• No internet connection on virtual environment

    0 Votes
    5 Posts
    1k Views
    @doktornotor: Do NOT put gateways on your LAN! It's even written in the GUI!
    That did the trick, thanks!
  • Logging: Install ELK on pfsense?

    0 Votes
    5 Posts
    1k Views
    I have a small/home network, so a Raspberry Pi is enough just for collecting logs. But I'm thinking of mounting a virtual server (Proxmox), and I could use a virtual machine for logs. I would also like to install on that virtual server: Kali Linux, honeypots, web servers, etc. I have to start saving! :) Thanks.
  • 0 Votes
    1 Posts
    316 Views
    No one has replied
  • I can not see my website on my LAN and externally (Thread modify data)

    0 Votes
    16 Posts
    2k Views
    johnpoz
    What? Yeah have lots of dc in multiple customers I support.. Not one of them has public internet talking to them for dns.. If they even suggested such I would think they are on drugs.. If you want to use MS to host dns - sure go for it.. But not your AD dns using the same domain for sure.. You still have the problem that you only have 1.. same freaking IP, that your registrar even let you do that is beyond me.. Fixing your DNS is priority one.. Your name delegation is completely borked no matter what you want to use to host it, etc.. FIX YOUR DNS!!! I have already told you what is wrong with it. First step is at your registrar - having actually 2 different dns servers that should NOT be on the same network that is for sure.. If you are set on hosting your own public dns off your connection and off your DC ok.. But get a secondary somewhere else. If you do not know anything about dns - then get someone in your org that does.. Hire someone if need be..
  • Rc.conf_mount_rw periodic failures in logs

    0 Votes
    3 Posts
    848 Views
    Thanks for the response. I ran /etc/rc.conf_mount_rw via SSH - it returned successfully very fast. I then ran /etc/rc.conf_mount_ro - it took a few seconds, then also completed successfully (both commands verified by looking at the output from "mount") After the filesystem was mounted read only - I ran fsck -y /cf - and it produced the following result:
    ** /dev/ufs/cf
    ** Last Mounted on /cf
    ** Phase 1 - Check Blocks and Sizes
    ** Phase 2 - Check Pathnames
    ** Phase 3 - Check Connectivity
    ** Phase 4 - Check Reference Counts
    ** Phase 5 - Check Cyl groups
    33 files, 8520 used, 92535 free (39 frags, 11562 blocks, 0.0% fragmentation)
    ***** FILE SYSTEM IS CLEAN *****
  • PFsense + Radius for authorization for VM

    0 Votes
    1 Posts
    523 Views
    No one has replied
  • Unable To Communicate b/w WAN & DMZ

    0 Votes
    1 Posts
    318 Views
    No one has replied
  • How to block VPN Tunneling bypass from Proxy

    0 Votes
    2 Posts
    2k Views
    You could block all outbound traffic from the offenders, then when they complain you remind them of the policy they are violating and you'll unblock when they stop violating.
  • Mystery ping problem - blacklisted IP?

    0 Votes
    3 Posts
    662 Views
    johnpoz
    Well you should not be natting between 2 lan segments.. So you checked the arp table and pfsense arp table showed correct for the machine you were putting the .40 address on? Could the .40 ping pfsense interface? I have never had to reboot pfsense because something wasn't working, I have had to clear states for a specific connection sometimes when trying to block something when there was a state already. Only time had to reboot pfsense was when updating it. So your connections to pfsense from this .40 box is just to switch and then pfsense interface on same switch. You're just doing dumb switch or do you have vlans setup, etc. etc.
  • Slow download/upload speeds behind Firebox/Pfsense

    0 Votes
    5 Posts
    2k Views
    Ah dang, yep didn't catch that... thanks for pointing it out!
  • VPN setup behind firewall with a bridged pfsense box

    0 Votes
    3 Posts
    713 Views
    I use the pfSense box to run captive portal and a separate vlan for wireless network. I also use it just to monitor bandwidth and get stats. I want to keep the Comcast box as the LAN's main dhcp server/gateway for now. That will change down the road but at the moment I'm not ready to make that switch.
  • 0 Votes
    1 Posts
    341 Views
    No one has replied
  • Setup pfSense Schedule recurrently, How?

    0 Votes
    4 Posts
    945 Views
    @pfcode: But they are tied to the Month (e.g. September_15), which isn't what I want, aren't they?
    No, they are not (also, read the notes there) - it's just the GUI calendar being completely confusing
  • Wake-On-LAN Broke?

    0 Votes
    1 Posts
    672 Views
    No one has replied
  • Monitor Bandwidth consumption

    0 Votes
    3 Posts
    770 Views
    @tobiascapin: Sorry… https://doc.pfsense.org/index.php/How_can_I_monitor_bandwidth_usage You're doing better than most people who ask questions.
  • New pfSense Installation (reassurance needed)

    0 Votes
    8 Posts
    1k Views
    We have a $250,000 high end firewall that is loaded with bugs and limitations and could be easily replaced with $10k of machines and some open source software that many companies use. Instead of learning the underlying issues, "admins" resort to pre-configured systems that are really expensive, and if the system doesn't have a check-box for a certain situation, not much you can do.
  • Exempt NAT

    0 Votes
    2 Posts
    781 Views
    jimp
    Can you explain more about what exactly you're trying to do? Port forwards have a "No RDR", and a "Not" flag for the destination… Outbound NAT rules have a "Do not NAT" option and "Not" on the destination. If you're looking to exclude certain things from NAT, usually those are not necessary even. If you can describe the scenario with more detail then perhaps we can help figure out a solution.
  • Slow connection with CAT6

    0 Votes
    12 Posts
    2k Views
    johnpoz
    yeah a cable tester is good tool for the belt for anyone that deals with cabling be it you make your own or buy predone, etc. Simple testers can be as cheap as <$50 for sure.. Now if you want a fancy specification validation tool you can get into the 1000's so kind of out of the realm of home user diyer ;) The cheap ones won't point out issues in quality of the cable but will real quick tell you if wiring is wrong, shorts/opens, etc.  So nice tool to check a cable before you put it into use, etc.  And that you crimped them correctly, etc.
  • Pfsense as firewall good or not good?

    0 Votes
    8 Posts
    4k Views
    http://wiki.mikrotik.com/wiki/Manual:RouterOS_features https://www.pfsense.org/about-pfsense/features.html
  • 0 Votes
    3 Posts
    876 Views
    @SoonerLater: After some hours of reading the Wiki, I still have some pre-sales questions. I am considering buying a SG-2220 to replace my existing Wal-Mart quality Linksys router.
    Q. - Can I create complex access schedules under pfSense which restrict certain MAC and/or IP addresses from (1) all network and internet access, (2) all internet access, (3) filtered internet access? Sometimes I don't want my kids (teenagers) to be able to access anything outside their own computer (no local network and no internet). Sometimes I just want to limit their access (e.g. Wikipedia is OK; Blood Guts and Gore Gaming is not).
    Yes. It's not easy and will be a lot of work, but it can be done. Content filtering can be done with a package or something else like OpenDNS for example. Both require configurations.
    Q. - Can I create schedules which start one day and end another? One would think this is obvious, but on my existing cheapie router, I can't have a schedule that runs from 10pm to 6am, because the moronic interface on my router can't figure out that I mean 6am the next day.
    Yes, see the Schedule screen shot enclosed.
    Q. - After programming pfSense with my schedules, can I create simple toggles that my wife, who is even less tech than I am, can login to toggle on or off restrictions for certain MAC and/or IP addresses?
    No. Schedules are time-based firewall rules. You would need to modify those rules in the pfSense interface. So there would be some navigation, identification of the appropriate rule, and enabling/disabling that rule. Since you seem to have complex schedules, there will be quite a few rules.
    Q. - Can I setup the DHCP service so that certain MAC addresses are always denied a lease? I like to setup my router so that everything that is normally on my network has a reserved address. The only devices to get DHCP leases should be guests, and I want to be able to easily toggle DHCP service on and off.
    Yes, but it might be easier to use Captive Portal instead. You can exempt your devices from using captive portal by MAC, and those that you want to allow access onto the network would need to go through the captive portal.
    Q. - Can I setup logging for specific MAC and/or IP addresses which logs all addresses that devices visits and when? When you're used to spending <$100 for a router, spending $300 is a big step up. No doubt that pfSense is incredibly robust, but after much research, I still can't determine whether I can program it to keep my kids from wasting hours in the middle of the night playing games and surfing the web.
    No. There may be a package that does this, but none that I've used. pfSense is a firewall/router, not a networking monitoring appliance. I think E2guardian might do this, but I'm not sure. It's a package that is awaiting approval, so you'd need to install it on your own in the meantime.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.