan has another subnet than 192.168.1.0/24 (I never use that!). Here is a (censored) extract of netstat -r:
        default          z.y.x.5.cust UGS        em1
        z.y.x.5.cust link#3            UHS        lo0
        5.x.y.z/32  link#3            U          em1
    As you can see default gateway is the same address of pfsense… but it works! And, I can reach also 192.168.1.1, probably thanks to default route. Now I will try to configure modem as bridge or static ip, anyway I would like to understand this thing. It is a dlink dsl320-b
  • Quickest way to switch on/off WIFI interface, OpenVPN, etc.

    6
    0 Votes
    6 Posts
    1k Views
    stephenw10S
    Hmm, not quite sure what to suggest here. A directional antenna perhaps? An external access point would almost certainly be easier. I'm tempted to suggest a tinfoil hat.  :P Steve
  • PfSense as NAT on Virtual Server

    1
    0 Votes
    1 Posts
    566 Views
    No one has replied
  • Isolated and controlled guest wireless

    3
    0 Votes
    3 Posts
    892 Views
    H
    That's definitely what I'm going to end up doing. What about the P2P and website filtering? How would I achieve that?
  • Disk is full - DHCP stops working

    4
    0 Votes
    4 Posts
    2k Views
    P
    I guess I don't really understand the "filesystem/mounted on:" that is displayed when issuing df. "Filesystem" is the actual device that contains some dirs and files - an actual partition on a disk (these days "disk" means spinning disk, CF card, SD card, SSD or even memory-resident virtual-disk). That is physical space that can (and does) fill up. "Mounted on" is the place in the logical dir tree that the physical "disk" appears - e.g. partition "/dev/ad6s1" files are found in "/var/squid"
  • Can’t Connect to Port 25

    5
    0 Votes
    5 Posts
    2k Views
    K
    Here are my hmailserver settings and my results using mxtoolbox to connect to my mail server. [image: hmailserver-MyComputer.jpg] [image: hmailserver_internet.jpg] [image: IP_Range_SMTP.jpg] [image: mxtoolbox-mail-test.jpg]
  • Best way to find out the top source IP addresses from the State Table?

    2
    0 Votes
    2 Posts
    2k Views
    C
    You may find the 'pftop' console command helpful.  Like the normal 'top', it's interactive by default, but it can be scripted as well.  There's a man page here: http://www.eee.metu.edu.tr/~canacar/pftop/pftop.8.html, though I'm not sure the pfSense pftop is in sync with the one described there.  The help text from pftop in a recent 2.2 snapshot:
        pfTop Help
          c  - toggle state Cache            f  - set state Filter
          h  - Help (this page)              n  - set Number of lines
          o  - next sort Order               p  - Pause display
          r  - Reverse sort order            s  - Set update interval
          v  - next View                     q  - Quit
          0-8 - select view directly
          SPC - update immediately
          ^L  - refresh display
          ^G  - clear command entry line
          cursor keys - scroll display
        Sorting shortcuts:
          A  - Age            B  - Bytes          D  - Dest. port
          E  - Expiry         F  - From           N  - None
          P  - Packets        S  - Src. port      T  - To
          R  - Rate           K  - peaK
  • WAN traffic

    2
    0 Votes
    2 Posts
    784 Views
    jimpJ
    WAN is everything going via WAN, so if the VPNs use WAN, then yes, the WAN graph would include the VPN's external/transport traffic.
  • Adding httpS-filtering "of the box"

    4
    0 Votes
    4 Posts
    1k Views
    H
    What you're asking for is not practical. If you want to block HTTPS, simply add a rule to block port 443. The problem is that you'll also block most major services that your users use (Google, Yahoo, Gmail, Microsoft, etc.). If you're concerned about what your users are doing behind the HTTPS layer, simply set up an SSL proxy in pfSense. That way, the connection between the client and gateway will be secured, as well as the connection between the gateway and the website. However, the proxy will still allow you to see what's happening inside the HTTPS tunnel and thus block anything that you don't want the user to have access to.
  • Block Proxy extensions on Chrome and Firefox

    2
    0 Votes
    2 Posts
    5k Views
    stephenw10S
    You can get a list of proxy IPs and block them but you will be into a never ending cat and mouse game with your users. Even if you block all available proxies there are plenty of other ways users can get a direct external connection. The way to prevent this is by setting client based policies, restrict what users can install. Steve
  • Can't reboot - ends with exec failure

    9
    0 Votes
    9 Posts
    2k Views
    S
    Hi, I checked the virtual container and it's OK, so I think it must be a corruption in the filesystem of FreeBSD / pfSense. I booted into the shell and ran fsck; it found some error but could repair. I think while it's the root. So I tried with option -f -y but no success. I also found a command to make it writeable, but it didn't work. My problem is I don't know FreeBSD. I think I have to boot from a CD and run fsck. The question is, is there an ISO to download which works well for FreeBSD / pfSense? I also ask myself where the failure comes from. I simply updated pfSense and installed Snort, nothing more on the system or custom things. Thx
  • VPN question.

    2
    0 Votes
    2 Posts
    757 Views
    P
    What traffic goes over the VPN and what goes over the normal WAN is defined by the firewall rules. So if the criteria can be defined by firewall selection fields (IP address, protocol, ports and more) then it will work. Certainly what you describe is easy.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.