• How can i set static arp on dhcp to prevent mac spoofing?

    11
    0 Votes
    11 Posts
    2k Views
    T
    So my best option is to use username authentication instead of MAC, or buy an expensive Cisco switch and do port isolation, putting each user's MAC in its own little VLAN.
  • UPNP disabled, but something was using it - Unpossible, right?

    2
    0 Votes
    2 Posts
    469 Views
    W
    Sounds like pwnage; someone probably got logins to your box. Do you use a remote log server to see if there's any suspicious activity? If they have your logins then local logs will be useless unless they were sloppy.
  • DNS Performance

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ
    How many ms are you talking? Are you saying you're having clients/apps time out trying to resolve something that you do not have locally cached? I really find that unlikely. I think it's all in your head: an "oh, how come that took 12 ms, it should be 10" sort of thing.
  • Captive Portal in local WiFi problem

    3
    0 Votes
    3 Posts
    1k Views
    N
    I'm not quite sure I understand the question. I'm guessing the apache server will be connected after the pfSense, like: client -> wifi (router) -> pfSense -> apache server. For now I can't test this setup since I don't have a second ethernet interface. Is there a way of using the internal wireless interface of the laptop to connect to the server? (Just for testing purposes.) I tried a server under the same wifi, like: client, apache server -> wifi (router) -> pfSense, with no success, and I believe I can see why. (The router is managing the traffic with no intervention of pfSense?)
    Essentially what I'm trying to do right now is turn the router into an access point and connect it to the pfSense laptop, but I think I didn't quite manage that. For some odd reason the portal works with 192.168.1.4 but there is no machine using that IP. (Btw, vouchers are working perfectly.) Shouldn't the firewall redirect me to the captive portal, even if it didn't have internet access, after I enter a www.example.com URL in the browser?
    The IPs that I see from the logs are:
    pfSense: 192.168.1.1
    Router: 192.168.1.2
    Client1: 192.168.1.21
    Client2: 192.168.1.103 (or the server, if I try to enable apache as in the above scenario)
    I had seen the video and that's exactly my configuration in the webConfigurator, with DHCP server and DNS resolver enabled. Btw, I had no success by connecting a client directly to the pfSense through a cable.
  • Confused on configuring firewall rules

    5
    0 Votes
    5 Posts
    840 Views
    johnpozJ
    "but I'm confused on why the source field can be anything other than an address on that interface." Your confused to why the drop down lists other pfsense interfaces?  Or you don't understand how you could have downstream networks where this interface on pfsense is the transit network? Have you tried programming dropdown lists to filter out all the other interfaces?  When the dropdown is will be used by all the interfaces? ;)  So you want it to not show you opt2 network, because your on opt1 interface? [image: dropdown.png] [image: dropdown.png_thumb]
  • Available in AWS GovCloud?

    1
    0 Votes
    1 Posts
    350 Views
    No one has replied
  • 0 Votes
    2 Posts
    949 Views
    johnpozJ
    Not sure why you think you need to whitelist domains. Why not just protocols just log?  Keep an eye on the traffic.  Once you watch them for a while and where they go, then you can lock down to netblocks if you want, etc.
  • Network setup questions

    1
    0 Votes
    1 Posts
    724 Views
    No one has replied
  • 0 Votes
    5 Posts
    847 Views
    K
    Hi! The only requirement would be to reassign the interfaces. What do you do when they are not an exact match? My pfSense box is behaving very erratically (my guess is bad caps on the motherboard) and I tried to, temporarily, set up a new box. Unfortunately, even though both machines were more or less from the same era (Atom 330), they had different slots (PCIe vs PCI) and my real pfSense box had a mini-PCIe wireless NIC (Atheros based). They also had different onboard NICs. My real box has a PCIe Intel I340-T4 quad NIC, and in the temporary replacement box I decided to reuse the old PCI Intel 21143 quad NIC I used in my previous non-pfSense based firewall.
    The onboard NIC was not used in my real pfSense box, so I assigned it to the onboard NIC of the new machine. My WAN, LAN and DMZ, which were provided by my I340-T4, were easy to match to equivalent ports on the Intel 21143 based NIC. The last port on the I340-T4 I was no longer using; I used to use it to connect a wireless access point. The onboard mini-PCIe wifi card I could not match to anything. I am not sure if I was immediately able to delete it, so it is possible I temporarily assigned it to another port, I am not sure. Once everything was done I deleted the unused onboard NIC (which I had created anyway) and the port assigned to the wifi.
    What I ended up with was able to connect to the Internet, since I was able to ping outside IPs, but none of my internal DNSes were working anymore. I also had this error message (or variants on it):
    There were error(s) loading the rules: /tmp/rules.debug:85: syntax error - The line in question reads [85]:  altq on  priq queue {  qLink,  qACK,  qVoIP  }
    I believe this is traffic shaping stuff. Obviously it was quite unhappy about something I had done. Was it the cause of my internal DNSes not working? I don't know and could not investigate further when I tried this. I had to go back to the unstable box until I have time to try this again.
Thank you and have a nice day! Season's Greetings! Nick
  • Using netmap-fwd on 2.3

    5
    0 Votes
    5 Posts
    3k Views
    H
    @singerie: Any update on netmap-fwd ? https://forum.pfsense.org/index.php?topic=119285.0
  • [Solved] Different throughput on the same interface

    6
    0 Votes
    6 Posts
    1k Views
    U
    Hey BlueKobold, thank you for your suggestions. We also just received an answer from the pfSense support. But I will answer your questions as well as I can :)
    @BlueKobold: We use iperf to test the throughput between the firewall and a virtual machine. Are they both in a VM? I mean pfSense and the virtual server?
    We tried both of them. The virtual firewalls are mostly limited by their amount of CPUs and often by the feature sets. After activating TSO and LRO we also reach 5 GBit/s with the virtual pfSense.
    @BlueKobold: If the firewall is the "server" and the virtual machine is the "client" we only get a throughput of about 3 GBit/s. Normally you will be getting something between 2 GBit/s and 3 GBit/s as throughput in real life from a 10 GBit/s link.
    Yes, of course we are talking about a theoretical throughput, but I would expect a similar throughput on both sides of the communication, right?
    @BlueKobold: If we send from the firewall to the virtual machine we reach a throughput of about 8/9 GBit/s. Perhaps the virtual machine is able to write the data faster than the pfSense, because there is a RAID in it or more RAM that is acting as a buffer for the packets, might this be?
    We never send a real amount of data over the cable :) With iperf you send an amount of packets with embedded timestamps and sequence numbers. With this content iperf calculates its statistics.
    @BlueKobold: It does not matter if it is a virtual or a hardware pfSense. It does for sure! How many CPU cores are given to the pfSense machine?
    See my answer above. Of course it matters, because of the amount of CPU; I had to be more specific I think ;) I mean, it does not matter with regard to the strange behavior of different throughput. But as I said before, when the firewall sends its packets it expects an ACK after every one, the VM does not. So we activated TSO and now the firewall doesn't expect that anymore, just TSO.
    @BlueKobold: We just activated TSO and LRO on the pfSense. Tunings can often help much more than we all would expect! Raise the mbuf size, shorten the NIC queues down to 4 to 6, and other options or tunings might be helping also; please give them a try, single or together! Anyone an idea or some experience with those features on a pfSense? Tuning and Troubleshooting Network Cards
    I checked that article, everything was okay. Tuning the machine is the first thing I thought about. Troubleshooting the second ;) BlueKobold, thank you very much for your help.
  • Many Duplicate General System Log Errors

    5
    0 Votes
    5 Posts
    1k Views
    D
    I'd strongly suggest flashing the thing with DD-WRT/LEDE/OpenWRT if at all possible. The factory firmwares are utter crap.
  • PfSense crash during start-up

    5
    0 Votes
    5 Posts
    935 Views
    jimpJ
    It's probably a filesystem panic. The site hosting that video is complete shit, serving malvertising trying to get people to install fake antivirus programs. Wipe and reload pfSense, restore the backup.
  • Changing Router IP and DHCP Blocked Internet Access

    3
    0 Votes
    3 Posts
    681 Views
    C
    @viragomann: Check if pfSense has changed the outbound NAT rule to fit the new subnet, if you use automatic rule generation. If you have set it to manual rule generation, the rules have to be changed by yourself in any case.
    Thanks for the reply. I will check it this week and let you know.
  • The End ?

    Locked
    20
    0 Votes
    20 Posts
    3k Views
    jimpJ
    Even one brief look at redmine or github would show we are all very busy working every day. There are few bounties because we either fix things ourselves internally without bounties or there are no community developers looking to take on the work. The developers of pfSense were not the ones who used to take on all the bounties, not in many years if ever, and the rare times we did it was back when we were very small and maybe someone needed a few extra bucks. Bounties are meant to entice members of the community to get involved and not meant to crowdfund new pfSense features made by the core team. We haven't published any security advisories because there hasn't been anything worth publishing about. The new NTP issue, perhaps, and maybe an odd XSS or two are pending for the next release we cut, but nothing severe enough to warrant an immediate new release and the publishing of an SA. This whole thread was a reach; you found two of the most ridiculous "metrics" and leapt to meritless conclusions, thus the rightful conclusion that this was FUD. There can be no meaningful discussion here.
  • MOVED: upsmon parent process died - shutdown impossible

    Locked
    1
    0 Votes
    1 Posts
    433 Views
    No one has replied
  • How to redirect and serve http requests from local user with pfsense

    4
    0 Votes
    4 Posts
    709 Views
    P
    One of the motivations is blocking intrusive or unsafe scripts and datamining. Much of that can be blocked with conventional adblockers; where it gets difficult is when third-party scripts from advertising companies are used (e.g. jquery), which the website needs to work properly or at all. That's an interesting point about https connections, but it's not usually an issue in the above cases, mostly because a lot of sites still don't use https, but also because when connecting to a medium-sized website with say 20 different server connections, some might be encrypted, but not all, and especially not the scripts with known content. Anyway, back to the technical requirements: can squid handle the redirection and serve up pre-installed scripts, or would I need unbound/bind for the DNS or possibly a webserver like nginx as well?
  • OpenVPN to IPVanish question

    2
    0 Votes
    2 Posts
    1k Views
    J
    My guess is that under VPN / OpenVPN / Clients the options "Don't Pull Routes" (and "Don't add/remove routes") are unchecked. I've observed that in that case the VPN will take over as default when you start it. There is more than one way of solving your problem, which will result in slightly different configurations. If you leave the above mentioned options unchecked, you have to modify your LAN firewall rules and specifically select the WAN gateway for the "Default allow LAN to any rule". In this scenario, if you go to a DNS leak website on a device that goes through the WAN interface, you'll see the IP given by your ISP (as you should), and when you do a DNS test you'll see your VPN's DNS servers (correct me if I'm wrong). If that's OK with you, you're done, because you definitely won't have DNS leaks on your VPN's side. If that's a problem, I found the following to be working: check the option "Don't Pull Routes". This will result in the following: you won't have to specify the WAN gateway for the "Default allow LAN to any rule", since the VPN won't take over as default when enabled. The results on the DNS leak page will show your ISP, also for the devices going through your VPN. In order to fix the leak, you can give devices that you want to go through the VPN a static IP and then manually specify your VPN's DNS servers under Services / DHCP Server, at the bottom, "DHCP Static Mappings for this Interface". Finally, as a precaution you can set up a firewall rule as outlined under "9 - firewall rules" in this post: https://forum.pfsense.org/index.php?topic=106305.0 (this how-to is generally pretty helpful with the issue). Keep in mind that I'm fairly new to networking and pfSense (started this project just a month ago), so someone more experienced might have even better or more accurate info. At any rate, hope the above will help.
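    The two behaviours that reply describes, shown as an added example in the form of a hand-written OpenVPN client config; it is not code from the original post or from pfSense. pfSense generates this kind of file from the GUI options: "Don't Pull Routes" adds the `route-nopull` directive and "Don't add/remove routes" adds `route-noexec`. The server hostname, port, CA file and DNS address are assumed placeholders.

```conf
# Added example: OpenVPN client config with the "pull routes" behaviour
# from the post on the left, and the fix on the right (commented in/out).
client
dev tun
proto udp
remote vpn.example.net 1194     # assumed placeholder
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth-user-pass
ca ca.crt                       # assumed placeholder

# Weak state ("Don't Pull Routes" unchecked): nothing below prevents a
# pushed "redirect-gateway def1" and pushed "dhcp-option DNS ..." from
# being applied, so the tunnel becomes the firewall's default route and
# every LAN client egresses through the VPN unless a firewall rule
# explicitly sets the WAN gateway (the Gateway field on the LAN rule).

# Fix ("Don't Pull Routes" checked): ignore pushed routes (and, in current
# OpenVPN versions, pushed dhcp-option DNS). The WAN stays the default
# gateway, so only clients you policy-route via the VPN gateway use it.
# Because pushed DNS is also ignored, those clients keep the ISP resolver
# unless you hand them the VPN resolver (for example through a DHCP static
# mapping, as the post suggests).
route-nopull

# Optional, equivalent to "Don't add/remove routes": accept pulled routes
# but never install them in the routing table.
# route-noexec
```

    With `route-nopull` in place, the leak check in the post is straightforward to verify: a host policy-routed through the VPN should show the VPN's exit address, and its configured resolver (not the ISP's) in the DNS section of the test.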
  • Intermittent dropping of random connections under high load

    3
    0 Votes
    3 Posts
    2k Views
    S
    Hello. We weren't logging the system log (we are now, but the issue hasn't occurred again as the load hasn't been high enough yet), but on looking at the graphs it never exceeds 75% of max. I have increased some defaults as they seem like common sense (the blackhole change is to allow the Java/SQL to fail quicker):
    Firewall Maximum States: 1,000,000 (was 398,000)
    net.inet.tcp.blackhole (drop packets to closed TCP ports without returning a RST): 1 (was 2)
    kern.ipc.nmbclusters: 262,144 (was 131,072)
    kern.maxfiles: 1,000,000 (was 127,587)
    kern.maxfilesperproc: 500,000 (was 114,822)
    kern.ipc.soacceptqueue: 1,024 (was 128)
    Any other ideas please? Thanks
  • URL Forwarding

    2
    0 Votes
    2 Posts
    750 Views
    NogBadTheBadN
    Services -> DNS Resolver -> General Settings: add a host override if you're using pfSense for DNS.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.