• DSCP value

    5
    0 Votes
    5 Posts
    1k Views
    jimpJ
    Currently pfSense can only match DSCP, not set. Setting is up to the endpoints.
  • 0 Votes
    5 Posts
    1k Views
    D
    CPU utilization is at 6%, I also just noticed I do not have a PCI Express NIC card in there. I just ordered one so will see if that makes a difference. David
  • How to enable Whatsapp Calls

    4
    0 Votes
    4 Posts
    3k Views
    F
    Here's what I do. Firstly I prevent anything from getting out onto the internet, next I monitor the fw logs to see what's talking, I then identify what's talking and if I want to allow it, I create a rule to allow it. Now creating a rule could mean creating an alias which has one or more domain names/sub domains in, which makes it easy to add to once the alias is set up in one or more rules. It's a good way to troubleshoot problems as well as see what devices on a network are talking to each other. I've never used WhatsApp, but do you know if it initiates the communication in any way or is a separate service giving away your location to the WhatsApp servers and then they try to connect to you through a port they expect to be open?
  • New pfSense setup with DMZ

    15
    0 Votes
    15 Posts
    8k Views
    1
    I don't think it's a bad idea as long as there's a proper firewall. In my setup, the bridge had a firewall so no traffic was reaching the public IPs unless I allowed it. Of course, I will not go with the bridge for other reasons but the servers were not wide open. If I get the chance to route our own IP addresses pfSense will still play the role of a firewall in front of them which is exactly what I'd like. With VIPs I need to assign a public IP, a private IP and set firewall rules. With directly attached public IPs I don't need to manage another private subnet. Our servers are mainly Unix, we have enough public IP addresses to assign one to each server and changing IP addresses would be quite easily done with Ansible. While I would like to have our subnet routed using our HW, I think it will take more time than I have. So VIPs are now my main option, but I will bring this up with our ISP.
  • Does a small business ( <30 devices ) need pfsense?

    17
    0 Votes
    17 Posts
    6k Views
    C
    @BlueKobold: Where the ISP-provided cheap modem in that case is faster, can reach near the gigabit speeds.. In normal a modem is not doing SPI, NAT and passing firewall rules! So for sure the ordinary modem must be even faster, this is a must be! Not true, the modem is doing NAT in that case. And it has some basic SPI functionality as well. Keep in mind we're talking about single-stream throughput, the easiest case. I don't know how well those would stand up across much larger numbers of simultaneous connections. @BlueKobold: ….where a 4860 tops out at 700ish Mbps on PPPoE in that circumstance because it's stuck to one core. With SPI and NAT you will lose even something around 3% - 5% of the whole throughput, depending on your hardware for sure. But often with other hardware I really think this would be not the end of the line, with a Xeon E3-1286v3, much ECC RAM and an Intel server network adapter it would be also able to achieve more throughput, but also holding the level of security! Sure, in that case all you need is a CPU that has faster cores, so a single core can handle a higher traffic rate. I have no doubt a new Xeon would easily max out a 1 Gbps link in the PPPoE scenario (at least with large-ish packets, not at purely 64 byte frames). But that's also an unreasonably expensive firewall/router box for home and SMB uses. It's not true in general that you'll lose any throughput from SPI or NAT, as long as your system's adequately fast for your connection speed. We're talking microseconds of processing time from arrival of a packet on the LAN NIC to it exiting the WAN NIC, as long as there is CPU capacity to spare. That's such a tiny portion of your latency to any Internet destination it has no measurable impact. It's far less than just the jitter to close Internet destinations on high quality connectivity.
  • Auditing Firewall Admins

    4
    0 Votes
    4 Posts
    1k Views
    C
    We don't include the FreeBSD auditing system bits, but that's probably not what you're looking for anyway. Just looking for review of changes? The config history that muswellhillbilly mentioned is a built-in way. Ideally you'd want something outside of that as well, like storing your configs in a central revision control system where you have indefinite length history.
  • Syslogd exited on signal 11 (core dumped)

    4
    0 Votes
    4 Posts
    2k Views
    C
    You can use gdb to analyze it. Could you get that file to me? Upload it somewhere and send me the URL privately, or if zipped it's less than 25 MB, email to cmb at pfsense dot org.
  • RRD empty

    1
    0 Votes
    1 Posts
    529 Views
    No one has replied
  • Can't figure out why a few workstations are dropping packets

    12
    0 Votes
    12 Posts
    2k Views
    ?
    Sounds like a Gateway or DNS problem. If you connect to another router all is running fine as you described, is this right? Then I really think you should search in the DNS direction at first.
  • Console menu not available 2.2.3..gui as well

    2
    0 Votes
    2 Posts
    657 Views
    D
    Press Enter. In case you did protect the console with password, then log in.  :P
  • Moving Config from embedded to full.

    7
    0 Votes
    7 Posts
    1k Views
    D
    @nacam: Once the PC comes back from reboot after restore I get the "F1 Pfsense" prompt, then I get a spin or two and then freezes at "|".  PFSense boots fine and seems to be okay until I restore…. https://doc.pfsense.org/index.php/Boot_Troubleshooting
  • XSplit

    3
    0 Votes
    3 Posts
    1k Views
    S
    No - haven't tried that.  But it should be working!!
  • 0 Votes
    10 Posts
    3k Views
    ?
    Please don't recommend people to bridge interfaces in a ROUTER.. Who was doing so? In normal there is a very clear outspeak over this or so called golden rule: "Router if you can and bridge if you must" But at this days where many boards were out with a so called bypass option or function likes the most C2x58 boards are delivering, it will be only in some rare cases with urgent need a solution. A VLAN capable Switch with 5 GB LAN Port is at the cost of 25 € and so the need of bridging is far away in this situation. Take a look around the board at all the bridging nonsense I really consider with this! They get a router with couple of ports in and they think it's a home router with switch ports… Not really in my eyes, it attends more on the wish of many users to have transparent firewall and in earlier days this would be done by setting up a LAN NIC in a so called "promiscuous mode", but as described above alone Supermicro is selling 5 Boards with a so called "bypass function" with 5 and 7 GB LAN ports and switches becomes more common also for the home usage. And at least we will see 90% of all this bridgers back in a forum and starting threads like; My ports are flapping; My NIC is lacking; My throughput decreases; Router/Firewall is becoming more unstable; And what ever, so yes you're really right not to be speaking about "bridges"!
  • Multiple proxy servers on one pfsense box

    4
    0 Votes
    4 Posts
    2k Views
    M
    You can install Dansguardian, which can be used in conjunction with Squid Proxy to transparently authenticate via Windows Active Directory. You can then set Dansguardian to assign different proxy policies dependent on which Windows AD groups the user belongs to. I've done this using Dansguardian/Squid on a separate proxy system, although I believe this is also possible using the same Dans/Squid combination on pfSense itself. If your teachers and students are all using Windows logins, then this might be the more elegant way forward. I've found this link pointing back to this forum about two years ago. It might help point you in the right direction: https://forum.pfsense.org/index.php?topic=58700.0
  • A Dumb Question

    7
    0 Votes
    7 Posts
    1k Views
    ?
    I have been looking into using pfsense and I have a few questions. This is strictly from a home user point of view  :) This is the hardest group of customers in my eyes! They often don't know what they want and really need, play with all given features, options and functions and all not going fast enough as they expect it. You have to use a modem. You'd want to use a good one. For sure with any lazy home plastic crappy home router you have to do so too, or? But it is integrated. If you had a good modem/router why would you need a pc for dhcp and routing ? Who is telling you that a PC is needed? A small embedded board will do the job mostly better than the best atomic home routers. So please don't compares apples and pears!!! The pfSense is like a real UTM device, and a home router is really thin and dumb to configure from everybody without a pain! pfSense would be able to pimp up and tune for so many things that it is really dumb to compare it to a home router. They have different fields of work where they will be placed inside. If you wanted to use it as a firewall there are plenty of hardware firewalls that are cheaper than or as cheap as pc's. For sure they are cheaper and offering each only a smaller or greater bunch of options, features or functions. But once more again pfSense & SquidGuard & Squid & HAVP & openDPI & Snort & FreeSwitch can be a; TrafficShaper, UTM device and HTTP proxy with AV Scan and AntiSpam, and this is not offered by a firewall from the rod. You could also install pfsense on a vm on your own computer. This is in my eyes one option more than another firewall will be able to serve you. I know I'm missing something here. Can somebody explain ? When the school holidays are ending? Mostly and urgent it is likes this; The router must fitting your needs and must matching reaching your goals! This is the most important thing in my eyes.
If you need a plain router with only SPI & NAT and some action above you go often with RouterOS, OpenWRT or DD-WRT. FreeWRT is EoL. If you need more you could search for an easy to use firewall likes the following, IPCop, IPFire, ZeroShell, fli4l or pfSense. m0n0wall is EoL If you need a real UTM device related to AVScan, AntiSpam and HTTP Proxy you will perhaps trying out, Untangle, IPFire, ZeroShell, or pfSense. If you need a really big router and BGP is in the game you often go by using OpenBSD & OpenBGPD, Quagga or Vyatta. Zebra is EoL. If you need redundancy and really balancing the whole load over more than one WAN interface on more than one Box you will be perhaps happy by using OpenBSD and ARP balance over CARP and if only thin redundancy is needed try pfSense. So as you can see from the lowest bottom to the highest top, pfSense is able to run for you, it is only depending on the Hardware you are able to buy and run. You are able to grab the oldest hardware from the electric dump court or the latest Xeon D-1540 platform from Supermicro and pfSense runs on it.
  • Inspect queues in realtime

    4
    0 Votes
    4 Posts
    785 Views
    N
    https://forum.pfsense.org/index.php?topic=94761.msg527361#msg527361 @Nullity: You can use tcpdump on pflog and see what rule matches each packet, assuming logging is enabled. something like "tcpdump -lnettti pflog0". I usually use pftop via terminal/SSH. Check out OpenBSD's pf documentation. The lesser known features can usually be found there.
  • SMTP E-Mail

    6
    0 Votes
    6 Posts
    1k Views
    M
    Could be pretty much any number of things. Have you checked that your DNS settings are correct? Try running a 'dig' or 'nslookup' from a command shell on the pfSense to see if the MX for your target address is showing up. If that works, try running a telnet to the MX host for your target address on port 25 and see if you can send a test message from there. The process is, by example: 'telnet target-host-ip 25' 'helo me' 'mail from:test@email.com' 'rcpt to:target@address.com' 'data' 'Hello - just a test message' '.' Include the full stop after the 'Hello' line to initiate the send. If this doesn't work then you may get a clue as to why your emails aren't arriving, such as the encryption issue KOM mentioned, or possibly that the receiving host is rejecting the message due to an anti-spoofing error.
  • Instagram and Snapchat Not loading on my android device

    11
    0 Votes
    11 Posts
    11k Views
    L
    @KOM: upon reading some other forums on TCP:FA connections in pfsense I have found out that the problem was the firewall was set to block these connections. TCP:FA (FIN ACK) is an acknowledgment of a TCP teardown request.  pfSense does not block TCP:FA by default.  It was an out-of-state packet that got rejected by the firewall because the state it belonged to was already considered closed due to the teardown.  The TCP:FA was seen as a new connection attempt, and blocked by WAN rules. Thank you for explaining this further. Yes this was my particular problem and it is now resolved. Thanks to all of you for your recommendations and support @tim.mcmanus: I do have my firewall set to conservative, so that's probably why my monitoring system didn't go aggressive on me. And Tim yes that's probably why you have no problems! Lol thanks for your support
  • Firewall (1/2?) down

    3
    0 Votes
    3 Posts
    896 Views
    H
    Thank you very much for your detailed reply. Unfortunately, I had already shutdown, re-imaged and restored.  Thankfully, I had a very recent backup. I'll get the 2.2.4-DEVELOPMENT snapshot installed tomorrow am.  Can't have any more down time today if it can be helped. Do you happen to know if 2.2.4 has any more fixes for Multi Tunnel IPSEC, I still have the same rekey issues since 2.2.1, which is why I tried 2.2.3. Thanks again. Tony
  • Compiling pfSense and some more thoughts

    18
    0 Votes
    18 Posts
    3k Views
    M
    Thanks to everyone taking the time to read and respond to my overly long posts. As of now everything is working great! But I always have new questions…. "The Dude" is all of a sudden picking up a node with gigabits of traffic on a node ending with *.255 (see attachment). Is this something internal to pfSense? DNS (unbound)? My actual pfSense box is 192.168.3.1. Any and all suggestions appreciated :) Simon ![Skjermbilde 2015-07-15 16.44.04.png](/public/imported_attachments/1/Skjermbilde 2015-07-15 16.44.04.png)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.