@NOYB: Install pfSense on the micro-box and use VLANs.  Only one NIC and a smart/managed switch required for VLANs. Good idea. Thanks!

I've updated squid but not pfsense - I think that's the next option as it still won't stop resurrecting itself. No service watchdog installed.

@Balanga: @pan_2: This is again depends on placing - you could not wire a 100 meter cable, attenuation will be to big. Also - you need to find a compatible PCIe LTE modem, this could be troublesome in some places, depending on your location  (don't forget different bands!) I would be very much interested in building such a box, but don't know where to start… I guess I first need to find a PCIe LTE modem that works with pfSense - apparently there is quite a choice, but I'm not sure what  you mean by 'compatible'. Compatible with what? Also I need a box and a motherboard. I was thinking of some sort of NUC but haven't come across one which has an opening for an antenna. Having acquired a 4G/LTE USB modem, I've abandoned the idea of using a PCIe LTE modem. I have it working under Windows because it comes with its own software which it installs. It's called Mobile Partner which is provided by Huawei and is described as Open Source Software, so I guess it could be built on FreeBSD. Maybe a FreeBSD version already exists….

Once you disable the any/any rules they'd be separated by the firewall and you'd have to add pass rules for any traffic that needs to go between them.

Firewall > Virtual IPs You cannot have multiple interfaces on the same subnet.

@bradtn: @guardian: @bradtn: @guardian: Make sure that you don't have Block Private Networks enabled (or a pfBlocker/Suricata/Snort) rule that trips when it sees a 192.168.x.x packet.  I've been trying to get up to speed on setting up pfSense and for now have to run behind a similar NAT… box has been up for about 3 weeks no sweat, so unless the modem is going down, you should be fine. Where Do I find said settings? Look under    Interfaces / WAN or    Interfaces / LAN - at the bottom under Reserved Networks (If you are using the new 2.3.1 or 2.3.2 interface) are you using any of  these: pfBlocker/Suricata/Snort?  If so, then you need to check the rules/blocklists - Firewall log should give you a hint if you are seeing stuff blocked. Its a fresh install so I do not believe so? If I recall correctly they are CHECKED BY DEFAULT

That's it exactly.  

If you can ping the pfSense LAN interface (or bring up the pfSense gui when connecting to the LAN interface address) from the OpenVPN client then your tunnel is probably up and correctly configured. If you cannot connect to other devices on the pfSense LAN, that is almost always the local firewall on the TARGET host preventing access from foreign subnets.

When bridging is necessary, it generally works fine. If you have to ask "should I use a switch or a bridge" the best answer is pretty much always a switch. You really don't want layer 2 traffic between the two switches going through a bridge.

@heper: csrf error does not occur on interfaces. So if you assign an interface to your vpn, then it all works indeed. And IPSec will do it too: once sites are connected through IPSec tunnel, this is as simple as defining FW rules  8)

I also agree, but some packages, like HA Proxy, might exist so pfSense can function as a proxy OR a firewall. Not necessarily a proxy AND a firewall. That is just an example. HA proxy generally runs fine on the firewall though it could certainly be argued it is not the best place for it. Just because the packages exist doesn't mean they can all be run at the same time on the same node without issues.

What version did you upgrade from? You can generally run into trouble if you use something like AD and google as "Primary" and "Secondary" DNS servers (there really is no such thing as it is completely up to the client which DNS server is used first. Some query them all simultaneously and take the first answer, some query one, time out, then try the next, etc.) All of the DNS servers used in a particular context should return the same answers to every query from the same source. Your AD will have AD information, google will not. Problems such as these are best investigated using DNS tools such as dig/drill. Without seeing the actual queries and answers it's tough to tell what you were seeing. I can't see deselecting All interfaces to listen on having any effect. The forarder was either listening on the interface in question or it wasn't. All binds to all.

The crap software in most consumer grade routers makes them good as an access point, but not a lot more.  The C9 should be pretty decent - a lot better than the WRT54GL (running dd-wrt) that I'm using-but even that works… good enough to stream a bit of Youtube or browse.

ok  I try it ， thank u。  ;D

you can create a limiter on lan https://doc.pfsense.org/index.php/Limiters check dynamic queue creation