• A Dumb Question

    7
    0 Votes
    7 Posts
    1k Views
    ?
    I have been looking into using pfsense and i have a few questions. This is strictly from a home user point of view  :) This is the hardest group of customers in my eyes! They often don't know what they want and really need, play with all given features, options and functions and all not going fast enough as they expect it. You have to use a modem. You'd want to use a good one. For sure with any lazy home plastic crappy home router you have to do so too, or? But it is integrated. If you had a good modem/router why would you need a pc for dhcp and routing ? Who is telling you that a PC is needed? A small embedded board will do the job mostly better than the best atomic home routers. So please don't compare apples and pears!!! The pfSense is like a real UTM device, and a home router is really thin and dumb to configure from everybody without a pain! pfSense would be able to pimp up and tune for so many things that it is really dumb to compare it to a home router. They have different fields of work where they will be placed inside. If you wanted to use it as a firewall there are plenty of hardware firewalls that are cheaper than or as cheap as pc's. For sure they are cheaper and offering each only a smaller or greater bunch of options, features or functions. But once more again pfSense & SquidGuard & Squid & HAVP & openDPI & Snort & FreeSwitch can be a; TrafficShaper, UTM device and HTTP proxy with AV Scan and AntiSpam, and this is not offered by a firewall from the rod. You could also install pfsense on a vm on your own computer. This is in my eyes one option more than another firewall will be able to serve you. I know i'm missing something here. Can somebody explain ? When the school holidays are ending? Mostly and urgent it is like this; The router must fit your needs and must match your goals! This is the most important thing in my eyes.
If you need a plain router with only SPI & NAT and some action above you go often with RouterOS, OpenWRT or DD-WRT. FreeWRT is EoL. If you need more you could search for an easy to use firewall like the following, IPCop, IPFire, ZeroShell, fli4l or pfSense. m0n0wall is EoL. If you need a real UTM device related to AVScan, AntiSpam and HTTP Proxy you will perhaps try out, Untangle, IPFire, ZeroShell, or pfSense. If you need a really big router and BGP is in the game you often go by using OpenBSD & OpenBGPD, Quagga or Vyatta. Zebra is EoL. If you need redundancy and really balancing the whole load over more than one WAN interface on more than one Box you will be perhaps happy by using OpenBSD and ARP balance over CARP and if only thin redundancy is needed try pfSense. So as you can see from the lowest bottom to the highest top, pfSense is able to run for you, it is only depending on the Hardware you are able to buy and run. You are able to grab the oldest hardware from the electric dump court or the latest Xeon D-1540 platform from Supermicro and pfSense runs on it.
  • Inspect queues in realtime

    4
    0 Votes
    4 Posts
    785 Views
    N
    https://forum.pfsense.org/index.php?topic=94761.msg527361#msg527361 @Nullity: You can use tcpdump on pflog and see what rule matches each packet, assuming logging is enabled. something like "tcpdump -lnettti pflog0". I usually use pftop via terminal/SSH. Check out OpenBSD's pf documentation. The lesser known features can usually be found there.
  • SMTP E-Mail

    6
    0 Votes
    6 Posts
    1k Views
    M
    Could be pretty much any number of things. Have you checked that your DNS settings are correct? Try running a 'dig' or 'nslookup' from a command shell on the pfSense to see if the MX for your target address is showing up. If that works, try running a telnet to the MX host for your target address on port 25 and see if you can send a test message from there. The process is, by example: 'telnet target-host-ip 25' 'helo me' 'mail from:test@email.com' 'rcpt to:target@address.com' 'data' 'Hello - just a test message' '.' Include the full stop after the 'Hello' line to initiate the send. If this doesn't work then you may get a clue as to why your emails aren't arriving, such as the encryption issue KOM mentioned, or possibly that the receiving host is rejecting the message due to an anti-spoofing error.
  • Instagram and Snapchat Not loading on my android device

    11
    0 Votes
    11 Posts
    11k Views
    L
    @KOM: upon reading some other forums on TCP:FA connections in pfsense I have found out that the problem was the firewall was set to block these connections. TCP:FA (FIN ACK) is an acknowledgment of a TCP teardown request.  pfSense does not block TCP:FA by default.  It was an out-of-state packet that got rejected by the firewall because the state it belonged to was already considered closed due to the teardown.  The TCP:FA was seen as a new connection attempt, and blocked by WAN rules. Thank you for explaining this further. Yes this was my particular problem and it is now resolved. Thanks to all of you for your recommendations and support @tim.mcmanus: I do have my firewall set to conservative, so that's probably why my monitoring system didn't go aggressive on me. And Tim yes that's probably why you have no problems! Lol thanks for your support
  • Firewall (1/2?) down

    3
    0 Votes
    3 Posts
    896 Views
    H
    Thank you very much for your detailed reply. Unfortunately, I had already shutdown, re-imaged and restored.  Thankfully, I had a very recent backup. I'll get the 2.2.4-DEVELOPMENT snapshot installed tomorrow am.  Can't have any more down time today if it can be helped. Do you happen to know if 2.2.4 has any more fixes for Multi Tunnel IPSEC, I still have the same rekey issues since 2.2.1, which is why I tried 2.2.3. Thanks again. Tony
  • Compiling pfSense and some more thoughts

    18
    0 Votes
    18 Posts
    3k Views
    M
    Thanks to everyone taking the time to read and respond to my overly long posts. As of now everything is working great! But I always have new questions…. "The Dude" is all of a sudden picking up a node with gigabits of traffic on a node ending with *.255 (see attachment). Is this something internal to pfSense? DNS (unbound)? My actual pfSense box is 192.168.3.1. Any and all suggestions appreciated :) Simon ![Skjermbilde 2015-07-15 16.44.04.png](/public/imported_attachments/1/Skjermbilde 2015-07-15 16.44.04.png)
  • MOVED: transmit traffic openvpn from 2 load balance wan

    Locked
    1
    0 Votes
    1 Posts
    400 Views
    No one has replied
  • MOVED: Squid 3 eating my bandwidth

    Locked
    1
    0 Votes
    1 Posts
    375 Views
    No one has replied
  • Temperature config none/Apci

    3
    0 Votes
    3 Posts
    884 Views
    K
    ok i'll check it, thanks.  :)
  • Unable to get VLAN working with LAGG in pfSense 2.2.2

    7
    0 Votes
    7 Posts
    4k Views
    ?
    @tux_dude Did you solve it now? Did you bring up the LAGs and the VLANs straight working smooth?
  • Blocking

    2
    0 Votes
    2 Posts
    453 Views
    KOMK
    Status - System Logs - Firewall.  Or install the Firewall Logs widget on the dashboard.
  • Brand new pfsense 2.2.3 install not logging

    2
    0 Votes
    2 Posts
    651 Views
    S
    Hmmm.  I had to manually create the SSH keys for this host yesterday.  Today, after a reboot, the SSH keys are gone again.  It's almost like this thinks it is running a live CD, but it isn't?  Also, the thing hangs for about 12 minutes during boot at "synchronizing user settings…" no idea what is going on there.
  • Odd behaviour

    3
    0 Votes
    3 Posts
    936 Views
    F
    @Sensi: My pfSense 2.0.1 (multi-user) is acting strangely!! Anybody got any ideas? There's an idea. Any chance you can try this on the current version?
  • WAN is up, but gateway is down

    16
    0 Votes
    16 Posts
    9k Views
    X
    iorx, if you're using intel e1000 physical nic's, try the solution I implemented (thanks to cmb) last friday: https://forum.pfsense.org/index.php?topic=96325.0 Until now (5 days and counting) it's going good, so I'm hopeful.
  • How can I find pfctl source code of pfsense?

    5
    0 Votes
    5 Posts
    1k Views
    T
    @phil.davis: You have to follow the instructions and complete the legal stuff. A few weeks ago the repo became a private one on GitHub rather than where it was before on some other machine hosted at some other pfSense name. I know the existing people signed up to the previous tools repo address all got access to the repo in the new place. I am not sure how that all links together automatically now for new sign-ups. After signing up, I would look first in GitHub pfSense section and see if the pfSense-tools repo appears for you. Thanks phil.davis, I can access pfsense-tools now. But It's very straight for me. I think I must install FreeBSD 10.1 (for pfSense 2.x) and download pfsense-tools from git repo. After that, I patch all files in pfsense-tools to FreeBSD. Is it correct? Do you have any instruction to build pfsense development environment?
  • Routing issue

    6
    0 Votes
    6 Posts
    1k Views
    H
    also imagine someone is using the wifi network for some evil torrenting;  oO On your pfsense machine your traffic graph will show the WAP_ip instead of the offenders_ip as the source/destination of lots of traffic  (since you NAT everything on the WAP)
  • Blocking Traffic

    7
    0 Votes
    7 Posts
    1k Views
    johnpozJ
    so you have an any any rule on wan?  Yeah that is not good… "Wan => (Wan Rule: Pass Any Any) PFsense => Server" If this is what you want "I want to record who ping my server" Why don't you just setup a wan block ping with logging?  Why would you want to send it all the way to the server, just to block the server's reply?
  • State Table

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ
    The state table lists the states the firewall has allowed.. It's a stateful firewall!! If you're having issues controlling traffic - then post up your rules and explain what you're wanting to accomplish.
  • VLAN question.

    5
    0 Votes
    5 Posts
    1k Views
    A
    All 3 are Layer 2. I knew that, what i didn't know is the Lx meaning. I am learning on the go, i don't want to be rude but in any case my boss should be the one asking that.
  • 0 Votes
    50 Posts
    12k Views
    D
    Dunno, but "scrub rule then PF will re-package the data using an MTU of 1460 by default, thus overriding this mssdflt setting" would strongly suggest that messing with that sysctl is a total waste of time.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.