• Complete noob with questions

    2
    0 Votes
    2 Posts
    972 Views
    K
    A general yes, this is doable. You will probably spend some time setting this up. So if you are easily frustrated… brace yourself :-) But after setup, you will have a robust system. Both stable and very secure. Not exposing any ports etc. to the outside world :-) I'm using Alix 2D13 with pfSense 2.1 myself. ... I'm digging a bit for you here. You can block web sites. See here: http://forum.pfsense.org/index.php?topic=43837.0 DHCP with assigned MAC locking IPs is possible. Address reservation - or better, use a DHCP with IP-pool (i.e. 192.168.1.200 - 192.168.1.240). Then use the other IPs for permanent IP-MAC reservation. For content filtering there are some tips here: http://forum.pfsense.org/index.php?topic=64432.0 Hope this helps :-)
  • Reboot pfSense with a Command/URL?

    1
    0 Votes
    1 Posts
    781 Views
    No one has replied
  • PfSense + Multiple Public IP's

    3
    0 Votes
    3 Posts
    1k Views
    R
    Could anyone explain why the process wasn't working via the webGUI or if I was incorrectly configuring the bridges in the webGUI ?
  • Slowed Packet Handling

    12
    0 Votes
    12 Posts
    3k Views
    D
    Can you confirm that this only affects the 'wifi' subnet and not the main subnet? If so, you might have to screenshot the floating rules, outbound NAT and interface rules for us to look at. Seems like something isn't going right somewhere.
  • Traffic Graph Weirdness

    1
    0 Votes
    1 Posts
    824 Views
    No one has replied
  • Crashing almost twice a day! Internet user not happy!

    1
    0 Votes
    1 Posts
    610 Views
    No one has replied
  • Boot sound once in a while

    14
    0 Votes
    14 Posts
    3k Views
    G
    Close the question. I AM SO NEWB. I had an old pfsense which kept rebooting by itself due to a hardware issue. So I changed it but left the old one there but close. After an electricity breakdown, it went back by itself. So what I was hearing was the old one rebooting. Had to switch from nanobsd to full to realize that. While the new pfsense was shut down, I heard the startup sound. DAH!!! Thanks for your help guys…. sorry
  • Can't access from WAN to LAN

    16
    0 Votes
    16 Posts
    4k Views
    johnpoz
    You sure??  I don't see your 223.134 in the trace??
    17  212.73.252.6  131.313 ms  127.157 ms  131.363 ms
    18  93.176.93.105  132.265 ms  132.466 ms  130.824 ms
    19  62.116.200.129  140.069 ms  139.443 ms  139.987 ms
  • Egress filtering best practices

    4
    0 Votes
    4 Posts
    2k Views
    ?
    Thanks for the replies / guidance on this.  I think it was ultimately a matter of questioning myself on a better way of doing it, although I suppose there is some pride to be taken in a well-defined ruleset.  ;)
  • No web-interface and no SSH

    2
    0 Votes
    2 Posts
    933 Views
    jimp
    Is the clock on your system OK? If the GUI and SSH both break the most common shared cause would be a broken clock on the system that causes cryptographic operations to break.
  • Crash/kernel panic - reboot twice in short time

    24
    0 Votes
    24 Posts
    8k Views
    M
    Troubles solved.  :) When the virtualization host has heavy I/O load (due to other virtual guests), pfsense on the IDE virtual controller has trouble and falls into a reboot or other unexpected state. After we loaded the VirtIO drivers (https://doc.pfsense.org/index.php/VirtIO_Driver_Support), pfsense is happy and we are too. But don't allow all VirtIO drivers! VTNET in our case slowed down net traffic rapidly after a few days.
    Working configs
    virtual guest pfsense: pfSense 2.1-RELEASE-pfSense (amd64)
    cat /boot/loader.conf.local
    virtio_load="YES"
    virtio_pci_load="YES"
    #if_vtnet_load="YES"
    virtio_balloon_load="YES"
    virtio_blk_load="YES"
    virtualization host Ubuntu 12.04 64bit:
    Linux xxx 3.2.0-54-generic #82-Ubuntu SMP Tue Sep 10 20:08:42 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
    qemu 1.0+noroms-0ubuntu14.11
  • RRD Data mysteriously stopped recording

    3
    0 Votes
    3 Posts
    1k Views
    T
    I also did the same thing.  I installed BandwidthD around 9:30am (judging from BandwidthD's daily graph) yesterday, and around the same time RRD stopped updating any of its graphs. After reading your post, I checked the system logs for "lighttpd" entries, and saw the following:
    Dec 1 09:23:32 lighttpd[30518]: (mod_fastcgi.c.2543) unexpected end-of-file (perhaps the fastcgi process died): pid: 31140 socket: unix:/tmp/php-fastcgi.socket-1
    Dec 1 09:23:32 lighttpd[30518]: (mod_fastcgi.c.3282) child exited, pid: 31140 status: 0
    Dec 1 09:23:33 lighttpd[30518]: (mod_fastcgi.c.3329) response not received, request sent: 1394 on socket: unix:/tmp/php-fastcgi.socket-1 for /pkg_edit.php?xml=bandwidthd.xml&id=0, closing connection
    I was going to post a question about this earlier, but now my RRD graphs seem to be updating again.  I'm just missing a chunk between ~9:30am yesterday and ~7:30am this morning. In the future, is there something that can be done to keep the process that logs RRD data running?  Or notify me if it goes down?
  • New install - interfaces configured and active but ping fails?

    14
    0 Votes
    14 Posts
    4k Views
    C
    SUCCESS! I manually assigned the interfaces to what they should be and it's all working now! :) Disabled all the other stuff in the BIOS too. I'm just using 2.03 since it's the one I already have; suppose I should get the up-to-date one before going further. Thanks for the help  ;D ;D ;D ;D ;D ;D ;D
  • Cannot add new interface, help

    19
    0 Votes
    19 Posts
    6k Views
    V
    @GruensFroeschli: @vincom: @GruensFroeschli: You don't necessarily need to assign the created bridge interface. From the description in this thread it appears as if the bridge was never created in the first place.
    That's correct, as the tuts and howto posts I've read state to create a virtual interface first, then create the bridge.
    Creating the bridge is what creates the virtual interface.
    I know that now, but the howto posts don't state that; they state to click the + sign to add a virtual, then bridge the physical opt1 and the virtual opt2, and then reassign the LAN port.
    @joebleed: I'm running the x86 version now and get the same + missing when all physical nics have been assigned. As for the op trying to bridge, I don't know why it would matter, but have you tried setting the wap's ip to static and see if it just works after that? Edit:  oh, just wondering, if you want the lan and wap bridged to the same network, why not just plug it into the switch on the lan?  Can you still control traffic between them once bridged?
    I had the extra gig NIC and made a project for myself, and in doing so learn more about pf
  • SquidGuard ssl cert error for denied page and a few other questions

    3
    0 Votes
    3 Posts
    3k Views
    J
    Ok, tried a new clean install, except I used the x86 version this time and only used squid 2 and squid guard 1.5x. Still I get the SSL cert error because it's trying to go through https. Reading this post:  http://forum.pfsense.org/index.php?topic=7317.0 I decided to force webconfig to http and not https.  I no longer get the https error and it goes directly to the error page as expected. Seems obvious, but I thought without checking the "Disable webConfigurator redirect rule" I wouldn't need to do this.  I'd still only have the https web configurator port only. Any way this can be fixed?  I'm thinking about trying some of the stuff listed in this old thread, but I don't know if that will do any good.  Could/should I change the squid port to 80?  Seems this may be asking for trouble if I do that.
  • Random crashes

    2
    0 Votes
    2 Posts
    1k Views
    L
    Not sure if this is the case, but I had random crashes when I upgraded to 2.1. I fixed it by doing a backup, doing a fresh install instead of the upgrade and restoring the backup. No crashes since, so if you did an upgrade to 2.1 I'd suggest doing a fresh install.
  • Pfsense local dns server?

    2
    0 Votes
    2 Posts
    2k Views
    C
    Found my answer hidden in the DNS forwarder settings to register local systems in DNS.
  • How to Block free gate proxy application

    10
    0 Votes
    10 Posts
    7k Views
    stephenw10
    Using Snort with a specific signature for Ultrasurf seems like a better way to do it. Maybe using Layer7 with a specific pattern. Although even using these will fail eventually, as Ultrasurf employs many techniques to disguise itself. If you look at firewalls that claim to be able to block it (Watchguard, Sonicwall), they are doing it using Layer7 pattern recognition. You can attempt to block the IPs Ultrasurf uses for its servers, but it will fail eventually as the list is a constantly moving target. Steve
  • Pfsense 2.1 Random Crash

    1
    0 Votes
    1 Posts
    833 Views
    No one has replied
  • Best way to measure performance ?

    3
    0 Votes
    3 Posts
    1k Views
    L
    @stephenw10: What most people want to know is the throughput of the box. I.e. 'If I have a 200Mbps WAN connection can hardware X pass that?'. To test that you need a box on both sides that is at least as fast as the pfSense box. A popular test utility for this is iperf; it's included in pfSense so you can use 3 pfSense boxes to test, but it's also available for other OSs. Run it as a server on a box on one side of the box under test and as a client on a box on the other side. Test the throughput. Test it in the other direction. This artificial test will give you a nice comparable number but real world bi-directional, multi-connection traffic will be different to some extent. Steve
    Thanks, I will try using iperf as instructed.  :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.