I'm no expert but here is what I think. pfSense does not have any built-in tamper detection that I am aware of other than IDS like snort or suricata.  You must use other tools to enforce the use of the proxy, such as firewall rules, domain policy, WPAD policy etc. HTTPS proxy support requires SSL certificates to be installed or manual proxy configuration on each client, but it can be done.

It all depends what your WAN connection is as to what's 'normal'. However 25% packet loss looks pretty bad. Steve

Your initiator shouldn't be sending the connection to the gateway, have you tried using the server local IP address instead of the FQDN instead? The machine/ dns server might not be resolving your fqdn to the internal server ip.

It's normal.  The continuous ping is to allow pfSense to ascertain that your upstream gateway (in this case, it's your modem/ router) o verify that the connection is active and usable. This is helpful in multi-WAN connections where the router can detect connection failure on one link and switch to the next.  It's also used to restart certain services or connections to force downstream services to change their state to reflect the loss of connection. The ping latency results are also used to generate the link quality RRD graph. You can change both the frequency and the destination to ping - you might want to change this because your router can be up and contactable but the actual internet link may not be. To do so, go to System -> Routing -> Gateways.  Click the "e" button next to the default gateway. Under Monitor IP, enter an alternative IP address that is on the internet and contactable through your link.  e.g. Your ISP's DNS server IP or Google DNS server IP Click on Advanced to expand it. Under Probe interval, enter a new value (in seconds) to change the interval between pings.  If you are using an external server, you might want to increase the interval in case this behaviour is deemed to be an attack.

I know the people I have suggested them too have been very happy and get great speeds on the ones I have tested have more than capable of solid 100mbps connections.

@BBcan177: Google "Fatal trap 12: page fault while in kernel mode" and there are lots of people with that error. What kind of machine is it? Are you virtualizing this machine? 'tIs the first machine in my sig, BB; not virtualized  ;D I don't think it was hardware; I uninstalled these packages mentioned before, and so far no hangs anymore. I'll see what happens next.

Thank for answer Can you tell me how to block free proxy or anonymous proxy?

I won't be able to help out any further alexxtasi. You've exceeded my ability to assist through the forums. It's often difficult enough to get the base system running properly because of it's numerous bugs and quirks much less when you customize to the extent that you have. Good luck my friend.  :)

LOL, never mind guys i have resolved this issue, the problem as usual, was with the meat-ware .. rolls eyes have a great day .. ;) Cain

Hi , Thanks for your answer. i had a sohpos asg 110/120 . i installed now on the same HW pfSense. here are some information about network devices: [2.1.4-RELEASE][root@c02506ccd392]/root(5): dmesg | grep pci pcib0: <acpi host-pci="" bridge="">port 0xcf8-0xcff on acpi0 pci0: <acpi pci="" bus="">on pcib0 pcib1: <pci-pci bridge="">at device 1.0 on pci0 pci1: <pci bus="">on pcib1 vgapci0: <vga-compatible display="">mem 0xf4000000-0xf7ffffff,0xfb000000-0xfbffffff irq 16 at device 0.0 on pci1 fxp0: <intel 10="" 100="" 82559er="" embedded="" ethernet="">port 0xff00-0xff3f mem 0xfdfff000-0xfdffffff,0xfdf80000-0xfdf9ffff irq 16 at device 9.0 on pci0 fxp1: <intel 10="" 100="" 82559er="" embedded="" ethernet="">port 0xfe00-0xfe3f mem 0xfdffe000-0xfdffefff,0xfdfc0000-0xfdfdffff irq 16 at device 10.0 on pci0 fxp2: <intel 10="" 100="" 82559er="" embedded="" ethernet="">port 0xfd00-0xfd3f mem 0xfdffd000-0xfdffdfff,0xfdf60000-0xfdf7ffff irq 17 at device 11.0 on pci0 fxp3: <intel 10="" 100="" 82559er="" embedded="" ethernet="">port 0xfc00-0xfc3f mem 0xfdffc000-0xfdffcfff,0xfdfa0000-0xfdfbffff irq 17 at device 12.0 on pci0 atapci0: <via 6420="" sata150="" controller="">port 0xfb00-0xfb07,0xfa00-0xfa03,0xf900-0xf907,0xf800-0xf803,0xf700-0xf70f,0xf000-0xf0ff irq 20 at device 15.0 on pci0 atapci0: [ITHREAD] ata2: <ata channel="">at channel 0 on atapci0 ata3: <ata channel="">at channel 1 on atapci0 uhci0: <via 83c572="" usb="" controller="">port 0xf600-0xf61f irq 21 at device 16.0 on pci0 uhci1: <via 83c572="" usb="" controller="">port 0xf500-0xf51f irq 21 at device 16.1 on pci0 uhci2: <via 83c572="" usb="" controller="">port 0xf400-0xf41f irq 21 at device 16.2 on pci0 uhci3: <via 83c572="" usb="" controller="">port 0xf300-0xf31f irq 21 at device 16.3 on pci0 ehci0: <via vt6202="" usb="" 2.0="" controller="">mem 0xfdffb000-0xfdffb0ff irq 21 at device 16.4 on pci0 isab0: <pci-isa bridge="">at device 17.0 on pci0 the trunk port is configured correctly and i can see also the traffic on the pfsense. I can see just requests packets and when i dump on fxp0_vlan5 (Valn 5  interface) i can see that the pfsense didn't answer this traffic at all. the firewall rules are set correctly and i am not seeing any blocks. i have done test with the client as you suggest before i post my question . in this case i have the same issue. perhaps i miss some configuration. could you please send me your sysctl -a output ?</pci-isa></via></via></via></via></via></ata></ata></via></intel></intel></intel></intel></vga-compatible></pci></pci-pci></acpi></acpi>

I have no idea how you would even calculate how much time is spent on something like Youtube. There is almost no correlation between bandwidth used or time spent transferring and actual viewing time. The only practical way is to just have time slots that allow/block the services. Otherwise you may have to do parenting the old fashioned way.

Hi Steve, thank you, I uninstalled pfBlocker and now it runs better. But there are also some killed services from time to time. I now ordered a new APU board with 2GB RAM, a faster CPU and a 16 GB SSD. Then I should have enough memory and the possibility to swap on the disk. Thank you for your support, Regards

@zohaib where you able to resolve the issue? Having the same problem.

Sorry to pile on, but I'm looking at the same problem.  I want a SPAN port, mirrored off my DMZ port, but I am unable to create the SPAN because it wont let me bridge a single port(DMZ).  Is there a better way to accomplish this? I'm thinking I might tinker with the vSwitch and this pfsense is running on ESXi, but I would like to understand how/if pfsense can SPAN a single port not a bridge.  Thanks.

It's pretty straight forward really. Add an extra virtual NIC to the pfSense VM. Now assign that as a new interface in pfSense, it will be named OPT1 but rename it as you wish. Set the subnet/mask etc. Add DHCP if you want to use that. There will be no firewall rules on the new interface so all traffic will be blocked. Add appropriate rules to allow/restrict access to/from your server. Steve

Sorry to bump this back to the top, but I'm still having this issue, and it's also happening on a new APU 1.C board running the latest version of pfSense. If I cannot resolve this issue, I would like to at least know when a pfSense box is rebooted, is there a way I can be notified of a reboot? Sendmail? What about having the pfSense box open a url on my website, which I can code to notify me that it's been opened etc etc?

The 'files' package allows you to store custom scripts within the config file such that they would be reinstated after a firmware upgrade. You can only store text based files though so no images or binaries. You may be able to store images in /conf , the config slice, and then point at them in the theme instead. I'm not sure I've never tried any theming. Steve