I will try to explain more about our setup, since this problem continues to bug us. Network Setup WAN PfSense LAN > VPN > Remote site with IPTelephones (H.323) The gateway to our remote site has the pfsense as its internal default gateway. So, all traffic from our remote site passes through the VPN , then to the pfsense and from the pfsense out. I´ve tried to find the iptelephones ipnumers in the state table, but they dont seem to be there. When we for example changes a static route on our pfsense, the filter reloads and the calls on our phones on the remote site breaks. The telephone system is Solidus Ecare on a MX-ONE telephone system and really has nothing to do with the pfsense itself, only that the clients on the remote site speaks through the pfsense to our telephony systems. The clients seem to bee unaffected otherwise when the filter reloads. They maintain communication to all the systems. Only the iptlephones traffic breaks. Any comments tips or the like is much appreciated. Best regards

pkg_info arc-5.21o_1        Create & extract files from DOS .ARC files arj-3.10.22_1      Open-source ARJ bandwidthd-2.0.1_1  Tracks bandwidth usage by IP address clamav-0.95.1      Command line virus scanner written entirely in C db41-4.1.25_4      The Berkeley DB package, revision 4.1 gamin-0.1.10_1      A file and directory monitoring system gd-2.0.35,1        A graphics library for fast creation of images gdbm-1.8.3_3        The GNU database manager gettext-0.17_1      GNU gettext package gio-fam-backend-2.20.1 FAM backend for GLib's GIO library glib-2.20.1        Some useful routines of C programming (current stable versi havp-0.90          HTTP Antivirus Proxy jpeg-6b_4          IJG's jpeg compression utilities lha-1.14i_6        Archive files using LZSS and Huffman compression (.lzh file libiconv-1.11_1    A character set conversion library libslang2-2.1.4_1  Routines for rapid alpha-numeric terminal applications deve libusb-0.1.12_2    Library giving userland programs access to USB devices lightsquid-1.7.1_1  A light and fast web based squid proxy traffic analyser lzo2-2.03_2        Portable speedy, lossless data compression library mbmon-205_4        A tty motherboard monitor for LM78/79, W8378x, AS99127F, VT mc-4.6.2            Midnight Commander, a free Norton Commander Clone mysql-client-5.1.44_1 Multithreaded SQL database (client) neon26-0.26.4_1    An HTTP and WebDAV client library for Unix systems net-snmp-5.4.1.2    An extendable SNMP implementation ntop-3.3.8          Network monitoring tool with command line and web interface nut-2.2.2          Network UPS Tools openldap-client-2.4.10 Open source LDAP client implementation openvpn-2.0.6_9    Secure IP/Ethernet tunnel daemon p5-GD-2.39          A perl5 interface to Gd Graphics Library version2 pcre-7.9            Perl Compatible Regular Expressions library pcre-8.00          Perl Compatible Regular Expressions library perl-5.10.1        Practical Extraction and Report Language perl-5.8.8_1        Practical Extraction and Report Language pkg-config-0.23_1  A utility to retrieve information about installed libraries png-1.2.35          Library for manipulating PNG images python25-2.5.4_1    An interpreted object-oriented programming language rate-0.9            A traffic analysis command-line utility snort-2.8.5.3      Lightweight network intrusion detection system squid-2.7.7        HTTP Caching Proxy squidGuard-1.3_1    A fast redirector for squid squid_radius_auth-1.10 RADIUS authenticator for squid proxy 2.5 and later unzoo-4.4_2        A zoo archive extractor Nothing special at the logs, mostly ntop messages. I tried tcpdump and figured out that all packets are going correctly. Seems like NAT doesn not send/recieve all packets to clients…

Yikes!  I need to take notes. This has gone away and I can't remember what Ive done in the last few weeks…  Ive been using I.E. to admin the router so did not notice it go away. Ill compare notes with anyone who may stumble across this later.  Hopefully no one!  :P

It depends on where they were blocked. There are two tables in pfSense that can get IPs in them from different triggers, but it's pretty rare, and they are periodically purged. If you want to check, run the following from Diagnostics > Command. pfctl -T show -t sshlockout pfctl -T show -t virusprot If they are empty, that is not your problem. If you see an entry, you can delete it with -T delete <ip>or just flush it completely: pfctl -T flush -t sshlockout ```</ip>

pfSense is not linux and there is no glibc by default in pfSense ;)

For lagg to work, your switch has to support it as well. If you look at the feature list of your switch, see if it supports 802.3ad (this is the official standart defining link aggregation) more info here: http://en.wikipedia.org/wiki/Link_aggregation

hi. because you are using Squid Guard and Squid proxy with your main pfsense box. its better you use another pfsense box with Squid Guard and Squid proxy. in my exprience Squid Guard and Squid proxy in most case they slow down the system. at first they run like charm. but when ever they start to full flow(heavy load) they start to slow down the system. Me i am using 6 pfsense in six different internet cafe. All those cafe has 20+ work station. when i started to use Squid Guard and Squid proxy. They let me to face lots of problem. so i uninstalled those package and then all those problem gone. I think you are facing similar problem. BUT NEVER EVER DOUBT ON PFSENSE. It's Awesome…........

@rcbandit: What framework are you planning to use? Which framework do you find best for pfsence I don't think that has been decided. There has been talk of CakePHP but some people like it and others say it's too slow. Given that it's so far in the future for a topic, it's far too early to say.

There is a board just for CARP here, that would be the best place.

Thanks for replying. My ISP is plusnet.  I'm not LLU, I'm on a normal BT exchange with 21C, but not ADSL+ as I'm too far from the exchange to take advantage of it. On plusnet's forums I can see that other folks are using PPPoE just fine with them. They use the standard BT VPI/VCI 0/38. Yup, using PPPoE means my MTU has to be a little less than 1500.  I'm using 1492. I'm on the latest non-US firmware for the DG834Gv4.  It's currently in dumb-modem/bridge mode via the standard url hack. So far, my old d-link dgl4300 gaming router is working fine with the DG834Gv4 in PPPoE mode.  No uncompleted page loads. However, I'd far rather use pfsense.  That's why I'm here :) I'm not pegging the CPU on the 533mhz Via chip that I can see.  Downloading 20 SSL connections from my usenet server works a dream.  Going full rate. It just seems to be spikey web pages loads… like loading a new web page with lots of images that causes things to get lost/go wrong.  Things like page loads aborting... or image loads hanging.  Just regularly enough to be annoying. Note I did have to disable DMA on IDE for the CF chip, or pfsense wouldn't boot. I'm wondering if the network chips need a workaround.  They seem to be that model that everybody's complaining about.  realtek?  I tried disabling the checksum offload, but that didn't make any difference.  I tried device polling, and neither did that. -- gyre --

We've roughly 70 employees; I guess that's big.  Thanks for the link mhab12.  I will check it out.

You probably just need to copy /usr/bin/tip from a suitable FreeBSD host of the same vintage, and then from the shell you could run: # tip com1 Which would connect you to the serial port. To disconnect, press enter, then type ~. cu might work but I'm partial to tip. If you have a blue "Cisco" serial cable like they include with the router you do not need a null modem adapter.

It's a long ways off from that. 2.0 is getting better and better every day, but in many ways it is still a beta. In most cases it should not be used in production still, but lots of things do work properly (at least for the time being :)) There is no schedule or time frame. It will be ready when it's ready, but hopefully it will be sometime yet this year.

Thanks jasonlitka, that worked

That'll be it  ::) I'll go edit that post (if I still can).  Thanks.

Awesome, thanks for the information!