If you can ping the pfSense LAN interface (or bring up the pfSense gui when connecting to the LAN interface address) from the OpenVPN client then your tunnel is probably up and correctly configured. If you cannot connect to other devices on the pfSense LAN, that is almost always the local firewall on the TARGET host preventing access from foreign subnets.

When bridging is necessary, it generally works fine. If you have to ask "should I use a switch or a bridge" the best answer is pretty much always a switch. You really don't want layer 2 traffic between the two switches going through a bridge.

@heper: csrf error does not occur on interfaces. So if you assign an interface to your vpn, then it all works indeed. And IPSec will do it too: once sites are connected through IPSec tunnel, this is as simple as defining FW rules  8)

I also agree, but some packages, like HA Proxy, might exist so pfSense can function as a proxy OR a firewall. Not necessarily a proxy AND a firewall. That is just an example. HA proxy generally runs fine on the firewall though it could certainly be argued it is not the best place for it. Just because the packages exist doesn't mean they can all be run at the same time on the same node without issues.

What version did you upgrade from? You can generally run into trouble if you use something like AD and google as "Primary" and "Secondary" DNS servers (there really is no such thing as it is completely up to the client which DNS server is used first. Some query them all simultaneously and take the first answer, some query one, time out, then try the next, etc.) All of the DNS servers used in a particular context should return the same answers to every query from the same source. Your AD will have AD information, google will not. Problems such as these are best investigated using DNS tools such as dig/drill. Without seeing the actual queries and answers it's tough to tell what you were seeing. I can't see deselecting All interfaces to listen on having any effect. The forarder was either listening on the interface in question or it wasn't. All binds to all.

The crap software in most consumer grade routers makes them good as an access point, but not a lot more.  The C9 should be pretty decent - a lot better than the WRT54GL (running dd-wrt) that I'm using-but even that works… good enough to stream a bit of Youtube or browse.

ok  I try it ， thank u。  ;D

you can create a limiter on lan https://doc.pfsense.org/index.php/Limiters check dynamic queue creation

Thank you, I added that now. Where would you place the script to load it propery? In here? /usr/local/etc/rc.d/

That's basically idle. Any loss is likely attributable to a problem on your Internet connection. The processes you see coming and going are from updaterrd's stats gathering.

There was a problem earlier, fixed this morning.

@Harvy66: I hate SMS based 2FA. It requires wireless connectivity and SMS has been shown to be easy to snoop on for people in the know. The US National Institute of Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban on SMS-based Two-Factor Authentication (2FA): http://news.softpedia.com/news/nist-prepares-to-ban-sms-based-two-factor-authentication-506617.shtml

@virgiliomi: No, you would need a special interface card that Asterisk would communicate with for the purpose of making/receiving phone calls on that line. There are two different kinds of ports that can be found on analog cards… FXO (line) and FXS (station). You want a card with FXO ports to be able to use the analog phone line. If you had analog phones that you were using through your Asterisk system, those would use FXS ports. FXS ports need to provide a bit of electrical power for the analog phones attached to them, while FXO ports don't. By any chance are there any FXS port adaptors for USB that pfsense(or FreeBSD) recognizes properly OOB? @AndrewZ: @ultimateon: I have a modem it has a phone number ,etc… You need to figure out how this voice part of your modem is configured. Generally there are 2 common options - this internal VoIP GW may use either Internet VLAN or it's own 'voice' VLAN. In the 1st case you will just need SIP credentials extracted from your modem, in a second - you will also need to bring your voice VLAN to pfSense and route it further to your Asterisk. Forget about the jacks ;) Unfortunately the modem doesn't come with VoIP and it keeps it SIP gateway closed up although (The ISP doesn't actually provide VoIP directly but provides services using it, complicated stuff) So ill have to go ask Jack if he's willing to phone PFsense.

you should be fine at close to gigabit speeds, depending on the number of firewall rules, NAT, and packages (snort, pfBlockerNG, etc) I would check your system interrupts at high load/transfer speeds to see if you need to make any OS tweaks: systat -vmstat

@cmb: That's the TFTP proxy, not bittorrent. Thanks, that puts my mind at ease.  Given that I have no need for TFTP, and I occasionally will use bittorrent, can I easily turn TFTP off, and will doing so cause any problems other than not being able to network boot devices from pfSense? Thanks.