This has been discussed on the mailing list many times.  Google up the discussion for the explanation.  If its really that important to you, feel free to start a bounty project to help fund the development.

@jimp: You also need to configure your ssh client to prefer key-based login over password-based. Excellent.  For those reading this, one easy way is to add to your ssh command line this option: ssh -o KbdInteractiveAuthentication=no ... This has the effect of supressing interactive authentication for one session while leaving your default options untouched.

Hi all,     Well better get 2.0 stable soon then hehe :) Tks for the replies Eric

Easy way to test if it's hardware: swap the config files for master and backup, see if the "master" still hangs.

ARP Table is also in Diagnostics > ARP Tables However, that will only show systems which have recently connected to (or through) the firewall. It's not an accurate representation of online systems, for that you would need a monitoring system which actively pings/monitors PCs/servers.

Thanks for the reply. The most weird thing to happen with this issue is that suddenly a few days ago - the behaviour just stopped! There was no switch reconfiguration done and nothing changed on the firewall. The only single 'incident' that linked dot around the same time was a J2EE application restart on the server in question, around about the time when this weirdness stopped. I will keep monitoring and have enabled sys log on the device to see if I can catch any events if/when the issue returns…. Cheeers, JD

@Supermule: The billing issue is the ISP downside to PF….. Nah, you have Netflow, which is what most ISPs use for that purpose (regardless of network gear).

It takes thousands of simultaneous connections to get to that point, if you're seeing that, you have that many connections through reflection. We generally advise against using reflection at all, but it's a fine solution in most circumstances, just not when you get to higher numbers of connections that need to be reflected. High throughput environments do it "right", i.e. split DNS. Efonne does have a branch in git that does reflection in pf, which gets rid of the nc scalability issues. That's for 2.0 only, and may have other drawbacks as it hasn't been nearly as widely tested.

If you need to save the log, you must redirect the logs to an external syslog server. Even if you increase the log sizes, there is no guarantee you will save an entire day's worth of entries, especially if you endure a lot of port scans or other random traffic on the WAN.

It works fine on a WRAP if you flip the bits as described here: http://doc.pfsense.org/index.php/NanoBSD_on_WRAP 2.0 might be a little heavy on CPU/RAM for a WRAP but it might work. I haven't tried it on my WRAP yet.

Snort has a p2p policy category, would this help?

just a follow up.. I tried this http://forum.pfsense.org/index.php/topic,10409.0.html then http://forum.pfsense.org/index.php/topic,6998.msg49266.html#msg49266 seemed to load the config.xml file, upon reboot webconfigurator failed again? (NFI) probably missed a step resolve, just did a re-install from CD…. which fixed the web configurator problem, then restored from the same back up.... seems to be working again... one strange thing was during re-install of packages.. snort was reinstalled, then removed then reinstalled? (is it possible to have installed twice by mistake?) I only say that as it went through the 5% 10%...100% routine twice as I went a made a coffee and came back to find the message "removing snort" then installING snort 5%..%100.... no biggie!

True enough :)

If the additional IPs are routed to your main shared CARP IP, you can use the "other" type VIP. You'll just need to set them up on the backup unit by hand the same way.