I guess I'd make that call based on how reliable the hardware is, but generally I try to go for just one box no matter the size. Just because it's an easier setup, easier planning, documentation etc. And usually less money. But there's really nothing wrong with doing your setup. If your main concern is uptime, I'd put one box as central router with multi-WAN and put the other one as HA to automatically take over if the first one fails. I would make a LAN network (VLAN1) for devices such as switches, AP's etc, then two or more VLAN's for users. In the past when I've built large networks I have sometimes created a 22-network (255.255.252.0 subnet mask) just to get a few extra IP's, and sometimes I've limited them to about 50 devices per network, depending on the type of traffic. Smartphones and such is good to keep down in numbers as they broadcast a lot of traffic, but if there's *nix devices it doesn't matter as much. The main thing I go for is to try and keep as much as possible with software, since it's easier to replace one box and restore config than to troubleshoot and replace several boxes. Correctly done, you can even replace a router on remote with a novice customer moving a cable or two.

No problem.

Yup change it there and re-export the config. Or edit the config on the client directly to use the real public IP. Steve

Good point! Any interface with a static IPv4 address in a subnet large enough to have IPs available to lease.

little over a year later i find myself here. then i think ok let me scroll down, there are MANY 'zio_free_issue_' i assume this means free/available threads for write capability (zfs - input/output - free - issue - then the rest i assume is threads and then counts or something..) trails off compared to most in the forums i know jack nothin about specifics like this (excluding majority networking) but the labeling makes sense thanks either way to everyone

I don't have FiOS TV, which apparently can be a major issue if you do, since some of their newer TV hardware REQUIRES the use of a FiOS router to retain full functionality of the boxes. But without the TV piece, I just have my pfSense box connected to the Ethernet connection on my ONT. I didn't have to do anything fancy for it to work (WAN is set to DHCP), and have no issues getting nearly full speed out of my Gigabit connection. IPv6 is not yet available unless you're in one of the four (possibly five) areas that seem to be in their testing for it. DSLReports is great for provider-specific setup questions.

Thanks, this really worked. Disappointed I can't use my CLI Shell to copy across, but at least it's working.

@kiokoman , nice. Thanks! I donated $100 directly to the BSD Foundation instead.

Use different NIC types. AltQ is not supported by whatever devices you have. You should avoid USB NICs in general. See: https://docs.netgate.com/pfsense/en/latest/hardware/network-interface-drivers-with-altq-traffic-shaping-support.html In addition to the list linked there we add VLAN interfaces so one option would be to add vlans and apply the shaping on that. Steve

The NAT reflection mode will make no difference to clients connecting externally or to the server itself connecting out. Do you see traffic blocked in the firewall log? Do you see oncoming states opened to the server? Steve

With two virtual drives you can still recover one from the other if the filesystem is somehow damaged beyond repair. I don't think I've ever seen it done though. Generally if you're running on a hypervisor you probably have a UPS. Steve

@nback said in ntp only connecting to some time servers: Fixed it! Set a default gateway for ipv6. You shouldn't have to. That should happen automagically, through router advertisements.

@stephenw10 Thanks for the link - I will definitely watch.

how about Diagnostics / Backup & Restore / Config History ?

Thanks for your reply. It worked.

OK - have removed all the other interfaces from system/routing/gateways, and have left the 1 remaining interface (WAN) as the selected default. No problems connecting to any of the VPN server instances. And DNS resolution remains functional. I will continue to monitor, but it really does appear that this problem has now been solved. Thanks again to @johnpoz and @stephenw10 .

@stephenw10 Thank you for your concern in my case. When the configuration from the second provider is directly done to the PBX Box while the first is through pfsense, I can use both Providers at the same time. My situation is, I do not want to hook providers into into the PBX hoping in the future I may have other Voice Connection from other providers as well. Connecting the PBX through the switch I think in my case is the optimal one just as I described in the diagram. -Lusekelo

Yes, for most that is not required but if the keep alive packet spacing is too high you may need to set conservative mode. Or use custom timeouts as you did. Steve

Setup Limiters to whatever bandwidth you need. Put default internet traffic in to those Limiters with firewall rules on LAN. Pass local traffic with rules above those that are unlimited. https://docs.netgate.com/pfsense/en/latest/book/trafficshaper/limiters.html Steve

Keep in mind that 1.1.1.1's primary goal is harvesting your DNS requests. Not replying on your ICMP requests, so if they (1.1.1.1) decide to stop doing that, for example for bandwidth reasons, your WAN could get marked as offline.