@heper:

squid on pfsense can work with AD authentication. How well it integrates with squidguard/dansguardian i don't know.

You have to install the following packages

you will sea the proxy filter and proxy server on the service tab you have configure like this

You can't use two WAN NICs with the same gateway.  It'll only route traffic out of the default gateway.

If you have more than one public IP address that can use the same gateway, you can do it with one NIC, and VirtualIPs and 1:1 NAT routing. (http://doc.pfsense.org/index.php/1:1_NAT)(http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F)

On my WAN2 interface I have a public IP address ...39, and ...40, and ...41.  The ...39 is the LAN2 subnet.  ...40 is a single IP on LAN2, and ...41 is another single IP on LAN2.  I could easily have added another public IP and had that route to LAN1, but in my case I have a completely different WAN connection with a different (different than WAN2) gateway instead.

Create the one WAN interface and use 1:1 NAT with a VirtualIP.

If you are looking at building a new box it's hard to recommend anything other than a low-end Sandybridge/Ivybridge based board. As Tim suggests above, using an socket 1155 board gives you lots of upgrade options. This board:
http://www.newegg.com/Product/Product.aspx?Item=N82E16813121622
Is slightly more but gives you a smaller footprint and DC power for greater efficiency.
Even a low-end Celeron will firewall/NAT at Gigabit wire speed so should be good for 120Mb of OpenVPN (I have no test results to confirm this). http://www.newegg.com/Product/Product.aspx?Item=N82E16819116889
If you want less building then maybe something like the Shuttle DS61: http://forum.pfsense.org/index.php/topic,56950.0.html

To be honest you could probably get 120Mb VPN with a far less powerful system but it's probably easier and cheaper to go with something such as the systems above.

Steve

If they fix it upstream, we pick up the changes either the next time we shift OS versions (not very often) or if we bring their patch into our code (happens all the time).

You cannot expand it to fill the card, at least not at all easily. It's relatively easy to load up the 4GB image and restore the config though.
However there is very little point in doing so. It's very unlikely you'll run out of space in the 1GB image. The RRD data is stored in the config (50MB) partition and I think that is the same size in the 4GB image. I'd have to check that. The RRD data does not grow in size though, that's the primary feature of it.

Steve

**my system work on ESXI 4.1 , pfsense for merge 2 line my multigatwy then go to Mikrotik 5.20 for Distribution internet to clients ,
every route have bult in siwtch take cable form router 1 to router 2  and from router 2 cable to wan , ( i disable dhcp in bothe of them )  ( in ESXI creat  2 virual network adapter in pfsense , contact to wan by creat virtual  switch then acreat vm switch btween mikrotik an pfsense

this is my network every time restart my Routers only one is online and the other is offline to solve problem need to restart pfsense every time after restart routers  , hop to fond solutoin**

thanks for your reply..
@dhatz:

Your best bet to increase overall performance would be to switch to pfsense 2.1-BETA (based on FreeBSD 8.3, with new drivers for most hardware). As long as you won't be doing any disk-intensive tasks (e.g. squid) the most important factor affecting performance would be your NIC(s) e.g. Intel or Broadcom etc.

Since you have plenty of RAM, you could try
kern.ipc.nmbclusters=262144

thanx  for thats a  big help  now i  just need to  work out  installing  but it cant be  that  difficult    hopefully  ???

however that  not my  firebox 700  but its a big help

That's an IP conflict, the device with the MAC it's listing is using your IP. It won't be in the ARP table since that IP is local and it won't believe whatever the conflicting device is. But your upstream router will. What to do about it depends, if that's something on your network, turn it off or change its IP. If you're plugged straight into your ISP's network, you'll have to contact them about it.

That'll happen if that traffic makes it to the firewall. At that point you can either block or pass it, but it's going to show up in your RRDs either way. Whether or not it makes it to your firewall depends on the device its WAN is plugged into. Something on that upstream device must have changed to send out that multicast on all ports rather than just ports that have joined the appropriate group. Whether or not that's configurable or you can do anything to change the behavior, not sure, better chance of finding that out from your provider (if you can get someone with a clue) or a forum of theirs if one exists.

@dillbilly:

Is there any way to figure out what might be advertising itself on that port?

Traffic doesn't necessarily result from something "advertising itself" on the port. For example, some might "probe" a range of IP addresses on a particular port looking for a systems that responds. Or you might have a dynamic IP address which was recently used by a system providing a service on that port.

Do you see a range of IP addresses accessing the port in question?  Do you see the accesses in the firewall log?

Diagnostics -> Traffic Graph?

Thank You everyone for all you help!  It is now fixed.  I had to reinstall blacklist and this time setup the correct URL for the download and everything went back to normal.

Again,  Thanks All for your time and efforts.

ChiefTenToes

That does the trick. Thanks for helping!

IPv6 support is only available on 2.1.

2.1 is not "alpha" it's BETA1, and nearly a release candidate at this stage.

If you need IPv6, use 2.1. You may not like it, but that's the answer.

Try using something like BandwidthD, DarkStat, or NTOP. These packages can let you see what IP's (and thus PC's) are creating the most traffic. Check for both lots of upload packets and throughput.

Well, the error message is pretty much self-explanatory. Are you running some package that opens many files (e.g. squid) ?

On my system, uid 62 is proxy. You can check which process(es) are responsible, by running the following command on CLI
ps aux|fgrep proxy

The obvious solution would be to increase kern.maxfiles, by going to webGUI System -> Advanced -> System Tunables, assuming your system has enough RAM to handle it.

PS: Although many pfSense users run the squid package, my opinion is that if you have more than a few (~20) users it'd be best both for security and performance/reliability reasons to use an external caching proxy, appropriately sized & tuned (fs + kernel).