@hda: Put a managed switch, global rate limiting, between pfSense-LAN and your LAN-members. That's a great suggestion,  I hadn't thought of that.  I was thinking I'd need a Managed switch in the near future anyway, they are fairly cheap now, and that would buy me some time to explore some budget upgrades for PFSense and let me keep using my service in a slightly reduced performance mode that I can control. I also appreciate the other folks confirming it's time to update the hardware.

@johnpoz: You need to look at what the direction of the traffic is, who is the requester who is the responder. Ah, now I understand. Need a incoming rule for the ping request (Internet -> WAN -> pfSense) and pfSense can send the reply, right? @johnpoz: So a destination unreachable.  When would you need this to be allowed to pfsense wan? https://docs.openvpn.net/how-to-tutorialsguides/administration/troubleshooting-openvpn-connectivity-issues/ My OpenVPN work now fine with TCP.

Quite a while ago I figured out what's wrong: While running pfSense in a KVM setup make sure you don't use rtl8139 as network interfaces but virtio instead. Positive aspects: 10G instead of 1G No broken traffic Less overhead Negative aspect: You have to remap your interfaces in pfSense. I don't know the exact cause of of the problem but the workaround is pretty nice.

Is there a better walkthrough available for pfSense 2.3.2? No. :) Using an admin port should make it ezpz since you're configuring the bridge out-of-band. BRIDGE0 is the "interface" on which the IP configuration is placed. It is a virtual interface consisting of a layer 2 bridge of the bridge members. With the sysctls set as in that walkthrough that is the only interface on which firewall rules will be honored.

Hello KOM. Thanks very mutch. When I change to DEMO works fine. Thanks a lot. Best regards.

I did something similar just this week. My work around was to go to the console and "Restore recent configuration" Option 15. Think I had to reboot it after that too but it worked.

OK I followed the original instructions and got the stable branch of the Unifi controller, which was fixed to major version 4. You have to explicitly set the repo to version 5 to get the latest. The latest controller has the ability to "Enable RADIUS assigned VLAN", which is what I wanted, so all good. However, it still isn't passing through the tagged VLAN attribute. I guess before I figure that out I should figure out another problem - I have assigned a test client device a static IP in Freeradius/Mysql. The Framed-IP-Address attribute contains the value I want and this is correctly returned in the Access-Accept message from the Freeradius server (along with the VLAN tag). However, pfSense is overwriting the IP with a DHCP-assigned IP from within the pfSense LAN's range. The Unifi AP has "Using DHCP" set on it. I think that means it's acting as a client, not as a DHCP server. I can also force it to have a static IP from within pfSense's range, but I haven't tried that. It's actually getting a statically set IP from pfSense, which I specified in pfSense's DHCP server page. I have no explicit setting in pfSense's LAN DHCP server for the client device I'm testing with (the one being authorized by Freeradius). In Freeradius (as I mentioned) it's getting a static IP but in pfSense's DHCP leases it gets a totally different dynamic IP and all traffic is to/from the dynamic IP. Is it possible that pfSense ignores the Framed-IP-Address attribute? Should I be looking at pfSense, Freeradius or the AP to fix this?

Well, considering you have provided almost nothing for information, all we can do is wild guesses.  How do you recover, reboot?  Anything in the System log at the time of the hang?  Is it possible that NIC has a problem?

Teaching you how to use Wireshark is beyond the scope of what I'm willing to do here.  Sorry, but it's a big topic.  I know about enough to be dangerous after having worked my way through this book: https://www.amazon.ca/Troubleshooting-Wireshark-Performance-Problems-Solution-ebook/dp/B00I2VL1WA/ There should be YouTube videos that can get you started, or feel free to post your .cap file here for the gang to look at and assist with.

can you suggest any hardware x64 to run it not so much pricey? Axiomtek NA342D or Axiomtek NA342R

Update: I've just upgraded to pfsense 2.3.2 release p1 and the unit rebooted and then i could not access some sites once more. I disabled and re-enabled the lan0 interface and everything was fine again. This a bug?

ok i see

@KOM: become part of a botnet That is something I haven't thought about! But I still see no evidence of any remote attacks on my version of pfsense.

@dotdash: If it's not on the menu, you have to do it through the gui. Anything added from the shell will not survive a reboot/filter reload. Thanks!

I think what is next of that is optional, isn't? Yes and no.  If you don't want your users going around the proxy just by disabling it in their LAN connection settings then this step is mandatory. I haven't worked through aGH's guide.  I use squid in explicit mode with WPAD.  I only use it as a platform for URL filtering, not caching at all.  Everything works for me. Do you see any evidence that https is being processed by squid?