  • Pfsense Snort Package - PROTOCOL ICMP Unusual Ping Detected

    2
    0 Votes
    2 Posts
    1k Views
    stephenw10S
    You have firewall rules that allow your ISP to ping your internal interfaces? Seems unusual. Or your ISP is somehow able to determine your internal interface IP and is trying to ping it? Steve
  • Squid and HTTPS caching?

    2
    0 Votes
    2 Posts
    699 Views
    V
    Have a read of this: https://forum.pfsense.org/index.php/topic,72528.0.html Oops, it's more filtering HTTPS, not caching, sorry.
  • What to do with a static WAN address

    4
    0 Votes
    4 Posts
    1k Views
    S
    Did you set up a WAN rule for connections inbound to that public IP at your ssh port? A little more info would be helpful; it's not clear if you made a WAN rule or a LAN rule. Change your firewall rule and enable logging, try to connect, then see what is in the log. Actually, are you trying to ssh to get to the command line interface or to the web-based UI? It's not clear what exactly you are trying to accomplish. I'm not personally a fan of opening up direct access to the command line or web UI on your public IP. Like I said in a previous post, I'd set up a VPN (something cert-based like OpenVPN) and have it tunnel to the LAN, then you would simply connect the VPN and have access to both the web UI and the command line interface at their private/LAN IPs.
  • Is managing the state table taking up all of my CPU?

    9
    0 Votes
    9 Posts
    4k Views
    S
    I've never been clear if I'm dealing with a pure packets-per-second problem (incoming packets driving a lot of interrupts) or a state table problem (too much state churn) or a combination of both.  The key part for me in this post is what I see under STATE in the output from top, it shows "*pf ta" - as I understand it this means that the CPU is waiting on the pf process for something.  I'm guessing the "ta" part relates to the state table.
  • Mail spam from firewall "writing to routing socket…"

    5
    0 Votes
    5 Posts
    1k Views
    V
    /etc/rc.filter_configure_sync contains the following…

        #!/usr/local/bin/php -f
        <?php
        /* $Id$ */
        /*
            rc.filter_configure_sync
            part of pfSense (http://www.pfSense.com)
            Copyright (C) 2004 Scott Ullrich
            All rights reserved.

            Redistribution and use in source and binary forms, with or without
            modification, are permitted provided that the following conditions are met:

            1. Redistributions of source code must retain the above copyright notice,
               this list of conditions and the following disclaimer.

            2. Redistributions in binary form must reproduce the above copyright
               notice, this list of conditions and the following disclaimer in the
               documentation and/or other materials provided with the distribution.

            THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
            INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
            AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
            AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
            OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
            SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
            INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
            CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
            ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
            POSSIBILITY OF SUCH DAMAGE.
        */

        require_once("config.inc");
        require_once("functions.inc");
        require_once("filter.inc");
        require_once("shaper.inc");
        require_once("ipsec.inc");
        require_once("vpn.inc");

        filter_configure_sync();

        ?>
  • How to find posts I've submitted?

    3
    0 Votes
    3 Posts
    556 Views
    E
    Thank you. :)
  • Packet Flood?

    8
    0 Votes
    8 Posts
    1k Views
    C
    @johnpoz: If you're saying it stops when you remove client X from the network, that really points to it being client X.  Sure it's not just downloading the gazillion updates a new install of Windows 7 would call for? ^^This. Windows 7 downloads in the background, so next time you shut down it can say "…Please don't shut off the power.  Applying Update 12 of 135329"  :)
  • Conflicting info on fail over and load balancing

    8
    0 Votes
    8 Posts
    1k Views
    P
    Default gateway switching allows pfSense-originated traffic to find its way out if WAN1 is down. Mostly this is just the dashboard firmware update check, and installing packages. (when you already have gateway groups and policy-routing rules for your client traffic) If you have multiple DNS servers defined in System:General and pick a WAN gateway for each then you will still get DNS when 1 WAN is down, without needing default gateway switching. In a 2-WAN system where you just want everything to fail over from the main WAN1 to a (usually much slower) backup WAN2, then you could just use default gateway switching and not bother with gateway groups and rules.
  • Security and AutoConfigBackup

    3
    0 Votes
    3 Posts
    895 Views
    B
    Thank you Phil! This is good information.  I appreciate your time and perspective.  We've tried to keep anything out of DropBox and Google that was the least bit security sensitive.  But it's helpful to know some of the good reasons for that practice.  :-) I also hadn't thought about the certificates being stored in the XML file.  That's a very good point. Does anyone know if there is a limit to the size (length) of the AutoConfigBackup key? Thanks again!
  • Trouble with dropped connections.

    1
    0 Votes
    1 Posts
    706 Views
    No one has replied
  • File transfers larger than about 1.5 MB fail

    4
    0 Votes
    4 Posts
    980 Views
    A
    Thanks for your reply. We don't have asymmetric routing. There is just one LAN. pfSense acts as the NAT, firewall with less than a dozen rules, and DHCP server. I still have the packet capture file; I'd be happy to upload it to a place which is convenient for you.
  • 0 Votes
    3 Posts
    1k Views
    J
    Virtual machine equals Win Server 2012, yes, sorry for not pointing that out. I did some configurations yesterday and managed to make static WAN work out! I set WAN to 192.168.10.103 (static) and gateway as pfSense LAN address. I also set my home router's IP address as DNS server and I can ping everything including Windows Server from pfSense :) But I'm still not able to browse the web… So I guess it has to be something blocking port 80? I tried to check both Windows Firewall and pfSense firewall but couldn't find any settings that would block port 80. So there's still some troubleshooting left for me.
  • Plans to support netmap in pfSense

    1
    0 Votes
    1 Posts
    710 Views
    No one has replied
  • System freezing?

    8
    0 Votes
    8 Posts
    2k Views
    P
    Steve, you were right: it was hardware related!  ;)
  • WAN setup for BT Infinity PPPOE

    7
    0 Votes
    7 Posts
    13k Views
    U
    I currently have the same issue :( EDIT: Okay, I have managed to get it working. It turned out, for some really odd reason, the network port the PPPoE was on wasn't the correct one, in fact it wasn't anything… As shown there is now the interface (alc0) for PPPoE, but beforehand there was nothing shown here also... [image: sdsdsd.png] So using the webconfigurator all I did was assign the WAN to alc0 (my direct incoming connection (ISP Infinity cable coming from the VDSL modem)) using the assign interfaces, then I went into the settings specifically for WAN and configured it like so… [image: sesersdfd.png] Then as if by magic it suddenly started working, and the right interface was assigned to WAN [image: Capture.PNG]
  • Traffic on WAN

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ
    This is really basic stuff here - not sure how it could be worded better? You have this: client --- lan (pfsense) wan --- internet. If you're pfsense, stuff going to clients would be out the lan, stuff from clients would be in on lan.  On wan, stuff going to internet would be out, and stuff coming from internet to pfsense would be in.  Look at the traffic flow from pfsense's perspective.
  • VPN - Port Forwarding

    1
    0 Votes
    1 Posts
    653 Views
    No one has replied
  • N00b Inquiry

    2
    0 Votes
    2 Posts
    787 Views
    J
    The simplest thing is plug your modem into 1 Ethernet and your LAN into another one and enable snort. You could use LAN's but you will need a managed switch which isn't over easy unless you know what you're doing.
  • 0 Votes
    7 Posts
    3k Views
    P
    During 2.1 development, there was a time when the "rate" utility returned stats for all IP addresses and I added the "Filter" option to the Traffic Graph GUI - Filter "All", "Local" or "Remote". Some time later, the "rate" utility was put back to just displaying what it was asked to (a subnet specified with the "-c" parameter to "rate"). Reading this got me thinking that actually the Filter option can be fixed up using the current "rate" binary but driving it creatively from bandwidth_by_ip.php. This pull request fixes up the Filter option so it works as intended: https://github.com/pfsense/pfsense/pull/906 Hopefully this will be fixed in 2.1.1. From there, it should be relatively easy to add more filter options to display wider sets of IP addresses - people could suggest what groupings of subnets would be useful. [image: TrafficGraphAllFQDN.png]
  • Repeatedly calling check_reload_status

    3
    0 Votes
    3 Posts
    972 Views
    L
    I might have been getting something similar to the crossed out stuff in this post, although I never had the same options checked.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.