• NAT Reflection

    5
    0 Votes
    5 Posts
    2k Views
    B
    Wanted to put my two cents into the NAT reflection necessity. I just replaced my existing firewall with pfSense and have a formal server DMZ for servers that are publicly available and a guest wireless DMZ in addition to the external and internal interfaces. I initially created "no-nat" rules to allow desired traffic from the wireless DMZ to the server DMZ and the associated firewall rules. I configured the DNS forwarder to intercept my internal and publicly available domains to be resolved using split DNS. The situation I ran into that required NAT Reflection to be enabled for all the publicly available servers in the server DMZ had to do with mobile devices (Apple devices like iPhones and iPads, but I did not test with anything Android based). The issue was an inconsistent user experience when browsing to the publicly available sites while on the guest Wi-Fi. If the device had not connected to the site before and did so while on Wi-Fi, it was fine. However, when the device was no longer on Wi-Fi, the internal DNS address was still cached on the mobile device, resulting in the page not being able to load. The opposite scenario was also true (access the site externally, then attach to the guest Wi-Fi and have it not load). The only quick solution I found to this from the mobile device side was to put the device in airplane mode and then disable airplane mode. Enabling airplane mode flushes the DNS cache of the device and allows the correct address to be queried and the site to be loaded. Of course this was only a per-scenario solution, as the user has to enable/disable airplane mode whenever they arrive at or leave the building. While this is not a pfSense problem by any means, IMHO a user should not have to go through this extra step, which they do not understand and will probably not remember to do anyway. In the case I described above I feel that NAT Reflection is the only solution that allows access and still maintains a secure network design.
Thanks, Brian
  • HELP IN WAN CONFIGURATION WITH ACT BROADBAND(Bangalore India)

    1
    0 Votes
    1 Posts
    514 Views
    No one has replied
  • PfSense 2.3.2 - squid & squidguard - LDAP - missing single sign on

    1
    0 Votes
    1 Posts
    861 Views
    No one has replied
  • PfSense 2.3 TFTP server

    8
    0 Votes
    8 Posts
    16k Views
    D
    So do I unwind the FreeBSD mods after I install TFTP?
  • Why does everything run as root?

    6
    0 Votes
    6 Posts
    2k Views
    DerelictD
    Probably should have gone to Jim so I'll do that. ;)
  • PfSense as a VMware VM and 10Gbps / 20Gbps

    2
    0 Votes
    2 Posts
    737 Views
    T
    If you use server grade network interface chips/cards that support SR-IOV and your CPU/Mobo supports IOMMU then you can have almost (like 95%) native performance. Without knowing your specs I don't know if it will work, but you could definitely do it with a fast CPU.
  • Problems after change IPs - help me…

    7
    0 Votes
    7 Posts
    2k Views
    jahonixJ
    It's not important why it seemed to have worked in the past. Johnpoz already described how to set it up correctly. Use that and create a working system, don't you think? BTW: you can create your "groups" with "aliases" in pfSense.
  • Equation Group Toolkit

    4
    0 Votes
    4 Posts
    2k Views
    V
    Excellent news, thank you!
  • How to get youtube real access url in squid access log

    3
    0 Votes
    3 Posts
    3k Views
    D
    Thank you for replying to me, guardian. I'm using pfSense 2.3.1-RELEASE-p5 (amd64) as a web content filter. There is a requirement: when any user accesses YouTube and plays a video, we want to know what URL that user accessed. I'm using authentication in this squid config. When I monitor that YouTube URL it looks like this: " video-sit4-1.xx.fbcdn.net:443 ". This is the output of the lightsquid package. Please let me know how to get the real URL of the video that the user accesses.
  • Nginx 400 bad resquest

    1
    0 Votes
    1 Posts
    896 Views
    No one has replied
  • Router's connection stop with double adaptor cable over 2 metres

    13
    0 Votes
    13 Posts
    3k Views
    jahonixJ
    @johnpoz: … 10/100 ... These Y-Adaptors use two of the 4 pairs in a CAT5 cable for each jack. This gives a maximum of 100Mb per host and that's why I linked such a switch. That's all. This is probably such an adaptor: [image: 41-hOHtyEyL._SY300_.jpg] and that's how it's wired: [image: YS-U11-D.JPG]
  • Startup step "cleaning backup cache" lasts a long time

    6
    0 Votes
    6 Posts
    3k Views
    A
    @heper: Diagnostics / Backup & Restore / Config History, click the + on Configuration Backup Cache Settings. You can adjust the number of backups to keep. Thanks for that. Assuming the default is 30 backups and that is what was taking so long to process during boot, I've changed it to 5. I only had 1 previous configuration history recorded here (from yesterday), presumably because I deleted all the others. I'm not sure if an excessive boot delay caused by cleaning the backup cache is normal or not (my router has an SSD, so it shouldn't be due to slow disk I/O). Surely there would be more complaints if this was a usual occurrence. Anyhow, I'll see if 5 backups helps boot times.
  • Snort crashing with FATAL ERROR:

    2
    0 Votes
    2 Posts
    724 Views
    B
    I did a Services / Snort / Update Rules - Force Update and that seems to have fixed it.
  • Problem creating VIP and make Redirect Port

    2
    0 Votes
    2 Posts
    424 Views
    KOMK
    https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
  • Using a VDSL Router for WAN - Please Help with My First SOHO Setup!

    2
    0 Votes
    2 Posts
    1k Views
    G
    Here are my comments:
    1. You are going to be doing double NAT, once through pfSense and again through your DSL router. While this works for many applications, it will break some. You'd be far better off putting your DSL router into bridge mode, if possible, so that it is basically operating at layer 2.
    2. Using your DC for DHCP and DNS is not a problem. Just configure DNS on your DC to forward unresolved DNS requests to some DNS server that has access to public DNS. You could point it to your pfSense box, or straight to something like Google DNS (8.8.8.8).
    3. You can access your DSL router's admin page at 192.168.1.254 (provided you haven't put it in bridge mode) by going into pfSense and disabling the WAN check for bogus networks, since pfSense, by default, would block access to a private 192.168 IP address on its WAN side.
    4. No DHCP relay needed.
  • PFSENSE VLAN

    2
    0 Votes
    2 Posts
    808 Views
    johnpozJ
    Well, it's your switch config. If you're going to put a VLAN on your LAN interface (eth1), then what is the ID of this VLAN? You configured that switch port to carry that VLAN tagged. What is the native or untagged VLAN on the port for your normal "lan" network? So does your DMZ also connect into this switch? But sure, let's call your LAN network VLAN 1, which is the common default VLAN for management/data etc. Then you create a VLAN 100. So the switch port connected to eth1 would have untagged or native VLAN 1, with tagged VLAN 100. Then if you wanted some device on your network to be in this VLAN 100, that switch port would be configured for untagged or native VLAN 100, and that is it.
  • Custom RRDgraphs

    5
    0 Votes
    5 Posts
    2k Views
    G
    I made a patch for 2.3.2  pfSense version for a CPU temperature graph for the above mentioned old thread. I used a lot of it but changed some things. I am not a programmer so things could be better. ;) This patch is for a quad core N3700 CPU. --- /etc/inc/rrd.inc 2016-08-21 23:05:29.707358000 +0200 +++ /etc/inc/rrd.inc.modified 2016-08-21 23:44:15.376961000 +0200 @@ -242,6 +242,7 @@ $spamd = "-spamd.rrd"; $proc = "-processor.rrd"; $mem = "-memory.rrd"; + $cputemp = "-temperature.rrd"; $mbuf = "-mbuf.rrd"; $cellular = "-cellular.rrd"; $vpnusers = "-vpnusers.rrd"; @@ -274,6 +275,7 @@ $rrdlbpoolinterval = 60; $rrdprocinterval = 60; $rrdmeminterval = 60; + $rrdcputempinterval = 60; $rrdmbufinterval = 60; $rrdcellularinterval = 60; $rrdvpninterval = 60; @@ -291,6 +293,7 @@ $lbpoolvalid = $rrdlbpoolinterval * 2; $procvalid = $rrdlbpoolinterval * 2; $memvalid = $rrdmeminterval * 2; + $cputempvalid = $rrdcputempinterval * 2; $mbufvalid = $rrdmbufinterval * 2; $cellularvalid = $rrdcellularinterval * 2; $vpnvalid = $rrdvpninterval * 2; 
@@ -733,6 +736,49 @@ /* End Memory statistics */ + /* CPU Temperature */ + /* the CPU Temperature gathering function */ + /* This is for a Pentium N3700 and coretemp which reports 4 cores */ + /* CPU Temp, create the CPU Temperature database */ + if (!file_exists("$rrddbpath$ifname$cputemp")) { + $rrdcreate = "$rrdtool create $rrddbpath$ifname$cputemp --step $rrdcputempinterval "; + $rrdcreate .= "DS:cpu0temp:GAUGE:$cputempvalid:-273:5000 "; + $rrdcreate .= "DS:cpu1temp:GAUGE:$cputempvalid:-273:5000 "; + $rrdcreate .= "DS:cpu2temp:GAUGE:$cputempvalid:-273:5000 "; + $rrdcreate .= "DS:cpu3temp:GAUGE:$cputempvalid:-273:5000 "; + $rrdcreate .= "RRA:AVERAGE:0.5:1:1200 "; + $rrdcreate .= "RRA:AVERAGE:0.5:5:720 "; + $rrdcreate .= "RRA:AVERAGE:0.5:60:1860 "; + $rrdcreate .= "RRA:AVERAGE:0.5:1440:2284 "; + $rrdcreate .= "RRA:MIN:0.5:1:1200 "; + $rrdcreate .= "RRA:MIN:0.5:5:720 "; + $rrdcreate .= "RRA:MIN:0.5:60:1860 "; + $rrdcreate .= "RRA:MIN:0.5:1440:2284 "; + $rrdcreate .= "RRA:MAX:0.5:1:1200 "; + $rrdcreate .= "RRA:MAX:0.5:5:720 "; + $rrdcreate .= "RRA:MAX:0.5:60:1860 "; + $rrdcreate .= "RRA:MAX:0.5:1440:2284 "; + $rrdcreate .= "RRA:LAST:0.5:1:1200 "; + $rrdcreate .= "RRA:LAST:0.5:5:720 "; + $rrdcreate .= "RRA:LAST:0.5:60:1860 "; + $rrdcreate .= "RRA:LAST:0.5:1440:2284 "; + + create_new_rrd($rrdcreate); + unset($rrdcreate); + } + + /* enter UNKNOWN values in the RRD so it knows we rebooted. 
*/ + if (platform_booting()) { + mwexec("$rrdtool update $rrddbpath$ifname$cputemp N:U:U:U:U"); + } + + /* the CPU Temperature gathering function */ + $rrdupdatesh .= "CPUTEMP=`$sysctl -n dev.cpu.0.temperature dev.cpu.1.temperature dev.cpu.2.temperature dev.cpu.3.temperature | "; + $rrdupdatesh .= "cut -c-2 | tr '\n' ':' | sed 's/.$//'`\n"; + $rrdupdatesh .= "$rrdtool update $rrddbpath$ifname$cputemp N:\${CPUTEMP}\n"; + + /* end CPU Temperature gathering */ + /* mbuf, create mbuf statistics database */ if (!file_exists("$rrddbpath$ifname$mbuf")) { $rrdcreate = "$rrdtool create $rrddbpath$ifname$mbuf --step $rrdmbufinterval "; For easy implementation use the "patches" package. [image: CPUtemp.png] [image: CPUtemp.png_thumb]
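Review bot: in the last hunk (@@ -733), the gathering command `cut -c-2` keeps only the first two characters of each `sysctl -n dev.cpu.N.temperature` value (which FreeBSD prints as e.g. "45.0C"), so any reading of 100 or more is recorded as "10" and a single-digit reading becomes "9."; stripping at the decimal point instead (`cut -d. -f1`, or `sed 's/\..*//'`) would record the value correctly for any magnitude. The same block hard-codes four data sources (`DS:cpu0temp` to `DS:cpu3temp`), four `U` fields in the reboot update and four sysctl OIDs, as its comment admits, so on a CPU with a different core count every `rrdtool update` will carry the wrong number of fields and fail; building the DS list and the sysctl list from the number of `dev.cpu.N.temperature` OIDs actually present would make the patch usable beyond the N3700. Minor: the comment `/* the CPU Temperature gathering function */` appears twice in this hunk, once above the create block and again above the update command, and the first copy should go.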
  • 0 Votes
    6 Posts
    1k Views
    H
    My 3.1GHz Haswell i5 with an Intel i350-T2 NIC is getting 2Gb/s (1Gb bidirectional) with NAT and traffic shaping on out-of-the-box pfSense, while hovering at about 10% CPU. If I disable traffic shaping, it's about 5% CPU. When it comes to a firewall, the NIC is the most important part. You must get a high quality one that has good driver support.
  • NOOB Questions - DHCP & hardware - prior to building pfSense box

    1
    0 Votes
    1 Posts
    588 Views
    No one has replied
  • Newbie - Issues with data both LAN and Wireless

    1
    0 Votes
    1 Posts
    681 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.