• Timeline of new features

    1
    0 Votes
    1 Posts
    457 Views
    No one has replied
  • Getting disconnected from the internet every now and then

    5
    0 Votes
    5 Posts
    1k Views
    Squid is running but not enabled in the configuration. Do you suspect that is causing the issue? I've stopped the service for now to test. -S
  • Transfer settings from VM to hardware PfSense

    5
    0 Votes
    5 Posts
    1k Views
    Thanks. Deployment went down without a glitch!
  • HELP PPPoE Stuck on 100mb Speed

    2
    0 Votes
    2 Posts
    570 Views
    w0w
    Provide more information. Hardware? pfSense/ISP modem configuration? I have 300/300 PPPoE over Ethernet working at near full speed, including traffic limiters and shaping.
  • NTP Question

    4
    0 Votes
    4 Posts
    4k Views
    dennypage
    @Kahomono: I do need to be able to power these devices off and on. When my devices power on, they default to 2015-01-01 00:00:00. They are not syncing successfully off the firewall. I suspect the time adjustment they would need is too great so it's refusing to make it. Any way I can (A) confirm my suspicion and (B) make it happen anyway?

    Override of large time offsets has to be done on the client and cannot be done on the server. How this is done varies greatly by client. If you provide information on the client, someone here might have experience with a similar device and be able to provide you with some guidance.
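The check behind (A) above, as an added example that is not code from the thread or from pfSense: take one NTP request/reply exchange, compute the offset the client would have to apply, and compare it with ntpd's default panic threshold of 1000 seconds, above which ntpd refuses to step the clock unless it was started with -g or configured with "tinker panic 0". The server reply is a constructed byte string rather than a capture, the device clock of 2015-01-01 00:00:00 is the one the post describes, and the server time, round-trip and stratum values are made up.

```python
"""Added example, not from the forum thread or from pfSense: work out the
clock offset from one NTP request/reply and compare it with ntpd's default
panic threshold of 1000 s, above which ntpd refuses to step the clock unless
started with -g or configured with "tinker panic 0". The server reply here is
a constructed byte string, not a real capture; the device clock of
2015-01-01 00:00:00 is the one the post describes."""
import struct
from datetime import datetime, timezone

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 to the Unix epoch
PANIC_THRESHOLD = 1000.0       # ntpd default "tinker panic" value, seconds


def unix_to_ntp(t):
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    sec = int(t)
    frac = min(int(round((t - sec) * 2 ** 32)), 2 ** 32 - 1)
    return ((sec + NTP_EPOCH_DELTA) << 32) | frac


def ntp_to_unix(raw):
    return (raw >> 32) - NTP_EPOCH_DELTA + (raw & 0xFFFFFFFF) / 2 ** 32


def build_server_reply(t1, t2, t3, stratum=2):
    """Constructed 48-byte NTPv4 mode-4 (server) reply; t1 is echoed as the
    origin timestamp, t2/t3 are the server's receive and transmit times."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4                      # LI=0, VN=4, mode 4
    head = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # poll 6, precision 2^-20
    head += struct.pack("!II4s", 0, 0, b"GPS\0")              # root delay/disp, ref id
    body = struct.pack("!QQQQ", unix_to_ntp(t2 - 1.0), unix_to_ntp(t1),
                       unix_to_ntp(t2), unix_to_ntp(t3))
    return head + body


def parse_server_reply(pkt):
    """Return (stratum, origin, receive, transmit) from a server reply."""
    if len(pkt) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    mode, stratum = pkt[0] & 0x07, pkt[1]
    if mode != 4:
        raise ValueError("expected a server reply (mode 4), got mode %d" % mode)
    if stratum == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronised server")
    _ref, orig, recv, xmit = struct.unpack("!QQQQ", pkt[16:48])
    return stratum, ntp_to_unix(orig), ntp_to_unix(recv), ntp_to_unix(xmit)


def diagnose(t1, reply, t4):
    """t1/t4: client send/receive times by its own clock; t2/t3 come from the
    reply. Returns the offset, round-trip delay and whether ntpd would balk."""
    stratum, orig, t2, t3 = parse_server_reply(reply)
    if abs(orig - t1) > 1e-3:      # reply does not belong to our request
        raise ValueError("origin timestamp mismatch (stale or spoofed reply)")
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return {"stratum": stratum, "offset": offset, "delay": delay,
            "exceeds_panic": abs(offset) > PANIC_THRESHOLD}


def example():
    """The device believes it is 2015-01-01; the server knows the real time."""
    device_clock = datetime(2015, 1, 1, tzinfo=timezone.utc).timestamp()
    real_time = datetime(2016, 8, 25, 3, 10, 33, tzinfo=timezone.utc).timestamp()
    t1, t4 = device_clock, device_clock + 0.040          # 40 ms round trip
    t2, t3 = real_time, real_time + 0.001                # 1 ms inside the server
    return diagnose(t1, build_server_reply(t1, t2, t3), t4)


if __name__ == "__main__":
    r = example()
    print("offset %.3f s, delay %.3f s, exceeds ntpd panic threshold: %s"
          % (r["offset"], r["delay"], r["exceeds_panic"]))
```

An offset of roughly 52 million seconds is far beyond 1000 s, so a stock ntpd on the device exits rather than step; as the reply says, the remedy is client-side (ntpd -g or "tinker panic 0", or chrony's makestep), and nothing on the pfSense NTP server changes that. The origin-timestamp check is the usual guard against accepting a reply that does not match the request you sent.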
  • How to arrange my LAN?

    10
    0 Votes
    10 Posts
    9k Views
    @divsys: I'm not a Minecraft/gamer aficionado by any means, but I would have thought you could simply provide a FQDN (e.g. "thisisthegame.here.now") that would reference through DNS setup on pfSense to get you across the VLANs.

    So far, it seems to be working just fine with the bridge. Typing a FQDN for children on handheld devices might be a bit much for them. Android complicates it more with their default hostnames that (sarcasm) seem to be deliberately constructed to test the buffer size limits of any DNS server. (I can control the DNS hostnames for the devices that "live" there, but not for the ones that are only guests.) I think (hope) they are moving away from the Minecraft phase anyway, so once that's gone, I can drop the bridge.

    Another thought is to just write a quick daemon that listens for broadcasts on whatever port Minecraft is using and retransmits the broadcasts on another interface. (I'd have to do packet captures to figure out exactly what is being broadcast.) A sort of broadcast forwarder. (Actually, something like that might already exist… hmm..) I'll freely admit that something like that would be COMPLETELY unsuitable for use on a larger LAN, but it might be a good learning experience for me even if it turns into a disaster.
  • IP based Routing & VPN Multi-gateway Setup

    1
    0 Votes
    1 Posts
    705 Views
    No one has replied
  • How to get a file on the system?

    14
    0 Votes
    14 Posts
    6k Views
    KOM
    Admin vs root was my issue.  Thanks to everyone who helped out.
  • How to see what traffic is going out through the firewall

    2
    0 Votes
    2 Posts
    614 Views
    johnpoz
    You can sniff (packet capture, Diagnostics menu) on either the WAN interface or the interface your traffic enters pfSense on, for the IP of this POP3 server and port. You'll probably need to raise the default limit of 100 packets and let it run for a while. Then download that capture into your favourite analyzer, say Wireshark, and take a look at what is going on.
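A first look at the downloaded capture before it goes into Wireshark, as an added example that is not code from the post or from pfSense: a small reader for the classic pcap format (what tcpdump -w writes and what the Diagnostics packet capture lets you download) that summarises the TCP flows to one server IP and port. The capture is constructed in memory from made-up addresses (192.168.1.50 talking POP3 to 203.0.113.10), not a real trace; pcapng files and non-Ethernet link types are rejected rather than parsed.

```python
"""Added example, not from the forum post or from pfSense: read a classic
pcap file and summarise the TCP flows to one server IP and port, as a first
look before opening it in Wireshark. The capture below is constructed in
memory from made-up addresses, not a real trace."""
import ipaddress
import struct
from collections import defaultdict

SYN, PSH, ACK = 0x02, 0x08, 0x10


def build_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with zeroed checksums (constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames):
    """Little-endian classic pcap, link type 1 (Ethernet), from (ts, frame) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int((ts - sec) * 1e6), len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (timestamp, frame) per record; handles both byte orders of the magic."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def decode_tcp(frame):
    """Return (src, dst, sport, dport, flags, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]   # drops any Ethernet padding
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[13], tcp[data_off:]


def summarise_flows(pcap_bytes, server_ip, server_port):
    """Per client (ip, port): packets each way, bytes sent, whether a SYN was
    seen, the server banner and what the client sent (cleartext POP3 shows
    the credentials right here)."""
    flows = defaultdict(lambda: {"out_pkts": 0, "in_pkts": 0, "out_bytes": 0,
                                 "syn": False, "banner": b"", "client_data": b""})
    for _ts, frame in iter_pcap(pcap_bytes):
        decoded = decode_tcp(frame)
        if decoded is None:
            continue
        src, dst, sport, dport, flags, payload = decoded
        if dst == server_ip and dport == server_port:        # client -> server
            f = flows[(src, sport)]
            f["out_pkts"] += 1
            f["out_bytes"] += len(payload)
            if flags & SYN and not flags & ACK:
                f["syn"] = True
            f["client_data"] += payload
        elif src == server_ip and sport == server_port:      # server -> client
            f = flows[(dst, dport)]
            f["in_pkts"] += 1
            f["banner"] = f["banner"] or payload
    return dict(flows)


# Constructed sample: one POP3 session plus an unrelated HTTPS SYN to the same host.
SERVER, PORT = "203.0.113.10", 110
SAMPLE_PCAP = build_pcap([
    (1.000, build_tcp_frame("192.168.1.50", SERVER, 49152, PORT, SYN)),
    (1.020, build_tcp_frame(SERVER, "192.168.1.50", PORT, 49152, SYN | ACK)),
    (1.021, build_tcp_frame("192.168.1.50", SERVER, 49152, PORT, ACK)),
    (1.040, build_tcp_frame(SERVER, "192.168.1.50", PORT, 49152, PSH | ACK, b"+OK POP3 ready\r\n")),
    (1.050, build_tcp_frame("192.168.1.50", SERVER, 49152, PORT, PSH | ACK, b"USER alice\r\n")),
    (1.060, build_tcp_frame("192.168.1.51", SERVER, 49153, 443, SYN)),
])

if __name__ == "__main__":
    for (ip, port), f in summarise_flows(SAMPLE_PCAP, SERVER, PORT).items():
        print(f"{ip}:{port} -> {SERVER}:{PORT} out={f['out_pkts']} in={f['in_pkts']} "
              f"bytes_out={f['out_bytes']} syn={f['syn']} banner={f['banner']!r} "
              f"client_data={f['client_data']!r}")
```

Swap SAMPLE_PCAP for the bytes of the downloaded file and the server IP/port for the POP3 server in question; a flow that shows a SYN but no inbound packets points at the server or an upstream block, while a flow with a banner and a USER line shows the client talking POP3 in the clear, which is the usual argument for moving it to port 995.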
  • Authenticating Wireless Simple

    4
    0 Votes
    4 Posts
    4k Views
    johnpoz
    What RADIUS server, the pfSense package or standalone? I thought MAC auth was not available till version 3. Does it work in the current pfSense package, which is only 2.2.9? How are you setting up the UniFi controller to use RADIUS if not on WPA Enterprise?

    Oh, you're letting your switch set the VLAN? What is the point of that, since your wifi traffic would not be tagged? I don't see how your setup is of any use. So user A gets on and is in VLAN 100; how does user 2 get VLAN 200, if the switch is changing the VLAN of the port? How do you then talk to the AP, since the management interface does not allow tagging, and if the port on your switch changes its VLAN based upon user MAC.. I am confused..

    Here is the normal setup with UniFi: you can have an untagged SSID, you can have an SSID with a VLAN tag, or you can have RADIUS determine the tag of the client on an SSID. So you could run multiple users on the same SSID with different tagged VLANs. But the management interface of the AP does not do tagging and has to be on the native untagged VLAN. So I am confused how changing the VLAN on the port connected to the AP from the switch allows for multiple tagged traffic.

    If you set the UniFi controller to WPA PSK for an SSID you cannot even point it to a RADIUS server. You can assign a VLAN; when you go to Enterprise then you can add the RADIUS server IP and port and then select to have RADIUS control the VLAN assignment of this connected user. I'm just confused how you're getting MAC based auth with UniFi and WPA PSK, since you cannot point to the RADIUS. If you're letting the switch do it?? You're saying your switch can tag traffic on the port based upon the MAC?? That would be useful as well for my IoT stuff.. What is the exact switch? I have a Cisco SG300; I will have to dig deeper into such a setting, I did not think that was even an option.

    [image: ssidvlans.jpg] [image: unifiradius.jpg]
  • PFSense High Swap Usage

    11
    0 Votes
    11 Posts
    5k Views
    After reducing the Squid memory to 10GB … no more swap memory usage .... Thank you guys .....
  • PFsense with domain controller

    5
    0 Votes
    5 Posts
    7k Views
    @johnpoz: Why would you be using WINS anyway.. WINS has been deprecated for years and years.. Are you still running like Windows 95/98? Do you have some really really old application that still uses it? Why are you still using it? You more than likely have no use for it. I would for sure evaluate why you believe you need WINS still.

    "(InternalLAN - Virtual switch) DC/DHCP/DNS/WINS = 192.168.10.2, can ping 8.8.8.8, running DHCP scope 192.168.11.2-12"

    Huh.. if your network is 192.168.10/24 why would your DHCP scope be 192.168.11/24?? Not sure what you mean by client PC - do you mean a machine on your physical network or another VM.. Your internal LAN vSwitch should be connected to your physical LAN network that is also using 192.168.10/24; the only thing on your "WAN" should be the interface on your host that is connected to your "WAN" virtual switch that pfSense has its WAN connected to. You sure wouldn't connect another vSwitch and connect your DC to that as well.. You need to make sure all members of your domain are using your AD for DNS, so they can resolve your AD, etc. Your AD DNS would then forward to whatever public DNS you want or do roots directly, or could forward to pfSense for DNS and then pfSense could forward or resolve external DNS for you, etc.

    I am very new into it, I just wanted to learn more about networking; I am trying to set up a test lab. Sorry, that was my error, it is sitting on 192.168.10.2-12. I am trying to connect a Hyper-V VM client.

    On the pfSense VM I have 2 vNICs attached. NIC 1 connects indirectly to the router via the Hyper-V server (on Hyper-V I have ticked "allow management OS to share this network adapter") - this is where 192.168.0.19 is being obtained from. NIC 2 is internal only - this is used for LAN on pfSense, soo…

    Router > Host
        > 1 Network Adapter (shared connection)
            > 192.168.0.16 (Host IP) (using this to remote into the server)
            > 192.168.0.19 (pfSense VM server)

    On the pfSense interfaces: de0/WAN = 192.168.0.19, de1/LAN = 192.168.10.1. The Hyper-V VM DC is using the Internal vSwitch (IP 192.168.10.2).

    "Your internal LAN vSwitch should be connected to your physical LAN network that is also using 192.168.10/24"

    I don't have a physical LAN network that is using the 192.168.10/24 network. Much appreciated for your help.
  • 0 Votes
    3 Posts
    1k Views
    That's what happens a few hours after the desktop has been turned off. I have no idea what triggers that event in pfSense; is there any way to keep the link state UP?

    Aug 25 03:10:35 xinetd 25467 Reconfigured: new=0 old=1 dropped=0 (services)
    Aug 25 03:10:35 xinetd 25467 readjusting service 6969-udp
    Aug 25 03:10:35 xinetd 25467 Swapping defaults
    Aug 25 03:10:35 xinetd 25467 Starting reconfiguration
    Aug 25 03:10:34 check_reload_status Reloading filter
    Aug 25 03:10:34 php-fpm 69603 /rc.linkup: Hotplug event detected for LAN1(opt4) static IP ( )
    Aug 25 03:10:33 check_reload_status Linkup starting em0
    Aug 25 03:10:33 kernel em0: link state changed to DOWN
    Aug 25 03:10:33 kernel em0: RX Next to Refresh = 32
    Aug 25 03:10:33 kernel em0: RX Next to Check = 33
    Aug 25 03:10:33 kernel em0: RX discarded packets = 0
    Aug 25 03:10:33 kernel em0: hw rdh = 33, hw rdt = 32
    Aug 25 03:10:33 kernel em0: RX Queue 0 ------
    Aug 25 03:10:33 kernel em0: Tx Descriptors avail failure = 16
    Aug 25 03:10:33 kernel em0: TX descriptors avail = 40
    Aug 25 03:10:33 kernel em0: Tx Queue Status = -2147483648
    Aug 25 03:10:33 kernel em0: hw tdh = 890, hw tdt = 850
    Aug 25 03:10:33 kernel em0: TX Queue 0 ------
    Aug 25 03:10:33 kernel Interface is RUNNING and ACTIVE
    Aug 25 03:10:33 kernel em0: Watchdog timeout Queue[0]-- resetting
  • Novice question

    12
    0 Votes
    12 Posts
    2k Views
    Nah KOM, we IT guys always encounter bad days, haha… let's try to research more of the product and share more of what we've experienced, haha. Thanks, jepoy
  • How except IP from block

    5
    0 Votes
    5 Posts
    979 Views
    @blackj: you have to do it in 2 steps: create a rule to block what you want to block as the top rule, and create another rule to allow what you want to allow as the second rule. The rules are executed in order, top down.

    Thanks blackj. I attached snapshots from Rules -> LAN, NAT and Aliases. [image: Rule_Lan.JPG] [image: NAT_Port.Forward.JPG] [image: Aliases.JPG]
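The top-down evaluation blackj describes, worked through as an added example (not code from the thread or from pfSense). pfSense applies an interface's rules in order and the first match wins, so whether the exception rule works depends entirely on whether it sits above the broader rule; the evaluator below shows both cases (block the LAN except one host, allow the LAN except one host on one port) and includes a shadow check that reports rules an earlier rule makes unreachable. The addresses, ports and rule descriptions are made up, and the rule model covers only source, destination and destination port.

```python
"""Added example, not from the forum thread or from pfSense: a small
first-match evaluator for interface rules, showing why the order of a
block rule and its exception decides whether the exception works. pfSense
applies rules top-down and the first match wins. Rules and addresses here
are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # TCP/UDP destination port, None = any port
    descr: str = ""


def _net_contains(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def matches(rule, src_ip, dst_ip, dport):
    return (_net_contains(rule.src, src_ip) and _net_contains(rule.dst, dst_ip)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules, src_ip, dst_ip, dport):
    """First matching rule wins; nothing matching falls to the default deny."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, dport):
            return rule.action, rule.descr
    return "block", "default deny"


def _net_covers(outer, inner):
    """True if every address in `inner` is also in `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def shadowed_rules(rules):
    """Rules that can never match because an earlier rule already covers
    every packet they would match; a misplaced exception shows up here."""
    dead = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (_net_covers(earlier.src, rule.src) and _net_covers(earlier.dst, rule.dst)
                    and (earlier.dport is None or earlier.dport == rule.dport)):
                dead.append(rule)
                break
    return dead


LAN = "192.168.1.0/24"
PRINT_SERVER = "192.168.1.10/32"
GUEST = "192.168.1.20/32"

# Block the whole LAN but exempt one host: the exception has to sit on top.
BLOCK_ALL_EXCEPT_ONE = [
    Rule("pass", PRINT_SERVER, "any", None, "exception for the print server"),
    Rule("block", LAN, "any", None, "block LAN to anything"),
]
# The same two rules with the block on top: the exception never matches.
EXCEPTION_SHADOWED = list(reversed(BLOCK_ALL_EXCEPT_ONE))
# Allow the LAN but keep one host off SMTP: here the block is the specific
# rule, so it goes on top and the broad allow comes second.
ALLOW_ALL_EXCEPT_ONE = [
    Rule("block", GUEST, "any", 25, "no outbound SMTP from the guest"),
    Rule("pass", LAN, "any", None, "LAN to anything"),
]

if __name__ == "__main__":
    for name, rules in [("block-all-except-one", BLOCK_ALL_EXCEPT_ONE),
                        ("exception-shadowed", EXCEPTION_SHADOWED),
                        ("allow-all-except-one", ALLOW_ALL_EXCEPT_ONE)]:
        verdict = evaluate(rules, "192.168.1.10", "203.0.113.5", 443)
        dead = [r.descr for r in shadowed_rules(rules)]
        print(f"{name}: print server -> 203.0.113.5:443 = {verdict}; unreachable rules: {dead}")
```

The rule of thumb that falls out of this: the more specific rule (the exception) goes above the broader one, whichever of the two is the block. The shadow check is a cheap thing to run over an exported rule set after a change; a rule that appears in its output is either misplaced or redundant.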
  • Security vulnerability?

    6
    0 Votes
    6 Posts
    2k Views
    Guys, apologies for the lack of info. It's just that I lost focus in trying to figure out the issue since this was a rush project, but luckily in the middle of my overtime research I found the solution. Apologies for the initial post; I know that in asking for assistance I should've provided more details. OK, here is what happened. I set up pfSense for the first time, following an article in setting it up. I was successful and set up internal and external IPs. What happened was that in the middle of the setup I discovered that the only thing that reached the internet was the pfSense server itself, as I found using Diagnostics. So this shortened my troubleshooting by focusing on the firewall rules. Later I discovered that when I created the rule, it was set to TCP instead of any (for the moment, since I was doing troubleshooting). After that everything went online.
  • PfSense V. 2.3.2 embedded DHCP client on WAN issues

    2
    0 Votes
    2 Posts
    573 Views
    I would say you probably have to edit /etc/dhclient.conf. I would start with the explanations here. I've never done this, but I would expect a tweak to one of these timers should do it. Now you get to figure out which one :) The configuration options are listed here: https://calomel.org/dhclient.html
  • Two-factor authentication

    7
    0 Votes
    7 Posts
    4k Views
    Hi John, I appreciate this wasn't done in the past, but most of those models of firewall you state have turned up in the Shadow Brokers NSA dump: Juniper, ASA/PIX, also Fortinet, Huawei. To my mind every small extra layer of security we can implement, such as OTP on the GUI, we should, as network security devices are a key target. For someone like myself as an MSSP wanting to recommend pfSense to SMEs and then actively manage them it would be a nice to have. It's becoming standard on a lot of servers, honey platforms etc. Like long unique passphrases, password managers, as well as everything you mentioned in your posts. An attacker could completely pwn the terminal I use to connect and my creds, but they would need to have access to my iPhone as well. Every small layer adds another, sometimes huge, cost to an attacker that can make the difference, deter them and add weeks to their attack. pfSense is a really solid bit of work these days, stable; small things like better ClamAV sigs & OTP and maybe a few more really help it compete with the increasingly security conscious. J
  • Layer two vpn between two pfSense gateways

    1
    0 Votes
    1 Posts
    362 Views
    No one has replied
  • How to configure Nginx in 2.3 for WPAD

    9
    0 Votes
    9 Posts
    11k Views
    Kalle13
    Hi, here is another manual for pfSense 2.3 in English: pfSense 2.3 WPAD/PAC proxy configuration guide, https://nguvu.org/pfsense/pfSense-2.3-WPAD-PAC-proxy-configuration-guide/ Best regards
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.