• Unstable pfSense configuration

    5
    0 Votes
    5 Posts
    1k Views
    N
    Thank you very much for your help! Fortunately after extensive troubleshooting, I found that my subnet mask on my WAN interface was wrong, because pfSense requires CIDR prefix, I just got it wrong during my initial configuration of my box. Now after this fix, the box behaves stable. I'll continue monitoring the system, but I think this was the root cause of my problem. Thanks to all of you, who take time to help me! Have a nice weekend!
  • Probe Interval

    6
    0 Votes
    6 Posts
    2k Views
    N
    It is consistent with other descriptions.  e.g. "Low and high thresholds for latency in milliseconds. Default is 200/500." Also please be sure to read the explanation and example at the bottom of the advanced section. Given those, it should become clear that it is a time, in seconds, that is being entered.
  • Use subdomain.mydomain.net from outside/inside network

    5
    0 Votes
    5 Posts
    1k Views
    J
    It's working now with "Enable (NAT + Proxy)". Thank you! I do now have proxy running what does that option mean?
  • Access Point deployment

    14
    0 Votes
    14 Posts
    3k Views
    johnpozJ
    Get my vote for the unifi stuff as well.. I recently got their AC indoor AP, and run the controller software on a linux vm..  Not saying their 3.x version of the software is perfect yet..  But they are making great progress.  Update of the controller software and firmware on the AP is simple apt-get upgrade and then click upgrade on the firmware to update your APs.. Be it you have 1 or 100 of them. For the budget minded – clearly the way to go.  This was only for my home setup - so the $300 cost of the AP might be on the high side for some home users..  But I like to play with the current stuff - this gives me something to play with in the AC world, while picked up a pce-AC68 3x3 card for my pc to play with.. So you currently manage your 40 APs all by hand??  That would suck ;)  I would really look into the unifi stuff for the doing it in an enterprise way while on a soho budget ;)
  • PfSense latest + virtual IPs (P_ARP) + server with public IP

    2
    0 Votes
    2 Posts
    1k Views
    J
    Anyone? Please! Kind regards, Joao
  • Poor network performance

    34
    0 Votes
    34 Posts
    8k Views
    C
    "I am now having issues where things load randomly. 99% of stuff loads fine, some things (certain Youtube videos, sometimes pictures on shopping sites), simply don't load at all, ever."

    I'm almost positive that it is Snort. The HTTP INSPECT goes wild often and for me anyways when pictures are loading on Amazon for instance this will happen:

    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3
    #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
    suppress gen_id 120, sig_id 8
    #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
    suppress gen_id 120, sig_id 6

    AND when downloading a file this happens sometimes:

    #ET POLICY PE EXE or DLL Windows file download
    suppress gen_id 1, sig_id 2000419

    I would just try suppressing those. Maybe even clear out your alert list afterward and try accessing the site again and then check your blocklist in Snort to make the necessary suppressions. That's the thing about Snort. It's a wonderful program but it also needs babysitting to make it work right. I have found that if my firewall rules are good then I don't even need it but then again I don't have anything facing the public. I would also just run one package at a time to see where the problem may be coming from as well.

    "After installing/giving up/uninstalling/revisiting a dozen times, I think it has left pfsense in a state where there are artifacts remaining from various packages, and the system is simply not stable or performing. "

    This can also be an issue so you're on the right track. I have noticed that for instance with HAVP, if I disable the proxy but I don't clear the checkboxes strange anomalies happen where things would just be very slow etc… Especially if you checked something that uses a RAM DISK. That needs to be unchecked along with any other customizations. I know that other packages have that option so you might want to check that out.

    Also, one way to fix some problems is to go to your console and run a shell and then type fsck.  I think that you only have to run a shell if your console is password protected. Normally I could just press CTRL C to get the # to popup and then you can type fsck. It will check your file system for integrity problems.

    "Hopefully a vanilla install will work.  Although after seeing all the things squid is detecting,"

    That may be your best bet. Until you get a handle on a package I just wouldn't use it and if you're really concerned about younger users and where they go, HAVP worked very well for me when I needed it for that purpose. Simply because, say they go to a site that you don't want such as something complicated where it's not just zzz.youtube.com or whatever it may be. Say it's zzz.cn.thissite.dontgothere.com Let's say the prefix changes from cn to zb. If you put an item on your blocklist like this the site and the whole domain would not be accessible. These are the formats that are available for HAVP.

    *Enter each destination URL on a new line that will be accessable to the users without scanning. Use '*' symbol for mask. Example: .github.com/, sourceforge.net/clamav-, /.xml, /.inc

    So you could type in the blacklist area something like this  .thissite.dontgothere.com/  so that even if the prefix changes it's blocked still. You could do it all the way up to just .dontgothere.com/  .  HAVP is very powerful in that effect. As you can see, by typing something like /.xml  you can block all of xml.  You can do the same thing to any extension. You could block anything like .org, .mil, .cn, .php or whatever your fancy is that day. You could essentially do the same thing with the allow list but I don't recommend that. Another thing to consider is to just make your own blacklists. I have found that downloading blacklists is not nearly accurate enough to provide a lot of use.

    Also, there is a great set of rules in snort that prevent going to sites that young people shouldn't be going to. Which is emerging-inappropriate.rules. Just enable them all and if there is a problem find which rule is doing it and suppress it. I had to remove that because it did not work for me. Perhaps Dans Guardian would do a better job.

    Back to HAVP though. Just like any other package of this sort there will be false positives such as when Adobe flash needs to be updated it will flag it as a virus so that's when you have to do your homework and find out exactly what addresses it needs to do the updating without problems and then use the allow list.  Like I said before though. If your Lan rules are golden then you really don't even need these packages. You could just make aliases and block the sites by way of ip address that you don't want people to go to. There's a lot of ways to use pfsense that are made redundant by some packages. Just something to keep in mind. Get used to using the ping tool in pfsense to help with sorting out IP addresses. Then go look it up at CIPB if you want to block an entire IP range via cidr.

    Have a good day. Cmellons
  • Routing networks correctly.

    3
    0 Votes
    3 Posts
    883 Views
    DerelictD
    A third VLAN as a management VLAN is another option.  Or choose one and use that as your management VLAN.
  • 1000x WAN Traffic increase

    40
    0 Votes
    40 Posts
    5k Views
    M
    @newburns: Is it beneficial to continue troubleshooting the HVAP issue? Well, I'm thinking that your initial concern is now resolved - the WAN traffic has been identified and stopped. If you want to keep working on the HVAP issue(s) perhaps start a new topic in the Packages forum? https://forum.pfsense.org/index.php?board=15.0
  • CPU Use High - /usr/local/bin/php

    5
    0 Votes
    5 Posts
    2k Views
    E
    Same problem for me. I came from 2.0.1 and upgraded to 2.1.3.
  • Replacement of IPCop with url filter

    3
    0 Votes
    3 Posts
    1k Views
    A
    Hi, thanks for the reply. The advantage of the URL filter was to make it easy to set limits. I use it in a school and I just have to say no porn, no violence, etc., and put some sites in the white list (my webmail is considered as porn…). No need to be a geek for that, just need to know how to read. I found on the internet a howto about Squid + Squidguard, I will give it a test. Thanks, Philippe
  • PfSense Required Features

    7
    0 Votes
    7 Posts
    2k Views
    KOMK
    Reading docs and FAQs has never been a good substitute for hands-on, IMO.  From what I have seen in these forums, not very many people use all or most of the features, so not many people other than pfSense staff are going to know the answers to all of your questions.  pfSense is built on FreeBSD, and while it has a GUI, it isn't for the faint of heart or network noobs in general.

    1. Bandwidth rules and traffic shaping are not easy topics in pfSense.  Easy start but quickly can get complex.
    2. Too vague, what do you mean specifically?
    3. There are several real/near-time views, depending on what you're looking for
    4. This is easy using the Traffic Shaping wizard
    5. Lots of logging, some reporting
    6. It can be confusing here too
    7. HAVP antivirus available but rudimentary, no password bypass that I am aware of
    8. No spam detection or email handling in any way
    9. Yes
    10. Not that I'm aware of
    11. If HAVP doesn't catch it, tough luck.  Use client protection.

    Install it and play with it for an hour.  You'll likely end up knowing more than an hour worth of abstract web searches would give you.
  • Windows server 2008 R2 and pfSense working in harmony???

    4
    0 Votes
    4 Posts
    1k Views
    KOMK
    Pretty much.  All your LAN clients would use your AD controllers for DNS & DHCP, and your pfSense box as the gateway.  That's it.
  • Is there a way to run owncloud on a pfsense box?

    6
    0 Votes
    6 Posts
    3k Views
    S
    Has anyone managed to get the OwnCloud Client to run in pfSense? I'm thinking I could use it to backup our configuration files automatically.
  • User Password Maximum Length/accepted characters?

    4
    0 Votes
    4 Posts
    2k Views
    M
    It's probably 128 characters: "Its total length must be less than _PASSWORD_LEN (currently 128 characters)." http://www.freebsd.org/cgi/man.cgi?query=passwd&apropos=0&sektion=0&manpath=FreeBSD+8.3-RELEASE&arch=default&format=html
  • 0 Votes
    4 Posts
    1k Views
    jimpJ
    As the saying goes: Patches accepted. I don't see anyone here going through the trouble, but if the code shows up…
  • Random Crashes/Lockups

    6
    0 Votes
    6 Posts
    1k Views
    stephenw10S
    Odd that you added the card months ago but the problems only showed up in the last few weeks. I suspect you have worked around the problem rather than repaired it. By removing the Atheros card you will have switched up the system resources, possibly freeing some RAM etc. You will have reduced the power draw on certain components. Most likely you opened the case to remove the card and moved everything slightly, cables, connectors etc. Anyway, glad you're not suffering lockups any more!  ;) Steve
  • Please help with system logs

    2
    0 Votes
    2 Posts
    1k Views
    M
    @DaReaLDeviL:
    Jun 3 08:21:25 miniupnpd[98076]: SSDP packet sender 192.168.1.199:64391 not from a LAN, ignoring
    Jun 3 08:21:25 miniupnpd[98076]: SSDP packet sender 192.168.1.199:64391 not from a LAN, ignoring

    You appear to be using a routing daemon of some kind, are you running RIP? Without knowing your exact routing setup, I'm just guessing, but you could probably prevent these log entries with a firewall rule on your LAN interface since they are all from the same IP and port… but if you are actually using UPnP on your network then filtering it out of your router could break things. (I suspect it won't, but what do I know?) I'd try a rule like this:

    ID  Proto  Source        Port    Destination  Port      Gateway      Queue        Schedule
    block *  IPv4  192.168.1.199  64391    LAN Address  *        *            *

    @DaReaLDeviL:
    Jun 3 08:20:20 dnsmasq[12752]: read /etc/hosts - 32 addresses
    Jun 3 08:09:07 dnsmasq[12752]: read /etc/hosts - 32 addresses

    This one I can't help with other than to suggest you double-check all your dnsmasq settings? Maybe reboot the router to see if it clears up?
  • LAN works fine but can't get Internet connectivity over WAN

    8
    0 Votes
    8 Posts
    5k Views
    C
    @kpa: Remove the LAN gateway in the LAN interface settings. It is an error to have a gateway for the LAN network because there's no other way out of the LAN network than the pfSense router itself.

    AWESOME! This was the issue. Looking back, the 192.168.1.1 gateway was set to default … I removed the bogus gateway and bam we're up and running! Thanks a lot!
  • Modem (ISP) to pfSense to Server to routers

    3
    0 Votes
    3 Posts
    834 Views
    P
    Would I have to bridge the connection/how do i set it up that way?
  • 0 Votes
    1 Posts
    514 Views
    No one has replied