• PfSense Appliance v. Router plus pfSense Appliance for SOHO or SMB

    1
    0 Votes
    1 Posts
    611 Views
    No one has replied
  • Can't start miniupnpd service

    3
    0 Votes
    3 Posts
    2k Views
    T
    @doktornotor: Omit the tunnel interface from the setup. IPv6 is not supported with "dig holes into your network" feature.

    If I'm following you (and the pull request you linked) correctly, the version of miniupnpd in 2.2.4 does not support UPnP or NAT-PMP for IPv6, and at the very least you would like the pfSense GUI to reflect this; is that accurate?

    @doktornotor: And - if your v4 WAN is RFC1918, this feature is totally useless for you. The WAN traffic would need to be allowed and forwarded on whatever is in front of your pfSense box, and LAN -> LAN never goes through the firewall.

    I fail to see how this feature is useless for me. The pfSense firewall is indeed running between HETUN6 and LANV6; if I have no rules, all packets to IPv6 LAN hosts are filtered, while manually adding rules for e.g. ICMP or TCP port 80 passes those packets as expected. My IPv4 edge router/firewall/NAT does not get in the way because pfSense is already tunnelled to the HE endpoint, and all IPv6 WAN traffic goes over that tunnel.

    Current state of affairs:
      • I can manually create IPv4 firewall rules on my existing IPv4 edge router
      • I can manually create IPv6 firewall rules on my pfSense instance
      • Applications using UPnP can only create IPv4 rules on my edge router

    Desired state (although sounds like not possible without mucking around with different miniupnpd binaries):
      • Manual rules same as above
      • Applications using UPnP can create IPv4 rules on my edge router and IPv6 rules on my pfSense instance
  • Newbie build advice please

    1
    0 Votes
    1 Posts
    650 Views
    No one has replied
  • (2.2.4) Loss of WAN link brings VLAN interfaces down temporarily

    5
    0 Votes
    5 Posts
    1k Views
    A
    Finally solved this problem - seems like the onboard NICs (Intel) had some fault or pathology. Disabled the onboard NICs, installed a four port Intel server card, and it's working fine now.
  • New pfSense box and FreePBX help

    2
    0 Votes
    2 Posts
    730 Views
    V
    @Vampir1c: Hey everyone, this has been driving me nuts. I recently had to set up a new pfSense box when the other one died, I got the network up and running and all of the phones that were configured continue to work, unless you factory reset them. They become unprovisioned after that. I manually put the tftp server in the phones and it connects but then doesn't make a call. My guess is that they aren't pulling the configurations from the Freepbx/asterisk box we have. We have the freepbx box offsite. I've created SIP and RTP rules for the box as well as best as I could. I have the tftp server entered in the DHCP server too. For the life of me these phones aren't working. Anyone have any insight please. Thank you!

    I'm an idiot, spent hours doing a bunch of complex crap to find TFTP not enabled for LAN in System: Advanced: Firewall and NAT
  • Crash Report

    2
    0 Votes
    2 Posts
    770 Views
    C
    Your PHP and modules don't match. Such as:

    PHP Warning:  PHP Startup: session: Unable to initialize module
    Module compiled with module API=20121212
    PHP    compiled with module API=20100525

    and you're on 2.2.0 (kernel at least, some world modifications were done), not 2.2.5, so moving thread. Upgrade to 2.2.4, and don't do any manual modifications to PHP or its files, and that problem will go away. If it's preventing you from being able to upgrade, reinstall 2.2.4 clean, and restore your config backup.
  • {SOLVED} Amazon PF sense

    19
    0 Votes
    19 Posts
    5k Views
    A
    @cmb: Support for upgrades is something we'll get added for a future release. No specific target version in mind at this instant, but hopefully something we can have done for 2.3.

    Do you know if this is coming with the 2.3 release? Is there an existing bug number or shall I file a bug for tracking?
  • Monitoring bandwidth from WAN to LAN

    4
    0 Votes
    4 Posts
    960 Views
    KOMK
    There are other tools that can do that.  Check the Traffic Monitoring forum for more information.
  • Moved

    1
    0 Votes
    1 Posts
    428 Views
    No one has replied
  • Strange slow down between 2 sites.

    2
    0 Votes
    2 Posts
    897 Views
    F
    You'll need to eliminate the HW at either end before you can look at the ISP infrastructure. Do you spot any patterns like an excessive number of states in the state table, what's the RAM usage like, is the swap being used, and anything else that seems unusual when you experience the slowdown? Might even be worth checking the workload on each core to see if there is a problem with the FreeBSD OS scheduler, as it's quite easy to make various programs run on a particular core, which then slows that core up as it gets overloaded, leading to slowdown of the rest of the cores on the CPU.

    If you can't find anything wrong with your HW, then looking at the internet infrastructure seems like the only option left, and yes, ISPs can do bandwidth throttling quite easily even if you have an unlimited data package at either end; it's also why the market forces didn't win out in the rigged game, as there's little technical difference between ADSL and SDSL modems, other than upload speed. I believe it's harder to bruteforce crack large amounts of SSL data compared to short bursts, but with the fact the ISP/Govt will have a complete oversight of the entire communication from TLS handshake to goodbye, getting your certs should make it easier to bruteforce crack the transmission to then see what you were transmitting, which is why having so much functionality on your firewall increases the risk.

    One way to eliminate the FW hardware being at fault is to shift the OpenVPN functionality onto separate machines at either end and then just use pfSense to do the routing and FW. There's also nothing stopping you using pfSense again to manage OpenVPN on your separate VPN boxes. Where you create and manage the certs for your VPN is up to you; personally I am of the view to isolate various functionality onto individual machines, as a zero day could give complete access to a machine and, with so many eggs in one basket, makes it easy picking for hackers.

    When looking for HW changes, also keep an eye on other devices in your network; just this morning I caught my TalkTalk ISP-supplied set top TV box exploring the network looking for other network service facilities as it couldn't get online, despite all its network settings being correct. It's interesting to watch how devices react when different aspects of net functionality become no longer available. I'd like to suggest it's harmless, but as most of it is encrypted or uses an algorithm which makes it hard to decipher the meaning of the plaintext context, one can't help but be increasingly suspicious, especially as it's quickest to hack from a rogue device inside your network.
  • Remmina local client won't connect to remote vnc server

    9
    0 Votes
    9 Posts
    18k Views
    E
    Fixed. The server was faulty. Installed a different server and works.
  • Disabled admin - locked out of web GUI

    5
    0 Votes
    5 Posts
    1k Views
    RonpfSR
    Or to Reset the webConfigurator password ;)
  • Actiontec MoCA 2.0 Bridges

    1
    0 Votes
    1 Posts
    797 Views
    No one has replied
  • Interface Groups clarification/feature request

    1
    0 Votes
    1 Posts
    436 Views
    No one has replied
  • [solved] Strange RRD graphs

    3
    0 Votes
    3 Posts
    2k Views
    D
    OK, I have found the problem. There were many updaterrd scripts running. I disabled RRD graphs, cleaned the graphs, and killed the old RRD-related processes. Everything is normal now.
  • CARP / VRRP questions

    6
    0 Votes
    6 Posts
    2k Views
    T
    Sorry, one more question. Can we set the time interval for CARP? I mean, pfSense sends the CARP message to another pfSense. Please advise.
  • [SOLVED] : Configuration saved but not applied

    3
    0 Votes
    3 Posts
    1k Views
    V
    I went back to the old machine that was working like it should, but apparently the same thing happened to it as well. The only thing I did was remove the tftp package. I brought it back afterwards but that did not change a thing. So I found a post that brings a clue - http://serverfault.com/questions/506592/pfense-needs-to-be-rebooted-to-effect-a-change-in-existing-nat

    So what I did was run /etc/rc.filter_configure_sync and then I checked the system logs and found the updates performed:

    Oct 22 13:11:42 php: rc.filter_configure_sync: Adding TFTP nat rules
    Oct 22 13:11:42 php: rc.filter_configure_sync: Adding TFTP nat rules

    So regardless of how much I run this, it always does that. I do have now problem with the TFTP, I have added another TFTP server and changed the address to that TFTP server, and the configuration is not working until I reboot the system. I have factory reset a machine with pfSense and tried to change something on the DHCP, map an IP, and no result till reboot. How can I fix this problem?
  • 0 Votes
    7 Posts
    2k Views
    E
    @cmb: Leave everything there at their defaults. Make sure you've bumped nmbclusters (though that'd result in a diff error log generally). https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards

    The second crash was everything at default. The third crash was with the nmbclusters bumped to the recommended number for the Intel card. I've tried turning off all hardware offloading for now and will see how it goes. Been up for 1.5 days but it had done that before. I'll report back.

    Off topic: I've noticed that the chip runs hotter with PowerD turned on with "hiadaptive" than off (at least the first core). Seems, from reading around, that PowerD allows 'turbo' speed to kick in whereas it will not kick in if PowerD is turned off (or another system setting is added). I've turned PowerD off for now (default) for testing until the lockups quit. Just found that interesting.
  • MOVED: Bad performance on high volume traffic

    Locked
    1
    0 Votes
    1 Posts
    491 Views
    No one has replied
  • MOVED: internal NIC crashes down / no buffer space available

    Locked
    1
    0 Votes
    1 Posts
    449 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.