• No buffer space available

    0 Votes
    7 Posts
    6k Views
    First off, thank you very much for all the extremely detailed technical know-how. I know it is more directed at the other person, but I will respond anyway. In my case, I am sitting at MBUF Usage: 2026/26584. Is it worth increasing? I think not, as that is like 10%. The machine has 2 GB of RAM and it's using 9% of that currently. Having said that, I have switched to a 64-bit install and my install has been stable for the last 2 days. Fingers crossed. I don't have any VPN tunnels. Well, I have an insecure PPTP VPN tunnel sometimes, but not really correlated to the times my connection fails. I am just a static IP connecting to another device with a static IP (MikroTik router).
  • Internet of things and isolation techniques

    0 Votes
    5 Posts
    6k Views
    johnpoz
    Agreed, IoT can be a concern for security, which is why they are on their own SSID with their own PSK and isolated to their own network segment. As to creation of a VLAN: if you only have 1 physical LAN interface on pfSense that is connected to your switch, yes, you would create a new VLAN and add it to your physical interface. So for example here is my wlan_psk; this is where I put my Nest and Harmony, for example. You can see it's on em2. This is a trunk port on my switch that carries all the VLANs that are on that physical NIC. What specific switch do you have? I can go over how you would set up the port that connects to a NIC with VLANs on it, and then how you would set up your other ports on the switch to be in a specific VLAN. So you can see the ports on my SG300 switch. The ports that are trunks: ge3 is connected to pfSense em2, which sits on my ESXi host; ge4 is the uplink to another smart switch in my living room AV cab, while ge9 is the uplink to an AP. Depending on your switch it might use the trunk term differently than Cisco does. But in general you're going to have ports that carry tagged traffic and need to carry more than 1 VLAN, and then you're going to have ports that only have 1 VLAN on them. Trunks that carry more than 1 VLAN are connected to NICs that have VLANs on them, like pfSense, to switches that will have more than 1 VLAN on them, and then to other devices that will also carry traffic that is on different VLANs, like access points that have different VLANs assigned to different SSIDs.

    edit: And before anyone mentions it, yes, my default VLAN is 1. And while that is normally frowned upon, this is a HOME network. I think I am quite capable of knowing what I plug in, what it will have access to, what VLAN the port is on, etc. VLAN 1 is no different than any other VLAN. It's just not common practice in the enterprise to leave anything in the default VLAN, is all.
  • Trying to translate external ips to get nat to work right. Help.

    0 Votes
    7 Posts
    2k Views
    @Derelict: OK, then you need to Packet Capture to make sure the OpenVPN connections are hitting your WAN port, then make sure there's a WAN rule passing the traffic.

    Well, I found out the phone guy reconfigured my pfSense to use DHCP instead of static on the WAN, so it wasn't the DMZ port. I emailed him and he gave me what is supposedly the DMZ port IP. So I assigned that static, did a packet capture on port 1195, and it captured nothing at all. I guess the ball is in his court now -_-
  • Is there a way to get pfsense to show me the contents of "LAN net"?

    0 Votes
    4 Posts
    922 Views
    @BlueKobold: Does "LAN net" only include the IPv4 subnet? Like you were configuring it, and it is using only IPv4 addresses. It looks like it's not including any of the IPv6 stuff. If the IPv6 stuff is not needed, because it is not in use, there will be no need for it to show up.

    I'm not sure what you're talking about? My question arose after seeing local IPv6 traffic being actively blocked by the firewall even though there was the default accept rule for "LAN net." It was later explained to me that the link-local IPv6 stuff was not included in "LAN net."
  • /27 subnet, routing hosts and pppoe server

    0 Votes
    20 Posts
    3k Views
    @Derelict: But you can't use the whole /27 because 9 addresses are for the PPPoE. Regarding who can contact what, it sounds like it's functioning pretty much as expected. Now I'm not sure what "I cheated and said it was a /26 on the "servers" interface" means. It's either a /27 or it isn't. There really is no way to cheat.

    76.10.190.224/27. By using my whole /27 subnet I meant: every time you split the subnet, you lose 4 hosts, do you not? Two IPs for each subnet?
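The subnet arithmetic the two posters are arguing about, worked with Python's ipaddress module. This is an added example, not code from the thread or from pfSense: 203.0.113.224/27 (a documentation block) stands in for the poster's real /27, and split_cost and mask_overreach are names chosen here. split_cost shows how many usable addresses a split really costs (each new subnet spends its own network and broadcast address), and mask_overreach shows what "cheating" with a /26 mask on a /27 assignment actually claims: addresses that belong to the neighbouring block.

```python
import ipaddress
from typing import Dict, List


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Usable host addresses in a subnet.

    /31 and /32 reserve nothing (RFC 3021 point-to-point links); anything
    larger loses the network and broadcast address.
    """
    if net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def split_cost(assigned: str, new_prefix: int) -> Dict[str, object]:
    """Compare usable hosts before and after splitting `assigned` into /new_prefix pieces.

    strict=True makes ipaddress reject a prefix whose host bits are not zero,
    i.e. a block that is not really a /27 boundary.
    """
    net = ipaddress.ip_network(assigned, strict=True)
    pieces: List[ipaddress.IPv4Network] = list(net.subnets(new_prefix=new_prefix))
    before = usable_hosts(net)
    after = sum(usable_hosts(p) for p in pieces)
    return {
        "before": before,
        "after": after,
        "lost": before - after,          # 2 per extra subnet created
        "subnets": [str(p) for p in pieces],
    }


def mask_overreach(assigned: str, claimed_prefix: int) -> Dict[str, object]:
    """Show what a shorter mask on an assigned block really claims.

    Configuring the .224/27 block with a /26 mask makes the host believe the
    enclosing /26 (starting at .192) is on-link, so half of the addresses it
    will ARP for directly are outside the assignment.
    """
    net = ipaddress.ip_network(assigned, strict=True)
    if claimed_prefix >= net.prefixlen:
        return {"claimed": str(net), "outside": 0}
    # strict=False lets ipaddress normalise .224/26 to the enclosing .192/26.
    claimed = ipaddress.ip_network(f"{net.network_address}/{claimed_prefix}", strict=False)
    return {
        "claimed": str(claimed),
        "outside": claimed.num_addresses - net.num_addresses,
    }


if __name__ == "__main__":
    print(split_cost("203.0.113.224/27", 28))   # two /28s: 30 usable -> 28 usable
    print(split_cost("203.0.113.224/27", 29))   # four /29s: 30 usable -> 24 usable
    print(mask_overreach("203.0.113.224/27", 26))
```

Splitting a /27 once (into two /28s) costs 2 usable addresses, not 4; each further halving costs 2 more per additional subnet. The /26 "cheat" does not create addresses, it silently claims 32 that were never assigned.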
  • Default allow LAN IPv6 to any rule question

    0 Votes
    5 Posts
    3k Views
    @cmb: No real danger, but no point in doing so either. You're not going to help anything by passing the traffic, so why do it.

    But that's exactly what "LAN net" is already doing. It allows all kinds of traffic in that pfSense doesn't need to see. Broadcast traffic is hitting the system right now. Is it unreasonable to see "LAN net" as synonymous with "local traffic"? LAN = Local Area Network. Why is link-local traffic not "local" enough? (lol, I just realized that every time we say "LAN net", we're like those people who say "ATM machine".) If that argument isn't compelling enough, one reason to add link-local addresses to "LAN net" would be to stop the unnecessary flooding of the firewall logs. Everyone who uses IPv6 has to create additional rules to filter out this harmless broadcast traffic. Until we do, the Firewall Logs widget under Status -> Dashboard is worthless.

    @cmb: @Tantamount: Is there a way to specify "all traffic on interface" instead when creating firewall rules? @cmb: That's what source "any" is for.

    I think what I'm looking for is "all traffic on an interface where the interface is configured to listen for." I think "any" goes beyond this.
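The log-flooding complaint in this thread and in the "LAN net" thread above is, in practice, a triage problem: separating blocked IPv6 link-local and multicast chatter (NDP, router advertisements, mDNS) from blocks that deserve attention. The following is an added example, not code from the thread or from pfSense. It assumes nothing about the exact filterlog field layout beyond the block entries being comma-separated with the source before the destination; the sample lines are constructed for the example and only loosely imitate pfSense's format.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (NOT real pfSense output; field layout is an assumption).
# Four blocked IPv6 entries on the LAN interface em1.
SAMPLE_LOG = """\
Jun 5 10:00:01 fw filterlog: 5,,,1000000103,em1,match,block,in,6,0x00,0x00000,255,ICMPv6,58,32,fe80::1a2b:3c4d:5e6f:7081,ff02::1,
Jun 5 10:00:02 fw filterlog: 5,,,1000000103,em1,match,block,in,6,0x00,0x00000,255,ICMPv6,58,24,fe80::1a2b:3c4d:5e6f:7081,fe80::1,
Jun 5 10:00:03 fw filterlog: 5,,,1000000103,em1,match,block,in,6,0x00,0x00000,255,udp,17,120,2001:db8:1::10,ff02::fb,5353,5353,
Jun 5 10:00:04 fw filterlog: 5,,,1000000103,em1,match,block,in,6,0x00,0x00000,64,tcp,6,60,2001:db8:1::10,2001:db8:2::5,51000,22,
"""

LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def ipv6_endpoints(line: str) -> Optional[Tuple[ipaddress.IPv6Address, ipaddress.IPv6Address]]:
    """Return (src, dst): the first two IPv6 literals among the comma-separated fields.

    Parsing each field with ipaddress instead of a regex avoids false hits on
    timestamps like 10:00:01 and on hex fields like 0x00.
    """
    found: List[ipaddress.IPv6Address] = []
    for field in line.split(","):
        try:
            addr = ipaddress.ip_address(field.strip())
        except ValueError:
            continue
        if addr.version == 6:
            found.append(addr)
            if len(found) == 2:
                return found[0], found[1]
    return None


def classify(src: ipaddress.IPv6Address, dst: ipaddress.IPv6Address) -> str:
    """Label a blocked flow: multicast and link-local traffic is expected on-link noise."""
    if dst.is_multicast:                       # ff00::/8, e.g. ff02::1 (all nodes), ff02::fb (mDNS)
        return "multicast"
    if src in LINK_LOCAL or dst in LINK_LOCAL: # fe80::/10, e.g. NDP between neighbours
        return "link-local"
    return "review"                            # global-to-global: look at this one


def triage(log: str) -> Dict[str, object]:
    """Count blocked IPv6 entries per class and list the ones worth a human look."""
    counts: Counter = Counter()
    review: List[str] = []
    for line in log.splitlines():
        if ",block," not in line:
            continue
        endpoints = ipv6_endpoints(line)
        if endpoints is None:
            continue  # IPv4 entry or line without two IPv6 literals
        kind = classify(*endpoints)
        counts[kind] += 1
        if kind == "review":
            review.append(f"{endpoints[0]} -> {endpoints[1]}")
    return {"counts": dict(counts), "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["counts"])
    for entry in result["review"]:
        print("review:", entry)
```

On the constructed sample, three of the four blocks are NDP or mDNS noise and one (a global source reaching for port 22 on another global address) is the only entry left for review. The same classification is what an explicit pass rule for fe80::/10 and ff02::/16 on the LAN interface would remove from the log at the source.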
  • Why does my iPad get stuck making ARP requests?

    0 Votes
    5 Posts
    2k Views
    @cmb: Odd looking. Is it just that one iPad? Other wireless devices fine?

    I think it's just the one device, but I'm not positive. In this case my Windows 10 laptop had issues at the same time, but it recovered very quickly (~30s). I was connected to another machine on my LAN via RDP and saw a lot of latency. Ex: each key press would take 500-1000ms to show up on the other end. I should have been clear: I don't necessarily think it's an issue with pfSense. It's most likely an edge case where something doesn't recover correctly from a wireless error. Since it happens so infrequently I might not ever track it down. I'll definitely try capturing on the wlan interface the next time it happens. I wish I would have thought of that yesterday. Thanks for the suggestion.
  • GEOM Mirror Email Alerts

    0 Votes
    2 Posts
    1k Views
    Have you ever figured this out? I'm having the same issue.
  • Can't get Airprint to work at all.

    0 Votes
    10 Posts
    4k Views
    @Derelict: I just saw the printer is connected to wireless too so another possibility is wireless client isolation being enabled on the WLAN. Yeah where they're both wireless that's a pretty good possibility.
  • SG-4860 - Primary Node dead

    0 Votes
    5 Posts
    989 Views
    OK. Thanks. FYI, the unit was not really dead. We were told that the capacitors in this model take a while to discharge. When we had a blip on our power, the UPS the unit was plugged into somehow did not hold the unit up. All we had to do was unplug the power cable from the unit for a few minutes to let the capacitors discharge. It came back up after plugging the power cable back in. Thank you.
  • LDAP and RADIUS Fixes/Enhancements - 2.2.5

    0 Votes
    9 Posts
    2k Views
    I have a pair of pfSense boxes that I use for our guest networks. Up until 2.2.4 RADIUS authentication for the Web GUI was working fine. It appears 2.2.5 broke it, and even trying several variations of the "Class" attribute doesn't seem to help. The RADIUS servers are Windows 2012 R2 NPS servers. Is there a patch on the way? Can the pfSense team revert to the pre-2.2.5 code? I never had to worry about group info before... the setup was using the users I entered and local groups to determine permissions. The only thing RADIUS was doing was making sure the user account existed in the directory and verifying the password that was entered is correct. Thomas
  • Amazon Cloud Drive Issue

    0 Votes
    4 Posts
    1k Views
    Are you sure the entire line is going down? After such a 'crash' have you tried attaching a separate device (laptop?) to your switch and pinging an outside address before restarting everything?
  • How to test your pfsense firewall for vulnerabilities

    0 Votes
    14 Posts
    11k Views
    Thanks guys, this weekend when the internet at work is not in use I will try OpenVPN.
  • Off site Wifi proxy

    0 Votes
    1 Post
    723 Views
    No one has replied
  • Losing connection for all VLANs on a LAGG after em-change

    0 Votes
    6 Posts
    1k Views
    I can reproduce this at will on an embedded alix2d13 running 2.2.6-RELEASE (i386):

    lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
            ether <removed>
            inet6 <removed> prefixlen 64 scopeid 0x8
            inet <removed> netmask 0xffffff00 broadcast 192.168.17.255
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            media: Ethernet autoselect
            status: active
            laggproto lacp lagghash l2,l3,l4
            laggport: vr2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
            laggport: vr1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
    lagg0_vlan9: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
            ether 00:00:00:00:00:00
            inet6 <removed> prefixlen 64 scopeid 0xa
            inet <removed> netmask 0xffffff00 broadcast 192.168.18.255
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            vlan: 0 vlanpcp: 0 parent interface: <none>
    lagg0_vlan10: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
            ether 00:00:00:00:00:00
            inet6 <removed> prefixlen 64 scopeid 0x9
            inet <removed> netmask 0xffffff00 broadcast 192.168.19.255
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            vlan: 0 vlanpcp: 0 parent interface: <none>

    The VLAN id is 0 and the parent interface is none in such cases. Sadly this happens on every reboot or alteration to the LAGG. This is the first time I'm using such a setup on pfSense, so I don't know if this ever worked before on this platform. I left a comment in the related issue: https://redmine.pfsense.org/issues/3976 but I don't think I have permission to reopen the ticket.
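The ifconfig output above shows the tell-tale signs of a VLAN child that lost its parent: "vlan: 0", "parent interface: <none>", an all-zero MAC and no RUNNING flag. The following is an added example, not code from the thread or from pfSense, that parses ifconfig output and flags such interfaces, so the condition can be checked from a script after each reboot or LAGG change instead of by eye. The sample text is constructed for the example (the MAC addresses and IPs are made up); parse_ifconfig and broken_vlans are names chosen here.

```python
import re
from typing import Dict, List

# Constructed sample in FreeBSD ifconfig style (not the poster's real output).
# lagg0_vlan9 has lost its tag and parent; em0_vlan20 is healthy.
SAMPLE_IFCONFIG = """\
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0d:b9:aa:bb:cc
        laggproto lacp lagghash l2,l3,l4
        laggport: vr2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        laggport: vr1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
lagg0_vlan9: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:00:00:00:00
        inet 192.168.18.1 netmask 0xffffff00 broadcast 192.168.18.255
        vlan: 0 vlanpcp: 0 parent interface: <none>
em0_vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0d:b9:aa:bb:dd
        inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
        vlan: 20 vlanpcp: 0 parent interface: em0
"""

# "vlanpcp" is optional: older FreeBSD releases print only "vlan: N parent interface: X".
VLAN_RE = re.compile(r"vlan:\s*(\d+)(?:\s+vlanpcp:\s*\d+)?\s+parent interface:\s*(\S*)")
HEADER_RE = re.compile(r"^(\S+): flags=([0-9a-fA-F]+)<([^>]*)>")


def parse_ifconfig(text: str) -> Dict[str, List[str]]:
    """Group ifconfig output into {ifname: [lines]}; a block starts at an unindented 'name: flags=' line."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = [line]
        elif current is not None and line.strip():
            blocks[current].append(line)
    return blocks


def vlan_status(text: str) -> List[Dict[str, object]]:
    """Describe every VLAN interface found in the output."""
    out: List[Dict[str, object]] = []
    for name, lines in parse_ifconfig(text).items():
        flags = HEADER_RE.match(lines[0]).group(3).split(",")
        for line in lines:
            m = VLAN_RE.search(line)
            if not m:
                continue
            tag, parent = int(m.group(1)), m.group(2)
            zero_mac = any("ether 00:00:00:00:00:00" in l for l in lines)
            out.append({
                "iface": name,
                "vlan": tag,
                "parent": parent,
                "running": "RUNNING" in flags,
                "zero_mac": zero_mac,
                # A tag of 0 or a missing parent means the child is detached from its trunk.
                "broken": tag == 0 or parent in ("", "<none>"),
            })
    return out


def broken_vlans(text: str) -> List[str]:
    """Names of VLAN interfaces whose tag or parent was lost."""
    return [s["iface"] for s in vlan_status(text) if s["broken"]]


if __name__ == "__main__":
    import subprocess
    # Run against the live system; falls back to the sample if ifconfig is unavailable.
    try:
        text = subprocess.run(["ifconfig", "-a"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_IFCONFIG
    for name in broken_vlans(text):
        print(f"detached VLAN interface: {name}")
```

Run from cron or a post-boot hook, a non-empty result is the trigger to re-apply the interface configuration (or to collect the output for the Redmine issue) before clients on those VLANs notice.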
  • Supressing "arp moved" messages on system logs

    0 Votes
    7 Posts
    2k Views
    I often encounter this ARP problem. In the end I resolved it with forced DHCP: the client must get a new IP and obtain it via DHCP; a secretly set static IP can't use the Internet, and its packets will not be sent to pfSense. Cisco switch --> try Cisco DAI + DHCP Snooping. Ruckus controller --> enable the option "Enable Force DHCP, disconnect client if client does not obtain valid IP in XX seconds".
  • Long term traffic capture with tcpdump over netcat

    0 Votes
    7 Posts
    4k Views
    plink, ssh, wireshark and tcpdump remote auto start: https://forum.pfsense.org/index.php?topic=89917.msg497700
  • Site to site VPN without using IPSec

    0 Votes
    2 Posts
    2k Views
    I am having some difficulty creating a site to site VPN using IPSec.

    pfSense to Draytek IPSec VPN
    IPsec tunnel established but no traffic - SOLVED!
    IPSec VPN between pfSense 2.x and DrayTek Vigor 2910

    Often-made failures:
    - On both sides there must be different IP ranges or networks, e.g. 192.168.1.0/24 - 192.168.2.0/24 (255.255.255.0)
    - pfSense aggressive mode instead of main mode
    - Less secure but mostly working: MD5 and DES on both sides; SHA1 was failing for a long time on the DrayTek side
  • Calculate Internet usage per machine

    0 Votes
    2 Posts
    723 Views
    You could try out Squid & SquidGuard & SARG plus setting up user authentication, which would let you add one device per user, and then you will get a detailed report on that Internet access. The other thing is to install PRTG for monitoring the entire network, to get this detailed information about all PCs and/or each single one.
  • Crash Report (on pfsense SG-2440)

    0 Votes
    7 Posts
    1k Views
    I have a third site that I was planning on pushing the AES-NI to, and I think I will try that over the weekend - I will have to wait and see if it crashes that.

    The bigger brother of yours, the SG-4860, will be able to push 500+ Mbit/s over an IPsec VPN tunnel, and this stable as a rock, so perhaps it is more dependent on the lower power or a misconfiguration perhaps.

    If it doesn't, it's more than likely hardware related.

    Do you really think that the hardware is malformed or buggy because your IPsec VPN is failing? Hm, I am not really sure, but you got two support calls for actions like the one explained here in that case. Did you ever think about using one of those to solve the issue via professional support?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.