May actually be in SMB3.0 http://blogs.technet.com/b/josebda/archive/2012/05/13/the-basics-of-smb-multichannel-a-feature-of-windows-server-2012-and-smb-3-0.aspx SAMBA 4.0 is currently working on SMB3.x, but doesn't support multi-channel yet https://wiki.samba.org/index.php/SMB3_kernel_status#SMB_3.0

Usually that's because either something else is using that IP address, or it's not really usable in that subnet (e.g. it's a null route or broadcast address) Can you show what IP addresses you are using and the subnet mask? You can block out the first three portions, the last IP part is what is significant here.

Thanks! This helps a ton!

Nested VMs on your side would do NOTHING to hide your connection point..  Hiding your traffic from your connection provider requires just one layer of encryption.  putting a tunnel inside a tunnel inside a tunnel is pretty pointless.. Create a tunnel to a trusted endpoint on the outside of your connections providers network.  If you then want to bounce a connection off of that through multiple proxies, turn tor through that connection even to hide your actual connection point from the tor network or proxies you use. But running nested vms to accomplish this goal is just wasted resources time and performance.

@doktornotor: No idea where do rules on OPTx come into play here. This line should have been 1st, then it would make more sense. Personally I'd not bridge the way you have as you can isolate traffic more with things like snort using custom rules & schedules along with various fw rules a little better and dhcp on each OPTx interface In answer to your question, its because of the bridge problem, which you mentioned to the OP. Of course this might help as others have reported things not working properly since freebsd 9, that might explain why bridges are a pain, bit like the states not working as expected. https://www.mail-archive.com/freebsd-pf@freebsd.org/msg05983.html Edfit. Might also be useful. http://home.nuug.no/~peter/pf/newest/bridge-freebsd.html

@SageIT: I forgot to mention…my previous gateway, the one I'd like to replace with the pfsense box, is just an asus AC-rt66u router running dd-wrt.  It has an ip address of 192.168.0.26, and all of my clients on the LAN are static IP's, pointing to that router (0.26) as the gateway, and to my primary DC for dns (0.2)  I have tried changing the gateway on my server to point to pfsense (0.41), as well as trying another PC set to dhcp...neither one will reach the internet.  The odd thing is...when i do an ipconfig /release/renew on a dhcp machine, it renews with the old gateway address (0.26), despite it being turned off and disconnected entirely from my network.  Am i missing something? Have you got the pfsense lan interface setup with the default ip address range ie 192.168.1.1 or have you changed the lan interface to 192.168.0.26 to be identical to your old router?

i'm a little bit further, after giving my laptop a static IP. in most cases all AP are acceceble but not pfsense. there is one thing when i ping them there is sometimes a timout and most of the time the ping time is at 250 ms

"So the performance hit of the resolver walking the chain is not actually all that significant" Exactly and the resolver will cache it as well for the ttl of whatever is you looked up, so the guy next to you also using your resolve that wants to get to www.pfsense.org the resolver doesn't have to look it up again.  But if you have sites that have low ttls and shitty dns servers there can be a hit now and then when you first go to look it up your browser times out on it, etc. Where if its popular and lots of users hit it with the common forwarder your using - which is normally like 1000's and 1000's of ISP customers vs just the hand full of machines using your resolver. As stated out of the box pfsense blocks all unsolicited inbound traffic - so nobody can query your resolver from the outside unless you open up the firewall and even have your resolver listen on your wan.  You can pick what interfaces it listens on in the pfsense page for it.  Why should it even listen on your wan??? I would not use a forwarder unless you wanted to leverage filtering they provide, or you have a really shitty network connection and doing all the dns yourself ends up being slower then just asking your isp dns. [image: listeninterfaces.png] [image: listeninterfaces.png_thumb]

Our hardware is a LinITX ALIX 2D3 LX800 (3NIC+USB) pfSense Firewall Kit Pretty old but it is able to deliver around 80 MBit/s for normal. As told before the modem is having a dublex miss match perhaps and is connected only with 10 MBit/s! other services are narrowing down the throughput likes Snort, Squid &SquidGuard, ClamAV The pfSense should be activating MSS clamping perhaps. DNS entries are false miss configuration at some points ?

http://www.sigma.zone/2015/03/securing-ssl-cipher-suite-in-pfsense.html looks like working one qualys gives grade B it's for squid 3 Reverse Proxy

This is a phishing bump.  8)

@LouisFD: I am just wondering if anyone has ever experienced anything like this before or if there is any configuration settings we may be able to try. If you can find out what voip system they are using that might help you track down the problem. EG in freeswitch an opensource voip system which can do landlines as well, like Asterisk, you tend to have the name associated with the extension DID, eg: <variable name="effective_caller_id_name" value="Mike or Sales"><variable name="effective_caller_id_number" value="1001">https://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#Alphanumeric_to_numeric_user_mapping But you can have DID/extensions associated with call groups, hunt groups and so on. Until you can find out just how they are associating names to an extension, there could be any number of possibilities in play. For example, do you have your workstations plugged into the phones to minimise cabling and do you run vpn's for file sharing between offices? Have you switched on logging in various rules in pfsense to following the traffic in the fw logs? If you get nowhere with then, trying swapping out pfsense for a basic ISP supplied router (if you have any) and see how things work then for a short period of time once the problems show up. If it persists its easier to point the finger back to the VOIP host.</variable></variable>

comparing SAP and pfSense is a major category mistake. SAP Business One costs $2,975 per-user up front, and then 18% of total software cost on an annual, go forward basis. This is a pfSense board.  We are not here to discuss SAP, nor your education, nor your CISSP/CCNA/CCNP/CCIE/PhD/…, nor the "dismal science". Keep it on-topic.

His problem is that he is specifying a gateway for LAN.  I already answered him here.  I have no idea why he posted this again when he already had his solution.

Soulds like you should fix your COM port speed in PuTTY to get more useful screen output.