Hmm, not quite sure what to suggest here. A directional antenna perhaps? An external access point would almost certainly be easier. I'm tempted to suggest a tinfoil hat.  :P Steve

That's definitely what I'm going end up doing. What about the P2P and website filtering? How would I achieve that?

I guess I don't really understand the "filesystem/mounted on:" that is displayed when issuing df. "Filesystem" is the actual device that contains some dirs and files - an actual partition on a disk (these days "disk" means spinning disk, CF card, SD card, SSD or even memory-resident virtual-disk). That is physical space that can (and does) fill up. "Mounted on" is the place in the logical dir tree that the physical "disk" appears - e.g. partition "/dev/ad6s1" files are found in "/var/squid"

Here are my hmailserver settings and my results using mxtoolbox to connect to my mail server. [image: hmailserver-MyComputer.jpg] [image: hmailserver-MyComputer.jpg_thumb] [image: hmailserver_internet.jpg] [image: hmailserver_internet.jpg_thumb] [image: IP_Range_SMTP.jpg] [image: IP_Range_SMTP.jpg_thumb] [image: mxtoolbox-mail-test.jpg] [image: mxtoolbox-mail-test.jpg_thumb]

You may find the 'pftop' console command helpful.  Like the normal 'top', it's interactive by default., but it can be scripted as well.  There's a man page here: http://www.eee.metu.edu.tr/~canacar/pftop/pftop.8.html, though I'm not sure the pfSense pftop is in sync with the one described there.  The help text from pftop in a recent 2.2 snapshot:   pfTop Help       c  - toggle state Cache            f  - set state Filter       h  - Help (this page)              n  - set Number of lines       o  - next sort Order              p  - Pause display       r  - Reverse sort order            s  - Set update interval       v  - next View                    q  - Quit     0-8 - select view directly     SPC - update immediately     ^L  - refresh display     ^G  - clear command entry line     cursor keys - scroll display   Sorting shortcuts:       A  - Age            B  - Bytes          D  - Dest. port       E  - Expiry        F  - From          N  - None       P  - Packets        S  - Src. port      T  - To       R  - Rate          K  - peaK

WAN is everything going via WAN, so if the VPNs use WAN, then yes, the WAN graph would include the VPN's external/transport traffic.

What you're asking for is not practical. If you want to block HTTPS, simply add a rule to block port 443. The problem is that you'll also block most major services that your users use (Google, Yahoo, Gmail, Microsoft, etc.). If you're concern over what your users are doing behind the HTTPS layer, simply setup an SSL proxy in pfSense. That way, the connection between the client and gateway will be secured, as well as the connection between the gateway and the website. However, the proxy will still allow you to see what's happening inside the HTTPS tunnel and thus block anything that you don't want the user to have access to.

You can get a list of proxy IPs and block them but you will be into a never ending cat and mouse game with your users. Even if you block all available proxies there are plenty of other ways users can get an direct external connection. The way to prevent this is by setting client based policies, restrict what users can install. Steve

Hi, i checked the virtual conainer and its ok. so i think it must a corruption in the filesystem of freebsd / pfsense. i boot into shell and run fsck, it found some error but could repair. i think while its the root. so i tried with option -f -y but no success. i also found a command to make it writeable, but it didnt work. my problem is i dont know freebsd. i think i have to boot from an cd and run fsck. the question is there a iso to download which works well for freebsd / pfsense? i also ask myself where the failure cames from. i simple update the pfsense and install snort, nothing more on the system or custom things. thx

What traffic goes over the VPN and what goes over the normal WAN is defined by the firewall rules. So if the criteria can be defined by firewall selection fields (IP address, protocol, ports and more) then it will work. Certainly what you describe is easy.

And what rules did you create on lan2?  Out of the box lan that is created has an any any rule that allows outbound traffic, when you create another interface opt1, 2, 3 etc.. there are no firewall rules and you would have to create them if you want any traffic to work. So seems this e4200 could just be removed as it seem to serve no purpose other than your pppoe connection, which can be done on pfsense.  Why would you not want to remove that?  Its just something that could fail..  And complicates the setup with a double nat, performance hit if nothing else.

Yeah I was thinking that a workaround would be to schedule the graphing backend to disable and re-enable every 2 days to get around this.

This thread is an interesting read: https://forum.pfsense.org/index.php?topic=78062.0 I don't agree with all of it, or at least that's not quite how i'd do it. The huge variation in user experience, network size, hardware etc amongst pfSense installs makes writing such a document very difficult. It would likely be both unreadably complex or patronizingly simply depending on the reader.  ;) Steve

oh my…. Just solved the problem. I create 2 rules in windows firewall that allow ICMPv4 and 445 port for SMB-In. what a mess with my windows firewall. (tried restore windows firewall setting before but still blocked). Now works like a charm. Thanks

Normally pfSense will do NAT out the WAN, so traffic going out WAN will appear to come from the WAN IP. When WAN is on the public internet, and LAN is private address space, like in your example, you have to do that. Because the public internet cannot route back to your private address space. If you have public IPs on LAN, then you could switch to manual outbound NAT and delete all the rules. That will send packets out from LAN clients with the real LAN client IP as the source IP. Why do you think you need to do this?

Thank you very much for taking the time to respond. Will disable pfblocker and see how it goes.

Fair enough. As you can see 4GB is way more than pfSense uses without any packages running. I have a test box running 64bit that I upgraded from 32bit, the process was painless. You should check the firmware update location is set correctly if you do try this. I would probably go for a full re-install on a production box to be safe. There have been several hints from the devs that 32bit will eventually be phased out so that's one reason to be running 64bit. I hope it's not for a while though since I have several boxes that aren't 64bit.  ;) Steve

Exactly. Because your box is over-powered for your requirements? What is your WAN bandwidth? What packages are you running? The only problem you may have is that you're consuming more power than is necessary.  ;) Steve

Just kind of happened.  ;) Steve