Thanks for the quick reply. :) it helps me.

You need 3 things to make this work. Route to each different subnet. Rule in LAN to allow such traffic. Outbound NAT rule to allow the traffic to return. I think if you get those setup, you won't have any problems. I think I wouls also turn on the advanced option to bypass firewall rule if the traffic is on the same interface.

Thank you very much jimp  :)

I have personally found BT Infinity to be wildly varying in throughput. I have the old 40/2 service but get anywhere from the expected 36-37Mbps at 2 AM to 15-16Mbps at 6 PM. Try it late at night. Try using the Windows PPPoE client directly (or whatever OS you are running). Steve

If I can get this working with a password I will post how to do this, as username only is not good security.

More information would be helpful. What name server should the LAN system be using? Is the LAN system correctly correctly for that (static IP) or getting the correct name server IP address from its DHCP server? Is the DHCP server configured to supply the correct address? Perhaps your firewall is blocking all access to the name server. Perhaps the firewall is blocking DNS access to the name server.

Some parts of the developer rules page on the dev wiki may be useful to you.  The site for it seems to be down at the moment, so here's a cached version: http://webcache.googleusercontent.com/search?q=cache:xNnNncCyXkUJ:devwiki.pfsense.org/DeveloperRules There are also other pages that may be useful.  Cached version of the main page: http://webcache.googleusercontent.com/search?q=cache:CCzm5_BWozEJ:devwiki.pfsense.org/

It is better to get get each network segment working to the internet, then you can work on getting them to talk to each other. Basically it is rules and a lack of NAT for each network to talk to each other. Without knowing what rules you have set, what NAT you have set, and the packages you have installed, it becomes a guessing game for us. LAN is going to have a default allow rule, but any OPT interfaces will not. If you have not created a rule there then opt interfaces will not have internet or any access.

Usually this is from the rate program on the realtime traffic graph getting stuck… The usual way to kick it in the rear is (via ssh/console shell) killall -9 rate If that doens't work: killall -9 php; killall -9 lighttpd; /etc/rc.restart_webgui

While we don't technically support that in the GUI, the underlying OS is perfectly capable of doing that. It can take a little hacking to make it work, but it can be done.

On 2.1 you can adjust the "retries" on the pool. And there is a Settings tab with settings for the interval and timeout. You might change to a different monitor type, see if it helps.

@mklopfer: What it seemed like was happening was the web server was spending time trying to maintain dropped connections to the outside at the expense of inside connections - which should never touch the firewall.  All internal machines used an internal DNS server that specified the IP for the web server that was on the same subnet.  It looks like the symptoms we were seeing were indirectly related to the reflective NAT issue.  For some reason there were tons of connections between the server and itself trying to loop back over an external address–-my best guess is that something somewhere was hardcoded to talk over that IP.  But if that were the case, removing NAT reflection would not resolve the issue - it would still try and talk out and back and be blocked.  I'm still at a loss to the exact mechanism of the problem but any speculation to help others in the future is welcome. My guess would be that the html/php/asp is telling the client to go to http://<externalip>/internalpage.html/php/asp instead of ./internalpage.html/php.asp and as a result you where getting essentially redirected to the external ip instead of it using the internal ip from DNS. This happens sometimes when your webpage needs to load data from another page. This is generally the wrong way to setup a website IMO.</externalip>

Looks like that would reduce the amount of detail shown in the full logs. Does the firewall log view in the GUI still work properly when you have this active? I'm not sure that's a change that many people would want to make, but it's not a large change, so people can change it on their own if they like.

Ha, good to see I'm not loosing my mind. Yet.  ;) Steve

@marcelloc: @luke240778: So i am guessing that the install of Sarg somehow changed or messed up Lighttpd? Anything i can do to get this sorted out? As I told you, there are pfsense users using both. Your reply doesn't even moderately answer my question..  I am not asking if it is possible to run them both or not, i already know you can..  i am asking, from what i have already mentioned, if there is some way that the install of Sarg via command line using pkg_add has caused a problem to lighttpd?  Not at all mentioning or talking about the pfSense package of Sarg that i have later installed and is working. I just need to get this Lightsquid reports sorted and working as i find it a much nicer interface than this Sarg one that i have now got working.

It looks to me like WCCP is what we are looking for.  The problem is that we do not have Cisco infrastructure so the other option we may have to go with is an inline filter with bridged network interfaces.