• "Enable interface" checkmark

    0 Votes
    5 Posts
    1k Views
    @kpa: I agree that the checkmark should have the same function regardless of the interface type, be it enabling/disabling the interface completely or just enabling filtering/NAT on the interface. Neither the GUI nor the existing documentation gives you any hints of different semantics of the checkmark's function depending on the type of interface now. On Reddit I discussed in more detail other problems of the "pfSense Interfaces" architecture, such as different meanings of "IPvX Configuration Type" depending on the corresponding FreeBSD interface and on the selected field value itself. Right now pretty much nothing is consistent, it's a bunch of hacks to make common (and less than common to some extent) scenarios work. I hope they will fix it soon. It is, imho, one of the worst downsides of pfSense in comparison with major commercial solutions (e.g. Cisco).
  • How to increase php memory size?

    0 Votes
    2 Posts
    392 Views
    Looks like you have 512MiB of memory and it tried to allocate ~64MiB but there was not enough free. Add more memory? Possibly disable additional services that you may have enabled, like Snort or squid.
  • [2.3.1] No beep on login

    0 Votes
    5 Posts
    1k Views
    @jimp: The login beep is not done with a call to the beep command, but a byproduct of that login log message being printed to the console. Did you password protect the console, perhaps? I don't think that would suppress the message but it's the only thing I can think of that might be even remotely relevant. Beep still works fine at login on the two boxes I have here which still have a speaker. I had the same problem.  Deselecting Password protect the console menu in System → Advanced → Admin Access → Console Options resolved it for me on pfSense 2.3.4.
  • Filebeat and clog (Circular Logging) format

    0 Votes
    3 Posts
    989 Views
    Fantastic workaround!  Thanks for the idea.
  • System logs

    0 Votes
    1 Posts
    402 Views
    No one has replied
  • PfSense based on FreeBSD

    0 Votes
    17 Posts
    5k Views
    @iska: @jimp: https://doc.pfsense.org/index.php/Why_was_FreeBSD_chosen_instead_of_another_OS I know OpenBSD is aimed for maximum security, and FreeBSD is for maximum performance, while PfSense is for security or firewall/router, why don't they choose OpenBSD. Because Theo.
  • Using pfSense's web server

    0 Votes
    6 Posts
    4k Views
    ptt
    Ok, if you insist, and will assume the liability  :) "Put it" at "/usr/local/www"  (or in a "new directory/folder"  /usr/local/www/XXXX )
  • Remote execution via Ruby-SSH starts different shell - solved

    0 Votes
    3 Posts
    704 Views
    Thank you, that did the trick.
  • Weird failed connections

    0 Votes
    4 Posts
    898 Views
    johnpoz
    I agree with you - but you stated this "they don't understand the underlying plumbing going on." So unless you do, you have no idea what they are doing - right?  You say it works when both on the same lan.. So look to see what is going on when on the lan, then you can make your firewall rules to allow this, etc. You for sure would not need to do any sort of natting here - since local networks to pfsense do not nat between each other.
  • How to scan pfsense server itself for virus, etc.

    Locked
    0 Votes
    14 Posts
    4k Views
    johnpoz
    "infected the pfsense server since it is part of the network as well." Via what service??  What virus/worm are you aware of that can infect freebsd via what service?  Pfsense only listens on a couple ports. Say ntp, ssh, http(s) what other applications are running and listening on the network that some sort of worm could exploit and infect freebsd? If you are seeing some sort of flag from your ips that something is bad - then investigate where it's coming from.  You have not shown this traffic is coming from pfsense itself, nor have you even validated that it's not some false positive.. I agree you should investigate such traffic - but jumping to think that something infected pfsense vs looking to what else it might be is jumping the gun a bit..
  • SquidProxy slows my internet down

    0 Votes
    4 Posts
    1k Views
    johnpoz
    Depends what is more important to you, you say it's not too slow. Keep in mind that the vast majority of net traffic is not static any more - most everything is dynamic.  So your cache is not going to buy you much.. Browsers cache most of their own static stuff anyway. Using explicit vs transparent would be better, since now you're not forwarding all your 80 traffic to your proxy port and just hitting the proxy port directly.  Also what hardware are you running this on?  How exactly are you benchmarking your slowdown? Have your users actually complained about the performance hit?
  • Web Activity reports

    0 Votes
    6 Posts
    1k Views
    I have no experience with NtopNG - anyone else feel free to jump in…
  • 0 Votes
    2 Posts
    451 Views
    I am not sure this is the correct answer but I would test: Define a DMZ with the public pool. Add a gateway with 185.81.117.97 in pfsense. In the rules allowing outbound traffic from the DMZ, select in the advanced options the gateway you have defined above. It should work but it might not be the best answer.
  • Assign ip block

    0 Votes
    5 Posts
    1k Views
    No.. I don't want to assign a public IP behind the pfSense. I want to simulate the ISP's reaction: how I assign an IP block over a line with a pfSense (ISP simulator). At the end of this line there is my pfSense fw simulator (and then it is going to use 1:1 NAT - this part is not a problem, I will handle it). The problem is how I can simulate the ISP's reaction (assign an IP block to my customer :) )
  • Android, Exchange, Activesync

    0 Votes
    1 Posts
    463 Views
    No one has replied
  • PHP Errors Causing Possible Network Loss

    0 Votes
    3 Posts
    658 Views
    Wow. I don't know what is wrong. I spent several hours trying to get the CD to work for rebuilding the firewall and nothing worked. I used a USB CD Drive to burn and read, but the boot up took forever. I transferred the ISO to my main computer and burned it on the internal CD Drive. This made it better. The firewall doesn't have a CD-ROM, but it is a computer so I hooked one up to the SATA port and it would not load the CD. So I went back to the USB CD-ROM and it booted, right up until it detected the USB CD-ROM then errors with mount issues (error 19 or 16, don't remember). I don't remember it being this hard to install pfSense. I had several issues just getting a working copy of the software from the sites (ended up downloading it on my Linux laptop and the hashes matched finally). In case you want to try calling me stupid or something for not using the USB installer, I already tried that. It was my first set of attempts before going to the CD-ROM. The BIOS doesn't detect the USB Boot Drive.
  • Haproxy setup help

    0 Votes
    37 Posts
    15k Views
    Ok 'default_backend majesty' is probably the reason it ends up there.. could be that none of the acl's matched.. The current acl might not always match: "acl OWA req.ssl_sni -i mail.mydomian.com". Could you also add an "acl OWA req.ssl_sni -i mail.mydomian.com:443", so including the port? That might solve something.. P.S. it seems you have too many 'default_backend' configured anyhow, but if the acl's pick up the traffic you shouldn't end up on majesty (when requesting mail.mydomian.com).
  • Total noob seeking general assistance

    0 Votes
    7 Posts
    1k Views
    I'm using a Jetway device for my build as well. I forgot the model number but it's a fanless build with celeron quadcore and 4GB of ram. More than enough for PFsense and some decent packages. I've been running it at my house for 6 months now. Solid as a rock! I paid about $300 for the unit. Since this is a home network, you don't need to go crazy on a switch. I personally use two dummy Netgear switches. One for my main production network on subnet 192.168.1.x Eth1, and my second switch is plugged into Opt1 interface on a 10.10.10.x subnet where I host my servers. I have an old Linksys router configured to be used as an AP connected to it as well. Unless you want the experience of playing with vlans or something, I don't see a real reason to need a nice fancy switch. Two unmanaged name brand switches will work just fine. (you could get something like a 6-8 port for your OPT network and a larger one for your production etc… all depends on your needs). That is how I would start. Keep it on the cheap and expand in the future as needed. Now if you want to go fancy because you have the cash and want the learning experience, I'd do the following. Get something like a Cisco SG200\300 (you can get a 48 port for like $180). You could even get one with 4x POE ports for your WAPS on this switch. This is a great switch for playing with vlaning and has great support from the vendor and security. For WAPs, the UniFI AP-LR WAPs are awesome as hell. They are easily managed by Unifi software and can support vlans along with seamless automatic wifi jumps between waps. They also last ages, I've had mine for years and sturdy as hell still. Just an idea.
  • How to respond when an ISP says "it's your equipment"

    0 Votes
    8 Posts
    1k Views
    I deal with this pain on a daily basis as a network engineer. It's really annoying when the ISP doesn't really do any testing other than using their built in software to perform a 5 second test… How important is this connection? Are you doing dual WAN for balancing load or for failover? What I would do is disconnect that connection that is dropping packets. Connect it to a laptop and configure your laptop's NIC to the static IP settings. Then perform a continuous ping or use a network monitoring tool to capture packet losses. If you lose packets then, it is for sure the ISP. If you do not, it is for sure your device. This is the only sure fire way to rule out ISP equipment from your own. It's a pain but it is pure proof that they can not disagree with.
  • MOVED: ESXi performance efficiency

    Locked
    0 Votes
    1 Posts
    329 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.