• Prevent interface from coming up on boot

    16
    0 Votes
    16 Posts
    3k Views
    P
    @Derelict: You might need to https://portal.pfsense.org/support-subscription.php  They'll know. I still think you should consider spanning tree.  Once the topology is established, in my experience RSTP converges in fractions of seconds and is a viable HA solution at layer 2, given multiple L2 paths to the same destination. I am admittedly out of my lane and am going to merge right. You may be right. What I'm trying to do is a little out of the norm. I'll give spanning tree a look and see how it impacts fail over speed. Maybe it'll be acceptable. I don't feel like it's the most elegant solution, but it may do the job. In the meantime, if I can figure out how to down the bridge on boot up, that would be the ideal solution. Maybe someone else might chime in with a solution. I appreciate you spending so much time trying to help. It's very appreciated! Thank you.
  • 0 Votes
    9 Posts
    4k Views
    D
    Why not use the package DANSGUARDIAN, if you can figure it out.  To me the package is over complicated at best.
  • SB6121 giving pfSense Private IP

    9
    0 Votes
    9 Posts
    3k Views
    johnpozJ
    If you don't want to look at the sniff of when you get an IP, look at the lease in pfsense. In /var/db you should see a dhclient.interface file, so for example:

    lease {
      interface "em0";
      fixed-address 24.13.xx.xx;
      option subnet-mask 255.255.248.0;
      option routers 24.13.xx.xx;
      option domain-name-servers 75.75.75.75,75.75.76.76;
      option host-name "pfSense";
      option domain-name "hsd1.il.comcast.net.";
      option broadcast-address 255.255.255.255;
      option dhcp-lease-time 345600;
      option dhcp-message-type 5;
      option dhcp-server-identifier 69.252.202.7;
      renew 4 2015/5/28 16:46:18;
      rebind 6 2015/5/30 04:46:18;
      expire 6 2015/5/30 16:46:18;
    }

    From there you can see the dhcp server, see how mine is 69.252.202.7. But a sniff shows you the whole picture.
  • FreeRADIUS with External Script

    1
    0 Votes
    1 Posts
    565 Views
    No one has replied
  • MOVED: Squid error

    Locked
    1
    0 Votes
    1 Posts
    363 Views
    No one has replied
  • Port 137 flooding - Any ideas?

    10
    0 Votes
    10 Posts
    3k Views
    B
    Yeah, it is generally important that traffic on ports 137/138 and 445 never leave the WAN interface to your ISP, as this also opens some holes in the firewall….. I just had here the case, that in my test environment my WAN interface was in productive LAN. In my test LAN behind the pfsense I was able to browse the shares outside of my WAN interface  ;D Incoming traffic was blocked at all, except 443 to pfsense. So if your computers talk to the computers outside in internet .... they answer. You may not like all these answers ;-D And the firewall will let the answer through .... as your LAN computer opened the session.
  • Enabling DTrace

    6
    0 Votes
    6 Posts
    2k Views
    T
    Hummm… yeah, you're right.  The dtrace kernel modules might not be there for dtrace to access.  I got the following error:

    dtrace -l | grep 'syscall.*read'
    dtrace: failed to initialize dtrace: DTrace device not available on system

    Kind of makes it a bit more challenging to gather data....
  • What can my firewall Handle

    6
    0 Votes
    6 Posts
    1k Views
    T
    @heper: @Harvy66: Just picking one of the high end ASA boxes, ASA 5555-X, it has pretty bad specs.
    4Gb/s under ideal conditions
    1.5Gb/s of stateful multi-protocol traffic
    700Mb/s of VPN
    1.1m PPS
    1mil sessions
    $10k for something that amounts to an Intel i3/i5 is willful highway robbery. You're probably paying for a mix of brandname and support. Having someone to point the blame-finger at is a form of job security, even if you pay 10x for it.

    depending on the type of vpn … no simple i3 or i5 will push 700mbit over openvpn easily. also depending on cpu 4GB/s of throughput isn't all that easy if all that has to be NATTED as well. (NAT on pf is still singlethreaded afaik) so while it shouldn't be all that difficult to build a system for half (or a quarter) the price of your cisco  ... i don't see it happening on a cheapo i3

    I actually have an i3-2100 box that does incredibly well under those loads (with the exception of the OpenVPN metric, I will test that this week just to see).  The CPU barely blips.  My specs are in my sig.  $400 box. I know that I can put 4.8M states on the box and set the upper limit to 8M states just for kicks.  NAT was enabled. As Supermule noted, there is an underlying bug somewhere that we are aggressively trying to find.  I have my theories and am collecting more data to validate them. Also, pfSense is based on FreeBSD, which is not Linux.
  • Merging uplink and downlink traffic to a single monitor port

    2
    0 Votes
    2 Posts
    449 Views
    H
    no clue but …. please use your switches to create mirror ports. using a PC to be a switch is a bad idea every time. PC hardware has serious issues duplicating/switching a massive amount of packets, ASICs in switches do it without breaking a sweat.
  • Limiter is not working in pfSense 2.2.2

    4
    0 Votes
    4 Posts
    1k Views
    H
    all open issues with word "limiter" in title: http://tinyurl.com/pcrgqb9 (had to use a url-shortener service, because the forum didn't like a zillion character url between its brackets )
  • Two links multi IPs

    1
    0 Votes
    1 Posts
    539 Views
    No one has replied
  • Using public optimum hotspot for WAN

    3
    0 Votes
    3 Posts
    874 Views
    T
    I am an Optimum customer (business and home), and you can do what you're trying to do.  However, there are some challenges. If the camera is behind a firewall, you can create a persistent VPN tunnel from one to the other (assuming both FW can create tunnels). Your cameras would probably be able to get onto Optimum, but you're screwed with the authentication unless you register the devices with Optimum.  This can be done via the web interface on your account or when the device joins the network.  I am not aware of any camera that supports web-based authentication like what Optimum requires, so that might be a deal breaker.  You'd need to be able to get the devices onto the network and manage that re-authentication somehow.  Optimum designed the WiFi public network to prevent people from hopping onto it and consuming a ton of bandwidth, so assume you'll probably get throttled and disconnected after a certain amount of time.  That's by design. I'd also suggest going to http://www.dslreports.com/forum/ool and asking the question there.  You'll get some answers to your question, and of course you'll attract some trolls.  But for the most part, you'll get the best Optimum-specific answers to your questions regarding their service.  OOL resources regularly read the forums, and sometimes there's a chance you'll get a PM from one.
  • SIP Phone Losing Registration

    3
    0 Votes
    3 Posts
    786 Views
    A
    Have you tried changing the firewall optimization options from normal to conservative?  It's located on the System--Advanced--Firewall/NAT tab.  This is recommended by another SIP PBX vendor for use with their system.
  • MOVED: Vouchers questions

    Locked
    1
    0 Votes
    1 Posts
    419 Views
    No one has replied
  • Wireless ap client list from within pfsense?

    3
    0 Votes
    3 Posts
    699 Views
    DerelictD
    Other than DHCP leases, etc, you are looking for functionality typically found in a wireless controller.
  • Additional lan port

    2
    0 Votes
    2 Posts
    507 Views
    DerelictD
    https://doc.pfsense.org/
  • Losing RRD graphs

    1
    0 Votes
    1 Posts
    500 Views
    No one has replied
  • DMZ like IP sharing and Limiter - Is it possible?

    17
    0 Votes
    17 Posts
    2k Views
    A
    When I said port in "port based limit", I meant switch interface.  I specifically did not mean anything like TCP port 80, or 443 or UDP 5060. Using a switch upstream of the two edge devices and limiting your ingress and egress to the two interfaces is so simple, and it does everything you want. I'm a big believer in: A) Use the right tool for the job. B) Keep it Simple, Stupid. My test, was speedtest.net.  Simple, effective, TCP 80 HTTP test.  The ISP that provides 20Mb bandwidth to my office uses the same kind of limiter, on a Catalyst switch.  I pump all kinds of TCP, UDP and who knows what else through that pipe.
  • Netduma Router

    1
    0 Votes
    1 Posts
    545 Views
    No one has replied
  • PfSense 2.2 ovh failoverip (gateway outside subnet)

    4
    0 Votes
    4 Posts
    5k Views
    K
    This is how I setup OVH with pfsense 2.2

    OVH networking setup
    1. Add a failover IP in OVH console (y.y.y.y)
    2. Create a virtual mac in OVH console for failover IP

    VMWare setup
    3. Edit the vm guest nic settings.  On the network adapter in vmware, change it to manual and give it the virtual mac assigned from step 2

    PFsense setup
    4. The failover ip from step 1 is the nic ip (y.y.y.y).  The gateway is the primary OVH server IP with 254 for last Octet (x.x.x.254).  Subnet mask is 32. Pfsense will complain in command line setup of networking.  Just set this up in GUI.
    5. The following lines can be added from the shell (option 8 from command prompt in Pfsense) - the first time you setup pfsense.  They are needed to make the default gateway work because it is not on the same subnet.
    6. route add -host x.x.x.254 -iface vmx0 (or whatever interface you have)
       route add default x.x.x.254
    7. To add them to pfsense so it works after reboot, install the shellcmd package for pfsense.  Add them in the same order as above.  The type is shellcmd
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.