• 0 Votes
    3 Posts
    2k Views
    T
    Wow - thank you for the quick response. I've increased the CRON Settings from "Every hour" to "Every 4 hours" and will continue to monitor. I've attached the pfBlockerNG widget screenshot, as well as attaching my pfblockerng.log (if it helps). I've reviewed the pfblockerng.log (as well as the other log files under /var/log/pfblockerng/), but nothing really jumps out at my untrained eyes; the times in the logs are in CDT. My most recent outage [captured by monitoring] would have lined up with log entries from 05/06/16 23:00:00 CDT to 05/06/16 23:15:00 CDT. I may have played with some settings shortly after connectivity resumed. I just saw that I could upgrade pfBlockerNG … so that's done now too. [1/1] Upgrading pfSense-pkg-pfBlockerNG from 2.0.12 to 2.0.14… [image: pfBlockerNG-widget.png] pfblockerng.log.gz
  • PPPoE Default gateway not set

    3
    0 Votes
    3 Posts
    1k Views
    Z
    Thanks! Yea - there was something totally erroneous set as default. Changed that - we'll see how it goes. Gads, that wasn't even a BSD vs Linux thing - just simply oblivious….
  • Emulate a hosts entry

    4
    0 Votes
    4 Posts
    807 Views
    F
    Thanks guys.  I thought I had tried that at the time I posted, and that it hadn't worked, but I probably misspelled the domain or something because of course it works fine.
  • Igmpproxy new version install?

    5
    0 Votes
    5 Posts
    2k Views
    K
    I have tested 3 versions of compiled sources of igmpproxy; none works as expected. Member -flo- in the German forum also had a look at this. The sources available for igmpproxy for Linux/BSD aren't capable of IGMPv3 (especially SSM) on the downstream interface yet. The Linux igmpproxy alternative mcproxy looks like it could do it.
  • WEB configurator simply vanished

    13
    0 Votes
    13 Posts
    3k Views
    M
    Starting a new post since this is now a different problem. https://forum.pfsense.org/index.php?topic=111449.0 Thanks for the help.
  • Network card not detected on reboot

    14
    0 Votes
    14 Posts
    3k Views
    X
    I always use the webgui to shut down or reboot. Sometimes on a shutdown it isn't detected either. When this happens, always just pull the power plug and then it works perfectly. I do have another card that I can retry. Didn't notice that behavior before 2.3, I could reboot whenever I wanted and it worked. Card is about a year old, computer is a brand new i5.
  • Download ramp up speed

    13
    0 Votes
    13 Posts
    3k Views
    H
    I use pfSense's DNS resolver to give me 0ms cached DNS response times. I also set the cache to be huge and auto-refresh entries prior to expiration. Nothing like a good cache hit rate.
  • Low throughput

    7
    0 Votes
    7 Posts
    2k Views
    M
    Those recommendations are ancient. You definitely don't need server-class hardware. Any modern Atom will push 1Gbps as long as that is all it is doing - i.e. you're not asking it to perform Snort IDS or OpenVPN at 1Gbps also. Try to find something with Intel QuickAssist, like the Atom C23xx series. pfSense sells an official router that uses a C2358 Dual Core 1.7GHz Atom (we have one and can push 1Gbps with it) - but as you can see, in the reviews, others say they can also. It's fanless too. https://store.pfsense.org/SG-2440/
  • Fresh Attempt

    11
    0 Votes
    11 Posts
    2k Views
    V
    @divsys: If your DMZ is intended to be wide open to the internet, then no point in VLANs. No it will still be blocked unless port forwarded, so isolated vlans could still be used to lock it down. I have read up on private vlans and like the idea of community sub vlan so that a group (say apple tv's) can access both the nas streaming and the internet, or am I barking up the wrong tree?
  • Reach LAN behind OpenVPN and IPSec

    3
    0 Votes
    3 Posts
    764 Views
    A
    I have not until you mentioned it. Another Phase2 tunnel worked out very well and OpenVPN and LAN2 can talk to each other now. Thank you!  ;)
  • Squid and windows AD groups and users

    1
    0 Votes
    1 Posts
    426 Views
    No one has replied
  • Problems with internet in my pfsense

    1
    0 Votes
    1 Posts
    503 Views
    No one has replied
  • Firewall TCP flag list

    4
    0 Votes
    4 Posts
    3k Views
    jimpJ
    It's also on the doc wiki: https://doc.pfsense.org/index.php/What_are_TCP_Flags
  • MOVED: send() failed (40: Message too long)

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Multi WAN, NAT with IP Pools, Policy routing

    3
    0 Votes
    3 Posts
    816 Views
    F
    I'm really struggling with this. I've got IP NAT POOLING, but for one of my fiber optic connections I have no choice but to NAT to interface address. I have a rule that sends all traffic destined for a group of external IPs (created an Alias for this) to this fiber optic. It works perfectly until I change the NAT to use an IP POOL with the "sticky" option selected. I tried setting the firewall setting to "conservative" for the connection states, but this doesn't help. All the traffic destined for this group of external IPs has to originate from the same source IP address; it's a TV system, and even though the states and IP pooling are sticky it fails miserably until I change the NAT to use only one interface IP. Is there any way I can set a rule for an Alias to use only one interface IP address and still keep the IP pooling working for all other traffic? I'm really loving my pfSense box; unfortunately, if I can't get this working I'm going to have to revert back to a Mikrotik where I can use PCC and packet marking. I really loathe the Mikrotik…please help!
  • Cannot ping pfsense box

    7
    0 Votes
    7 Posts
    1k Views
    M
    Do you have the VPN connected? You will also have to create rules in the firewall for IPsec. In the firewall you will find floating, WAN, LAN and IPsec rules.
  • Hulu Freezing after Ad and replaying since Ad

    6
    0 Votes
    6 Posts
    2k Views
    H
    I just use the DNS resolver and get 0ms DNS queries and answers come from the root servers instead of manipulated ISP DNS servers.
  • SOCKS5 & pfSense

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    4 Posts
    1k Views
    C
    The catch 22 there with NTP and DNSSEC is known, though outside of the system clock being way off on first boot of a new install, you shouldn't be so far off as to cause issues there. The config backup stores all the changes you make via the GUI configuration screens. If you make conf changes outside of that, they have to be restored separately.
  • Do I have to have the LAN interface?

    3
    0 Votes
    3 Posts
    682 Views
    MikeV7896M
    If it were me, I would just keep it and leave it disabled. It would just be a good reminder that that's the physical port. I would also probably name my VLAN interfaces LAN-V101, LAN-V102, etc… so you include the name of the physical interface with the VLAN number. This might not be a big deal if you only have two physical interfaces (WAN and LAN), but if you had three or four physical interfaces and multiple VLANs on each, that might help to keep things straight.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.