Thank you.

I really do not see the point of lagg on a cable modem.. If your over 1gig then the local side should be 10ge, or the up coming 802.3bz (2.5 and 5ge) Lagg would just be kind of pointless..  Its not 1+1=2, its 1 and 1 for a total of 2 combined across all sessions.  No single client would ever go above 1 gig.  And there is no real promise that even 2 clients would load share.. You need lots of clients talking to lots of different devices to spread the load across the lagged connections. With a cable "modem" and not a router even - means for example your pfense is going to be behind it.  So now you have a different layer 2 between the router and the clients so really only mac being seen is the pfsense mac - so when would you leverage the lagg?

Hey guys, Myself I found the answer for the problem. Squid need to be given access to use Google api. In Squid proxy filter, Add new category for adding some of the domain name, those domain names mighty be blocked in the  group categories. For example the category under social chat , web.whatsapp.com mighty be blocked. So we need to manually specify to open the website. Add the following domain ( copy paste below all sites ) drive.google.com googledrive.com plus.google.com hangouts.google.com web.whatsapp.com accounts.google.com docs.google.com sheets.google.com slides.google.com talk.google.com gg.google.com script.google.com ssl.google-analytics.com video.google.com s.ytimg.com apis.google.com googleapis.com

Just wanted to add I have similar setup for my guest network , the only difference is pfsense is my wan edge device… I have 2 networks on lan , one hosting my home network wifi and lives in meraki world the other is for guest and is in ubiquity world.. I also have usg since I want to test out the low to no functioning usg for a beautiful all in web Interface... do let me know if  u have further questions as I have spend enough time on topology and setup and will try and answer ur questions if any

pfsense is a great edge device and makes for a great piece of a layered network design opendns secure internet gateway service prosumer version (20.00) annually isp modem pfsense with snort annual paid subscription(29.99)  same definitions as cisco firepower modern honey net targets on isolated vlan << great for seeing who is probing your network wifi pineapple to keep wardrivers at bay splunk log aggregator free for up to 500M of logs daily antivirus/antimalware internal home network on cisco layer 3 switches for less then a nickel a day you have a pretty solid security system that can rival most corporate institutes or better them!

I just tested the latest 2.4.0 build and it does not seem to work with a CSR that has been generated on a separate system  also there is no option to choose server or user signing.  To solve my issue I: 1. Created the server certificate on PFSense (make sure it is set to server cert, the default is user cert) 2. Exported the new cert 3. Exported the new Key 4. Moved them to my JBOSS server 5. Converted they two to a PKCS12 (openssl) 6. Converted the P12 file to my keystore (Keytool) Example:   mv /home/ncadmin/par.local.enms.net\ (1).crt ./par.crt   mv /home/ncadmin/par.local.enms.net\ (1).key ./par.key   openssl pkcs12 -export -in par.crt -inkey par.key -out par.p12 -name par_na_crt -CAfile RootCA-Pfsense.crt -caname root   keytool -importkeystore -deststorepass chgme -destkeypass chgme -destkeystore truecontrol.keystore -srckeystore par.p12 -srcstoretype PKCS12 -srcstorepass chgme -alias my_alias

Looks like an ACPI table error. Are you running the latest available BIOS? Possibly this or related to it: https://quickview.cloudapps.cisco.com/quickview/bug/CSCuc96148 Steve

Hmm, hard to say how that would be any different then from pfSenses view. Maybe compare the connection logs from each case for differences. Steve

To get the full url you have to install squid  proxy and use ssl man in the middle, that by the way is a can  of worms

@jimp: The crash is in dummynet. You can't use limiters with pfsync (part of HA). https://redmine.pfsense.org/issues/4310 You'll have to remove limiters, and things that also use limiters such as captive portal per-user bandwidth limits. Either that or disable pfsync on both nodes. Hi Jimp. I need some help, please

Thanks for the reply.  My question is more topology related.  Following your lead (which I have been trying similar strategies, and I believe is correct):  So, I would connect the pfSense wan port directly to my ISP provider connection (not a modem, just an ethernet port).  The LAN port of pfSense I would have to connect to a switch, so that I could break out 4 of the ips for outfacing computers, and plug the wan port of the router (for internet on my other computers) into the switch also. I've tried that with a layer-2 switch, with less than satisfactory results.  I've ordered a layer-3 switch to try that. The other thing I've been trying is a switch right off the ISP (as a DMZ switch), and then plug both the router and pfSense into the DMZ switch.  That doesn't work either, though this also might work with the layer-3 switch. Please keep the ideas coming!  Thanks!

@yodaphone: Does this mean that the AES-NI in Intel chips are vulnerable & since i use one do i need to do anything now? I know its not a pfSense issue, but just want to know if this is something i need to watch out for It looks like "AES-NI" is just the name of the ransomware and may have nothing to do with Intel's instruction set by the same name.

Hi Oleg, Check the routing table on the firewall (Diag > Routes) make sure those static routes are present. You may need additional outbound NAT rules to actually access anything on the private subnet. Devices there may not have a route back to your internal subnet. Or your traffic may be hitting the default outbound NAT rule and being translated to the public IP incorrectly. Steve

@Dave: Hi, First day with pfsense. I'm trying to configure SMTP notifications. My mail server is behind a NAT on 10.10.10.2 and uses SSL on port 62933. I can connect to the SSL service over telnet from pfsense, but the pfsense gui says "Could not send the message to user@host.localdomin – Error: could not connect to the host "10.10.10.2": ?? Do I need to load the SMTP server (self-signed) into pfsense somehow? If a self-signed cert is being used, yes it will have to be trusted by pfSense.  There is a thread or two in the forums that should have enough how to info. https://forum.pfsense.org/index.php?topic=115884.msg644702#msg644702 https://forum.pfsense.org/index.php?topic=115884.msg644709#msg644709

Thanks for answering my dumb question all!

I've got a number of voip setups using voip.ms as the DID provider. I use pfSense as the central router and I've never had to "register" the router, just the end device(s). In most cases I setup an Asterisk box to handle local phones, but I have registered phones directly. In many cases, pfSense has not needed any special configurations at all, others required a few NAT tweaks depending on the ISP at the local end.

It's actually easier said than done… I didn't find the option of setting the gateway, and wouldn't have been able to work out how to do this without this post:- http://community.virginmedia.com/t5/QuickStart-set-up-and/SuperHub-2-Cannot-change-LAN-IP/td-p/1870936 but I do have it working now, and I guess it makes a decent wireless access point.