pfBasic, There is no enough way to say thank you, you just made my day, Thank you for taking the time to write every letter, I really appreciate your valuable time for sharing your knowledge and experience with the community. I have a AMD PC with FX 8350 and 8Gb ram + gts 450 sitting in the basement, I will start immediately playing with it to get my hand dirty in pfsense. I am waiting for Ryzen 1920x to arrive, as I will use it 24/7 for VFX and I hope to run pfSense at the same time with this rig through KVM. so here is what I am going to do: I will run two KVM, one with Win10 and the other with pfsense, and I will plug my wan cable directly with the PC(dual intel Nic) and make bridge from PC(pfsense) to the DD WRT router to have dual band wifi network access. can I make kvm windows 10 to use pfsense not my ISP wan as gateway (they are both running on same machine) ? can this done virtually or I need to add more nic and port link from dd wrt? Have a wonderful weekend

Get a VPN account from somewhere.  Configure OpenVPN to connect pfSense to it.  Use policy-based routing to route whatever traffic you want over the VPN link.  No idea how well this would work (if at all) in conjunction with squid.

@johnpoz: "But when i plug my laptop into the switch thats on OPT1 it doesnt give me a valid IP address." What does this have to do with vpn client connection on pfsense? Did you enable dhcp on your opt1 interface on pfsense? Hi, thank you for bearing with me on this.. I am learning :) I have followed this guide for OPT1 https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/ When i check system logs/gateways i get sendto error: 65 I have OPT1 setup on static IP as per that guide. I have also changed it to DHCP with not luck.

Any suggestions for this configuration, and a secure administrative host would be greatly appreciated. Thanks. The pfSense team is likes I am remembering me right working on a solution likes that, but I can´t fairly nothing say about the stage of that work and other things, there is not to much information about. If you want to get a fair answer I personally would work at each side with Aten serial console switches, they have some interesting solutions and different models, for real serial, USB and LAN Port console switches, so on each side all models can be connected to that LVM switches and over VPN you will be the able to connect to them for configuring all your devices and pfSense on top. VPN might be secure to realize that action.

6. I've gone into firewall > NAT > outbound and set it to hybrid (as we still have an actual private LAN behind the PFSENSE which still needs NAT). I then created a mapping rule for interface WAN with source ANY destination 192.168.158.168/29 (network) and set the option to "Do not NAT" in the rule This is backwards. Should be: interface WAN with source Network 192.168.158.168/29 destination any and set the option to "Do not NAT" in the rule I assume the 192.168 is simply a place-holder for the actual, public IP addresses. You can avoid this confusion there by using 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24 in your examples where you want to use BS address space and want everyone to know you're really not talking about RFC1918 space. https://tools.ietf.org/html/rfc5735 (eta: oh already asked and answered. Not many people know about these example/documentation subnets so I'll leave it here).

problem solved. all the thing was about setting acl rules "allow" or deny" list. i set the rules its working now.

Hi JohnPoz I reinstalled the PFsense and configured the servers as you outlined - success! Thank you for your help - I obviously changed something post set up.  Your outlining of the way it was to work has made the process much clearer - once again thank you for taking the time to help me.

Just going to follow up on this and bring some closure to this thread.  I continued to have crashes with the APU2 unit as well.  I tried a fresh install and reconfiguration by hand instead of restoring the config, which still resulted in many crashes per day.  We resorted to OPNsense and reconfigured by hand, things are stable since deploying it on the APU2 this past Sunday.  I did submit a few more crash reports in hopes that there would be some key info there to help the guys behind pfSense, if it is indeed some kind of bug.  Will revisit this issue when I can afford some more downtime, or when 2.4 is released. Thanks for all of the input and help, sorry we couldn't get it figured out.  Some kind of bizarre quirk specific to my configuration/environment I'm sure.

Disabling the default setting "Enable DNSSEC Support" lets things work correctly again with Forwarding Mode enabled.  The OpenDNS public DNS servers do not use DNSSEC.  Should forwarding lookups fail when DNSSEC support is enabled but where forwarding DNS servers do not support DNSSEC? I would expect lookups to fail only when DNS servers support DNSSEC but where what is returned does not validate correctly.

Well…. turned out some user put a Tp-link managed switch in somewhere that was using 192.168.0.1, which by chance is the same as pfsense LAN. I dont know why, but this did not show up in the system log until hours later, and then it was in there every 20 seconds: Jul 27 11:15:40 kernel arp: 84:16:f9:b9:9e:e9 is using my IP address 192.168.0.1 on igb1! Jul 27 11:15:35 kernel arp: 84:16:f9:b9:9e:e9 is using my IP address 192.168.0.1 on igb1! Jul 27 11:15:03 kernel arp: 84:16:f9:b9:9e:e9 is using my IP address 192.168.0.1 on igb1! Jul 27 11:14:46 kernel arp: 84:16:f9:b9:9e:e9 is using my IP address 192.168.0.1 on igb1!

We have noticed the change at several systems: One Example: 8 vcpus Intel(R) Xeon(R) CPU E5-2697 v3 @ 2.60GHz 8 CPUs: 8 package(s) x 1 core(s) Version used before:  2.3.3-RELEASE-p1 Throughput: 1 - 2 Gbit/s States < 10k Conns/s < 100 We have changed several parameters (virtual-infrastructure, hw-firmware, and pfsense-update) We noticed that sync traffic is reaching 10% of WAN-Traffic which is a real huge increase. I have attached two files (after_update is the sync-traffic, wan_traffic is the wan traffic). At time our solution is to turn sync off. I have also noticed that high traffic rates ( > 4 Gbit/s) are only achivable with sync turned off. [image: 170727_after_update.PNG] [image: 170727_after_update.PNG_thumb] [image: 170727_wan_traffic_after_update.PNG] [image: 170727_wan_traffic_after_update.PNG_thumb]

I tried again using an OpenVPN setup. I followed this tutorial: https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server I have the same problem. Either I can only access the internal resources, but no internet. Either I can access the internal resources but internet is from mobile provider. Can't get my phone to use the VPN internet connection. What am I doing wrong? Is this thing even possible? I did check the "Force all client generated traffic through the tunnel." option. No internet on phone, only LAN resources.

Thank you !

Unfortunately I think that's true. It would need to be something from upstream anyway. I have no idea where that device even is I was testing with anymore.  ;) Steve

Thanks for the hint. It does not seem that there is a switch to tune the queue length. I do not suppose you mean values in system tunables. I will try and set the adapters to vmxnet3 and see what happens.

@pfBasic: I think Unbound reloads every time a new DHCP is registered? Hopefully someone else can confirm or deny that. Also more to the point, if reloaded, is its cached data lost or service interrupted? That would be an important point for some networks. Samba for instance reloads config without stopping+starting.

Remove the FreeRADIUS 2.x package. Install FreeRADIUS 3.x. Visit the EAP tab under Services > FreeRADIUS, make sure you have a proper CA/Server Cert selected there, or set them to 'auto'. Save. Then make sure the rest of your settings are correct, especially the Interfaces tab, NAS/Clients tab, and Users. Review your setup against this document: https://doc.pfsense.org/index.php/Using_Captive_Portal_with_FreeRADIUS It mentions FreeRADIUS 2.x, but 3.x works the same.

I am on bt I have a HG612 with a lan cable running from that to my pfsense box. I have setup the wan interface as pppoe and supplied it with the login details of bthomehub@btbroadband.com and (password) if asked and it connected first time. as for the AP I just plugged mine into a switch served by the pfsese lan interface and it works great. if you get issues with that setup let me know.

You have some daemon on the firewall which is extremely busy, connections are coming in too fast for it to handle with the current queue size. What services and packages do you have enabled?