• [Solved] UnRaid No Internet Access

    4
    0 Votes
    4 Posts
    7k Views
    S
    .: Update #2 - SOLVED :. Ok, after running the packet capture I found that I was dropping my TCP packets for some reason. Googling led me to this: https://doc.pfsense.org/index.php/Lost_Traffic_/_Packets_Disappear I do in fact have a Realtek card I am routing this through. After making these changes… Internet worked as it should.
  • FilterDNS load averages

    1
    0 Votes
    1 Posts
    488 Views
    No one has replied
  • Pfsense SG-2220

    6
    0 Votes
    6 Posts
    2k Views
    badgastB
    I have a 2220 in my home setting, just between a DSL-cable modem/router and a D-link 24p managed switch. (modem just as a modem, double NAT until I bridge my modem…) Now 1.5 years, and not a single problem. For me it was a starter-thing just to experiment and learn with, which was, and still is. And it only consumes less than 10 W. Very happy with it. But if you've got a high WAN bandwidth >200 Mbps (fiber e.g.), maybe you'd better look for a more sophisticated version.
  • Wanting some advice

    2
    0 Votes
    2 Posts
    558 Views
    jahonixJ
    @gibbers82: … i don't have time to migrate everything... Have you considered using the professional services offered from pfSense/Netgate? https://www.pfsense.org/our-services/#professional-services They are there for you, for exactly these reasons. To get you started ASAP.
  • Recovering from "corrupt" system: How could I have done this better?

    2
    0 Votes
    2 Posts
    600 Views
    DerelictD
    Pretty much by having a backup of the config ready to go. Other than that it seems like you managed pretty well.
  • Webgui and SSH listening on wrong ip

    27
    0 Votes
    27 Posts
    4k Views
    3
    @Derelict: somehow got automatically converted Sigh. Well, they weren't changed by me, I'm not on site. If you're sighing then I imagine the guy who moved it must've done something. I'm just trying to figure it out remotely after the fact, in which I have now succeeded thanks to your help.
  • Pfsense 2.3.2 ( please help )

    5
    0 Votes
    5 Posts
    1k Views
    S
    Since you said you are fumbling through Snort/Squid, etc trying to learn them, do yourself a favor and read through the Snort Rules under the Categories Tab of the interface.  Some in there may not pertain to your organization.  The best security would probably be to have them all on but categories like "Games" would likely load unnecessary rules and put extra overhead on the system.  I'm not sure why you wouldn't want people playing StarCraft in the office but you don't need every packet evaluated against those rules even if you didn't. :)  Chat could be disabled if you're not having a problem.  No on-prem email server?  Consider disabling POP or SMTP.  The more you can disable the better the system should perform, especially on config reloads.  By default we have like 18 groups disabled when we install at a client's and add some back in if they need.  And make sure to add suppressions or your logs will overflow with useless info.  Search around here and you should find some good info on those. Also, know that squid, with transparent HTTP proxy enabled, works pretty well out of the gate but only on HTTP traffic, not HTTPS traffic.  If you want HTTPS filtering then you'll have a lot more to work through.  Add some extra definitions into the Freshclam section of Antivirus under Squid.  Search around here for SaneSecurity as we had a thread with that info floating around not long ago.  It'll greatly increase the effectiveness. Once you have things set up, make sure you try some speed tests and downloaders and Quickbooks and Firefox.  It has been my experience that snort blocks them.  You can easily add the exclusions from the Rules and Block tabs of Snort.  You may also want to consider altering the SquidGuard block pages to something that reflects your organization and your policy as well as information on who and how to contact in the event of a false positive.
Also check things like LogMeIn and GoToMeeting to see if they have problems getting through your new Proxy.  With all that addressed you should have things mostly under control. Most of all, Good Luck!  Personally, I'd put your new filter outside of your Firewall if you could as it likely has a lot more power than the ASA (they are generally over featured and under powered) to free its resources up, but I'm not sure exactly how you'd do that without long consideration.  It's probably easier to have it on the LAN and force all traffic to filter through it.
  • SFTP being advertised over Bonjour from pfSense box?

    9
    0 Votes
    9 Posts
    2k Views
    K
    It's not a false positive, the AVAHI service on your pfSense is really advertising SFTP even if you don't have the SSH service running. To turn it off you have to edit the AVAHI configuration.
  • Unable to check for updates

    1
    0 Votes
    1 Posts
    429 Views
    No one has replied
  • Request to pfSense.localdomain timed-out

    32
    0 Votes
    32 Posts
    7k Views
    T
    My pfSense IP is 192.168.2.1. I tried using ISP DNS and Google IP 8.8.8.8; all websites open perfect, but one new problem: can't ping anything other than Google DNS and ISP-provided DNS IP. It looks like they are restricting us from using third-party DNS and not allowing us to ping any IP. what wrong dig :( I'm so frustrated. You asked me for "dig @pfsenseIP www.whatever.com":
    lubuntu@lubuntu-:~$ dig @192.168.2.1 www.facebook.com
    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.2.1 www.facebook.com
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    lubuntu@lubuntu-:~$
    Tushars-MacBook-Pro:~ tushar$ ping 208.67.222.222
    PING 208.67.222.222 (208.67.222.222): 56 data bytes
    Request timeout for icmp_seq 0
    Request timeout for icmp_seq 1
    Request timeout for icmp_seq 2
    Request timeout for icmp_seq 3
    Request timeout for icmp_seq 4
    ^C
    --- 208.67.222.222 ping statistics ---
    6 packets transmitted, 0 packets received, 100.0% packet loss
    Tushars-MacBook-Pro:~ tushar$ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=58 time=8.675 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=11.394 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=10.896 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 8.675/10.322/11.394/1.182 ms
  • Packetfence

    2
    0 Votes
    2 Posts
    1k Views
    DerelictD
    I think you might be on the wrong forum.
  • NAT'ing external port on VIP to internet LAN IP

    8
    0 Votes
    8 Posts
    1k Views
    K
    You don't set source port requirements in the NAT rules. What the rule is now saying is "Perform the RDR only if the source port in the incoming packet is 80" (and of course the other requirements have to be met as well). This is never going to be true for regular HTTP traffic arriving to your end, the source port is going to be a randomly chosen port from range 1024:65535.
  • Reboot Stuck at "Syncing disks, vnodes remaining…0"

    3
    0 Votes
    3 Posts
    2k Views
    W
    thank you
  • PfSense affected by recent Linux kernel vulnerability (Dirty Cow)?

    4
    0 Votes
    4 Posts
    1k Views
    S
    Correct, Dirty COW only affects Linux.  BSD's (Net/Open/Free)BSD are not affected because they are not Linux.
  • Squid proxy bypass private ip address

    2
    0 Votes
    2 Posts
    2k Views
    KOMK
    You can configure that on the client, or if you're using WPAD you can include the IP ranges and DIRECT keyword.  If you're using Transparent mode, you can use the Bypass Proxy for These Destination IPs option on squid's General page.  Lastly, the proper forum for squid & squidguard questions is the Cache/Proxy forum.
  • 802.1p/q pfsense setup

    77
    0 Votes
    77 Posts
    43k Views
    R
    Hi folks, Wondering if anyone is using Cisco SMB switch for the QoS setup for the Google fiber.  If so, it would be much appreciated if the setup/configuration can be shared. -rsa
  • New to pfSense - block facebook and youtube

    2
    0 Votes
    2 Posts
    2k Views
    J
    https://www.google.co.za/url?sa=t&rct=j&q=&esrc=s&source=video&cd=2&cad=rja&uact=8&ved=0ahUKEwjinL_jqPjPAhWFF8AKHZbGCg0QtwIIJjAB&url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DnMMFxn7Z3nk&usg=AFQjCNF3_0_xk3YlNLxCwbp_UcTtuWdtyw&sig2=qXkDLFwOIuOzdye8MLpygA&bvm=bv.136593572,d.bGg
  • Captive Portal and Squid logging via AD username for BYOD

    2
    0 Votes
    2 Posts
    650 Views
    M
    Please read the seventh entry in this post: https://forum.pfsense.org/index.php?topic=119731.msg663026#msg663026
  • ARP issue on vlan

    5
    0 Votes
    5 Posts
    2k Views
    DerelictD
    What would cause the issue with devices not getting automatically added to the ARP table on pfSense? Not getting the ARP broadcast from the switch. Diagnostics > Packet Capture on LAN_1 and see what's really going on.
  • White space only in custom send/expect load-balance monitor?

    1
    0 Votes
    1 Posts
    360 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.