Any update of this problem? Thanks Guys!

Bump.

Yeah this morning I gave up on CDs and did the USB image.  Installed perfectly first try.

@jimp: It'll be a non-issue once we're on FreeBSD 10 and the base is up-to-date. By then will the base still be up to date?  ;)

Does SQUID support listening on multiple interfaces as it can be selected but it seems it does not work? Has anyone got this to work or found a workaround?

Hello, As as an update, I expiremented with changing the source for the rule to pass traffic from DMZMGMT to LAN, and instead of DMZMGMT subnet or the single IP of the machine behind the interface, I decided to use LAN subnet, which worked, since the machine behind DMZMGMT had an IP address in the same subnet. So, if for some reason (again, maybe briding WLAN?) one wanted to put some firewall rules in place between two segments of the same subnet, this would work.  I did not leave it this way, however. I set it up to only pass ICMP and DNS from the machine in DMZMGMT to LAN, to reject all (other) traffic from DMZMGMT to LAN subnet.  So in practice, the machine can still reach the internet and download upgrades, etc.  It is also still reachable from the LAN subnet.  But, all other traffic to it should be blocked by default. stephenw10, thanks for the link to the patch.  I actually had read that thread when researching the possible issues with bridging the vlans, but had not seen the logs that showed the link state going up and down and the attempts at re-assigning the IP address, etc.  I will give the patch a try, and hopefully it will help with the stability. Thanks again for all of your help and input!  I really appreciate it.

Not by default. Not in a nice way with a clean result figure at least. You could, for example, run a script every 6 hours that downloaded and uploaded a file. That throughput would be recorded in the traffic graphs which are available on the dashboard but I doubt that's what you had in mind. Steve

Check in System: Routing: (gateways tab). Make sure you only have one gateway listed there, that it's the WAN gateway and that it's set as default. Adding a gateway to LAN really causes a number of problems. Having a gateway on LAN, although incorrect, shouldn't cause a huge problem in itself. This problem is that it's almost always the most recently added gateway and hence it becomes set as the default. Steve

@stephenw10: Ah OK. I use both Windows XP/Chrome and Xubuntu/Firefox regularly with no problems. Are you running and script blockers? Can you try Firefox? I seem to remember this bug from a while back and JimP suggesting a solution. Can't find it now.  ::) Steve Edit: Here: http://forum.pfsense.org/index.php/topic,63160.0.html ah, thanks for your help. it seems like click on the "top nav bar" before moving the cursor helps most of the time. as jim suggests. thanks!

/etc/inc/authgui.inc

How slow it is may depend on how aggressive an application is at getting a name resolved. For example I just assigned some non DNS address as the first DNS server and pinged a domain from a Windows 8.1 client.  A second DNS query was made by the client after about 20ms for which pfSense used the second DNS server and returned the domains address back to the client in under 40 ms from the time of the clients first query. Windows NSLOOKUP on the other hand is a total timeout failure that only hits the first DNS address. IE 11 name resolution results where similar to that of ping. I prefer not querying every DNS server since probably about 99% of the time the one I have listed first is the fastest anyway.  And because that is mostly due to network latency it's not likely to change.  So there is little benefit in some cases to sending all those DNS queries when the first one is going to be used anyway for the vast majority of the time. For a highly critical system it very well be required though.

Followed the guide that Mike mentioned. (For pfSense 2.0 - 2.1 has some extra features like 'Extended Query' which I left blank) Changed level from 'One' to Entire subtree now the Diagnostics:Authentication page returns 1 group… My challenge with OpenVPN and the same LDAP/AD is still on going (= not working) I am connecting remotely to the pfSense box and do not want to change Authentication Server from local DB to LSP just yet.

Small progress Adjusted Authentication server setup so that Level: Entire SubTree Authentication containers (4) CN=Users,DC=company,DC=local; OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local; OU=Security Groups,OU=MyBusiness,DC=company,DC=local; OU=Users,OU=MyBusiness,DC=company,DC=local Now Diagnostics: Authentication return a group (1 not all) User: Xxxxx authenticated successfully. This user is a member of these groups: Mobile Users OpenVPN authentication (from linux based laptop…) works if user name is in local database but NOT when trying to use a name in the AD... Any suggestions? Thx Peter

On most other devices I find myself wishing for a real shell but I know what you mean. Probably the closest thing pfSense has is the PHP shell: https://doc.pfsense.org/index.php/Using_the_PHP_pfSense_Shell Not really directly comparable though. Steve

@coreybrett: Is there a proper term for referring to the practice of assigning multiple IP addresses to the WAN interface of a router? I'm looking for the right lingo to explain my setup to the ISP. You mentioned that you have an allow rule on WAN for ICMP.  What is the destination address/ network you have listed in the rule? Your ISP does seem to be routing/ forwarding your subnet in an unusual manner.  Most will deliver in a 1 + 8 or 1 + 16 manner. i.e.  There is a separate /30 for WAN and all of the allocated static IPs in the block will be forwarded through that.  How you want to use them (Virtual IP/ routed) is up to you.

I agree OpenVPN is the way to go - but I need OpenVPN with AD authentication … and comes with it own set of challenges. The reason this one is an issue is that there is a PPTP server inside the LAN - pfSense 'forwards' to it. When the person is trying to connect to a PC on the internet (customer) using PPTP/RDP and setting up a new PPTP connection the reply coming back in from wan goes back to the PPTP server in the lan rather than the PC that initiated the connection. I found out that this is a 'known' issue and can be avoided with a second static IP etc. but I rather remove the PPTP server from the LAN and go with OpenVPN.