You can try that but I don't think it will help. It behaves like some low level mismatch or limitation. Like for example the TTL limitation I mentioned. If that router only allows a limited number of clients one way they can enforce that is to prevent you using another router behind it. Steve

Port 22, so scp/ssh? Nothing special should be required. If you are still seeing that same error and the passive ports are open then the server is probably misconfigured and handing out it's internal IP to connect to. And the client is not clever enough to see that and ignore it. The Filezilla client will do that for you. Steve

@KOM thanks, I'll check !

@Gertjan Thanks for pointing me in the right direction! It was a DNS blocker.

If you just have ONE Access Point and are not interested in all the charts, logs and graphs that is generated with the controller software, just use the Apple IOS app to install and setup the access point. Since the app is FREE, it's a lot cheaper than the Cloud Key and easier than configuring the controller software. That's what I did and it works great. You can change IP addresses, update the firmware, etc all from the IOS app.

Yes, if you are using one of the other modes Squid can be in. See: https://www.youtube.com/watch?v=xm_wEezrWf4&feature=youtu.be&t=935 Steve

I prob has fix it self. I find out my phone wire is shorting out my isp fix replace the cable

Mmm, hard to see what we can do here without patching something quite low level. Ideally we would want it to remain in CARP maintenance until the states have syncd. That would probably need to be selectable though as some people will not be syncing states. We could probably force the Primary to boot into maintenance mode at every boot requiring manual intervention to failback. It would still failback automatically if the secondary went off-line entirely. Would that be in any way practical for you? Steve

Glad to hear you got it working.

The health feature would be a good idea. Although it's been over a month now and Snort has been stable with-out Service Watchdog, the problems we had with Snort in the earlier versions of pfSense no longer appear to be present. At this stage I suspect the crash may have been the result of a conflict between Snort and Service Watchdog possibly while Snort was updating.

@stephenw10 said in Use of hostname inside LAN: Yes, like that. You don't need static ARP just static DHCP mappings. Steve Got it. Thanks!

There may not be a GUI on that. pfSense its its own operating system that happens to be based on FreeBSD. You appear to have a FreeBSD system that someone manually configured to be a firewall. pfSense can't help you get any information from that. You might try posting on a FreeBSD forum for help in tracking down the information you need from that system.

Hi @stephenw10 Them is better to trust what 'top' show us insted of the GUI, right? Thanks.

Thanks Steve. I have opened a new topic here: link text

Ha, no problem.

The thought was more of a "defense in depth". If something gets through pfsense, the second firewall may catch it (or vice versa). I will take another crack at it tonight by shutting off NAT on the internal firewall. Thanks for the timely responses all.

Openappid in Snort is the only option for filtering at the application layer. If it does not detect the traffic as anything other than https there's not much you can do. There probably are blocklists available for most of that though. I would try installing pfBlockerng-dev and look at the feeds there. Steve

I mean just what configuration have you made to enforce Google safe-search. Redirects in Squid/Squidguard? Local DNS overrides? Configured in Google Chrome locally? Or something in Google remotely? Steve

Yes, setting the other router to whatever bridge mode it might have available would affect anything using it directly. Really you should look at using pfSense instead of that router and having a separate wireless access point behind it. You may be able to use the ISP router for that purpose: https://docs.netgate.com/pfsense/en/latest/wireless/use-an-existing-wireless-router-with-pfsense.html It depends what sort of connection you have and whether it has a separate modem. Steve

thanks, you are very helpful and sorry for me beeing so untalented