• HTTPS on non-standard port being blocked

    Locked
    13
    0 Votes
    13 Posts
    10k Views
    ?
    Found a solution: Edit the file /usr/local/pkg/squid.inc. Search for "acl sslports port 443 …" line. Add the https port you need to access on this line. Save. Restart. NB: I also added it to the line "acl safeports port 21 ..." but I'm not sure if it's necessary.
  • Why the rule of lan is invalid?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    E
    I know the reason: I checked the Static route filtering in advanced function. Because I used some static routes, I checked it when I hadn't read the description carefully. [image: staticroutefiltering.jpg]
  • How to redirect port 80 traffic to my squid box

    Locked
    16
    0 Votes
    16 Posts
    10k Views
    M
    I figured out how to do this a while ago: http://forum.pfsense.org/index.php/topic,11318.msg62764.html#msg62764
  • Full Cone NAT & Port Restricted NAT for VOIP communication in pfsense.

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Can I Install pfSense along with my Squid proxy Server?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    N
    Dear Friend, Thanks for the help.
  • Firewall LAN rules only work with “single host or alias”

    Locked
    10
    0 Votes
    10 Posts
    6k Views
    F
    Hi there. My ftp-problem is solved. I had installed a pfsense (test setup) behind a pfsense firewall. So I’ve tried all these settings (with my test setup) and maybe that’s the reason of my ftp-problem. I’ve now installed pfsense 1.2.1-RC2 as my basic firewall and it is more stable than before. Even after installing Squid, SquidGuard and Lightsquid. Thanks to all who were so kind to help me.
  • Filtering ftp behind pftpx

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    V
    @hoba: What do you mean by "started manually without flags"? This is not really supported and iirc we use ftpsesame for routed and bridged scenarios. I guess you could use a rdr rule from any to <ip of the blocked ftp server> instead of from any to any and send that to some nonexisting port and let the connection time out this way. This is not doable through the gui though but it looks like you already are playing around below the hood anyway ;) Could you point to any docs on using ftpsesame on a routed pfsense instance without "Fooling around under the hood"? I haven't been able to find any, but my searchfoo might just be that weak. I started using pftpx to do this because it was the only way I found to not have to open high ports. As for getting the RDR rule to stick... I added it through the GUI… so it is in the config and it shouldn't just "Go Away". I am starting pftpx manually though. I tried to add the command to start it to the config file manually, but it is erased each time I make a config change. So manually it is for now.
  • Rule evaluation order

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    V
    peterdh44, We run multiple PF boxes at work (A Data Center) and about a dozen pairs of PFSense boxes. On similar hardware a PFSense box has similar throughput. But it has a VERY nice GUI. PF is designed to be more efficient with a Last Rule Matching ruleset, but that is generally not an easy rule set for people to think their way through. The rule sets in the GUI for PFSense are first rule matching, but either there is little performance advantage, or the PFSense kernel mods are such that the performance is made up. From testing I can tell you with certainty that there is VERY little difference in performance, and the difference I do see is small enough to be non noticeable in a real world situation. Basically, First rule matching is a better fit in this case. So the Quick option gets used.
  • FTP Filtering and FTP Helper (pftpx)

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    V
    Bump…. Anyone have any ideas?? This isn't really critical... But it is proving to be a hindrance. I would also be amenable to a solution to proxy ftp traffic that allowed me to use standard firewall rules to accomplish this. James
  • How to block network from accessing internet

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli
    http://forum.pfsense.org/index.php/topic,7001.0.html
  • Port forwarding through two routers

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    B
    Create a port forward rule on the pfSense machine that forwards port 80 to your smoothwall machine. Then forward port 80 on your smoothwall machine to your web server.
  • PfSense behind US Robotics: ESP packets from WAN to 224.0.0.1

    Locked
    7
    0 Votes
    7 Posts
    6k Views
    M
    Thank you much gmax, I did know that the 224.0.0.1 was the ALLDEVICES multicast group but I didn't know I could safely drop them: I did it but I was monitoring the network for problems or something else (I experienced some Skype quality problems while dropping these packets in the past but now it's working good, maybe that was a not-so-mature Skype version?): also many thanks for that link, I looked into my trusty Kozierok's tcp/ip guide but it's lacking some information about IGMP.
  • New aliases not created

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    E
    Fixed with a workaround, but not ideal…. Save config and restore it, however this reboots the firewall, which is not ideal in production.
  • Want to know about firewall/nat rules

    Locked
    15
    0 Votes
    15 Posts
    6k Views
    GruensFroeschli
    No need to be crushed and destroyed :) Just read the available info more carefully ;) If you have any questions just ask again.
  • Firewall Reject HTTPS request from outside network

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    Cry Havok
    That tiny snippet, free of context as it is, looks like it might be half of an FTP session.
  • Protecting my public servers

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    P
    Generally a good read for similar problems. http://doc.m0n0.ch/handbook-single/#id11641814 http://forum.pfsense.org/index.php/topic,7001.0.html
  • Slow download times when wget files from Web Server behind FW.

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    G
    Hello guys. Has anyone experienced this issue before with slow download times from a web server behind a firewall? If so, what are some of the things you did to eliminate the problem? Thanks in advance.
  • Block private & bogon networks on OPT1

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    T
    Something that seems to work for me is creating an alias of RFC 1918 addresses and blocking that on OPT1 for WAN purposes.
  • New rules being created against the policy

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    J
    Well, that's no biggy, gives me more reason to change it sooner.
  • Nesting of aliases

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    P
    I take back my previous post - it allows you to create the rule but it doesn't load the rules.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.