• VPN - Routing Issue - Only Linux Hosts

    40
    0 Votes
    40 Posts
    6k Views
    Basically in the DNS forwarder where you can specify a domain override, I had to also specify the LAN IP of pfSense (172.26.10.254 in my case) as the "Source IP" on the domain override configuration. You usually have to do that when the DNS server that services the domain in question is over a VPN, because otherwise the source IP of the request (from the pfSense, across the VPN to the DNS server) will be some IP address of a VPN tunnel endpoint, or some internal tunnel address. The remote DNS server typically won't have a route back to that and so the reply to those DNS queries would never make it back.
  • 2.1.5 32bit - what is running on ssh?

    9
    0 Votes
    9 Posts
    1k Views
    Cable attached, yepp, both ends…
  • How to avoid rebooting firebox if WAN goes down?

    1
    0 Votes
    1 Posts
    518 Views
    No one has replied
  • HomeHub wireless access point

    2
    0 Votes
    2 Posts
    923 Views
    If I am understanding correctly, you basically want the pfSense box to be the modem and your HomeHub just to provide Wi-Fi? If so, you just set one of your interfaces up as WAN, IP and DHCP, connection as PPPoE and username and password as you say. I have done that for my Infinity without issue. Then you can set up one other interface on a separate VLAN and plug the WAN port of the HomeHub into that pfSense port. Place rules on the guest VLAN to deny traffic to your other main interface, deny ports 22 and 443 (so they can't SSH or get to the router management pages) and allow other traffic. There are plenty of tutorials on the subject, just google "pfsense guest vlan". HTH.
  • Cant Ping LAN…

    7
    0 Votes
    7 Posts
    2k Views
    I went back to the provider with the information we had obtained through this test, and they 'have identified an issue with the host node' my VPSs are on. Thank you for your help, at least I could go to them with some idea of what I was talking about. Per your signature, I'll be buying some Nepalese children a Christmas party. Thanks again.
  • Pfsense lusca 2.1.3

    19
    0 Votes
    19 Posts
    11k Views
    @cmb: @cabnet: So I better switch to the lower version in which Lusca cache is supported... Hell no. Use Squid. There is absolutely no reasonable reason to use Lusca. You always say to use Squid, but there is no noob step-by-step tutorial to make it work like Lusca does. Lusca caches everything, and there are a lot of step-by-step guides to make it happen, and that satisfies our needs. I tried to install Squid many times and tried to follow every procedure on the net, but still failed to cache everything that I browse, like webpages, patches for games, especially videos from the net, etc. I guess some of us are maintaining 5 or more PCs; that is why pfSense Lusca is very handy. Hope you get what I mean and why we still insist on using Lusca.
  • RAMDisk usage

    7
    0 Votes
    7 Posts
    3k Views
    stephenw10
    In Nano it's in the same place as the /var and /tmp ramdisk options, in System: Advanced: Miscellaneous: Originally that option was in Diagnostics: NanoBSD: which obviously doesn't appear on the standard 'full install' type. I don't have a full install to check that. As Phil has said those options are there to make things more like Nano rather than for speed advantage. Though obviously a ram drive will be much faster than any standard drive type. If you were running a full install from a Disk On Module device you might want to move /var and /tmp to ram to reduce writes to the device. In pfSense things mostly run in RAM anyway. I doubt you'll see much improvement in performance unless you have something custom going on. Steve
  • Locked myself out of webGUI

    9
    0 Votes
    9 Posts
    2k Views
    I would definitely go down the path of getting a serial cable - you really want one for the day when the system is power-cycled and nothing seems to come up. Being able to see the real console output is a must. I bought 1 of these serial cables for every site a few years ago: http://www.amazon.com/Tripp-Lite-Modem-Serial-P450-006/dp/B000067SCH/ref=pd_sim_sbs_indust_1?ie=UTF8&refRID=07T1K2VK31YGRK09HC5Z and they have all worked fine. And you need a client (laptop, desktop, whatever) that has a serial DB9 port, or a USB to serial device. If you do re-flash, then make sure to use an image from Netgate. The Netgate images have whatever special parameters need to be set to get a successful boot the first time (e.g. boot_delay …). I have no idea if the FW-7551 needs anything special like that, but by using the Netgate image you should have no trouble. But don't do that - wait for a serial cable!
  • Dns forwarder issue

    9
    0 Votes
    9 Posts
    3k Views
    johnpoz
    @esampathj: Never heard it before. Any idea how to disable it? Under DHCPv6 on the Services tab - see attachment. Windows is going to prefer IPv6 out of the box. If you're not using IPv6 on Windows, just disable it would be my suggestion. Security 101 - if you're not using the protocol, then the protocol should not be active. Simple as an elevated prompt in Windows:
    reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255
    No more IPv6 to worry about. [image: underdhcpv6.png]
  • Update 2.13 and Supercell games

    3
    0 Votes
    3 Posts
    2k Views
    stephenw10
    Check the firewall logs. Check the state table to see if any connections are being opened. One possibility is that PPPoE introduces some overhead to the packet size, an MTU issue. Steve
  • SMART Disabled. Use option -s with argument 'on' to enable it.

    5
    0 Votes
    5 Posts
    1k Views
    @jimp: No, but it should work until you reboot, at least from what I remember Got it. I'll just check the BIOS then and will report back. Thanks.
  • High Memory Usage

    12
    0 Votes
    12 Posts
    4k Views
    BBcan177
    With Snort, set the Memory setting to: AC-BNFA-NQ. Also make sure that you don't manually click the start/stop interfaces icons while Snort is attempting to start as this can lead to duplicate pids.
    pgrep snort
    This command should only show one pid per interface.
  • How many configuration history does pfsense stores?

    3
    0 Votes
    3 Posts
    1k Views
    Why I asked is because, for some reason, pfSense is acting weird. It started blocking send/receive without changing any of the proxy configuration. Further, it blocked the usual HTTP connection on port 80, whereas proxy users are on 3128. The configurations that I have edited aren't even being applied, though they are saved. I suspect that may be due to the unexpected shutdown. It didn't even after replacing an old backup of it. What could be the reason?
  • Multiple Ip + VLAN

    3
    0 Votes
    3 Posts
    991 Views
    I had the same problem.  I connected via the serial port and backed out of the change. I temporarily made my WAN a static address and used it for configuration, I changed everything over to VLANS on the interface that was once the LAN, now I don't have a "LAN" interface per se, but a physical interface with several VLANs using it as the parent interface. I had to add the VLAN interfaces to the DNS forwarder to have them all work correctly.
  • Connect to Switch on WAN side?

    2
    0 Votes
    2 Posts
    850 Views
    You will have to know the IP address of the switch somehow, and I doubt it really comes from the ISP. Anyway, if I understand what you want to do, take a look at this https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall  Works great for me, generally going to cable modems.
  • Remote syslog: Both master and backup logging simultaneously

    4
    0 Votes
    4 Posts
    819 Views
    @jimp: No, and you really don't want to. So long as you give them each a unique hostname (which you should be doing anyhow), you can filter the logs entries to separate files on the syslog server. Thanks - I already did the filtering. I'll just put some non-logging block rules up for broadcast and multicast traffic to limit the noise. By the way, for users googling this thread: To separate logging on rsyslog (in case you're on Linux), do this:
    :FROMHOST-IP, isequal, "192.168.10.3" /var/log/pfsense/pfsense-01.log
    & ~
    :FROMHOST-IP, isequal, "192.168.10.4" /var/log/pfsense/pfsense-02.log
    & ~
    Lars
  • Ftp-proxy through dual WAN

    3
    0 Votes
    3 Posts
    821 Views
    Sorry… FTP clients are on my LAN where pfSense is installed. This pfSense box has two WAN IPs. They connect to an internet FTP server.
  • A VLAN with the tag XYZ is already defined on this interface

    5
    0 Votes
    5 Posts
    1k Views
    Thanks Phil, I was going to go back and check that, appreciate the help!
  • MOVED: Squid not generating Access.log

    Locked
    1
    0 Votes
    1 Posts
    501 Views
    No one has replied
  • How many rules is too many?

    6
    0 Votes
    6 Posts
    1k Views
    First, you should upgrade immediately. You're absurdly far behind at this point. @kejianshi: When you have rules you don't need, it's too many. Exactly. You'll impact performance at some level, but it's way beyond what most any reasonable system will use, well into the hundreds of thousands of rules to make a minuscule difference. If you're running in a high traffic datacenter scenario, that's potentially different. For most office and all home use scenarios, no consideration.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.