I think that using CARP + Virtual IP will help me :-) [image: My_CARP_and_VIPs.png] [image: My_CARP_and_VIPs.png_thumb]

@james_h: You can just create one rule under LAN firewall rules, allow any to WAN to get you up and running. Could you show me how I create a single rule? Its like subnet = lan any to wan any!?

Check the system logs on the secondary, odds are it's being pushed a setting that it can't properly apply (usually trying to add a VIP to a missing interface or similar)

@xenHR: What would my cables have anything to do with it. Because with rules like above, there is absolutely ZERO chance you'd get webGUI access blocked by firewall on LAN. Except that you claim that instead can access it on "WAN". Cannot see anything productive coming out of this. Wipe the mess and reinstall the box from scratch, making sure you set up both WAN and LAN properly at install time. @xenHR: The LAN is operating fine except I can't get out or to web gui. Sure. If you plug the cables to a dumb switch, no firewall is involved in traffic flow between boxes on that switch.

Snort has blocked things a time or two for users. You can test DNS from Diagnostics > DNS Lookup or using "host" from the shell. You can check general connectivity by trying to ping a host on the Internet by name. Usually if your DNS and routing are OK, and packages still do not load, it turns out to be either something like snort blocking or maybe broken IPv6 routing that makes pfSense believe you have IPv6 connectivity when you do not. See https://doc.pfsense.org/index.php/Controlling_IPv6_or_IPv4_Preference for a fix for that.

Possible but not recommended. It's best that everyone have a unique certificate, otherwise you may as well not use certificates at all and use auth only.

@BBcan17: Is there a reason why the "COMM" command is not included in the pfSense /USR/BIN folder? Is there any way to download that file from a secure source? Reasoning is the same as any other "missing" item, we remove things that aren't needed and/or to save space. We don't have a need for that utility and nobody has required it before, so it's not included. You can copy the utility from any other FreeBSD installation that is of the same version as pfSense you're using.

yes i read that while searching for an alternative - dns blacklist. sad to say its not updated upto its current version of pfsense. well yeah i use squid3 in order to run smoothly squidguard. but i am hoping for an alternative, a web filter without having a proxy anymore - aside from opendns.

That should work OK with VLANs. You'd put pfSense on a trunk port, and make a separate VLAN for each WAN, and then in pfsense define the VLANs and assign them so they each appear as a separate interface.

That is possible with squid+squidGuard if you're just talking about an HTTP site.

@johnpoz: What about if the url is say https://something.ads.com/somepath/dir/ad.html ?  Since this does not exist on whatever webserver you point to your webserver would normally return 404, and your browser might bark that the SSL on the https isn't trusted.  So you would need to make sure your browsers trust whatever ssl cert your using.. That's still up to the web server. It's quite easy in Apache to have it answer any request with a specific file via mod_rewrite or similar. Other web server software probably has a similar mechanism. Beyond the scope of the forum here, but it turns up easy in a google search, or just look at what CMS packages like Wordpress use in their .htaccess files.

I have tried using the intel card for both LAN and WAN, and separate intel cards, one for LAN and one for WAN without any effect.

got it as I found it in the docs. https://doc.pfsense.org/index.php/Automatically_Restore_During_Install The example with the USB drive gave the answer.

@marvosa: Glad to hear everything is working! As far as the "Allow DNS server list to be overridden by DHCP/PPP on WAN" option, I have it un-checked, although it's moot for me because I have a static IP.  You would only need this option if you're getting your WAN via DHCP and you want to be updated automatically if your ISP changes it's DNS servers. i.e. If you're static, un-check it.  If you're DHCP, check it. you make my Day, thank you so much, and everyone does helps !

The Emerging Threats Rules has a "Policy" category that has Flash alerts. I am using the Paid version, so I am not 100% sure if those rules are in the Free ET Version. If you use Chrome as a browser, Flash and PDF viewing of files is builtin. You can pretty much get away without installing FLASH and Adobe Reader for most installations by using Chrome.