  • Security vulnerability?
    0 Votes, 6 Posts, 2k Views
    Guys, apologies for the lack of info. It's just that I lost focus in trying to figure out the issue, since this was a rush project, but luckily, in the middle of my overtime research, I found the solution. Apologies for the initial post; I know that in asking for assistance I should have provided more details. OK, here is what happened. I set up pfSense for the first time, following an article on setting it up. I was successful and set up the internal and external IPs. What happened was that in the middle of the setup I discovered that the only thing that reached the internet was the pfSense server itself, as I saw using Diagnostics. This shortened my troubleshooting by focusing on the firewall rules. Later I discovered that when I created the rule it was set to TCP instead of any for the moment, since I was doing troubleshooting. After that everything went online.
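    As an added illustration (not from the thread above, and not pfSense's generated ruleset), here is the mismatch the poster describes in pf rule syntax, the format pfSense compiles its GUI rules into. The interface name and LAN network are assumptions; only the `proto tcp` keyword differs between the two rules.

```pf
# Added example, not from the thread. Interface and network macros are assumed.
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# What the troubleshooting rule effectively was: TCP only.
# DNS (UDP/53), NTP (UDP/123), DHCP and ping (ICMP) from LAN hosts never
# match this rule, so LAN clients fail at name resolution while the firewall
# itself (whose own traffic is governed by other rules) still reaches the
# Internet, which is exactly the symptom seen in Diagnostics.
pass in quick on $lan_if proto tcp from $lan_net to any keep state

# The corrected rule: with no proto keyword, pf matches any protocol
# (Protocol = any on the pfSense GUI rule).
pass in quick on $lan_if from $lan_net to any keep state
```

    The quick check from a LAN host: a UDP DNS query (`dig example.com @8.8.8.8`) timing out while a TCP connection to the same server succeeds (`dig +tcp example.com @8.8.8.8`) is the signature of a TCP-only rule. Once it works, the least-privilege follow-up is to replace the `any` rule with rules that allow exactly the TCP and UDP ports the LAN actually needs.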
  • pfSense V. 2.3.2 embedded DHCP client on WAN issues
    0 Votes, 2 Posts, 575 Views
    I would say you probably have to edit /etc/dhclient.conf. I would start with the explanations here. I've never done this, but I would expect a tweak to one of these timers should do it. Now you get to figure out which one :) The configuration options are listed here: https://calomel.org/dhclient.html
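    An added example of what such a timer tweak looks like, using the FreeBSD dhclient.conf(5) keywords; it is not from the thread and the values are illustrative assumptions, not a known fix for the poster's issue. One caveat from practice: on pfSense the DHCP client configuration for an interface is generated from the GUI at boot, and, to my knowledge, the interface's DHCP client "Advanced Configuration" section exposes these same protocol timing fields, so set them there rather than hand-editing /etc/dhclient.conf, which can be overwritten.

```conf
# Added example, not from the thread. Interface name and values are assumed.
# Keywords are from FreeBSD dhclient.conf(5); all times are in seconds.
interface "em0" {
    timeout 120;          # give up waiting for an answer to DISCOVER after 120 s (default 60)
    retry 30;             # wait 30 s before trying again after a timeout (default 5 minutes)
    reboot 30;            # how long to try to re-acquire the previous lease (INIT-REBOOT) before starting over
    select-timeout 5;     # wait up to 5 s for additional OFFERs before choosing one
    initial-interval 2;   # first retransmission interval; it doubles on each retry
    backoff-cutoff 30;    # cap on the exponential backoff between retransmissions
}
```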
  • Two-factor authentication
    0 Votes, 7 Posts, 4k Views
    Hi John, I appreciate this wasn't done in the past, but most of those models of firewall you state have turned up in the Shadow Brokers NSA dump: Juniper, ASA/PIX, also Fortinet, Huawei. To my mind, every small extra layer of security we can implement, such as OTP on the GUI, we should, as network security devices are a key target. For someone like myself, as an MSSP wanting to recommend pfSense to SMEs and then actively manage them, it would be a nice-to-have. It's becoming standard on a lot of servers, honey platforms, etc., like long unique passphrases and password managers, as well as everything you mentioned in your posts. An attacker could completely pwn the terminal I use to connect and the creds, but they would need to have access to my iPhone as well. Every small layer adds another, sometimes huge, cost to an attacker that can make the difference, deter them and add weeks to their attack. pfSense is a really solid bit of work these days, stable; small things like better ClamAV sigs and OTP and maybe a few more really help it compete with the increasingly security conscious. J
  • Layer two VPN between two pfSense gateways
    0 Votes, 1 Post, 362 Views
    No one has replied
  • How to configure Nginx in 2.3 for WPAD
    0 Votes, 9 Posts, 11k Views
    Kalle13: Hi, here is another manual for pfSense 2.3 in English: pfSense 2.3 WPAD/PAC proxy configuration guide, https://nguvu.org/pfsense/pfSense-2.3-WPAD-PAC-proxy-configuration-guide/ Best regards
  • NAT Reflection
    0 Votes, 5 Posts, 2k Views
    Wanted to put my two cents into the NAT reflection necessity. I just replaced my existing firewall with pfSense and have a formal server DMZ for servers that are publicly available and a guest wireless DMZ, in addition to the external and internal interfaces. I initially created "no-nat" rules to allow desired traffic from the wireless DMZ to the server DMZ and the associated firewall rules. I configured the DNS forwarder to intercept my internal and publicly available domains to be resolved using split DNS. The situation I ran into that required NAT Reflection to be enabled for all the publicly available servers in the server DMZ had to do with mobile devices (Apple devices like iPhones and iPads, but I did not test with anything Android based). The issue was an inconsistent user experience when browsing to the publicly available sites while on the guest Wi-Fi. If the device had not connected to the site before and did so while on Wi-Fi, it was fine. However, when the device was no longer on Wi-Fi, the internal DNS address was cached on the mobile device, resulting in the page not being able to load. The opposite scenario was also true (access the site externally, then attach to the guest Wi-Fi and have it not load). The only quick solution I found to this from the mobile device side was to put the device in airplane mode and then disable airplane mode. The action of enabling airplane mode flushes the DNS cache of the device and allows the correct address to be queried and the site to be loaded. Of course this was only a per-scenario solution, as the user has to enable/disable airplane mode whenever they arrive at or leave the building. While this is not a pfSense problem by any means, IMHO a user should not have to go through this extra step, which they do not understand and will probably not remember to do anyway. In the case I described above, I feel that NAT Reflection is the only solution that allows access and still maintains a secure network design.
    Thanks, Brian
  • HELP IN WAN CONFIGURATION WITH ACT BROADBAND (Bangalore, India)
    0 Votes, 1 Post, 514 Views
    No one has replied
  • pfSense 2.3.2 - Squid & SquidGuard - LDAP - missing single sign-on
    0 Votes, 1 Post, 861 Views
    No one has replied
  • pfSense 2.3 TFTP server
    0 Votes, 8 Posts, 16k Views
    So do I unwind the FreeBSD mods after I install TFTP?
  • Why does everything run as root?
    0 Votes, 6 Posts, 2k Views
    Derelict: Probably should have gone to Jim, so I'll do that. ;)
  • pfSense as a VMware VM and 10Gbps / 20Gbps
    0 Votes, 2 Posts, 737 Views
    If you use server-grade network interface chips/cards that support SR-IOV and your CPU/motherboard supports IOMMU, then you can have almost (like 95%) native performance. Without knowing your specs I don't know if it will work, but you could definitely do it with a fast CPU.
  • Problems after changing IPs - help me…
    0 Votes, 7 Posts, 2k Views
    jahonix: It's not important why it seemed to have worked in the past. Johnpoz already described how to set it up correctly. Use that and create a working system, don't you think? BTW: you can create your "groups" with "aliases" in pfSense.
  • Equation Group Toolkit
    0 Votes, 4 Posts, 2k Views
    Excellent news, thank you!
  • How to get the real YouTube access URL in the Squid access log
    0 Votes, 3 Posts, 3k Views
    Thank you for replying to me, guardian. I'm using pfSense 2.3.1-RELEASE-p5 (amd64) as a web content filter. There is a requirement: when any user accesses YouTube and plays a video, we want to know what URL the user accessed. I'm using authentication in this Squid config. When I monitor that YouTube URL it looks like this: "video-sit4-1.xx.fbcdn.net:443". This is the output of the lightsquid package. Please let me know how to get the real URL of the video that the user accessed.
  • Nginx 400 bad request
    0 Votes, 1 Post, 896 Views
    No one has replied
  • Router's connection stops with double adaptor cable over 2 metres
    0 Votes, 13 Posts, 3k Views
    jahonix: @johnpoz: … 10/100 ... These Y-adaptors use two of the four pairs in a CAT5 cable for each jack. This gives a maximum of 100Mb per host, and that's why I linked such a switch. That's all. This is probably such an adaptor: [image: 41-hOHtyEyL._SY300_.jpg] and that's how it's wired: [image: YS-U11-D.JPG]
  • Startup step "cleaning backup cache" lasts a long time
    0 Votes, 6 Posts, 3k Views
    @heper: Diagnostics / Backup & Restore / Config History, click the + on Configuration Backup Cache Settings; you can adjust the number of backups to keep. Thanks for that. Assuming the default is 30 backups and that is what was taking so long to process during boot, I've changed it to 5. I only had 1 previous configuration history entry recorded here (from yesterday), presumably because I deleted all the others. I'm not sure if an excessive boot delay caused by cleaning the backup cache is normal or not (my router has an SSD, so it shouldn't be due to slow disk I/O). Surely there would be more complaints if this was a usual occurrence. Anyhow, I'll see if 5 backups helps boot times.
  • Snort crashing with FATAL ERROR:
    0 Votes, 2 Posts, 724 Views
    I did a Services / Snort / Update Rules - Force Update and that seems to have fixed it.
  • Problem creating VIP and making a port redirect
    0 Votes, 2 Posts, 424 Views
    KOM: https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
  • Using a VDSL Router for WAN - Please Help with My First SOHO Setup!
    0 Votes, 2 Posts, 1k Views
    Here are my comments:
    1. You are going to be doing double NAT: once through pfSense, and again through your DSL router. While this works for many applications, it will break some. You'd be far better off putting your DSL router into bridge mode, if possible, so that it is basically operating at layer 2.
    2. Using your DC for DHCP and DNS is not a problem. Just configure DNS on your DC to forward unresolved DNS requests to some DNS server that has access to public DNS. You could point it to your pfSense box, or straight to something like Google DNS (8.8.8.8).
    3. You can access your DSL router's admin page at 192.168.1.254 (provided you haven't put it in bridge mode) by going into pfSense and disabling the WAN check for bogus networks, since pfSense, by default, would block access to a private 192.168 IP address on its WAN side.
    4. No DHCP relay needed.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.