• libssh CVE-2018-10933

    2
    2 Votes
    2 Posts
    715 Views
    johnpoz
    Thanks jim that should hopefully hold off any posts about it. If not will have a place to point the questions to.
  • Wildcard Domain Block?

    3
    0 Votes
    3 Posts
    1k Views
    W
    @BBcan177 Proxy has regex indeed, however without SSL inspection it simply ignores anything that goes over https including those adverts. That will be a useful feature for the pfBlockerNG once implemented. Thanks for the great package btw!
  • Block and monitor

    1
    0 Votes
    1 Posts
    266 Views
    No one has replied
  • Full time connection between Pfsense and Raspberry PI

    14
    0 Votes
    14 Posts
    3k Views
    X
    thanks man.
  • Need help with setting up pfSense as a bridging firewall

    2
    0 Votes
    2 Posts
    376 Views
    stephenw10
    Do you see anything blocked in the firewall log? Do you see any states in the state table when you try to connect through it? What version of pfSense are you running? pfSense 2.4.4 is built on FreeBSD 11.2 and ESXi only supports that from v6.5 officially. https://www.vmware.com/resources/compatibility/search.php?deviceCategory=software&details=1&operatingSystems=232&productNames=15&page=1&display_interval=10&sortColumn=Partner&sortOrder=Asc&testConfig=16 Steve
  • pfsense routing help needed

    pfsense
    8
    0 Votes
    8 Posts
    1k Views
    stephenw10
    Mmm, I would think there are better ways to do this. But if you wanted to do it like this you will need to set up an OpenVPN tunnel between the two sites to route traffic across, you can't route over IPSec for this. You will need the OpenVPN interfaces assigned at least at the UK end to get reply-to states on traffic coming across the tunnel. Then: Move the VMs to the 192.168.20.0/24 subnet in the UK. That may well be non-trivial! Change your port forwards in the US firewall to point to the new internal IPs. Add policy routing rules on the UK firewall to route traffic from those VMs out via the US if that is required for traffic initiated by the VMs. Add outbound NAT rules on the US side for the 20.0/24 subnet to allow that traffic out. Steve
  • dhcpleases error in system log

    7
    1 Votes
    7 Posts
    752 Views
    emammadov
    Thank you very much for your comprehensive answer. It is highly appreciated.
  • Mitigating risk for any port-forwarding NAT rules

    6
    0 Votes
    6 Posts
    481 Views
    4
    Hey, thanks for all the replies folks. I can go either way - already have an isolated DMZ for my Chinese cameras - but I think I'll use VPN for external access and disable that NAT rule altogether. I have been leaning in this direction - the only reason I have not done it is that it is another thing I have to teach my wife to do on her phone - make sure she has a VPN session up - when she is attempting to access an internal resource on my network. I'll do some reading on setting up the vpn server feature on pfsense... Romany
  • pfsense and cisco anyconnect

    3
    0 Votes
    3 Posts
    883 Views
    4
    So does Anyconnect indicate that it's down? If it does not, then that implies there's something else going on. I would suggest you go to a DOS prompt and have a constant ping going to some internal address at your business (ping xxx.somecompany.com -t) and leave it pinging. When the problem comes back - see if your pings are still successful. If the internal host is no longer pingable then that confirms you have some type of loss of connectivity. You can also bring up your Anyconnect window - click on the "gear head" symbol - and go to statistics. You should see send and receive frames incrementing. I run Anyconnects for days thru my firewall and never have issues....
  • VLAN tag on WAN not working

    23
    0 Votes
    23 Posts
    7k Views
    stephenw10
    Did you disable checksum off-loading in System > Advanced > Networking? You can probably configure a mirror port on the switch to send all the packets going to/from the ISP to a capture device. Steve
  • pfsense WiFi MAC authentication

    3
    0 Votes
    3 Posts
    801 Views
    H
    Hi, sorry for the confusion. The diagram is just the current setup and how I would like it to work as it looks like my only option. I am not saying that the iPhone MAC address is passing through 2 routers. I would like to however know how it is possible that companies like purple wifi and wifi spark can get it to work like the way in the diagram https://purple.ai/?utm_source=google&utm_medium=cpc&utm_campaign=764304889&ppc_keyword=purple%20wifi&gclid=EAIaIQobChMIx_z_j7mI3gIVCZ3VCh29KwZIEAAYASAAEgK-I_D_BwE https://www.wifispark.com/ What type of server would they be using, windows, linux, cloud based? When I tested with purple wifi, my iPhone MAC address was passing through my router and then through purple wifi's router then onto their server. Unless it was carried out another way. I'm just looking for a free open source way of achieving this as I have over 2500 APs which can be costly if I go with purple wifi. Thanks
  • Verify download PGP/GPG keys

    7
    0 Votes
    7 Posts
    1k Views
    stephenw10
    The sha256 file is a text file containing the expected checksum. The checksum of that txt file is not expected to be the same. Steve
  • Is there a malware?

    3
    0 Votes
    3 Posts
    369 Views
    N
    thanks man I solved XDDD
  • (Solved) Want to block certain LAN clients from accessing WAN

    10
    0 Votes
    10 Posts
    1k Views
    RainMistMe
    @grimson Thanks for your time, but I usually don't trust people enough to send screen shots. I usually don't want anyone to know 'anything' about my firewall settings. But it's solved so unfortunately I'm afraid you've wasted your time. Sorry for that. I tend to not respond to anyone I really don't want to help, so as to alleviate such "wasted time," if in fact I decide to deem it such. Though I usually don't see helping someone as wasted time. We each decide for ourselves what is and is not wasted time, as such we each should act accordingly. I would hope that everyone understands this fact, because it'll usually yield more happiness during one's lifetime. Have a good one my friend! And thanks again for your time!
  • OUI Lookup / Display

    6
    0 Votes
    6 Posts
    2k Views
    arrmo
    OK, I got it working! Here is what I did, Found the needed script, it's at https://svn.nmap.org/!svn/bc/3320/nmap/scripts/make-mac-prefixes.pl Downloaded the latest file from the IEEE, at http://standards-oui.ieee.org/oui.txt Ran said script ... :-). It's perl make-mac-prefixes.pl oui.txt nmap-mac-prefixes And it works - thanks for the help! Would it make sense to include this latest file in pfSense somehow?
  • Publish a CRL

    certificate
    6
    0 Votes
    6 Posts
    1k Views
    C
    I want to setup multiple OpenVPN servers using a common CA, with the ability to revoke users from a central location.
  • Interface mismatch with LTE modem

    5
    0 Votes
    5 Posts
    707 Views
    stephenw10
    An Ethernet connected modem is by far the best way to do this. If the delay is simply in the USB modem booting you can set a longer boot delay in pfSense to allow for that. Maybe use: https://www.netgate.com/docs/pfsense/hardware/boot-troubleshooting.html?highlight=kern%20cam%20boot_delay#booting-from-usb You can also add 'ue' to the list of interfaces to ignore in the mismatch check but that's an ugly workaround. Steve
  • This topic is deleted!

    3
    0 Votes
    3 Posts
    14 Views
  • GUI accessible from public IP

    3
    0 Votes
    3 Posts
    263 Views
    JKnott
    Are you elsewhere when you do that? If you do that from your local LAN, it's normal.
  • I can't do a backup

    2
    0 Votes
    2 Posts
    335 Views
    S
    @swmcl_pf -- I powered off by momentarily pressing the power button and then re-powered. The system says it is doing a backup or re-install in the background. This is the same as before. The process finished and I confirmed the message as read. I then did a backup. I'm not entirely convinced that it was doing anything in the background at the time of my post but I am happy that the backup has been completed. Case closed?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.