An out of state packet is one that was part of an established session but that session has since been torn down.  All of those blocks are for a FIN ACK (or FIN PUSH ACK), you will note.  The pfSense side says "I'm going to tear this connection down and close it!"  The other side says "OK", but pfSense has already torn the connection down so it sees the OK reply as an unsolicited new connection attempt and blocks it.

https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

Awesome.. thanks Nachtfalke! I wasn't aware of that "System Patches" package.

I tried this with my SquidGuard changes today and Squid + SquidGuard were working perfect.
Everything seemed great until I did a final reboot test. Something went wrong after that to a point where Unbound and DHCP wouldn't load. I was getting some weird certificate type errors on Unbound.
I had to revert back to the other slice to recover.

I'll have a bit more of a play though and see if I can get it going.

Thanks again!

@gersonofstone:

Hi

reinstall the proxy reports

Hi, I've already re-install. Uninstall and install. But still the same. No log after June 1. :(

Confirming this worked for me as well.
my error message was:
ERROR: No forward-proxy ports configured.

Hi Blendin_Blandin,

For HTTP health checks you can do the following:

enable 'ssl' on the backend server Http check method : HEAD
Though i would probably set a very low check frequency (once a minute or so.?.) or maybe not check at al..

As for the certificate, as your passing the traffic with mode tcp so haproxy doesnt need any additional settings there, a valid certificate needs to configured for the webgui though for the name your typing in the browser.

Regards
PiBa-NL

@steve1515:

(…)
Not that I need to do this, but what if I wanted to proxy based on the 3 DNS host names instead of the IPs. Do you have a cool way to do that?  :D

If you know the FQDN of all other clients, then just put these clients into the alias. But to be honest. Because you can do it it is not always the best way to do this. In the thread there are mentioned other possibilities like WPAD and so on.

Other ways are to configure DHCP with static entries so that the three clients will always get the same IP address. This will make things easier.

Good luck!

Thanks for the answer but i am still confused.
Its Squid 3.x.x the package currently listed as just "Squid", which LightSquid is calling Squid3, or are we talking of different things here???
In the case "Squid3" means any version starting from version 3, maybe would be better to make that a bit more clear, or other ways rename the current "Squid" as "Squid3" as quoted on the note on LightSquid to avoid confusion…...

Thanks for the responses, checked the reports again today and another ip is pulling down over 4GB from windows update

@aGeekHere:

Have you increased Maximum Object Size to an insane value like 1000MB for big updates ?

Yea I have it set to 1GB but still no luck. will try the refresh patterns posted.

Regards

That is exactly my set up

not to forum jump this but not really sure why so many misses

Like I said earlier, if you have a large cache structure that is mostly full on a slower hard disk then you will have elevated Cache Miss times.  The longer it takes to search the cache before declaring a MISS, the worse your numbers will be.

See if this helps:
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-vpn.html

There appears to be a setting you can adjust related to how AnyConnect treats a proxy connections, however it appears that if your configuration is the 'Always On' or you are IPv6 in your home, I believe Cisco AnyConnect doesn't support and your out of luck.

As far as Netflix I would try excluding it from sites to proxy.

I've solved the problem :
1. enter this configuration on lighty-proxy-wpad.conf

# # lighttpd configuration file # # configured for WPAD/PAC serving # ## set static document-root server.document-root        = "/usr/local/www/wpad/" server.modules                  = ( "mod_access", "mod_fastcgi", "mod_cgi" ) ## where to send error-messages to server.errorlog =      "/var/log/lighty-proxy-wpad.log" # mimetype mapping mimetype.assign            = (         ".dat"          =>      "application/x-ns-proxy-autoconfig",         ".da"          =>      "application/x-ns-proxy-autoconfig",         ".pac"          =>      "application/x-ns-proxy-autoconfig" ) ## bind to proxy address and port server.bind  = "10.170.60.40" server.port  = 80 fastcgi.server                  = ( ".php" => ( "localhost" => ( "socket" => "/var/run/php-fpm.socket", "broken-scriptfilename" => "enable" ) ) ) cgi.assign                      = ( ".cgi" => "" ) ## unqiue pid to other lightppd instance server.pid-file            = "/var/run/lighty-proxy-wpad.pid"

and copy the /usr/local/www/sgerror.php in /usr/local/www/wpad/

Now all working.  ;)