Thanks cmb and doktornotor appreciate the help something new I learned.

Anyone with information on Forum

A L2 cache collision in the CPU I dont think will show in the CPU utilisation, nor will any caching done by any nics with onboard processing capabilities like intel nics. Have you tried packet capturing using a separate bridged device between pfsense and your workstation to see whats actually going on with the packets across the network, you can get a better idea of what the packets are really doing then? Might also be useful. http://blog.serverfault.com/2011/03/23/performance-tuning-intel-nics/

@jahonix: I don't want to open Pandora's box as far as wireless speeds etc. is concerned … Understood. My statements of performance are based on real world site surveys of my property, using NetSport Pro.  So my numbers are actually tests - not manufacturers spec.  I can share heat maps and documents if you're interested…  ;)

Snort is useful, but I'd also make sure as you dont/cant use vpn's of sorts, is put the devices that need open ports on their own isolated vlan or network interface (optX). This way firmware like for some webcams cant be updated and then be used to start probing and attacking your network from within as the brute force approaches becomes easier if the next hop from the compromised device is just to your firewall and another of your network segments. Also make sure those devices have explicit rules to prevent them from logging into pfsense if on your lan interface, at the very least. If you know that access to these devices is only going to be taking place with ip addresses from a certain provider, like say the ip address blocks assigned to your smart phone provider when you access your webcam, you can also put blocks in places to stop any ip address not assigned to your smart phone provider from accessing your webcam. At the very least pfblockerNG which blocks ip addresses at the country level could be useful if noone overseas is expected to have access. However I will say, as it invariably occurs, if access from abroad is going to take place like for a business trip or holiday, more common in Europe than say the US by virtue of land mass, you can still use pfblockerNG to allow access to those countries. I've done this for customers going on business trips abroad, but always make sure you know if they are taking any connecting flights in a foreign country as they will invariably check email, office cams whilst waiting for the connecting flight so making sure you know the IP address of the airport(s) is useful. This can also be automated with your own apps thats control the pfsense or a simple cron job in some cases depending on how you approach it. Food for thought….

Check the following logs when the problem happens again: System log Gateway log RRD Graphs - Quality

@Alixy: Are crash dumps saved anywhere on nano?   If yes, how would I access them? No they are not. Saving crash dumps requires swap space and NanoBSD doesn't have swap space (to keep disk writes low). @Alixy: If not, is saving the serial output the only way to see any crash info on nano? Yes that's the only way.

The gateway on an interface configuration page does a couple things: 1. Tells pfSense to treat that interface as a WAN 2. Defines were traffic exiting that interface should go (usually a WAN/ISP gateway address) If the interface is a WAN/Remote connection, it would be your next hop, typically an ISP address, CPE, upstream router, etc. For local/LAN type connections there would be no gateway specified on the interface.

It all depends on hardware, NICs, etc. There isn't any one rate to tell. The only way to know the rate for a given installation is to test it on that hardware with your ruleset.

yes you are right… i didn't test that command thoroughly enough.. thanks again

You're right, I did it again and it worked this time. weird. I think it might have been because I left off the #!/bin/sh, don't know.

@walbog: From the description of the original poster mike_of: i'm almost certain, it's a nessus-message…. thats why...  ;) Well, that too. ;) Yeah it is Nessus. Not that any other vulnerability scanner is better in that regard, they all seem to report their fair share of absurdity.

MBUF was high because of the Intel Quad NIC. I added kern.ipc.nmbclusters="1000000" to the loader.conf.local file and now the MBUF is down to 2% Thanks for that catch.