• New user / setup help

    10
    0 Votes
    10 Posts
    2k Views
    F
    @SageIT: I forgot to mention… my previous gateway, the one I'd like to replace with the pfsense box, is just an asus AC-rt66u router running dd-wrt. It has an ip address of 192.168.0.26, and all of my clients on the LAN are static IPs, pointing to that router (0.26) as the gateway, and to my primary DC for dns (0.2). I have tried changing the gateway on my server to point to pfsense (0.41), as well as trying another PC set to dhcp... neither one will reach the internet. The odd thing is... when I do an ipconfig /release/renew on a dhcp machine, it renews with the old gateway address (0.26), despite it being turned off and disconnected entirely from my network. Am I missing something? Have you got the pfsense lan interface set up with the default ip address range, i.e. 192.168.1.1, or have you changed the lan interface to 192.168.0.26 to be identical to your old router?
  • Strange problem, network devices sometimes not accessible

    2
    0 Votes
    2 Posts
    626 Views
    A
    I'm a little bit further, after giving my laptop a static IP. In most cases all APs are accessible but not pfsense. There is one thing: when I ping them there is sometimes a timeout, and most of the time the ping time is at 250 ms.
  • DNS Resolver vs Standard DNS servers

    6
    0 Votes
    6 Posts
    2k Views
    johnpozJ
    "So the performance hit of the resolver walking the chain is not actually all that significant" Exactly, and the resolver will cache it as well for the ttl of whatever it is you looked up, so for the guy next to you also using your resolver who wants to get to www.pfsense.org, the resolver doesn't have to look it up again. But if you have sites that have low ttls and shitty dns servers there can be a hit now and then when you first go to look it up, your browser times out on it, etc. Whereas if it's popular, lots of users hit it with the common forwarder you're using - which is normally like 1000's and 1000's of ISP customers vs just the handful of machines using your resolver. As stated, out of the box pfsense blocks all unsolicited inbound traffic - so nobody can query your resolver from the outside unless you open up the firewall and even have your resolver listen on your wan. You can pick what interfaces it listens on in the pfsense page for it. Why should it even listen on your wan??? I would not use a forwarder unless you wanted to leverage filtering they provide, or you have a really shitty network connection and doing all the dns yourself ends up being slower than just asking your isp dns.
  • Pfsense dramatically reducing broadband speed

    8
    0 Votes
    8 Posts
    2k Views
    ?
    Our hardware is a LinITX ALIX 2D3 LX800 (3NIC+USB) pfSense Firewall Kit. Pretty old, but it is able to deliver around 80 MBit/s for normal. As told before, the modem is having a duplex mismatch perhaps and is connected only with 10 MBit/s! Other services are narrowing down the throughput, like Snort, Squid & SquidGuard, ClamAV. The pfSense should be activating MSS clamping perhaps. DNS entries are false, misconfiguration at some points?
  • 0 Votes
    1 Posts
    409 Views
    No one has replied
  • POODLE implications?

    16
    0 Votes
    16 Posts
    11k Views
    D
    http://www.sigma.zone/2015/03/securing-ssl-cipher-suite-in-pfsense.html looks like a working one; Qualys gives grade B. It's for Squid 3 reverse proxy.
  • 0 Votes
    2 Posts
    623 Views
    F
    This is a phishing bump.  8)
  • Pfsense & Hosted VoIP

    4
    0 Votes
    4 Posts
    1k Views
    F
    @LouisFD: I am just wondering if anyone has ever experienced anything like this before or if there is any configuration settings we may be able to try. If you can find out what voip system they are using, that might help you track down the problem. E.g. in freeswitch, an opensource voip system which can do landlines as well, like Asterisk, you tend to have the name associated with the extension DID, e.g.: <variable name="effective_caller_id_name" value="Mike or Sales"/> <variable name="effective_caller_id_number" value="1001"/> https://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#Alphanumeric_to_numeric_user_mapping But you can have DID/extensions associated with call groups, hunt groups and so on. Until you can find out just how they are associating names to an extension, there could be any number of possibilities in play. For example, do you have your workstations plugged into the phones to minimise cabling, and do you run vpn's for file sharing between offices? Have you switched on logging in various rules in pfsense to follow the traffic in the fw logs? If you get nowhere with that, try swapping out pfsense for a basic ISP supplied router (if you have any) and see how things work then for a short period of time once the problems show up. If it persists, it's easier to point the finger back to the VOIP host.
  • Performance with- and without pfsense

    25
    0 Votes
    25 Posts
    4k Views
    J
    comparing SAP and pfSense is a major category mistake. SAP Business One costs $2,975 per-user up front, and then 18% of total software cost on an annual, go forward basis. This is a pfSense board.  We are not here to discuss SAP, nor your education, nor your CISSP/CCNA/CCNP/CCIE/PhD/…, nor the "dismal science". Keep it on-topic.
  • Pfsense on Static IP address

    3
    0 Votes
    3 Posts
    1k Views
    KOMK
    His problem is that he is specifying a gateway for LAN.  I already answered him here.  I have no idea why he posted this again when he already had his solution.
  • What is the biggest attack in GBPS you stopped

    Locked
    737
    0 Votes
    737 Posts
    729k Views
    J
    This topic is now locked.
  • Firewall reboot alone Failure

    2
    0 Votes
    2 Posts
    936 Views
    D
    Sounds like you should fix your COM port speed in PuTTY to get more useful screen output.
  • Easiest way to separate a network.

    9
    0 Votes
    9 Posts
    1k Views
    N
    DNS is enabled now with TCP/UDP and it is working thanks guys!
  • Create Full Backup script questions

    2
    0 Votes
    2 Posts
    752 Views
    P
    The configuration of everything is in config.xml including package settings. The trickier part of really being "ready to go" with the backup system is that you need to get the actual package code/binaries onto it. If it happens to use DHCP on WAN then you can plug it in somewhere that is not the live office LAN (because that IP range will already be on the LAN side of the backup device) and let it get DHCP. Then you can do an upgrade of pfSense to the latest version and let it install all the packages… while it is running a copy of your real config.xml. If the production WAN settings are some static IP or PPPoE or... then it only works when connected to your production ISP link. You have to either: a) Modify the WAN settings to get it internet access from somewhere, do the upgrade, package installs, change the WAN settings back to (hopefully) the correct ones for production, or; b) Take the production system offline for a bit (downtime), put the backup system in place, upgrade the backup with package installs..., shutdown the backup spare and put the production back online. It is all a bit tricky to get a full operative cold spare installed and completely ready-to-go in a reliable way without interrupting production. Maybe someone else has a good method for this?
  • 2.2.3x64 not recovering from dropped WAN connection.

    1
    0 Votes
    1 Posts
    409 Views
    No one has replied
  • Uploaded private key that was encrypted … can't access web interface

    5
    0 Votes
    5 Posts
    806 Views
    S
    Resetting the LAN ip worked.  Thanks much.
  • MOVED: Rancid & Pfsense 2.2.2 spawn ssh

    Locked
    1
    0 Votes
    1 Posts
    587 Views
    No one has replied
  • Outgoing VPN connections only allow 1 x user to connect

    15
    0 Votes
    15 Posts
    6k Views
    N
    @cmb: They may have a standard of requiring a static IP, or have equipment where it isn't possible to configure it without one. Yep - one of the above is true.  They are insisting on a static IP before they'll set the tunnel up. Thanks, Frank
  • Different traffic data - vnstat and mailreport

    1
    0 Votes
    1 Posts
    578 Views
    No one has replied
  • Diagnostics: Crash reporter

    9
    0 Votes
    9 Posts
    1k Views
    R
    Well, you made a good point. Thank you very much for support.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.