• Help! I think I broke my SG-2220

    3
    0 Votes
    3 Posts
    954 Views
    D
    Just a small note, when you get back in - 172.16.2.1/12 is a little on the large side for a home network LAN. You're allowing for some 4 million devices in your home LAN. Try setting that to something like 172.16.2.1/24 (allowing for a much more reasonable 255 devices) and you may find you're no longer running out of memory on your SG-2220 as well.
  • 10Gbps - pfSense 3,4Gbps / ubuntu 9,4Gbps ??

    7
    0 Votes
    7 Posts
    3k Views
    savagoS
    If you want to use full 10Gb/s link capacity, you must use clear freebsd and ipfw/netmap :)
  • LAGG question

    10
    0 Votes
    10 Posts
    3k Views
    ?
    Mikrotik acts like a switch now (they call it bridge). Bridging ports together will ain't more problems than it help and not only tended to MikroTik routers. any clue? The cheapest Switch I know that is supporting LAG (LACP) is the Netgear GS108Tv2 (GS108T-200GES) you could try out to get one and connect the pfSense box and the NAS over a LAG (LACP) to it. It is a real Switch and not bridged ports from a router, this will driving you not nuts and no port flapping, no packet loss and no connection losing or break.
  • Rules and port forwards go missing

    10
    0 Votes
    10 Posts
    2k Views
    J
    @cmb: What does the config diff look like between those revisions? When I enabled ntop the difference in the config was the addition of ntop; the rule that was missing in the GUI list (and not in effect) was still in the config. In the past when the end user had the problem they tried rebooting and the rule still didn't appear. I re-added it manually when it happened to me, live site with unhappy people
  • How to find my Chromecast from another network?

    5
    0 Votes
    5 Posts
    2k Views
    Q
    nothing to add sadly other than I share the sentiment, the whole IGMP discovery is a PITA if you have subnetted network. I just spent a couple of weeks learning/debugging the multicast stuff used by Apple's devices and Ciscos L3 switches/pfsense. I still think it primarily works by black magic rather than science!  :-\
  • Unable to print from wireless

    5
    0 Votes
    5 Posts
    2k Views
    J
    Yes they are Macs. I installed that package and enabled it but something does not appear correct? I ran: avahi-browse --all and got back: Failed to create client object: Daemon not running EDIT: Never mind even though I enabled it and restarted pfSense, the service was not actually running. I started the service and it is now working. Thanks so much, I did not know this was a package on pfSense! This will most likely solve my other issue of not seeing a homebridge that was running on my wired LAN!!
  • PPPoE & L2TP Users Request

    1
    0 Votes
    1 Posts
    577 Views
    No one has replied
  • MOVED: squid and squidguard

    Locked
    1
    0 Votes
    1 Posts
    495 Views
    No one has replied
  • 1Gbps HA firewall recommendation

    13
    0 Votes
    13 Posts
    3k Views
    P
    Thanks for all your input. I am starting to understand the required configuration now. But, it appears there might have been some confusion with what I originally requested. So I decided to put them on a diagram. Attached is a simple diagram (I hate to call it a network diagram) that shows the exact setup I have in mind.  I will try to walk you through with what I am describing in that diagram. Before we get started: I plan to use https://store.pfsense.org/HIGH-AVAILABILITY-SG-4860-1U-pfSense-Systems-P47.aspx as the HA PFSense firewall. OR I might use https://store.pfsense.org/XG-1540/ My Data Center (DC as noted in the diagram) said they will provide one uplink connection with /29. I am hoping to get a second uplink (cross connect?) from them with another /29.  My DC said I can buy more IP addresses as necessary (more on this below). My idea is to connect these two uplink connections provided by the DC to the two managed switches (I like to call them the core switches).  The "core switches" will be interconnected to provide redundancy between them. 2)  There will be some servers connected directly to the "core switches" with direct Internet access (software firewall). These servers will have public IPv4 assigned to them. I will buy additional /27 or /26 addresses and assign them to these servers as necessary. One connection from each core switch will go into the WAN link of the above PFSense HA device. There will be another two managed switches that will be connected to PFSense LAN link(?) and these switches will split the connections to each server with dual NIC on them. So, the idea is if one of the switches dies the server doesn't lose any network connectivity. Again, these servers will also have public IPv4 assigned to them. I will buy additional /27 or /26 addresses as necessary and assign them to these servers. These additional IP addresses are the ones that need to be protected by PFSense.
    Having said that I am open to any other ideas or suggestions you might have for the network hardware redundancy that I am trying to achieve in order to keep the network downtime minimal. Thank you again. [image: Diagram.PNG]
  • What is the defacto VPN for site-site?

    2
    0 Votes
    2 Posts
    831 Views
    H
    why? because its easier.
  • MOVED: Postfix retry rejected emails

    Locked
    1
    0 Votes
    1 Posts
    531 Views
    No one has replied
  • I can't join users of the VLAN on Windows Server domain

    14
    0 Votes
    14 Posts
    5k Views
    johnpozJ
    You are correct derelict – how did I miss that?? ;) So the problem is most likely that he just can not resolve because he is not pointing to his AD dns.. Good catch..
  • Remote syslog to multiple servers

    1
    0 Votes
    1 Posts
    584 Views
    No one has replied
  • 0 Votes
    3 Posts
    984 Views
    H
    disclaimer: this is just speculation based on some googling. Is TSO offloading enabled? If yes => try to disable it: ifconfig igb1 -tso These commands may be placed into a shellcmd tag to execute at boot time to make the change persistent.  (install shellcmd package) This appears similar for the em driver (no clue if it's related). https://reviews.freebsd.org/D3192
  • Constant newwanipv6: ip change detected

    4
    0 Votes
    4 Posts
    1k Views
    luckman212L
    I was suffering high load on a 2.2.5 system that had DHCP6 enabled on a WAN interface.  It was working (ISP was TimeWarnerCable) but sometime in the middle of the night they decided to switch my modem from bridge mode to router/NAT mode and start handing out 192.168.0.2 to my WAN interface.  This broke DHCP6… Suddenly I saw high load on my pfSense (caused by dhcpd and unbound according to top) and clog -f /var/log/system showed this pattern over and over again every 1-2 seconds:

    Dec 14 11:52:42 php-fpm[30155]: /rc.newwanipv6: Removing static route for monitor 24.29.99.36 and adding a new route through 192.168.0.1
    Dec 14 11:52:42 php-fpm[30155]: /rc.newwanipv6: Removing static route for monitor 2607:f8b0:4006:807::1000 and adding a new route through fe80::8e09:f4ff:fe10:217
    Dec 14 11:52:42 php-fpm[30155]: /rc.newwanipv6: Removing static route for monitor 68.237.161.12 and adding a new route through 108.30.185.1
    Dec 14 11:52:42 php-fpm[30155]: /rc.newwanipv6: ROUTING: setting IPv6 default route to fe80::8e09:f4ff:fe10:217%igb2
    Dec 14 11:52:41 check_reload_status: Syncing firewall
    Dec 14 11:52:37 php-fpm[30155]: /rc.newwanipv6: rc.newwanipv6: on (IP address: 2604:2000:f10b:300:208:a2ff:fe09:9bd3) (interface: opt2) (real interface: igb2).
    Dec 14 11:52:37 php-fpm[30155]: /rc.newwanipv6: rc.newwanipv6: Info: starting on igb2.
    Dec 14 11:52:36 check_reload_status: Reloading filter
    Dec 14 11:52:36 php-fpm[98434]: /rc.newwanipv6: Removing static route for monitor 24.29.99.36 and adding a new route through 192.168.0.1
    Dec 14 11:52:36 php-fpm[98434]: /rc.newwanipv6: Removing static route for monitor 2607:f8b0:4006:807::1000 and adding a new route through fe80::8e09:f4ff:fe10:217
    Dec 14 11:52:36 php-fpm[98434]: /rc.newwanipv6: Removing static route for monitor 68.237.161.12 and adding a new route through 108.30.185.1
    Dec 14 11:52:36 php-fpm[98434]: /rc.newwanipv6: ROUTING: setting IPv6 default route to fe80::8e09:f4ff:fe10:217%igb2
    Dec 14 11:52:31 php-fpm[98434]: /rc.newwanipv6: rc.newwanipv6: on (IP address: 2604:2000:f10b:300:208:a2ff:fe09:9bd3) (interface: opt2) (real interface: igb2).
    Dec 14 11:52:31 php-fpm[98434]: /rc.newwanipv6: rc.newwanipv6: Info: starting on igb2.
    Dec 14 11:52:30 check_reload_status: Reloading filter
    Dec 14 11:52:30 php-fpm[67665]: /rc.newwanipv6: Removing static route for monitor 24.29.99.36 and adding a new route through 192.168.0.1
    Dec 14 11:52:30 php-fpm[67665]: /rc.newwanipv6: Removing static route for monitor 2607:f8b0:4006:807::1000 and adding a new route through fe80::8e09:f4ff:fe10:217
    Dec 14 11:52:30 php-fpm[67665]: /rc.newwanipv6: Removing static route for monitor 68.237.161.12 and adding a new route through 108.30.185.1
    Dec 14 11:52:30 php-fpm[67665]: /rc.newwanipv6: ROUTING: setting IPv6 default route to fe80::8e09:f4ff:fe10:217%igb2

    For now I just disabled that WAN interface completely which has caused things to settle.  Not sure why the lack of valid DHCP6 would cause the router to go into a tailspin though.
  • Pfsense member AD 2012 R2

    10
    0 Votes
    10 Posts
    2k Views
    R
    If I use the ldap option, the User will be required to enter login / password to browse. NTLM takes the User section, requiring no login / password. Thanks for the help, everyone.
  • Enable per-user bandwidth restriction

    7
    0 Votes
    7 Posts
    2k Views
    S
    OK, thanks. That answered my question.
  • MOVED: Squid Reverse Proxy - Authentication Per Site

    Locked
    1
    0 Votes
    1 Posts
    543 Views
    No one has replied
  • MOVED: Squid issue >> can't download any more

    Locked
    1
    0 Votes
    1 Posts
    365 Views
    No one has replied
  • MOVED: Server to server openvpn.

    Locked
    1
    0 Votes
    1 Posts
    367 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.