• DNS Resolver vs Standard DNS servers

    6
    0 Votes
    6 Posts
    2k Views
    johnpozJ
    "So the performance hit of the resolver walking the chain is not actually all that significant" Exactly and the resolver will cache it as well for the ttl of whatever it is you looked up, so the guy next to you also using your resolver that wants to get to www.pfsense.org the resolver doesn't have to look it up again.  But if you have sites that have low ttls and shitty dns servers there can be a hit now and then when you first go to look it up your browser times out on it, etc. Where if it's popular and lots of users hit it with the common forwarder you're using - which is normally like 1000's and 1000's of ISP customers vs just the handful of machines using your resolver. As stated out of the box pfsense blocks all unsolicited inbound traffic - so nobody can query your resolver from the outside unless you open up the firewall and even have your resolver listen on your wan.  You can pick what interfaces it listens on in the pfsense page for it.  Why should it even listen on your wan??? I would not use a forwarder unless you wanted to leverage filtering they provide, or you have a really shitty network connection and doing all the dns yourself ends up being slower than just asking your isp dns.
  • Pfsense dramatically reducing broadband speed

    8
    0 Votes
    8 Posts
    2k Views
    ?
    Our hardware is a LinITX ALIX 2D3 LX800 (3NIC+USB) pfSense Firewall Kit Pretty old but it is able to deliver around 80 MBit/s for normal. As told before the modem is having a duplex mismatch perhaps and is connected only with 10 MBit/s! other services are narrowing down the throughput like Snort, Squid & SquidGuard, ClamAV The pfSense should be activating MSS clamping perhaps. DNS entries are false misconfiguration at some points ?
  • 0 Votes
    1 Posts
    409 Views
    No one has replied
  • POODLE implications?

    16
    0 Votes
    16 Posts
    11k Views
    D
    http://www.sigma.zone/2015/03/securing-ssl-cipher-suite-in-pfsense.html looks like working one qualys gives grade B it's for squid 3 Reverse Proxy
  • 0 Votes
    2 Posts
    623 Views
    F
    This is a phishing bump.  8)
  • Pfsense & Hosted VoIP

    4
    0 Votes
    4 Posts
    1k Views
    F
    @LouisFD: I am just wondering if anyone has ever experienced anything like this before or if there is any configuration settings we may be able to try. If you can find out what voip system they are using that might help you track down the problem. EG in freeswitch an opensource voip system which can do landlines as well, like Asterisk, you tend to have the name associated with the extension DID, eg: <variable name="effective_caller_id_name" value="Mike or Sales"/> <variable name="effective_caller_id_number" value="1001"/> https://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#Alphanumeric_to_numeric_user_mapping But you can have DID/extensions associated with call groups, hunt groups and so on. Until you can find out just how they are associating names to an extension, there could be any number of possibilities in play. For example, do you have your workstations plugged into the phones to minimise cabling and do you run vpn's for file sharing between offices? Have you switched on logging in various rules in pfsense to follow the traffic in the fw logs? If you get nowhere with that, try swapping out pfsense for a basic ISP supplied router (if you have any) and see how things work then for a short period of time once the problems show up. If it persists it's easier to point the finger back to the VOIP host.
  • Performance with- and without pfsense

    25
    0 Votes
    25 Posts
    4k Views
    J
    comparing SAP and pfSense is a major category mistake. SAP Business One costs $2,975 per-user up front, and then 18% of total software cost on an annual, go forward basis. This is a pfSense board.  We are not here to discuss SAP, nor your education, nor your CISSP/CCNA/CCNP/CCIE/PhD/…, nor the "dismal science". Keep it on-topic.
  • Pfsense on Static IP address

    3
    0 Votes
    3 Posts
    1k Views
    KOMK
    His problem is that he is specifying a gateway for LAN.  I already answered him here.  I have no idea why he posted this again when he already had his solution.
  • What is the biggest attack in GBPS you stopped

    Locked
    737
    0 Votes
    737 Posts
    729k Views
    J
    This topic is now locked.
  • Firewall reboot alone Failure

    2
    0 Votes
    2 Posts
    935 Views
    D
    Sounds like you should fix your COM port speed in PuTTY to get more useful screen output.
  • Easiest way to separate a network.

    9
    0 Votes
    9 Posts
    1k Views
    N
    DNS is enabled now with TCP/UDP and it is working thanks guys!
  • Create Full Backup script questions

    2
    0 Votes
    2 Posts
    752 Views
    P
    The configuration of everything is in config.xml including package settings. The trickier part of really being "ready to go" with the backup system is that you need to get the actual package code/binaries onto it. If it happens to use DHCP on WAN then you can plug it in somewhere that is not the live office LAN (because that IP range will already be on the LAN side of the backup device) and let it get DHCP. Then you can do an upgrade of pfSense to the latest version and let it install all the packages… while it is running a copy of your real config.xml. If the production WAN settings are some static IP or PPPoE or... then it only works when connected to your production ISP link. You have to either: a) Modify the WAN settings to get it internet access from somewhere, do the upgrade, package installs, change the WAN settings back to (hopefully) the correct ones for production, or; b) Take the production system offline for a bit (downtime), put the backup system in place, upgrade the backup with package installs..., shutdown the backup spare and put the production back online. It is all a bit tricky to get a full operative cold spare installed and completely ready-to-go in a reliable way without interrupting production. Maybe someone else has a good method for this?
  • 2.2.3x64 not recovering from dropped WAN connection.

    1
    0 Votes
    1 Posts
    409 Views
    No one has replied
  • Uploaded private key that was encrypted … can't access web interface

    5
    0 Votes
    5 Posts
    805 Views
    S
    Resetting the LAN ip worked.  Thanks much.
  • MOVED: Rancid & Pfsense 2.2.2 spawn ssh

    Locked
    1
    0 Votes
    1 Posts
    587 Views
    No one has replied
  • Outgoing VPN connections only allow 1 x user to connect

    15
    0 Votes
    15 Posts
    6k Views
    N
    @cmb: They may have a standard of requiring a static IP, or have equipment where it isn't possible to configure it without one. Yep - one of the above is true.  They are insisting on a static IP before they'll set the tunnel up. Thanks, Frank
  • Different traffic data - vnstat and mailreport

    1
    0 Votes
    1 Posts
    578 Views
    No one has replied
  • Diagnostics: Crash reporter

    9
    0 Votes
    9 Posts
    1k Views
    R
    Well, you made good point. Thank you very much for support.
  • LAN Inception?

    6
    0 Votes
    6 Posts
    1k Views
    ?
    @pfBug If the Modem/Router in your small drawing is a real router from the ISP and it is making also DHCP it could be that your pfSense will be getting even a new IP address as WAN IP! This is really not so good and luckily like it perhaps sounds to you. From my point of view you could go now two different ways, that will fit your needs and solve the problem. If your switches are only plain unmanaged switches the pfSense as a firewall would not really making sense at this place you are setting it up for my understanding, sorry but therefore it should be one VLAN where only the router and the pfSense is in. If there are no other devices are connected to this switches and only behind the pfSense then it would be running smooth. Set up the ISP or border Router in the so called "bridge mode", so that he is acting only as a modem And then connect the pfSense WAN Port to the LAN Port 1 of this device, that's it. If this router is then acting only as a modem, there will be no DHCP and WLAN or other services in normal. Set up a router cascade or double NAT would be running straight without any problems. But we must know this first, that is this a modem or a router or a router acting as a modem! Disable DHCP there on the first router, setting up a static IP at the WAN interface at the pfSense. As an example: ISP Router: Net: 192.168.178.0/24 (255.255.255.0) IP: 192.168.178.1/24 DHCP: off pfSense WAN: WAN IP: 192.168.178.254/24 (255.255.255.0) DNS 1: 192.168.178.1/24 DNS 2: empty pfSense LAN: pfSense net: 172.16.1.0/24 pfSense Gateway IP: 172.16.1.1/24 DHCP range: 172.16.1.2 - 172.16.1.254/24 DHCP on:
  • Pfsense 2.2.3 with ubiquiti rocket m5 as an AP~wisp setup

    2
    0 Votes
    2 Posts
    850 Views
    T
    Do you want laptops and smartphones connect to your rocket M5?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.