• What happened to rc.create_full_backup in 2.3?

    4
    0 Votes
    4 Posts
    2k Views
    jimp
    It didn't "work so well" though, you just didn't happen to have any issues with it yet. The main problem is that the backup does not yield a clean filesystem. It's a BWOS (big wad of stuff) that gets spammed over the top of what you have now. If a file doesn't exist in your backup, but was there before the backup was restored, it's still there. That can wreak havoc on several areas that rely on loading things dynamically based off directory contents, and have other negative consequences. We've seen it break PHP before, and packages, just to name two big ones. Reinstalling+Restoring is so fast (especially if you use PFI or 'rescue config.xml' in the installer) that taking the risk rolling the dice with the old "full backup" just isn't worth it anymore.
  • Block proxy bypass

    2
    0 Votes
    2 Posts
    3k Views
    N
    Hi, I think what you did is useless for what you want to do, but perhaps I misunderstand something you wrote. So are you using a transparent or non-transparent proxy? And are you using http and https on your proxy or only http? In general, if this is a non-transparent proxy configuration with http and https, you have to configure something like this:
    1.) From LAN to pfsense interface port 3128 (squid port, will handle http and https traffic)
    2.) From LAN to pfsense interface DNS (don't allow it to the internet. pfsense/squid will do the DNS lookup. Your clients' browsers will just ask the squid proxy and it will do the rest)
    3.) Block anything else from LAN to Internet but at least block http and https to ANY (except for your admin clients that need to have access to pfsense WebUI or you enable the "anti-Lockout" rule).
    In your browsers (Firefox, IE, Chrome) you have to enter the IP address of pfsense LAN interface and port 3128 for http, https and so on. This would be the way to avoid proxy bypass. Regards
  • WEB configuration port

    1
    0 Votes
    1 Posts
    457 Views
    No one has replied
  • Firefox refuses cert after 2.3 upgrade

    2
    0 Votes
    2 Posts
    1k Views
    jimp
    Check about:config, look at the value for security.tls.version.max. It should be unset (default '3'); someone else seeing a similar error had somehow managed to set it to 1, and we now disable TLS v1 for security reasons.
  • BGP - OSPF - VLAN's…and everything in between

    2
    0 Votes
    2 Posts
    905 Views
    G
    @fusionp: Hi all, I'm a WISP and my current setup is multi-wan, I NAT over 8 load balanced WAN connections, I have 4 VLANS currently configured on my network, one of these I will be using for Captive portal on pfsense (right now it connects to a downstream mikrotik which routes over to my pfsense). My future plan is to change over from multi WAN to a single fiber connection, at this point I would like to move over to BGP so that I can give each user their own public IP. The likelihood is that I will need a total of 1000 addresses, so I may twist my ISP's arm so that they can issue me a /20 or /21 depending. I've tried to investigate BGP on pfsense but I still have a few questions, if I receive a /21 range from my ISP, can I divide this into 2x /22's so that I can issue a range of addresses for a particular vlan such as my captive portal vlan? I've seen some tutorials where OSPF is needed? In my case I will only be routing out through my pfsense…will I still need to use OSPF for any purposes? Will captive portal work with BGP routed instead of NAT? Please excuse my questions if they don't make total sense as I have zero experience with BGP. Any help much appreciated.
    Unless I misunderstand what you are doing, you don't need any routing protocol at all - let your ISP deal with that. Simply subnet whatever range your ISP gives you into whatever ranges suit your needs.
  • Home Net

    5
    0 Votes
    5 Posts
    1k Views
    bmeeks
    @TecTI: Problem solved. By selecting the custom_home_net in the pass list drop-down selector on snort interface I could block internal alerts source IPs. Thanks for your help.
    Yes, this part is key (selecting the desired custom list on the INTERFACE SETTINGS tab). Simply creating a list on the PASS LIST screen is not enough. You must then tell Snort (or Suricata, if using that package) to use the new list.
    Bill
  • PfSense 2.3 on Hyper-V

    2
    0 Votes
    2 Posts
    1k Views
    H
    Forgot to set the VLAN ID in Hyper-V and now I can reach it, but I would still appreciate a good guide for this one :)
  • PfSense 2.3 upgrade causing intermittent connection issues

    2
    0 Votes
    2 Posts
    1k Views
    A
    Further to the above, we seem to have resolved the IPSec issue by lowering the MSS clamping to 1300 (from 1392). However, we're still left puzzled as to how this all worked fine under 2.2.6, and suddenly we need to be manually lowering packet size settings under 2.3. – Ross
  • PFsense 2.3 and Asterisk

    3
    0 Votes
    3 Posts
    4k Views
    J
    Looks like they've started talking about this in another thread: https://forum.pfsense.org/index.php?topic=47210.270 Probably would require a full redo, particularly since the version of asterisk used by the old packages is, well, old, too. Rather would see freeswitch… >:(
  • Forcing Google Safe Search

    1
    0 Votes
    1 Posts
    590 Views
    No one has replied
  • 2.3 and PowerD

    5
    0 Votes
    5 Posts
    5k Views
    R
    ACPI throttling / P4TCC don't actually reduce the clock frequency; instead, they just insert idle cycles into the pipeline. This limits peak power, but usually increases average power, as it keeps the CPU awake for longer. You should remove the hint.acpi_throttle.0.disable line and just use hw.acpi.cx_lowest=C2.
  • Assigned Interface (OPT1) DHCP not working correctly

    3
    0 Votes
    3 Posts
    1k Views
    Derelict
    Under OPT1 general configuration, I have the IPv4 Config Type set to DHCP. Everything else is left at default settings. You are telling pfSense to obtain an address for the OPT1 interface from a DHCP server. What DHCP server is that? One typically sets a static IP address on a router interface and enables a DHCP server on the same.
  • What causes high cpu usage

    5
    0 Votes
    5 Posts
    2k Views
    O
    Rectified… was AV
  • How can I block facebook certain hours?

    1
    0 Votes
    1 Posts
    599 Views
    No one has replied
  • 0 Votes
    1 Posts
    536 Views
    No one has replied
  • PfSense & Active Directory Tutorials?

    2
    0 Votes
    2 Posts
    945 Views
    U
    It's pretty easy to get active directory authentication going. Nothing is really specific to pfsense I guess. The general idea is the same on pretty much any software that uses LDAP/AD. Is there a particular part you are stuck on or having trouble with? You pretty much need to choose SSL or 389, provide a base dn like DC=domain,DC=local, uncheck anonymous and provide the distinguished name and password of an account in AD to do the sync and the distinguished name of an OU to look for accounts in. Hit select containers to choose multiple OUs. One thing I noticed about 2.3 web ui is that if you choose SSL and it isn't configured right on the AD side so you switch back to 389, then try to hit the select containers button, it won't work. This gives you the impression that your settings are wrong even if they are not. To get around this, I think I had to save my strings then go back in and hit the select containers button again. It will then show you containers to choose from.
  • Gateway Monitoring Parameters

    2
    0 Votes
    2 Posts
    684 Views
    dennypage
    Three or four probes isn't sufficient for a meaningful standard deviation.
  • Can't play Sirius XM

    2
    0 Votes
    2 Posts
    878 Views
    ?
    Go to Status/System Logs/Firewall. There you will see the blocked logs as you mentioned. Under the Destination header in the logs there will be a blue + icon. Hover over that with the mouse and a pop-up will read "Easy Rule: pass this traffic". By clicking that a new firewall rule will be made. Next go to Firewall Rules and the new rule will be there. Then you can fine tune it to your liking or move it into proper order. Good practice is to change the default description to something more personal (Sirius XM) so later you will know what the heck that rule was for. Other packages could block this also but not much info to go on so.
  • Speed issue

    3
    0 Votes
    3 Posts
    1k Views
    H
    CPU usage? Most people who are complaining about slowness, it's because they checked every box, like sync proxy, and installed every package, ohh Snort, I bet that won't slow things down! What does your Diagnostics->System Activity look like when you're getting slowness?
  • PfSense from LAN no internet access

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.