Then make the pass rule on VLAN10 to be source VLANnet and destination LANnet.

@sneakking: @jezzy: Is there anyway to only route certain local IPs via the VPN (my downloaders..) so the remaining devices don't get bogged down with the VPN speed? For how to handle traffic per host: https://blog.monstermuffin.org/tunneling-specific-traffic-over-a-vpn-with-pfsense/ Thanks, I just setup pfSense and wasn't able to route IPs via my VPN.

Draw a schematic of your setup & include all involved subnets

It's blank when I do that (i.e. blocked by the default rule)…which it shouldn't hit because of the allow everything rules

Turns out the tech who said I was having router issues was a little less than "spot on". I swapped out my pfsense with a dd-wrt I had around and got the same issues. A complete cable replacement from the pole to my home including a repair to the cable inside and I am good to go. Pfsense wasn't the cause of this issue; but rather, was a scape goat for a tech who was out of ideas…

workgroup in windows has zero to do with shared resources.  All a "workgroup" is what list to put it in the browselist, nothing more - it really is just utterly useless..  Might of be somewhat useful back in the day of windows for workgroups to group machines in specific lists like users, servers, etc.. dept A, dept B, etc.. But they have zero to do with authentication to who can access shared resources off a machine. Might was just leave it at the default workgroup for the name.  The DNS domain that you setup in pfsense is just that the domain part of a FQDN (fully qualified domain name) so when you lookup pfsense.something.tld or whatever you want to call pfsense. Or other machines in your network.

Ok, thanks.

@Harvy66, This happened again today and, knowing network utilization was the likely cause, I was able to track it down right away.  You definitely put me on the right path.  It was as simple as the network being saturated. Specifically, I had a CrashPlan server on one VLAN and it's data store on another VLAN.  When CrashPlan would (deep) compact data, it would saturate my firewall for the duration. Thank you again for the help.

I would suggest simply unplugging the defective USB device.

@Derelict: Then: 1. create an inside network, just like any other LAN using that subnet. 2. Put any rules for what that network can access on that interface, just like any other LAN. 3. disable outbound NAT on WAN for that source network 4. pass any inbound access you want on WAN, like from source any to destination 24.240.16.10:80 for a web server there. 5. take the rest of the day off. Actually, there turned out to be a 0. step - call Cox level 2 and get our REAL CIDR block.  The technical info from the install gave us completely wrong CIDR info.  The original 24.249.160.0/28 wasn't even close to our assigned block for the MODEM  :o … Almost 80 hours down the drain on this  >:(. Now I don't fee like such a noob. Thanks to all for bearing with me :-\

@phil.davis: I attached a screen shot from a 2.3.4 VM. You can just install pfSense in a VM on a client system to have a play and see all the webGUI pages etc. Thanks Phil!  Appreciate the screen shot.  I forgot about the VM, I will definitely do that and experience the whole package.

@johnpoz: So did you pull one of the cables during a transfer?  The one that was being used to see how fast it moved over to the other path? No I didn't do any actual testing. What I meant by that was that the network functioned. When I set it up on the TPlink my network just went down completely. I'm the stands on the zyxel for lacp it has the option to set a time limit of 30s or 1 sec. It looks like this is the frequency it checks to see if all ports of the lacp are working? I left it at 30 sec since I'm not actually using it now. Would the test you mentioned work with just one client or would I need to use multiple clients transferring files to see the difference when I unplug a cable?

If you're looking for something quick and dirty, then yes… you can leverage, Squid, Lightsquid and SquidGuard for simple monitoring needs.  Here are some wiki's to get you started: Setup Squid as a Transparent Proxy -> https://doc.pfsense.org/index.php/Setup_Squid_as_a_Transparent_Proxy SquidGuard ->https://doc.pfsense.org/index.php/SquidGuard_package Lightsquid -> Could not find a configuration wiki, you'll have to use google For anything more advanced or more detailed, you'll need to implement a UTM.

No, it is ZTE MF65. https://www.grameenphone.com/shop/routers/product/gp-3g-pocket-router

Great, thank you for your quick answers. Dario

@jahonix: Setup your DHCP server to only hand out leases to known clients. I've tried this, but don't work…!