• How to schedule PowerD modes?

    3
    0 Votes
    3 Posts
    805 Views
    @Harvy66: I just leave mine at Adaptive and my 3.2ghz CPU is pretty much always at 300mhz any time I check it. I'm using Adaptive too, it works pretty stable. But I usually switch into minimum at midnight to save a little more power. However, if I could do that in a cron job that would be perfect. In Adaptive mode: Intel(R) Pentium(R) D CPU 2.66GHz Current: 1329 MHz, Max: 2659 MHz 2 CPUs: 1 package(s) x 2 core(s)
  • What the Beep?

    18
    0 Votes
    18 Posts
    3k Views
    jimp
    It's apparently the default for us and not explicitly set
  • VOIP Server Bandwidth Monitoring

    1
    0 Votes
    1 Posts
    540 Views
    No one has replied
  • IPsec v2 - EAP-TLS Support

    46
    0 Votes
    46 Posts
    24k Views
    @hege: @eskild: ipsec is unable to read the private key. with ipsec listcerts you should see a line like
        pubkey:    RSA 4096 bits, has private key
    If that's not the case, try the following commands
        ipsec rereadall
        ipsec restart
    (restart not reload!) What's the output of ipsec listcerts ?
    I had the same issue with pfSense 2.2 after creating a CA and a certificate (annoyingly, StrongSwan apparently does not and will not support wildcard certs).
    IPSec log when I connect:
        charon: 05[IKE] no private key found for 'C=US, ST=Illinois, L=Naperville, O=ITS Inc, E=support@example.com, CN=router1.example.net'
    ipsec listcerts output:
        List of X.509 End Entity Certificates:
        subject:  "C=US, ST=Illinois, L=Naperville, O=ITS Inc, E=support@example.com, CN=router1.example.net"
        issuer:  "C=US, ST=Illinois, L=Naperville, O=ITS Inc, E=support@example.com, CN=router1-ca"
        serial:    02
        validity:  not before Mar 17 23:10:33 2015, ok
                   not after  Mar 14 23:10:33 2025, ok
        pubkey:    RSA 2048 bits
        keyid:    xxxx
        subjkey:  xxxx
        xxxx
        $ ipsec restart
        Stopping strongSwan IPsec…
        Starting strongSwan 5.2.1 IPsec [starter]…
        no netkey IPsec stack detected
        no KLIPS IPsec stack detected
        no known IPsec stack detected, ignoring!
    After those commands, I get "pubkey:    RSA 2048 bits, has private key".  Unfortunately despite that, I still get error 13801 from Windows when using the common name or IP address.
  • Re0: Watchdog timeout ONLY on WAN interface

    9
    0 Votes
    9 Posts
    6k Views
    I literally haven't had a single watchdog timeout on an interface that wasn't set to WAN. Both interfaces I tested are on the same card, but that doesn't explain why they stop misbehaving IFF they aren't WAN. I'll try another mobo when I get the chance, but it's odd that only the WAN interface complains. I'll try setting the 10/100 NIC as WAN too, 100Mbit is better than nothing!
  • MOVED: Service HAVP don't start

    Locked
    1
    0 Votes
    1 Posts
    406 Views
    No one has replied
  • WOL - not working on ALIX / working on APU in Version 2.2

    9
    0 Votes
    9 Posts
    2k Views
    2.2.1 has fixed this issue. WOL works again for me.
  • Very slow LPR traffic after 2.2 upgrade

    2
    0 Votes
    2 Posts
    707 Views
    I'm posting an update to my struggle with this issue with the hopes that someone might be able to help. Since my original post I have installed new hardware with a fresh (non-upgraded) install of 2.2 and with all my settings rebuilt from scratch. The problem remained. So I admitted defeat and reverted back to 2.1.5. This fixed the problem and made it very clear that something in 2.2 was the cause. I may just need to report this as a bug, but I'm going to bounce it off the community one more time just in case there's something I'm overlooking.
  • Ftp passive problem

    7
    0 Votes
    7 Posts
    2k Views
    johnpoz
    As dok has mentioned if you're using the windows cmd line ftp, it has NEVER supported passive.  So you must have been using active, pfsense before 2.2 had a ftp proxy/helper that would have helped with that. Now there is none, use the new package if you need active connections to work. In a passive connection the server sends you the port to connect to and the client connection.  Unless you're filtering outbound traffic from the client there would be no issues in using passive from a client behind pfsense to a server on the public internet or on the wan side of pfsense. https://doc.pfsense.org/index.php/FTP_without_a_Proxy Active mode FTP through NAT will not function as that relies on a proxy or similar mechanism. Use Passive mode instead. Another option is the recently added FTP Client Proxy package which leverages ftp-proxy(8) in FreeBSD to allow clients on local interfaces to reach remote FTP servers with active FTP.
  • OpenVpn is flapping

    2
    0 Votes
    2 Posts
    849 Views
    The OpenVPN log will show more specifically what's happening, what does it show?
  • MOVED: User and Group based bandwidth restriction via Captive Portal

    Locked
    1
    0 Votes
    1 Posts
    416 Views
    No one has replied
  • How do I delete the information on the hard disk ?

    28
    0 Votes
    28 Posts
    4k Views
    Well - If you have settings that SHOULD chew up 70% of your disk but instead all of your disk space is being used, then you have a problem.
  • Network goes down when ports are opened

    7
    0 Votes
    7 Posts
    1k Views
    Thank you so much for your reply! I did what you said, and now the network is cleaner. Unfortunately I'm not able to put our ISP gateway in any sort of "Bridge mode" but the DMZ setting on it is set to my PFsense box (so the ISP router will stop blocking ports) and I set up a static IP address on the adapter that is facing the ISP router.
  • PfSense is causing a massive massive DHCP Flood on WAN

    10
    0 Votes
    10 Posts
    3k Views
    @j@svg: Anyone know the name of the DHCP relay daemon? dhcrelay. Worth checking whether that's running, though if it's not configured under Services>DHCP Relay it won't be. Even if it is, it can't loop things endlessly in a properly setup network. Not a bad next step in trying to figure out how the requests are being forwarded at all.
  • WebConfigurator

    7
    0 Votes
    7 Posts
    2k Views
    @2chemlud: To me this "feature" is absolutely counter-intuitive. If you want to block access to the pfsense from a local net, e.g. OPT1 or LAN, completely, I guess lots of people miss this point. It should be locked from the very beginning (GUI not listening on the WAN IP until further notice). Yeh, there has been discussion about this before. People might try: Add a separate management OPT1 interface with pass all. On the workplace LAN delete the anti-lockout rule, put a block rule at the top that blocks anything to destination LAN IP (thus blocking webGUI, SSH…). Have effectively pass all on LAN after that. They think they have blocked webGUI access from LAN, but actually LAN users can get to webGUI on WAN IP or OPT1 IP. In pfSense 2.2 there is "This Firewall (self)" that can be used in rules (e.g. as destination for a block). Using that will block out all webGUI access to all interfaces.
  • Monitor total data usage by Mac address

    3
    0 Votes
    3 Posts
    1k Views
    NTop or NTopNG can give you these general stats for any devices connected through the firewall. You can install them in the Packages section.
  • Lan / Wan IPs

    20
    0 Votes
    20 Posts
    4k Views
    johnpoz
    how do you have these indoor AP mounted at a beach?  They must actually be inside structures?
  • Gateway monitor shows very high ping time

    4
    0 Votes
    4 Posts
    864 Views
    @stephenw10: What do you have it set to ping there? <1ms pretty much means it's something local in which case apinger can't do its job properly. Set it to monitor some external address so you know when your WAN connection goes down not just when your modem stops working. Steve It's the address of my modem. The point isn't what I am monitoring but the different result I get. I understand that this function is broken.
  • 0 Votes
    5 Posts
    2k Views
    Thanks for your clarification.. That helps.. have a nice day  :)
  • Why get a leased line?

    7
    0 Votes
    7 Posts
    1k Views
    jimp
    The part you're paying for isn't necessarily the uptime, it's the mean time to repair. You'd be surprised how long even a "five nines" uptime can be down when that's averaged out over a year. If your cable line does go down, how long do they typically take to fix it? What is the time stated in the leased line SLA for repair? An example here in the states, a cable line could be down for days depending on how busy the cable co is and how much yelling is done. A leased line is typically repaired in less than 4 hours, but in either case it depends on the nature of the problem. If someone cuts a line with an excavator it's typically going to be down longer than if it's a bad card or other easily solved issue. If you can handle a bit of downtime in either case, then the extra cash for the fancy SLA may not be worth it. If you can get lines from different providers that enter your building from different wire paths that's even better for redundancy. If the telco provides both the leased line and the ADSL, then odds are if one goes down, they both go down, but if you have a line from cable and another over phone lines then odds are one will remain up. And not that it's relevant in your case, but even on a leased line between two sites, you'd still want to encrypt the traffic. Best practice (and by some standards, a requirement) is to encrypt anything that leaves your location and the network you physically control. Even if the line is "private" it's still equipment that could be compromised, either unknowingly by a third party, or willingly as in a telco granting access to a government agency.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.