Thanks for your response.

I had removed Squid, Squidguard and PF BlockerNG, trying to get back to a generic configuration without any major packages installed but couldn't get the Apple TV to work.  I reinstalled Squid thinking I could get back to where it worked but it wouldn't work.

I have since removed Squid and power cycled the Apple TV and now it works on my pfSense with no major packages installed.  If you google the issue, everyone says you need a VPN for it to work but I didn't want to do that.

Not opposed to using pfSense and just having Cisco basically act as a switch, but if possible I'd like to utilize it as a router since I bought it and also use the content filtering. Extra layer with the redundant firewalls and filtering.

oh yes , i got it

many thanks

@chrispeden:

I am not exactly sure how though.

I don't understand.  2.3.5 is available for download.

1. Save current config.
2. Download and re-install 2.3.5 from scratch.
3. Restore config, this will also re-install all packages.

I realize this is total necro, but this post shows up on the first page of DuckDuckGo results.

I was getting Ds and mostly Fs on DSL Reports bandwidth test.

In 2.4.2, setting CODELQ without bandwidth was not permitted by the interface.

Setting bandwidth to a number higher than my ISP advertised rate resulted in no change in bufferbloat.

Setting bandwidth to my ISP's advertised rate resulted in all As.

What I found interesting is that even though I can get ~10% higher than advertised actual speed, setting bandwidth to even 50 kbps higher than advertised resulted in increased bufferbloat.

Found the way.
in radcheck table:
Auth-Type = googleauth
in radreply table:
MOTP-Init-Secret = (Secret code)
MOTP-PIN = (PIN Code)
MOTP-Offset = 0

Thanks!

As far as I remember, the speedtest's results are the peak results, not an average  :) But you're probably right… The VM could be taking overhead, but I was very surprised that it was taking over two times the peak of the speed test!  :P

For anyone looking for similar assistance. I found this article to be extremely helpful.
https://www.highlnk.com/2014/06/configuring-vlans-on-pfsense/

@KOM:

I don't see a reason to leave them out of Squid

Squid will sometimes interfere with some downloads, like Windows Update or antivirus updates.  Until I updated to latest squid a couple of weeks ago, Kaspersky updates would always fail unless I exempted the client form the proxy.

That it is. For some updates and for other reason i have to exempt some users from the proxy. And with that configuration i don't know how i can get their logs.

Raspberry PI can run as a Syslog Server.

So very little costs  ;D

No.

If cost isn't an issue then most of the vendors have demos you can log into and check out.  If you just want simple networking with basic statistics and such the Ubiquiti is nice.  I've also had great success with OpenMesh and their cloud controller.  Neither are on the level of something like a Meraki.  The big guys let you do things like require a PC to have AV installed to connect to the network, have each AP scan traffic for virii, and application reporting so you can see what programs a user is running to pass the traffic.  It's been a couple of years since I took the training but it's just page after page of features.  They cost a lot more and have annual fees but there are a lot more features.

@hahnice:

Hi
This is my first post but would like to say what a fantastic product pfsense is.

With regards pfblockerNG, I have read a lot of posts describing why you dont need to block the world and only allow certain countries due to the fact that there is a explicit deny on the inbound WAN connection - excepting any configured open ports.

My question revolves around IoT devices like security cameras and Smart TVs that 'call home' on a regular basis. The other worry for me is APPs downloaded from Google Playstore that have the ability to open ports outbound to a unknown destination.

Using Pfsense I found a camera app on my phone that was calling home to mail.ru. This is a worry. Also, my Swan security cameras (hikvision) regularly try to connect to china but are blocked by the country blocker.
I understand that DNSBL stops large amounts of this traffic so if I use DNSBL with regularly updated feeds should i deselect these Countries and let DNSBL stop the traffic?

pfBlockerNG is a great tool if you want to block geographic areas from accessing a viable service since the default WAN block rule wouldn't apply to a port forward.  For example, if you have a Terminal or RDS server with a port forwarded for remote access then the service is out there and available for people to connect to and it needs to be secured.  In this case you can throw RDPGuard on the server (an inexpensive and great product btw) to protect and lock out IPs with failed logon attempts but it would be a better use of resources to just block the packets altogether at the firewall.  That's what pfBlocker would do.  Same thing with an FTP server or a web server.  Once the rule is in place (unless you specify the source IP) pfBlocker becomes useful.  If a needed IP is blocked it can always be whitelisted.

UPDATE
I have created a CA and activate HTTPS/SSL Interception with this configuration :
SSL/MITM Mode –------------- Splice All
SSL Intercept Interface(s)----------- LAN
SSL Proxy Port----------3129
SSL Proxy Compatibility Mode ----------- Modern
DHParams Key Size-------------2048
CA------------- CA Filter (the cetificate that I have created)

other fields are default

At this point everything is ok the blacklist is blocked and the whitelist works but after some minutes some of whitelist goes black for example gmail.com. I have add it as gmail.com / mail.google.com in both Target Categories as whitelist and at Squid Proxy as whitelist at ACL.

Here : System => Advanced => Miscellaneous => Load Balancing => Use sticky connections
Wonder why … Jamerson never spoke abound load balancing.

@Scotts:

yea… windows is nuts

No argument here.  ;D

Steve