• Squid > pfsense

    Locked
    0 Votes
    3 Posts
    2k Views
    Do I need to set up multiple NICs on my squid server for each subnet of the VLANs?
  • DMZ/NAT Questions

    Locked
    0 Votes
    4 Posts
    3k Views
    Cry Havok
    Edydh, unless your problem is exactly the same as the one already discussed you should always start a fresh thread. In your case, please search for NAT reflection and start a fresh thread if you have further problems, to avoid your unrelated problem and CeilingKitten's problems being confused.
  • PfSense freezes when touching VLANs

    Locked
    0 Votes
    2 Posts
    1k Views
    Does the VPN continue to work at all? When you mess with VLANs and/or interface assignments in 1.2.3 it goes through and reconfigures the interfaces which causes a hiccup in connectivity for a few seconds (it's much less invasive in 2.0), but I've never seen that cause any problems aside from having to wait a few seconds.
  • Outbound Traffic Blocked for One Machine Only?

    Locked
    0 Votes
    6 Posts
    2k Views
    I figured it out. It was the outbound NAT. I have 15 static public IPs, with 13 of them being virtual IPs, and 8 of those NAT to the inside. When I tested the second, third, etc. servers - after building the VIP and NAT - they were showing the router's IP address (using whatismyip.com) in the web browser, not their assigned external IP. I turned the outbound mode to "manual" and ticked the "static port" box. Saved and applied the changes and now each server needing NAT to an external IP shows the correct IP.
  • MOVED: pfSense not playing well with Team Fortress 2 :(

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Block and allow port 443?

    Locked
    0 Votes
    4 Posts
    5k Views
    No, the destination is initially 443 on the original web host address. The router does the translation along the way when routing the packet for you. Hence, the firewall rules will check the initial source/destination before deciding whether to route (pass) or drop the request.
  • How to know which local ip address is going on which internet line?

    Locked
    0 Votes
    4 Posts
    2k Views
    Cry Havok
    Log on to the web interface and look under Diagnostics at the States page.  On 2.0 there's also a States Summary page.
  • All Firewall Rules Deleted, Yet 50+ Rules Active?

    Locked
    0 Votes
    2 Posts
    1k Views
    Those are local loopback rules and such used internally by pfSense so that its functions work. They're not the same as the ruleset exposed directly to the end user. For example,  8 B I Q drop inet6 all means to drop all ipv6 traffic because you have not enabled ipv6 in the webgui. lo0 is the local loopback interface, and so on and so forth.
  • MOVED: Terminal Server Aware web usage logging

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Clients connected to VPN cannot access DMZ

    Locked
    0 Votes
    3 Posts
    2k Views
    I am developing a customized application for FileMaker and I have a VPN client installed. I have to get content from LinkedIn and store it in local storage… I need your guidance.
  • Lan to dmz problem

    Locked
    0 Votes
    2 Posts
    1k Views
    Cry Havok
    Try setting a static route on your server so that it knows how to route the traffic back to the LAN.
  • Fragmentation problem when firewall is enabled

    Locked
    0 Votes
    6 Posts
    2k Views
    jimp
    It should be fine like that. It's just some extra added cleanup. Some use cases require it not be present, but in general it's better left on. I wouldn't worry about running with it off, though.
  • Firewall rule for work question

    Locked
    0 Votes
    2 Posts
    1k Views
    Here is what I have built so far: OPT4 net * WAN address * *   Work Segment *      TCP 192.168.14.x * OPT4 net * * Access to printer ICMP 192.168.14.x * OPT4 net * * ping access to firewall TCP OPT1 net * OPT4 net * * limiting access to 192.168.14.x TCP OPT2 net * OPT4 net * * limiting access to 192.168.15.x TCP OPT3 net * OPT4 net * * limiting access  to 192.168.17.x I hope I am headed in the right direction. I just want to make sure that the business and home networks are completely separated. I may have to make additions and subtractions based on the new equipment that I am issued. Any thoughts on the direction that I am headed? RC
  • Lan access in wan if

    Locked
    0 Votes
    10 Posts
    3k Views
    1. The address of the OPT1 interface will be 192.168.1.x, where x is any value from 1 to 254. 0 and 255 are reserved in a /24 network. 2. If you use pfsense's DNS forwarder and DHCP server then the clients will obtain their gateway and DNS server automatically when requesting DHCP.
  • Allow only Internet (WAN)

    Locked
    0 Votes
    5 Posts
    5k Views
    The following rules on the interface GUEST worked for me: Block GUEST -> DMZ; Block GUEST -> LAN; Pass Guest -> *
  • Firewall- Blocking mac address ranges

    Locked
    0 Votes
    7 Posts
    22k Views
    While keeping on topic in a way, is there a way to "auto" block DHCP addresses that are not statically assigned by the DHCP server? Or conversely "auto" allow DHCP addresses that have been assigned? For example: LAN = DHCP Server statically assigns IP by MAC. All foreign MACs are assigned an IP from the DHCP range and forced to go through the captive portal on the WAN. DMZ = servers/etc… I would like to have a rule on the source tab that allows all DHCP assigned IPs on the LAN side to pass through to the DMZ, everyone else (which would not be statically assigned an IP by MAC) would be denied to the DMZ. If this deserves a separate topic I can start one, but I figured it is in a way related to the OP.
  • Temporary one-time firewall pass-throughs

    Locked
    0 Votes
    3 Posts
    3k Views
    Just to keep this updated, searching for reverse captive portal eventually got me to "Netscreen WebAuth" [1], which is almost exactly what I am looking for. I have winter vacation from school until the end of January, so I will work on it over that time. [1] http://s0.m0n0.ch/wall/list/showmsg.php?id=183/81
  • Bonjour with OpenVPN

    Locked
    0 Votes
    7 Posts
    8k Views
    jimp
    Leave them on 'none'. And now that they're interfaces, make sure they also have firewall rules on their interface tabs under Firewall > Rules. That's about all there is to it.
  • Bridging Interfaces

    Locked
    0 Votes
    6 Posts
    3k Views
    Your WAN and LAN are on the same network, which means it is impossible to route between them. Try this instead: eth0 = 192.168.10.9 / 24 - wan (gateway 192.168.10.5, dns 192.168.10.5); eth1 = 192.168.20.10 / 24 - lan; opt0 = 192.168.30.11 / 24 - wan2 (gateway 192.168.30.4). What are your 2 gateways in this example? Is pfsense connected to a couple of routers? modems? modems in router mode?
  • One client on WAN2 with Dynamic DNS. How ?

    Locked
    0 Votes
    3 Posts
    2k Views
    I don't think so, at least I can't find such a function. But how will it help? I have a dynamic IP :> so I can't put it on the DNS provider.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.