• Huawei E392 4G speed

    2
    0 Votes
    2 Posts
    1k Views
    O
    Well, looks like both physical USB ports are in UHCI-mode (USB 1.1) that's why the 12Mbps up/down limit….. Nope, it's connected to USB 2.0 ugen4.2: <huawei mobile huawei technologies> at usbus4, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON But still the speeds are about 12Mbps down / 15Mbps up
  • Connection problems with 3G dongel

    5
    0 Votes
    5 Posts
    2k Views
    stephenw10
    Hmm, not really sure here. If you look in the main system logs do you see any apinger entries at the same time? It could be the gateway doesn't respond to pings causing apinger to mark it as down. Steve
  • Per IP bandwidth monitoring

    3
    0 Votes
    3 Posts
    2k Views
    B
    The information available via SNMP depends on what SNMP modules you have enabled and what they are capable of. You can get a list by checking out the SNMP service page on your pfsense. Below is what I currently have. I think probably some of the things you want via SNMP may not be monitored/available without something third party. The traffic graph shows what IP the generated traffic is coming from. I am not sure where it is looking or with what at the moment but you could have a look at where it's getting its data from. After you can figure out how it could be piped via SNMP. SNMP Modules: MibII, Netgraph, PF, Host Resources (Requires MibII), UCD, Regex
  • Creating rules

    3
    0 Votes
    3 Posts
    848 Views
    johnpoz
    Where are you putting this rule - why would you not put the rule on the vlan interface?  And the source would be that vlans network. Why do you think you need to create an alias to contain all your vlans?  To allow them to access the internet? Can you post pictures of your rules.
  • Rc.conf issue

    7
    0 Votes
    7 Posts
    3k Views
    C
    Nothing to do with rc.conf gets touched, you can't manually configure lagg or anything else in rc.conf (with or without .local). WAN can't be deleted. If you want to use its NIC for something else, assign WAN to a different NIC. Or make up a non-existent VLAN if you don't have a spare NIC.
  • Device timeout / connection unstable

    6
    0 Votes
    6 Posts
    2k Views
    C
    You skipped the important part - what about the fxp sysctls Steve asked about? Usually such timeouts are a bad NIC, or a poorly-seated NIC, or on occasion with some systems where the NIC is sharing an IRQ with something else and that something else somehow messes up the NIC.
  • Lost password after reboot

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10
    Somehow using the php/developer shell? Or via similar commands? The issue may be that the password is held as a hash in the config file so you can't operate on it directly like you can with other settings in the file. https://doc.pfsense.org/index.php/Using_the_PHP_pfSense_Shell Steve
  • Issues / Complaints with firewall log display

    2
    0 Votes
    2 Posts
    721 Views
    jimp
    @txadmin: Regression 2.1 RC0 -> 2.1.3: Firewall logs don't show names of rules That is an option in the system log settings. They can be configured to show as their own column, their own row, or not at all. Your old snapshot may have been before it was moved to its own option. @txadmin: Bug: Reject rules show up in the logs with the red "block" symbol That's how pf logs them, nothing we can do about that. @txadmin: Feature request: Make the firewall log rule names consistent We are doing this on 2.2 each rule is getting its own tracking ID that won't change. This is already done in 2.2 and should be working now.
  • Traffic Shaper: Limiter does not work for IPV6 traffic

    4
    0 Votes
    4 Posts
    1k Views
    P
    Does this issue still exist? If you don't use limiter due to the IPV6 issue, how do you ensure fair bandwidth use by users when only using HFSC traffic shaper?
  • Assign/Block website

    2
    0 Votes
    2 Posts
    628 Views
    J
    First create an alias of the internal IP address in firewall aliases ie 192.168.1.10 -> Johns PC Second create an alias of the website you want to allow / block add a rule [ABOVE the allow all to all rule], to LAN or OPT1 or however your internal LAN config is in pfsense and you are done… P.S I use aliases so I can have a clear view of what device goes where.. it's easier to understand applied firewall rules if it's "Allow Johns PC to Google" or "Block Johns PC to Google" than "Allow 192.168.1.10 to 173.194.113.39 173.194.113.32 173.194.113.38 173.194.113.36 173.194.113.35 173.194.113.46 173.194.113.41 173.194.113.37 173.194.113.40 173.194.113.34
  • PPPoE server not issuing default gateway

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • WEIRD ping behavior on pfsense 2.1.3 - ESXi 5.5u1

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • WAN to LAN tcp connection always drop

    6
    0 Votes
    6 Posts
    2k Views
    A
    @Harvy66: Few things Sender attempts to resend seq 66773 5 times over 9 seconds I do not see these resends on your WAN capture Your receiver capture cuts off at 2.7sec and I can't see if any ACKs were actually sent, but from the perspective of the other two captures, it doesn't look like it. The sender eventually gave up because of no ACKs and timed-out the TCP connection with a RST, which the WAN capture did show, even though it didn't show the prior resends Thanks again for your reply, Sender attempts to resend seq 66773 5 times over 9 seconds I do not see these resends on your WAN capture Yeah, the receiver has ACK'd up to seq 66773, so sender needs to send it again. But these packets are not reflected in the pfsense WAN capture so I guess pfsense is dropping these retransmission packets for some reason (which I don't really understand and that is the problem here). The second time I run the software it works fine! but after few seconds or rebooting the firewall the first time I ran the software fails. Your receiver capture cuts off at 2.7sec and I can't see if any ACKs were actually sent, but from the perspective of the other two captures, it doesn't look like it. Yeah, the receiver image shows the last ACK message it sends. Because pfsense rejected to send more data to the receiver as is shown in the pfsense capture. After the 20 second the firewall will send the RST to receiver to quit the connection. (which is not reflected on the receiver image cos' I stop capturing before) The sender eventually gave up because of no ACKs and timed-out the TCP connection with a RST, which the WAN capture did show, even though it didn't show the prior resends Exactly, that is actually the expected behaviour of a TCP connection of a sender, "try to send few retransmissions but if no ACK release the connection". What is really weird is why pfsense is not accepting these retransmissions packets but it does accept the RST one. That is the key of the problem.
I have tried different computers as sender and I always got the same behaviour. Another thing to consider is the packet 72 from the pfsense capture which is 536 in length (the minimum MTU value I think) and that it takes 2 seconds to be forwarded from WAN to the LAN!! thanks
  • More OpenSSL vulnerabilities

    19
    0 Votes
    19 Posts
    5k Views
    jimp
    Hit a couple snags but it's still coming soon. You can use OpenVPN if you use a TLS auth key. Also if you update your clients, it's fine. Please read all of the text I quoted earlier in the thread.
  • "unusual" routing needed

    5
    0 Votes
    5 Posts
    1k Views
    stephenw10
    Hmm, I'm not sure this is possible in the conventional manner. This user did it by NATing between the subnets but that's not ideal: https://forum.pfsense.org/index.php?topic=64700.0 I'm not sure it's necessary either. Check the system routing table, do you have route to both subnets via the LAN connection? Which virtual IP type are you using? This user seems to have achieved it using just floating rules which is probably more what you're looking for: https://forum.pfsense.org/index.php?topic=58943.0 Steve
  • 0 Votes
    7 Posts
    2k Views
    C
    THANK YOU VERY MUCH!!!! Glad it works great and thanks heaps again mate!!! More new lessons to learn :) Cheers
  • RRD-Data doesn't survive a restart / shutdown

    22
    0 Votes
    22 Posts
    4k Views
    stephenw10
    Yes, it's not an issue with CF card space nor, normally, with space in /tmp or /var which are the same size across all Nano installs. That said I had to increase the size of /var on my home box to 80MB to avoid errors a few versions back. Can't remember the details now.  :-\ I have 512MB in the box, and could easily add more, so it's much less of an issue. Edit: Yes here we go, anything in this thread look familiar: https://forum.pfsense.org/index.php?topic=66588.0 I was running out of space in /var every time the RRD backup ran at midnight. No, I'm not sure of anything really.  ;) I haven't investigated the code closely but I seem to remember something reported by one of the devs to that effect. Maybe it's more of an issue when the compressed data is extracted. Like I said moving data onto a USB stick would be a last ditch solution. Ah, I see what you're saying about the modem interface. If it doesn't have a gateway on it that there won't be an RRD quality file created for it though. Steve
  • Block all traffic

    4
    0 Votes
    4 Posts
    1k Views
    M
    @bjm3805: Is there an easy way to simply block all traffic and only allow a few sites? The short answer is yes: Assuming you have a default configuration with only two active interfaces… Create LAN rules to allow the sites you want and then disable the "Default allow LAN to any rule" on the LAN interface. (I highly recommend that before you do this, you ensure the anti-lockout rule is enabled at System: Advanced: Admin Access: be sure that  "Disable webConfigurator anti-lockout rule" is not checked.) NOTE: I am assuming you want to block outbound from the LAN and not pfSense's outbound which would require floating rules. Just for some clarification: Are you asking how to restrict outbound traffic? (The default for pfSense is to block all inbound traffic already and allow all outbound traffic. ) What do you mean by "sites", IP address(es) like "192.168.1.1", or websites like "www.google.com"?
  • Not seeing the firewall logging as expected

    2
    0 Votes
    2 Posts
    538 Views
    D
    What kind of site-site, OpenVPN (PKI or Shared Key), IPSEC, other? Are both ends pfsense, what versions, network details etc? How do you know the VPN is up and running? Have you tried a simple ping of the firewalls from each side?
  • Pfsense with filtering behind a pfsense doing the routing/firewalling

    1
    0 Votes
    1 Posts
    419 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.