Yes, the same mechanisms work on NanoBSD and a full install, the only difference is that if you edit files on the NanoBSD filesystem you have to flip it to Read/Write mode first.

If an External IP that is in the NAT 1:1 is disabled, why is it pingable? I assume you have IP aliases for these public IP addresses you're using?  I also assume you have a WAN rule that allows ICMP with a Destination of *?  I don't believe that removing the NAT affects whether you can ping the public address or not.

Yes my WAN is DHCP and I have absolutely no packages installed.  This is why I am a tad stumped as to what could be wrong here.

0.0 interface what interface is that .0 is normally not a valid host address unless for example you were using /23 vs /24  And it wouldn't be valid in your setup with 192.168.0.?  192.168.0.0 would be the network not a host address. Windows by defaults blocks pings from networks other than the local network..  So while if machine A was on 192.168.1.14/24 and other machine was at 192.168.1.15/24 they could ping each other, but when you move one to 192.168.2.14/24 then the local firewall would block it. How about answering my question.. Can the box on 192.168.2.x ping the pfsense IP at 192.168.2.110 ? Can the 2.x box talk to the internet?  Can you post the ipconfig /all from these 2 machines?

Yes, I can always remove the team. However now I'm curious because I have a NAS that has an adaptive load balanced nic team with 2 nics. No log entries from that nic team - however that is running Linux. This machine has windows. Interesting…. Thanks for the help! :-)

@johnpoz: If you bridged 4 ports together you would have a "HUB".. Since all packets seen on 1 port would go out all the other ports.. This is how a bridge works.. Not true with our bridges, they learn MACs the same as a switch and send traffic accordingly just like a switch. The "use an actual switch" mentality is largely for performance reasons. People tend to show up wanting to use some Pentium III they pulled from a dumpster with a handful of crap Realtek NICs shoved in it then wonder why they can't push a gigabit of traffic between internal hosts. Firewalls aren't switches. In some limited circumstances, where you don't care about performance between internal hosts much, and require filtering between every internal host, it's a fine idea. People just tend to expect it to work the same way as the switch built into their consumer router, and it's not the same at all. Huge diff between multiple NICs in a firewall or router and a switch.

@kiyu: …as I mention I have no idea about it.. ... State your hardware, draw a logistical network diagram. Write an operational specification for the flows. Prepare to rewrite the pfSense config. Meanwhile temporary you have to block all WAN's ingress to (22,80,443) or do at least [System: Advanced: Admin Access (TCP port)] not on 80 or 443 as doktornotor said already.

You can actually do both… In Unbound or dnsmasq, create a Domain override. Also use pfBlockerNG to download the most recent IPs automatically daily/weekly as required. Hurricane Electric is a great source to collect IPs for almost any site.

You must be on nano version judging by that, or else have /var/ enabled as a RAM disk. You can't run MySQL on nano or where /var is a RAM disk. Running MySQL on the firewall at all is probably a bad idea too, better to keep server roles on servers.

I don't think so. A roundabout way might be to set an alias to an FQDN and set the FQDN to a hostname dynamically updated by dyndns on WAN.  That probably won't reflect changes fast enough. Are you configuring Services > Load Balancer > Virtual Servers?  I can't think of an effective way to use a dynamic address there.  Depends on how quickly you need it to update. I looked in /tmp/rules.debug and everywhere that references WAN address has been replaced by the actual IP address, not an alias to it.

you could search for xenserver here - you will find lots of info about issues with xenserver example https://forum.pfsense.org/index.php?topic=85797.0 Like first hit searching xenserver pfsense on google.

What I've done on my network is configure DHCP to supply the pfSense system as the primary DNS (and my local servers as secondary and tertiary in case pfSense system is down).  Then on pfSense I set DNS Resolver (Unbound) to forward DNS requests for my local domain to my DNS servers.  Its not exactly what you asked but I think it accomplishes the same goals.  Plus it allows pfSense to act as a cache and it knows the upstream (ISP) DNS servers.

@jatgm1: im tired of hearing pathetic morons talk about a childerens game. Then stop hanging around with pathetic morons. If that is not a possibility then get some ear plugs. @jatgm1: if you want to play it whatever, but its installed on the computer and we have the xbox game theres no reason he should need to watch god damn videos that some sad saps made. Who is "we"? Who is "he"?

Since this thread is still the top result on searching for double wan bandwidth, I'm posting another pic from my 2.2.2 64bit system. It appears that this problem has been re-identified… but just for posterity and clarity, see the attached pic.  

This is all moot anyway.  No matter what you do with DNS if the client web browser is asking for an https connection and the captive portal gets in the middle, a certificate error must be displayed. We, as IP networking professionals, should never, ever, EVER implement anything that, by design, will present certificate errors to users.  Connections to https sites before captive portal is negotiated should simply hang.  Don't like it?  Don't use a captive portal.