• LAN & OPT1 share a Chromecast?

    4
    0 Votes
    4 Posts
    1k Views
    Well, I seem to have it working. I'll have to get a sanity check on my firewall rules for all my networks later this week. Since the two auxiliary APs get turned off when not in use they aren't exactly a security risk all the time.
  • Pfsense default security question

    2
    0 Votes
    2 Posts
    612 Views
    It would be equal. pfSense allows by default any traffic from LAN to WAN, but none from WAN to LAN. A consumer router does the same, unless there is no "service port" opened or something like that. You should take a look at the configuration to be on the safe side.
  • Adding new interface - getting DHCP address but no connectivity

    7
    0 Votes
    7 Posts
    1k Views
    Thanks for your help, but I need to cut my losses and reset to factory. I may have made a setting change along the way that's causing the issue. If not, this will help me narrow down my problem anyway.
  • What makes the 32-bit version 2.1.5 the fastest openvpn performer?

    8
    0 Votes
    8 Posts
    2k Views
    How can a VPN get real world throughput of 125Mbit/s on a 100Mbit/s capped connection? My ISP most of the time gives you a bit of room over the cap, as can be seen when openvpn is off. Why would your speedtest server not be in area of your exit point? Chicago is the vpn exit point, more than 400 miles away from me. The test without openvpn was with a local server. That is why I cut that part away. Are you using UDP or TCP?  What cipher? etc.. UDP and aes-128-cbc. And then check it going through the vpn. I did not do a traceroute, but I always do a DNS leak test, making sure my IP is the same as the VPN provider's IP, in this case the Chicago one. If you really want to test then you need to make sure everything is same other than changing version. I know this is not scientific testing. However, all the tests I ran were done with exactly the same settings and in the same way. I understand it will vary. But I have been consistently getting better results with this version. I am not the only one who observed this. Here is another thread reporting vpn speed drop after upgrading from 2.1.5 to 2.2.2. https://forum.pfsense.org/index.php?topic=88758.msg490684#msg490684
  • Admin Account Disabled, can still use credentials for SSH Access

    3
    0 Votes
    3 Posts
    1k Views
    Sincere apologies for the late response. The device is not yet in production, so I will test disabling the FreeRadius and again disabling the admin account and test SSH, and will let you know the outcome. Thanks for your support, it is appreciated. Regards Darren
  • Pfsense wiki

    2
    0 Votes
    2 Posts
    716 Views
    https://doc.pfsense.org/index.php/Main_Page These?
  • Need your advice

    11
    0 Votes
    11 Posts
    3k Views
    ESX has a minimal performance hit. You won't notice it so long as you don't overload it. You don't need pfsense and Sophos UTM. They each have their strengths and weaknesses, but trying to use both would be complicated. You don't need a LAGG capable switch to use multiple physical NICs in an ESX box. You can configure ESX so that it keeps the same virtual machine MAC address associated with the same physical NIC. That way, a non-LAGG switch sees the same MAC addresses on the same ports and doesn't get unhappy. I may be wrong, but I think that is actually the default (I haven't looked for a while). With the setup you describe, you don't need multiple ports anyway. Your clients only hit the ESX box to hit the Internet, and you are limited to way less than gigabit speed there anyway. Your clients will talk directly to each other, so you don't need high bandwidth to ESX/pfsense for that. Don't worry about the two unused NIC ports. Trying to force them into use won't make anything perform better, and will just make things more complicated.
  • 0 Votes
    1 Posts
    569 Views
    No one has replied
  • WAN interface losing connectivity 5-10x daily - uber-thread!

    3
    0 Votes
    3 Posts
    2k Views
    All the log extracts in the original post show is the link cycling on the igb0 interface, with the inevitable consequences of pfSense stopping, starting and reloading various services. The original post is now 13 months old and refers to an obsolete and end of life version of pfSense that is based on an obsolete and end of life version of FreeBSD. If you have an issue with link cycling, it would be best if you describe your issue afresh, enclosing relevant log extracts.
  • Resolver vs Forwarder? Difference

    5
    0 Votes
    5 Posts
    1k Views
    @johnpoz: If you're worried about dns queries being tracked by a specific dns provider.. Why would you not just use the resolver and send it out your vpn connection?? Would you care to explain how that works?  Still not understanding how the resolver would work in this case?  If it's still using root DNS for queries, then there are still logs of websites being accessed, though not by my IP, only through VPN's IP.
  • Best way to Set this Up.

    3
    0 Votes
    3 Posts
    957 Views
    johnpoz
    If you want to put those servers on their own network, just create a vlan in pfsense and move them there.  Then you can firewall those servers and your normal 192.168.1.0/24, and as KOM already stated, vpn into your network would be the best way; then have rules so he can only rdp to those 2 specific servers in pfsense firewall rules for your openvpn connection.
  • NFS client

    8
    0 Votes
    8 Posts
    2k Views
    @johnpoz: couldn't you just add sshfs and then mount what you want that way?  I know there is a fusefs-sshfs package.. Never heard of sshfs but will investigate.
  • ARP and llinfo error on interface drop when interface has a static route.

    2
    0 Votes
    2 Posts
    814 Views
    An old thread on the Overclockers forum suggests that this is a problem with apinger, the monitoring daemon. apinger is a very troublesome piece of code. In 2.3, apinger has been replaced by dpinger, which is vastly superior. Repeat your tests with the latest 2.3 beta snapshot - if the issue cannot be reproduced there, then the issue is resolved in a forthcoming version and no further effort need be expended on investigating the issue. Though it is still a beta version, the pfSense 2.3 base system is now pretty stable and contains numerous valuable fixes over pfSense 2.2. The main shortcoming of 2.3 at this time is with packages - some packages are unavailable for 2.3 whilst others do not have a fully functional GUI. To get a failed pre-2.3 system back into operation, the chances are that all you need to do is restart apinger (for example using Status -> Services). If you don't need gateway monitoring, you may be best choosing "Disable gateway monitoring" for the affected gateway(s) until such time as you can upgrade to 2.3.
  • Spurious DNS Servers

    3
    0 Votes
    3 Posts
    790 Views
    Thanks, that worked.
  • Create bridge 2 vlan

    1
    0 Votes
    1 Posts
    573 Views
    No one has replied
  • Newbie question re security

    3
    0 Votes
    3 Posts
    1k Views
    I am currently using VOIP.  It is set up on my LAN behind my (off the shelf) D-link router.  As far as I know, nobody has invaded my network - this was more of a theoretical question, as I pondered whether there might be a security vulnerability in my network (i.e. could someone take over my VOIP device and use it to launch an attack on other devices in my LAN?).  Would it be considered best practice to run the VOIP on its own vlan or is that overkill? And also for OpenVPN - this was also theoretical - how difficult would it be for someone to penetrate through that hole if I used 2048 or 4096 bit keys, and combined it with user authentication?
  • Random internet outages - cable modem, pfSense or both to blame?

    5
    0 Votes
    5 Posts
    1k Views
    Thanks. I'll keep an eye on internet connection.
  • 0 Votes
    4 Posts
    2k Views
    =changed OS to 2.2.4 and it works =replaced the ssd and it works with 2.2.6 as well
  • PfSense as L2TP client to ISP - not working

    1
    0 Votes
    1 Posts
    803 Views
    No one has replied
  • Slow upload

    4
    0 Votes
    4 Posts
    1k Views
    OK, that did not seem to matter. I set the MTU to 1470 and no difference. I even ran ifconfig and the settings did change to 1470 in there. Does the hard drive affect the throughput on the network cards? I have another PC in the shed, I might drag it out and test that. See if it produces the same results. I had another 3 NICs, brand new as well, in the shed; will try them also, but this board only has 1 PCI slot, which is why I had to go with a separate dual port Intel card for it lol
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.