Yes, I can always remove the team. However now I'm curious because I have a NAS that has an adaptive load balanced nic team with 2 nics. No log entries from that nic team - however that is running Linux. This machine has windows. Interesting…. Thanks for the help! :-)

@johnpoz: If you bridged 4 ports together you would have a "HUB".. Since all packets seen on 1 port would go out all the other ports.. This is how a bridge works.. Not true with our bridges, they learn MACs the same as a switch and send traffic accordingly just like a switch. The "use an actual switch" mentality is largely for performance reasons. People tend to show up wanting to use some Pentium III they pulled from a dumpster with a handful of crap Realtek NICs shoved in it then wonder why they can't push a gigabit of traffic between internal hosts. Firewalls aren't switches. In some limited circumstances, where you don't care about performance between internal hosts much, and require filtering between every internal host, it's a fine idea. People just tend to expect it to work the same way as the switch built into their consumer router, and it's not the same at all. Huge diff between multiple NICs in a firewall or router and a switch.

@kiyu: …as I mention I have no idea about it.. ... State your hardware, draw a logistical network diagram. Write an operational specification for the flows. Prepare to rewrite the pfSense config. Meanwhile temporary you have to block all WAN's ingress to (22,80,443) or do at least [System: Advanced: Admin Access (TCP port)] not on 80 or 443 as doktornotor said already.

You can actually do both… In Unbound or dnsmasq, create a Domain override. Also use pfBlockerNG to download the most recent IPs automatically daily/weekly as required. Hurricane Electric is a great source to collect IPs for almost any site.

You must be on nano version judging by that, or else have /var/ enabled as a RAM disk. You can't run MySQL on nano or where /var is a RAM disk. Running MySQL on the firewall at all is probably a bad idea too, better to keep server roles on servers.

I don't think so. A roundabout way might be to set an alias to an FQDN and set the FQDN to a hostname dynamically updated by dyndns on WAN.  That probably won't reflect changes fast enough. Are you configuring Services > Load Balancer > Virtual Servers?  I can't think of an effective way to use a dynamic address there.  Depends on how quickly you need it to update. I looked in /tmp/rules.debug and everywhere that references WAN address has been replaced by the actual IP address, not an alias to it.

you could search for xenserver here - you will find lots of info about issues with xenserver example https://forum.pfsense.org/index.php?topic=85797.0 Like first hit searching xenserver pfsense on google.

What I've done on my network is configure DHCP to supply the pfSense system as the primary DNS (and my local servers as secondary and tertiary in case pfSense system is down).  Then on pfSense I set DNS Resolver (Unbound) to forward DNS requests for my local domain to my DNS servers.  Its not exactly what you asked but I think it accomplishes the same goals.  Plus it allows pfSense to act as a cache and it knows the upstream (ISP) DNS servers.

@jatgm1: im tired of hearing pathetic morons talk about a childerens game. Then stop hanging around with pathetic morons. If that is not a possibility then get some ear plugs. @jatgm1: if you want to play it whatever, but its installed on the computer and we have the xbox game theres no reason he should need to watch god damn videos that some sad saps made. Who is "we"? Who is "he"?

Since this thread is still the top result on searching for double wan bandwidth, I'm posting another pic from my 2.2.2 64bit system. It appears that this problem has been re-identified… but just for posterity and clarity, see the attached pic.  

This is all moot anyway.  No matter what you do with DNS if the client web browser is asking for an https connection and the captive portal gets in the middle, a certificate error must be displayed. We, as IP networking professionals, should never, ever, EVER implement anything that, by design, will present certificate errors to users.  Connections to https sites before captive portal is negotiated should simply hang.  Don't like it?  Don't use a captive portal.

Have you done an iperf to, from, and through PFSense? You want to make sure it works as expected in an ideal case before trying to hunt down issues in unideal cases. In all issues in life, when debugging problems, eliminate as many variables as possible.

Oh, thanks for clarifying everyone.  Appreciate the feedback.

I have modified Steve's solution as follows and it works on [2.2.2-RELEASE]: /etc/rc.linkup interface=opt1 action=start Matt

If you are using pfSense 2.2.2 the log format is very different from what is was when that blog was posted. Have you installed version 2.0.2 of the the TA-pfsense Splunk add-on?