• Bridging WLAN connection to LAN

    1
    0 Votes
    1 Posts
    375 Views
    No one has replied
  • Enforce Google Safe Search

    8
    0 Votes
    8 Posts
    5k Views
    KOMK
    One problem per thread.  This thread was about Enforce Google Safesearch.  Since you have solved that problem, move on to a new thread with a new title that reflects your problem.
  • 0 Votes
    7 Posts
    2k Views
    E
    Hey, could you share your rules with me? I've been trying over and over but I can't get this to work.
  • How Can I Install Sarg on Pfsense 2.3.2?

    2
    0 Votes
    2 Posts
    1k Views
    DerelictD
    https://doc.pfsense.org/index.php/2.3_Removed_Packages Sarg - deprecated in favor of lightsquid
  • Recommendation for wireless access

    4
    0 Votes
    4 Posts
    2k Views
    johnpozJ
    Well what is your budget or what are your needs?  Go with the PRO, if you're needing to pinch pennies go for the Lite.  I am assuming you would go AC, if not they do have cheaper N models still. https://www.ubnt.com/unifi/unifi-ap-ac-pro/ If you have money burning a hole in your pocket, and budget is not really a concern I would prob go with something from aerohive to be honest.. http://www.aerohive.com/products/access-points/ap550.html But it retails for $1400 vs the unifi ac-pro you can get for $130 ;)
  • Hardware choice for Dual WAN throughput

    1
    0 Votes
    1 Posts
    516 Views
    No one has replied
  • Notification email

    3
    0 Votes
    3 Posts
    900 Views
    dennypageD
    What are the settings you are using in System / Advanced / Notifications / E-Mail?
  • Limited internet time usage

    4
    0 Votes
    4 Posts
    788 Views
    O
    PFsense CP with pass-through is another solution but flexibility of cumulative time usage is the issue.
  • Separate outgoing VPN connections?

    2
    0 Votes
    2 Posts
    552 Views
    DerelictD
    Assuming you're talking about OpenVPN. Sure. It would take some config to get the policy routing right but you could have clients of OpenVPN Remote Access server one use OpenVPN service 1 and clients of OpenVPN Remote Access server 2 use OpenVPN service 2.
  • DLNA across the interfaces??

    10
    0 Votes
    10 Posts
    3k Views
    M
    @kpa: How is the DLNA service supposed to be advertised, mDNS or something else? If it's not using mDNS the Avahi package is not going to help. Yes, using mDNS, with these settings: [image] I'm happy to provide any specific info if you wanna know more. I just don't know where else to look. -San [image: mDns.jpg]
  • Nat port 80 , 2 internal webserver

    4
    0 Votes
    4 Posts
    632 Views
    luckman212L
    HAproxy can also do this... not sure which is better/more suited to this task (Squid vs HAproxy)
  • PPPoE Server + freeradius mysql

    1
    0 Votes
    1 Posts
    481 Views
    No one has replied
  • Web Config Hangs

    3
    0 Votes
    3 Posts
    897 Views
    S
    @KOM: Anything in /var/log/nginx-error.log? tail /var/log/nginx-error.log produced this: I noticed that I can still use the webconfig as long as I don't visit the dashboard. I think I broke the widgets haha
    2016/10/29 05:24:14 [error] 59307#100175: *106 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.0.103, server: , request: "GET /getstats.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.0.1", referrer: "http://192.168.0.1/"
    2016/10/29 12:31:23 [error] 59541#100285: *243 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.0.79, server: , request: "GET / HTTP/1.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket"
    2016/10/29 13:22:58 [error] 59541#100285: *245 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.0.103, server: , request: "GET /widgets/widgets/thermal_sensors.widget.php?getThermalSensorsData=11477707597287 HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.0.1", referrer: "http://192.168.0.1/"
    2016/10/29 13:22:58 [error] 59541#100285: *247 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.0.103, server: , request: "GET /getstats.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.0.1", referrer: "http://192.168.0.1/"
    2016/10/29 13:22:58 [error] 59541#100285: *249 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.0.103, server: , request: "GET /widgets/widgets/ntp_status.widget.php?updateme=yes HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.0.1", referrer: "http://192.168.0.1/"
    2016/10/29 13:22:58 [error] 59541#100285: *251 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.0.103, server: , request: "GET /widgets/widgets/log.widget.php?lastsawtime=1477676679 HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.0.1", referrer: "http://192.168.0.1/"
    2016/10/29 13:22:58 [error] 59541#100285: *253 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.0.103, server: , request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.0.1", referrer: "http://192.168.0.1/"
    2016/10/29 13:22:58 [error] 59541#100285: *255 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.0.103, server: , request: "GET /ifstats.php?if=em0 HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.0.1", referrer: "http://192.168.0.1/graph.php?ifnum=opt1&ifname=AP&timeint=2&initdelay=6"
    2016/10/29 13:39:39 [error] 59541#100285: *271 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.0.79, server: , request: "GET / HTTP/1.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket"
    2016/10/29 15:43:14 [crit] 46634#100346: *1 connect() to unix:/var/run/php-fpm.socket failed (2: No such file or directory) while connecting to upstream, client: 192.168.0.3, server: , request: "GET /system_advanced_admin.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket:", host: "192.168.0.1"
    Cheers.
  • [Solved] UnRaid No Internet Access

    4
    0 Votes
    4 Posts
    7k Views
    S
    .: Update #2 - SOLVED :. Ok, after running the packet capture I found that I was dropping my tcp packets for some reason. Googling led me to this: https://doc.pfsense.org/index.php/Lost_Traffic_/_Packets_Disappear I do in fact have a Realtek card I am routing this through. After making these changes… Internet worked as it should.
  • FilterDNS load averages

    1
    0 Votes
    1 Posts
    489 Views
    No one has replied
  • Pfsense SG-2220

    6
    0 Votes
    6 Posts
    2k Views
    badgastB
    I have a 2220 in my home setting, just between a DSL-cable modem/router and a D-link 24p managed switch. (modem just as a modem, double NAT until I bridge my modem…) Now 1.5 years, and not a single problem. For me it was a starter-thing just to experiment and learn with, which it was, and still is. And it only consumes less than 10 W. Very happy with it. But if you've got a high wan-bandwidth >200 Mbps (fiber e.g.), maybe you'd better look for a more sophisticated version.
  • Wanting some advice

    2
    0 Votes
    2 Posts
    558 Views
    jahonixJ
    @gibbers82: … i don't have time to migrate everything... Have you considered using the professional services offered from pfSense/Netgate? https://www.pfsense.org/our-services/#professional-services They are there for you, for exactly these reasons. To get you started ASAP.
  • Recovering from "corrupt" system: How could I have done this better?

    2
    0 Votes
    2 Posts
    600 Views
    DerelictD
    Pretty much by having a backup of the config ready to go. Other than that it seems like you managed pretty well.
  • Webgui and SSH listening on wrong ip

    27
    0 Votes
    27 Posts
    4k Views
    3
    @Derelict: somehow got automatically converted Sigh. well they weren't changed by me, i'm not on site, if you're sighing then i imagine the guy who moved it must've done something, I'm just trying to figure it out remotely after the fact, in which I have now succeeded thanks to your help.
  • Pfsense 2.3.2 ( please help )

    5
    0 Votes
    5 Posts
    1k Views
    S
    Since you said you are fumbling through Snort/Squid, etc trying to learn them, do yourself a favor and read through the Snort Rules under the Categories Tab of the interface.  Some in there may not pertain to your organization.  The best security would probably be to have them all on but categories like "Games" would likely load unnecessary rules and put extra overhead on the system.  I'm not sure why you wouldn't want people playing StarCraft in the office but you don't need every packet evaluated against those rules even if you didn't. :)  Chat could be disabled if you're not having a problem.  No on-prem email server?  Consider disabling POP or SMTP.  The more you can disable the better the system should perform, especially on config reloads.  By default we have like 18 groups disabled when we install at a client's and add some back in if they need.  And make sure to add suppressions or your logs will overflow with useless info.  Search around here and you should find some good info on those. Also, know that squid, with transparent HTTP proxy enabled, works pretty well out of the gate but only on HTTP traffic, not HTTPS traffic.  If you want HTTPS filtering then you'll have a lot more to work through.  Add some extra definitions into the Freshclam section of Antivirus under Squid.  Search around here for SaneSecurity as we had a thread with that info floating around not long ago.  It'll greatly increase the effectiveness. Once you have things set up, make sure you try some speed tests and downloaders and Quickbooks and Firefox.  It has been my experience that snort blocks them.  You can easily add the exclusions from the Rules and Block tabs of Snort.  You may also want to consider altering the SquidGuard block pages to something that reflects your organization and your policy as well as information on who and how to contact in the event of a false positive.  Also check things like LogMeIn and GoToMeeting to see if they have problems getting through your new Proxy.  With all that addressed you should have things mostly under control. Most of all, Good Luck!  Personally, I'd put your new filter outside of your Firewall if you could as it likely has a lot more power than the ASA (they are generally over featured and under powered) to free its resources up, but I'm not sure exactly how you'd do that without long consideration.  It's probably easier to have it on the LAN and force all traffic to filter through it.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.