• How to block all 80/443 traffic except whitelist

    2
    0 Votes
    2 Posts
    413 Views
    KOMK
    Squid & squidguard can do that.  In squidguard, you create Group ACLs and then apply policies to the group.
  • Gateway Online but status offline

    2
    0 Votes
    2 Posts
    1k Views
    DerelictD
    Yeah. dpinger can't ping the IP address you have set as the monitor IP address. Change it to something that interface can ping.
  • Huge Bridge/VPN/NAT/RDP mess in need of help

    1
    0 Votes
    1 Posts
    314 Views
    No one has replied
  • 0 Votes
    4 Posts
    955 Views
    N
    I've had this problem for over a year and didn't find a solution until now, when I did a dive into the code and put debugging around routing commands. I'm sharing my findings in case it helps you and others who Google this error.

    Symptoms: Reset a WAN interface and the routing dies.

    In the logs:

    ```
    Dec  6 06:46:35 fw kernel: arpresolve: can't allocate llinfo for 192.168.21.1 on lagg0_vlan21
    ```

    In the routing table:

    ```
    Destination        Gateway            Flags      Netif Expire
    192.168.21.0/24    link#14            U          lagg0_vl
    192.168.21.1       192.168.21.1       UGHS       lagg0_vl
    192.168.21.10      link#14            UHS        lo0
    ```

    Root cause: The DNS server and gateway are the same.

    Fix: Either change DNS servers, or patch the code (pfSense 2.2 and 2.3.5): /etc/inc/system.inc, near line 257:

    Change

    ```
    mwexec("/sbin/route {$cmd} -host {$inet6}{$dnsserver} {$gatewayip}");
    ```

    To

    ```
    if( $dnsserver != $gatewayip )
        mwexec("/sbin/route {$cmd} -host {$inet6}{$dnsserver} {$gatewayip}");
    ```
  • Dashboard Firewall Logs dont scroll

    2
    0 Votes
    2 Posts
    406 Views
    jimpJ
    It's updating properly for me here. Maybe clear your browser cache.
  • Host name resolution

    10
    0 Votes
    10 Posts
    2k Views
    johnpozJ
    Yes I have a Pro and lite and LR AP.. I bought the pro after they came out as update to my old gen 1 pro (square ones - someone on the pfsense forums bought it from me), and got the lite and lr when they first beta tested these - they had picked a few active people on the beta forums to test them.. They sent us FREE units to test ;)  It was way better than their new early access store ;) hehehe Yeah I have two echo dots, I used alexa for their names (I am very creative hehehe) added -cpu for the one in my computer room (den/office/lab) whatever you want to call my room ;)  If my wife was more techy she might call it the MDF room hehe.. The only one I know of around here that works or used to be around here and works for unifi is Chris… Miss him here, but he is great over there - very very active on their forums..
  • Moving contents of a Lan to a Vlan

    1
    0 Votes
    1 Posts
    246 Views
    No one has replied
  • WAN ip keep on and off

    3
    0 Votes
    3 Posts
    645 Views
    JKnottJ
    If you have to manually configure it, there's something wrong somewhere.  Both ends are supposed to auto negotiate and setting one end, but not the other can cause problems.  What happens if you connect another computer?  If it does the same, there's an issue with the modem.  If it stops, the problem is with your firewall computer.
  • Cam status unconditionally re-queue request

    4
    0 Votes
    4 Posts
    589 Views
    NollipfSenseN
    @Gertjan: Google : @NollipfSense: …. "cam status unconditionally re-queue request" .... Saw wrong partitioned drives (using ZFS) and mostly dead drives, even new ones. also : Take your drive on a long S.M.A.R.T. walk. Thank you for responding…it turned out that the new cable was bad...I just replaced it with another new SATA 3 cable...all is good.
  • Change default TTL value

    9
    0 Votes
    9 Posts
    2k Views
    JKnottJ
    @johnpoz: Yeah 64 is common default.. 128 is a lot of freaking hops ;)  Which is why so curious to why would need to change to 128.. Maybe he has a really BIG network.  ;)
  • Is pfsense FIPS 140-2 complainant

    4
    0 Votes
    4 Posts
    4k Views
    S
    @Harvy66: Doing a quick wiki, FIPS 140-2 is about physical security. Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorized physical access. It's logically impossible for software to comply with this. FIPS 140 seems to be about cryptographic modules. pfSense/FreeBSD may use some cryptographic modules, but are not themselves cryptographic modules. @jridings:  Perhaps a better question would be are "Netgate pfSense Security Gateway Appliances" FIPS 140-2 compliant?  Looking over the wiki it appears that any device could be compliant as long as it had a special certified encryption board.  In that case it is just about the physical hardware being certified and no off-the-shelf components will work.  Maybe if you installed a certified board into your build for it to do the cryptography work that would pass?  But finding one that has BSD drivers and getting it to work with pfSense could be a challenge.  I don't see anything that says the entire device must be certified, only the hardware responsible for encrypting but I'm not really sure on that.
  • Upgrade pfsense 2.4.1 for 2.4.2 - AWS

    1
    0 Votes
    1 Posts
    200 Views
    No one has replied
  • MOVED: Help with 2 NICs netgate XG1541

    Locked
    1
    0 Votes
    1 Posts
    191 Views
    No one has replied
  • Firewall not filtering packets

    9
    0 Votes
    9 Posts
    1k Views
    E
    @Derelict: Where are you testing from? I setup a laptop with a cable straight to the wan port. I'm out for now but, what if I set the ip address to the wan instead of the bridge? do you think this would help. Or it shouldn't be different?
  • PFSense with BT YouView (IPTV)

    5
    0 Votes
    5 Posts
    1k Views
    T
    This bug with IGMP Proxy seems to still exist in 2.4.2. I have a different ISP, Movistar Spain, with a different setup (IPTV comes through its own separate VLAN) and I still see the same "The IGMP message was from myself. Ignoring." message and no IGMP is forwarded to the right upstream interface.
  • MOVED: Habilitar Youtube

    Locked
    1
    0 Votes
    1 Posts
    339 Views
    No one has replied
  • Looking to make a warning message at login

    1
    0 Votes
    1 Posts
    272 Views
    No one has replied
  • Error: Bump flowset buckets to 64 (was 0)

    3
    0 Votes
    3 Posts
    380 Views
    johnpozJ
    "Waiting for your comments." I have a comment - use something that is current and supported..  2.0.1 released end of 2011, shoot its not even the latest version in that line. 2.0.3 was..  The version of freebsd it was on 8.1 was EOL July 31, 2012.. The OLDEST pfsense you could be running is 2.2.6, with even the resemblance somewhat close to being in the area of dragging your feet..
  • Nginx = 504 Gateway Time-out / 502 Bad Gateway

    7
    0 Votes
    7 Posts
    2k Views
    P
    Ashima has the fix.  I tried a bunch of stuff to get this fixed AND NONE OF IT WORKED until I patched the boot loader! https://wiki.freebsd.org/SystemTuning#SYSCTL_TUNING "The kern.ipc.somaxconn sysctl limits the size of the listen queue for accepting new TCP connections. The default value of 128 is typically too low for robust handling of new connections in a heavily loaded web server environment. For such environments, we recommend increasing this value to 1024 or higher. The service daemon may itself limit the listen queue size (e.g. sendmail(8), apache) but will often have a directive in its configuration file to adjust the queue size up. Larger listen queues also do a better job of fending off denial of service attacks." Thank you Ashima!  I gave you a thank you bump too…if that matters, 5 gold stars, best in class, grade A <-- whatever nice things you can think of. This was driving me friggin crazy!!!  :-)
  • [SOLVED] Certain Websites not working

    7
    0 Votes
    7 Posts
    4k Views
    P
    I seem to have found my solution https://doc.pfsense.org/index.php/Unable_to_Access_Some_Websites Step 9 seems to have done the trick: Check Clear invalid DF bits instead of dropping the packets on System > Advanced, Firewall/NAT tab Jason
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.