• Layer-3 Switch and PFSense

    3
    0 Votes
    3 Posts
    2k Views
    D
    @stephenw10: The default firewall rule on LAN only allows traffic from within the LAN subnet. So if your traffic has been routed from some other subnet (VLAN 10) then it will be rejected. Alter or add rules to allow this. Steve Ugh, how could I have missed something so obvious. Thanks so much for your time – this was my issue!
  • Have a question

    2
    0 Votes
    2 Posts
    874 Views
    J
    Usually after saving a new config, there will be an Apply Changes button; if you did apply, it should work.
  • Pfsense maximum throughput

    24
    0 Votes
    24 Posts
    6k Views
    ?
    Great software! Thank you very much Steve
  • Auto renew WAN IP when gateway down on esxi.

    1
    0 Votes
    1 Posts
    681 Views
    No one has replied
  • Co-Branding PFSense

    3
    0 Votes
    3 Posts
    1k Views
    stephenw10S
    ^ Exactly. The re-seller arrangement is currently being revised I believe so there's not much info on the website. Just contact ESF directly, I'm sure they can sort you out. Steve
  • Multiple ARP addresses… Major Problem!

    4
    0 Votes
    4 Posts
    1k Views
    K
    Isolated the problem yesterday to a machine on my network with an IP address and matching MAC address that was the "spoofer" … Even though I know there is a machine on my network, I do not know where the machine is. Will be onsite going from machine to machine looking for the spoofing system. From what I have read over the last few days, there is really no way for pfsense to stop this type of attack. Many say that it must be done through a managed switch or to statically assign the network parameters on each workstation in the building. It would be nice if there was a way that pfsense could stop this from happening. Anyone ever run across this and what solution did you use? Thank you Kell
  • PfSense Memory Reporting

    3
    0 Votes
    3 Posts
    1k Views
    D
    Of course! Heh… I have way too many images of pfSense floating around on my computer, and I'm too used to installing it onto embedded machines with very little memory. smacks self on head
  • Disabling system log messages from showing on prompt

    1
    0 Votes
    1 Posts
    543 Views
    No one has replied
  • Compression of data

    4
    0 Votes
    4 Posts
    2k Views
    M
    How about this feature for squid? Would this work? https://code.google.com/p/squid-ecap-gzip/
  • HTTP/HTTPS web filtering by IP series

    2
    0 Votes
    2 Posts
    653 Views
    E
    HTTP blocking with different blocking groups is relatively simple to set up. HTTPS is a bit more difficult… I struggled with getting HTTPS filtering set up at our school for a couple of months toward the beginning of this school year. The way I ended up setting it up is by using the "SSL man in the middle Filtering" in the Squid3-Dev package. Unfortunately, this throws certificate errors unless you install a CA cert from pfSense. It's a pain to set up (need to install the CA cert on each individual computer), but once it's in place it works. As far as I know (unless you go the route of DNS-based filtering such as OpenDNS) there is no way to do completely transparent HTTPS filtering without needing to install a certificate on each computer. As for having different blocking groups, you can most certainly do this with Squid. (I use Squidguard here for blocking, by the way, so I'm not familiar with the blocking package used in the tutorial you linked). Under the "Groups ACL" tab you can create a new group, and set up which IP addresses it is applied to (you can do individual IPs, or whole subnets... I just do 192.168.4.0/24 to apply it to the whole .4 subnet). Hopefully that helped some... At what point are you in the setup? Have you gotten the proxy working yet for at least HTTP?
  • ARP entries shown twice for bridged interfaces

    3
    0 Votes
    3 Posts
    1k Views
    H
    ARP reports all known MAC addresses on a given interface. Bridging is essentially like a switch, so the original MAC address of the device on a separate segment is still used. To me, this is a valid report.
  • Custom Dynamic DNS

    2
    0 Votes
    2 Posts
    1k Views
    I
    Apparently I had a space at the beginning of the URL string, this was causing the error and is now working.
  • Torrents kill the box

    7
    0 Votes
    7 Posts
    2k Views
    W
    Thanks for the feedback. Torrenting from any machine tanks the server, I think I already mentioned that. I'll try using a different virtualization solution to see if anything changes. Thank you.
  • Lots of states and reading pftop

    2
    0 Votes
    2 Posts
    2k Views
    H
    I may have found what I was looking for: http://lists.pfsense.org/pipermail/list/2012-April/001952.html Looks like an established TCP connection has a VERY long time out. So my question is what benefit does this give me? Assuming my router can handle it, how can I use this to better manage/troubleshoot/diagnose/etc? I assume there is a reason for such long time outs. I think I read before that idle connections will get evicted if the state table starts getting full, so these states shouldn't hurt anything. Thanks!
  • Pfsense unusual application

    9
    0 Votes
    9 Posts
    2k Views
    stephenw10S
    Which aspect does it negate? The Windows 7 OS would not have connectivity. You are simply using the Windows driver to establish a layer2 connection via wifi. As long as you've removed IPv4 and IPv6 from the NIC then there will be no layer3 connection. You may want to remove any other layer3 protocols like netbios etc. The problem might be that the Windows wireless connection manager tries to establish an IP connection and then freaks out when it can't. You can probably do it manually in the driver properties if that's the case. It shouldn't do though because you can connect to a wifi network that doesn't have a DHCP server. In that case you can connect but have no IP connectivity unless you set a static IP. Steve
  • Can't get the LAN to work.

    4
    0 Votes
    4 Posts
    1k Views
    B
    Alright. I'm sorry I didn't keep you updated on this, but the problem was that the operating system was corrupt. All I did was a quick reinstall and that got the job done.
  • Issues with some mobile videos

    3
    0 Votes
    3 Posts
    879 Views
    K
    Thank you!! You solved a major issue for me!
  • Enable Remote Logging / Firewall events

    1
    0 Votes
    1 Posts
    476 Views
    No one has replied
  • Squid + squidguard blocks website

    2
    0 Votes
    2 Posts
    877 Views
    J
    When adding a website to the allow list, you need to click Save, and afterwards go to the Squid page and click Apply. Always click APPLY.
  • LAN connection drops all the time

    17
    0 Votes
    17 Posts
    5k Views
    stephenw10S
    Yes, rogue DHCP servers can be a huge PIA!  ;) Another user here experienced a similar thing except that the rogue server turned out to be a mobile hotspot application running on an iPhone. The user whose phone it was didn't even realise it was running and of course it was only there during work hours when diagnosing stuff is most difficult. Always worth remembering that story when things are looking really weird. Check the MAC of the DHCP server, you can see if it's the correct one instantly and if it's not you can find out the manufacturer which gives you something to look for. Of course that doesn't help if it's a malicious attack where the rogue server has spoofed your own MAC. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.