@kejianshi: Do you have a practical reason to be using /19s? And bridges?

Yeah - Mine is using 128.0.0.1 locally and the root servers in unbound, so maybe thats why I'm not getting the huge delay. At any rate, with such a big delay but without failure, I figured DNS must be involved.

Don't forget, PfSnese is a stateful firewall. Best practices would be to reset states after creating rules/nat mappings, so that states must be reestablished based on your restrictions or lack there of.

That's what I started with. I had to get support to get the config back and things working. The attached the old pfsense  this is on a Xenserver and read off the config.xml

pbi_delete did the job. Thanks.

Post some logs. Alternatively, try a crystal ball.

Ah, well spotted. Unusually narrow WAN pipe. Steve

Yeah the networking support in virtualbox is lightyears beyond what the simple player is, atleast last time I played with player.

OK, not sure if what I am seeing is a feature or a problem. I have registered a host sip.mydomain.net      98.114.XXX.YYY  on no-ip.  I can ping it without any problems from my ipcop setup. I switched over to pfsense. I then went to DNS Resolver and checked the following: Enabled DNS Resolver Enabled DNSSEC Support Enabled Forwarding Mode Enabled Register DHCP lease in the DNS Resolver Enabled Register DHCP static mapping in the DNS Resolver I then created a new entry under Host Overrides: Host: sip Domain: mydomain.net IP: 192.168.3.6 I then went to Diagnostics -> DNS lookup and entered  sip.mydomain.net in the field.  The DNS lookup returned 98.114.XXX.YYY! I repeated the command some 6-7 times. only once it returned 192.168.3.6, the other times it returned the outside IP. What is causing this? Thanks again for the help Renato

Thanks for your help guys. I learnt something new today.

Who said it was being forwarded anywhere?

I still think my problem was their 'cloud' middleware.

Yes, it's not a good idea to block with almost all of the countries selected. In regards to your boot issue, you should have previously received "pfctl" memory failure notifications?? Also, unless you have open wan ports, you should use "permit outbound" rules as pfSense is a state full firewall by design. pfBlockerNG, is more than a country blocker, you should read the thread I linked above for other threat source lists which can help protect your network from known malicious ips.

So, Resolved.  I submitted a trouble-ticket with support.  Since I couldn't find any reference of this on the search engines or within this forum, I'll post the fix: From the looks of your errors, it seems that /etc has become corrupt on your filesystem. The safest thing to do here is a clean install. The memstick image you'll need to download is located here: https://firmware.netgate.com/firmware/memstick/netgate-memstick-serial-2.2-RELEASE-amd64.img.gz Instructions for extracting that image and writing it out to a USB memstick can be found here: https://doc.pfsense.org/index.php/Writing_Disk_Images Once written, connect to your serial console and boot device from the USB memstick. You may need to pick Option 3 to boot from USB device at the first menu. At the install menu, choose quick/easy install. When prompted for the system type select APU/VK-T40E.

@Wolf666: Half-Bridge is not supported, as far as I know. I was in the same ship, my ISP only supports PPPoA, when I moved to pfSense I changed my modem. Now I use a Draytek 120 which has a sort of PPPoE<->PPPoA relay. I simply configure my pfSense to use PPPoE, I put my ISP account there, pfSense passes them to Draytek which takes care of PPPoE->PPoA connection. It works flawlessly (low pings, latency near 0), my connection is 20/1. Since Vigor is a chip box, I bought 1 more as a spare. I found this site talking about something similar to my configuration: http://blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet so I tried this commands: route add -net gatewayip/32 -iface em0 route add default gatewayip gatewayip is my isp gateway ip address received by dhcp from the half-bridge modem. With this system it works but I have dynamic IP, so every time the connection drops or the modem is restarted I have to digit the commands and find the new gateway… I've done like you, I bought 2 Vigor 120. Thanks for your reply! If somebody knows how to automate the commands above every time the connection drops please let me know! Thanks!