• Problem with transparent mode squid3

    3
    0 Votes
    3 Posts
    515 Views
    A
    Hello, I have enabled the transparent proxy for HTTP only. I set the "Proxy Interface(s)" option to my LAN network, enabled the "Allow Users on Interface" option, and "Allow Users on Interface" only for my LAN as well. The problem is that the machines on this network can browse through the proxy even without being set in "ACLs->Allowed Subnets".
  • Squidguard and mysql

    1
    0 Votes
    1 Posts
    791 Views
    No one has replied
  • [SOLVED] WOL across VLAN's

    11
    0 Votes
    11 Posts
    8k Views
    P
    I understand I need the ARP entry because I use the IP address instead of the broadcast address. But using the broadcast address didn't work for some reason. To be honest I only use it once a month(ish) so this is OK for me. Thanks though for all the info, appreciated!
  • Pfsense + apu2c4 combo temperature monitoring

    3
    0 Votes
    3 Posts
    2k Views
    K
    Thanks, it worked!
  • Admins via extended LDAP query

    Locked
    2
    0 Votes
    2 Posts
    531 Views
    S
    Nevermind, just saw someone post this just below here: https://forum.pfsense.org/index.php?topic=116760.0 Watch out for the User - Config: Deny Config Write rule!
  • How to rebuild kernel ?

    3
    0 Votes
    3 Posts
    856 Views
    johnpozJ
    Yeah would not really be a good idea to go about messing with the compile of your firewall kernel on special use distro like pfsense.  If there is something specific you would like to see included or excluded from the kernel best to put in a feature request to the dev's. If you want to compile stuff in general for freebsd, prob best to fire up generic freebsd install for such play.  Not something that really should be done on system used for your firewall, etc.
  • Static Routing Issue

    8
    0 Votes
    8 Posts
    1k Views
    johnpozJ
    It always surprises me the lack of understanding transit networks and downstream routers.  Even from people that supposedly work with routing all the time.  So don't feel all that bad ;) There is this article in the docs https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules This article seems to address workarounds and causes to it that might be set on pfsense itself.  But doesn't really address a common mistake not using transit networks and or placing hosts on what amounts to a transit network, etc.. Should prob take some time and round out the information provided in the above doc, this would prob be a good location for more information on the issue.  I currently just don't have the self motivation to do so ;)
  • How much throughput lost using pfSense?

    17
    0 Votes
    17 Posts
    19k Views
    H
    Why not start your own thread. Performance issues are almost always customer per person. No point in ruining someone else's thread by muddying up the discussion.
  • "Backup" VPN Client server settings possible in pfsense?

    7
    0 Votes
    7 Posts
    3k Views
    DerelictD
    I doubt it. Your situation seems new to me. All of the walkthroughs that cover routing traffic out public VPN providers should apply. You will just be doing everything twice, making a gateway group of the two VPN endpoints, and routing to that gateway group instead of the single gateway.
  • Connecting a Brocade Layer 3 Router to pfSense

    6
    0 Votes
    6 Posts
    3k Views
    DerelictD
    For the LAN I selected (STATIC) with an IP Address of 10.0.0.1/24. My configs on the Brocade router stayed the same. Vlan 1000: 10.0.0.2/29 Static route: 0.0.0.0 0.0.0.0 10.0.0.1 Yeah, that is wrong. The netmasks should both be /24 or both be /29. Can you ping 10.0.0.2 from pfSense and 10.0.0.1 from the switch? Did you create a pfSense gateway for 10.0.0.2? Did you route 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24 to that gateway on pfSense? Does the firewall rule on your transport interface on pfSense (LAN) allow traffic sourced from those subnets? Does outbound NAT on WAN contain rules to map those subnets to WAN address? That's really all that is necessary. Check all those things. I would, personally, make some design changes: My transport network would not be associated at all with the networks on the switch. I would make it something random like 172.18.218.224/29. I would probably not use 10.0.0.0/8 for anything, but if I did I would make it something random like 10.253.192.0/18. I would route that supernet to the switch, pass traffic from that supernet on LAN, and add outbound NAT for that supernet on WAN. That would enable you to add networks 10.253.192.0/24 through 10.253.255.0/24 on the switch at will without making any changes to the firewall. Assuming 64 /24 networks is enough for the project's maximum anticipated requirements.
  • Regarding No internet through LAN Interface

    6
    0 Votes
    6 Posts
    1k Views
    R
    Hi, Friends, I have configured pfsense 2.3.1, I am unable to get internet from lan and I can have a ping on wan and I am receiving ping data in WAN, I have attached the rules which I have assigned and I have connected wan in DHCP with private ip as 194.168.2.104 from my home Tenda router, please help me how to get internet as output from wan to lan. I have kept NAT in outbound as automatic and I have also checked NAT by keeping manual though I am not getting Internet from LAN, Please suggest me the configuration and help me out.
  • [SOLVED] Sending Mail with pfSense

    16
    0 Votes
    16 Posts
    18k Views
    G
    Thanks very much dennypage! For the benefit of anyone reading this thread, this patch solves the problem… You can now send mail from a non-root account without any sudo or other privilege escalation.
  • Duckdns.org support

    2
    0 Votes
    2 Posts
    1k Views
    C
    I found the documentation https://www.duckdns.org/install.jsp#pfsense
  • Allowed Subnets squid3

    1
    0 Votes
    1 Posts
    382 Views
    No one has replied
  • Configuring pfsense to be able to access a LAN VM from the internet

    6
    0 Votes
    6 Posts
    1k Views
    P
    Yep, I must have been doing it right since the beginning, but pfblocker having crashed was still blocking incoming connections (still have to be determined why)… Completely killing pfblocker and rebooting pfsense, then the port forward has been working fine since 4 days now.. Thanks Johnpoz for pointing out pfblocker in your last post, and thanks for the help!
  • IpSec: remote subnet field non existing

    11
    0 Votes
    11 Posts
    1k Views
    DerelictD
    What is the subnet mask on your LAN? My first suggestion is to change the subnet mask on your IPsec mobile Virtual Address Pool to /24 but that really depends on the subnet of your LAN as to whether that will actually fix it. You could just change the Virtual Address Pool to something like 172.19.241.0/24 and probably fix it, regardless.
  • Trouble with segregating traffic internal vs guest

    4
    0 Votes
    4 Posts
    786 Views
    johnpozJ
    Happy I could help.. If you're new to vlans or don't have experience how the different makers do things or call things then yeah it can be confusing.  Glad you got it sorted!
  • Removing RAM from an installation

    3
    0 Votes
    3 Posts
    577 Views
    C
    @kpa: The underlying FreeBSD OS does not care, it will autodetect and autotune whatever there is to autotune depending on the amount of currently installed RAM.  There might be some parameters derived for installed packages but I can't help with those since I don't use any of the more advanced packages like the Squid proxy. That is good news. I don't have any packages installed except one that exports vpn settings. Thank you so much for the reply. It means I can up my home server with 8GB and run my pfsense on 2GB :)
  • Fine tuning pfSense for large environments

    6
    0 Votes
    6 Posts
    2k Views
    G
    that looks like webserver optimizations NOT a firewall
  • Fatal error trying to delete DHCP leases

    2
    0 Votes
    2 Posts
    654 Views
    jimpJ
    If the daemon is disabled/stopped, just ignore the page or remove the lease files /var/dhcpd/var/db/dhcpd*
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.