• WAN not taking DHCP from cable modem

    2
    0 Votes
    2 Posts
    670 Views
    C
    Upgrade to 2.2.4. Looks like you're losing power and ending up with corrupt group and/or passwd files, which is fixed in 2.2.3 and better in 2.2.4.
  • 0 Votes
    15 Posts
    4k Views
    D
    @cmb: Is the WAN actually link flapping in that case? See re0 link down/up messages in the system log, see the modem and/or WAN NIC losing its link light? Apologies for being unclear. No, by those tests it was not flapping. I usually have a small switch between re1 and the CM to prevent exactly this and dhcpv6 annoyances. I tested both with and without the switch in the middle and the result was the same. (re1 - WAN on the APU2 - and the CM Ethernet port are the only things on that switch.)
  • 2.2.4 and now I have Missing Aliases and … Duplicate Aliases

    1
    0 Votes
    1 Posts
    633 Views
    No one has replied
  • LAN cannot access Internet

    4
    0 Votes
    4 Posts
    878 Views
    V
    In the docs you find some points that should be checked in that case: https://doc.pfsense.org/index.php/Unable_to_Access_Some_Websites If the Router is connected to the ISP there's often an adjustment of the interface's MTU required.
  • 0 Votes
    14 Posts
    3k Views
    F
    Well tested it so far with 2.2.3 and it's killing off the internal interfaces states in effect working as I'd expected it to work doing the same youtube test as before, but as I write it's still not killed off the WAN interface established states some 20mins later with Firewall Optimization Options set to normal. If you have a fixed IP, I wonder if these wan side states will ever get killed off? I know those on a variable ip will get killed when the ISP forces a new IP address, but how will the fixed IP established:established states work if they have scheduled vpn connection between sites? Will we see a build up of established:established states or will they eventually disappear? Edit. The wan side established state to youtube got killed off after 25mins, so google/youtube keep their states open for 25mins, but the vpn situ will be an interesting test.
  • Php-fpm logs everything as errors

    4
    0 Votes
    4 Posts
    1k Views
    D
    Shrug; will probably sit there for ages… I essentially gave up on any remote syslogging - unless you have all servers running pretty much the same OS, you always end up with messy crap. Plus, the syslog daemon on pfSense is not exactly a masterpiece when it comes to remote logging (#1940 and others).
  • Tcp and udp connection crash randomly after upgrade to 2.2.4

    11
    0 Votes
    11 Posts
    2k Views
    C
    The default is checked (disabled), where you had it unchecked it was enabled. That's not the most clear config setting, need to make that description more clear. Glad that took care of it.
  • Two errors after fresh install

    8
    0 Votes
    8 Posts
    2k Views
    Gertjan
    @doktornotor: Have you seen this checkbox? As a matter of fact: I saw it. Unchecked it :) I'm syslogging to a 'huge' NAS, so it never bothered me, this httpd flood. They were just there so they remind me that 'something has to be done'. Now, my logs dropped 75% in size :)
  • Trying to Route from WAN to LAN

    3
    0 Votes
    3 Posts
    2k Views
    D
    No, the WAN in this case is just another private network that my laptop that I'm using for testing resides on. The private IP space from the WAN is valid in this case. I'm simply trying to use pfSense as a router to route the traffic coming from my 172.16.6.0/23 network (the WAN) to my isolated MGT1 10.222.200.0/24 network. I don't want to disable natting and SPF except for a last resort.
  • I can't access AP with VLANs

    9
    0 Votes
    9 Posts
    2k Views
    K
    OK, I'm sorry guys… I did everything again and I found this option: "Allow remote access - Remote access allows you to manage the AP from the Internet or from a different LAN. To enable remote access, the gateway device needs to be properly configured, such as opening a port for the corresponding IP address of the AP." I didn't check that option the first time. Now it's running well ;) Thanks! At least, I checked my design with you. I hope this will be useful for other users. Now I have to focus on rules ;)
  • PfSense LAGG to Cisco Nexus Port Channel

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Critique my design, please?

    19
    0 Votes
    19 Posts
    2k Views
    J
    @kejianshi: Is your POS pfsense rig working ok? Runs good. Ordered another!
  • Traffic graph not displaying for LAN and Sync interfaces

    3
    0 Votes
    3 Posts
    938 Views
    J
    Genius!  THANK YOU!!!
  • SG-2440 purchased from store, a few questions

    3
    0 Votes
    3 Posts
    943 Views
    J
    @phil.davis: 1. The unit is supplied with instructions about where to find the "tuned" image if you need to reinstall completely. And it will look in the special place for updates also. The "community" one works also. I am running that, as it happens, because I often follow the bleeding edge with development snapshots. I believe the "tuning" is things like the content of loader.conf.local but nobody is saying officially. 2. There is no "tuning" in the config.xml AFAIK. You can certainly import a config from elsewhere, reassign interfaces as needed and run. I did that on the 2 SG-2440 that I have in production. Awesome, thank you Phil for the information. I am excited to get it delivered. Hopefully should be here by the end of the week Cheers! Jon
  • Nested aliases don't work on 2.2.x

    2
    0 Votes
    2 Posts
    860 Views
    C
    Nested aliases work fine in general. You wouldn't be able to reach this website if they didn't. Check your table contents under Diag>Tables for that alias to verify.
  • [SOLVED] Undetected Traffic?

    4
    0 Votes
    4 Posts
    1k Views
    C
    Found out it was just a server that was behaving abnormally. Rebooted the server and all is good :-X Noticed it by looking through pfTop after logging into the console. Thanks for the help!
  • [SOLVED] pfsense forum HTTPS problem

    8
    0 Votes
    8 Posts
    11k Views
    D
    @musicwizard: but my bitdefender also scans the site's SSL. I never changed that setting and it's been like that for like 2 years now since I use that one. You might want to disable that shitty "feature". https://forum.pfsense.org/index.php?topic=93188.0
  • PRO's and CON's of having a modem in bridge mode

    13
    0 Votes
    13 Posts
    5k Views
    W
    I have a PPPoA ISP, my Draytek 120 is connected to pfSense in bridge mode, no issues, no lag, no problem. That modem, once you choose PPPoE<->PPPoA passthrough disables NAT and Firewall, also DHCP is disabled….a dumb modem. My pfSense unit takes care of what it can do better than a 25 euro combo modem/router. In the past I had a half-bridge configuration, using a Netgear WNDR3700 router (running openWRT, arokh builds) coupled to a Digicom Modem (it supported half bridge), pfSense seems not to support half-bridge scenarios. Just my experience, ADSL 20/1.
  • PFSENSE vs standard routers

    5
    0 Votes
    5 Posts
    9k Views
    W
    Depends on your personal needs. I have been an avid consumer router buyer, always chasing the last product….and after a couple of years I have been soon disappointed. I don't trust proprietary firmware on consumer router/firewall, I cannot afford and I don't need an enterprise router/firewall, I love open source and build something. pfSense gave me a lot of solutions: open source, very active and professional community, solid software, easy configuration for a home LAN...I put pfSense in a pretty good hardware (see my signature), I will not look at consumer router/firewall anymore. My Netgear R7000 and WNDR3700 have been downgraded to AP.
  • Certificate

    8
    0 Votes
    8 Posts
    2k Views
    johnpoz
    Yeah this sounds like a mess "router is 192.168.1.1, wired PC is on 192.168.2.1, if I ping the router I get 192.168.3.1, which is my wireless network)." So you have multiple interfaces/vlan on pfsense.. ping the router I get 192.168.3.1 is your router? Are you talking about pfsense interface on your wireless vlan or are you natting your wireless with a wifi router that is not in AP mode? Why don't you access pfsense with name? You can setup your rules to be able to hit the lan interface let's call it 192.168.1.1 of pfsense for its web gui from any of your segments. You could setup different names for your different segments and hit that interface via that name with cert for that name, etc. for example pfsense.local.lan is 192.168.9.253 on my setup, and pfsense.wlan.local.lan is 192.168.2.253 this is the pfsense interface in my wireless segment, then a few more dmz, ps3, etc. Personally I never access pfsense gui from anything other than the wired network.. Wifi shouldn't really be open to your firewall admin gui if you ask me ;)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.