On WAN alone is adequate, we enable MSS clamping to prevent TCP from being bigger than that.

I've been noticing the same issues, due to the unconstrained growth of the tcpdump process.    I'm running the Feb 4th snapshot, so I do have the -S flag. I filed a bug report: https://redmine.pfsense.org/issues/2819

i asked for fish and you slapped me with a blue WHALE. Thanks

but i want to ask , how will a proxy server will hand  3000 users with the same ip??? i mean if one of the 3000 users did a spam , he will block with him the other users !!! doesn't dat  right ?? i mean that tproxy is very very important for the isps that has alot of users plz advice for dat . regards

@dotdash: The config is common between slices. You should be able to switch back to the previous slice if you have problems with 2.0.3. Thank you very much for your quick reply. The common configuration makes things even easier. Peter

Hi Stephen, Thanks for the reply. Yes, I'm aware of the different modem codes available, I was on 332201_A the recommended one for the UK. Unfortunately, the low throughput came back again with the 12v PSU, so I did try reflashing to 321311_A which is recommended normally for poor lines, mine is a good line but I thought it was worth a try anyway, but it made no difference. When I've tried different modem codes before on other lines, the difference has usually been fairly minor - worth doing (perhaps 10%), but not a massive difference, so I haven't tried any other codes as I don't expect that to be the problem. I've gone back to the 9v 500ma PSU to ensure I don't kill the Vigor 120 and have contacted Draytek asking them to replace the whole thing. I do think the bad PSU is quite likely the cause - I suspect the reason the problem has come back later with the 12v supply is that the modem seemed to be running hotter (as could be expected) on 12v, so I got the full potential of the line at first, then after a while I think a processor inside the Vigor 120 has throttled to prevent overheating, reducing throughput. A bit of a wild guess, but it's the best I can do. I'll update the thread once I've got a replacement to confirm if it's fixed the problem.

old pf: Asus P5B-E 4x2Gb ddr2 3Com 3C940 Gigabit Ethernet> Marvell 88E1011 Gigabit PHY sk0=WAN and age0=LAN and for fun. Adaptec ANA-62044 use a 120Gb sata disk as boot drive and i have a 120Gb ide for squid cache the new main board i'de like to have is Asus P8C WS that gas 2 Gbit on the board so i dont need to use a slot for that. but yea its 99% for home use but i like to play around with stuff logs,graphs and meaningless other stuff and if it will happen i'll try to get a SSD for pfSesne system and a 500Gb+ just cache or log storage. is there room for stuff its allways fun to test it out. without sacryfice security i'm going to need a better switch to. my netgear 5port isnt great in anyway, but any input prople do is nice then i can get a bit wiser "or not" :) thx again i'll get 8-16Gb ram for the new server do. that can help out with squid i've been told. squid=mem then cpu in that order

I guess steve is right. It does not hurt to test so i will try that. But many of my problems does not fit, ithink, since it seems that it was the lan interface that in that case went down. ill be back

Thank you for informing. Really don't know what went wrong. Because it's new to me and no experience with this kind of software on linux/bsd, it's not clear how these 3 packages interact with each other. On top of that, I had strange behavior of certain, normal, sites being blocked and others allowed so I tried a lot and the result was not 1:1. Now, I think I got the basics but need to work out some issue. EDIT: typo

If you plan on having virtual servers on the ESXI box each on different VLANs then it creates an interesting setup. You have to think about each direction of traffic separately from one another to make sure traffic gets tagged. You could even by hand write a quick flow chart. PFsense (tags data vlan10) > switch port 01 (keep tag) > switch port 02 (keep tag) > ESXI (set to Trunk) To trunk in ESXI, I think you set the VLAN-ID to number to 4098, I can check when I get home. This will allow you to have multiple machines on the vswitch to set their own VLANID. If you want to separate them…. create a new vswitch. The "keep tag" is going to be called so many different things depending on your switch. Usually you have three options, use default VLAN (1), Keep tag (whatever the device says it is), and drop tag (means no vlan).

@klarback: What do you think about disabling source port rewriting? I only have one IP phone behind my public IP. I did this to "fix" a lot of other services I have running behind pfSense. http://doc.pfsense.org/index.php/Static_Port I don't think SIP phones randomize or port hop, so it might not make a difference if you're already capable of getting a dialtone and making calls.  However, turn it off and see if it works.

Yes, with OpenVPN.

Your confused, or not explaining what your wanting to do correctly. You can not just use pfsense as your router/gateway/firewall and think magically all data that flows through it is encrypted and or compressed. You can can encrypt data between endpoints using your choice of encryption methods that both endpoints support.  Once you make this specific connection then sure if your encryption method or connection method supports compression that too cold be used. But just use of pfsense as your gateway/router/firewall does not in any way encrypt or compress anything. Now your client could connect to vpn on the outside of pfsense - and that tunnel could be encrypted from anyone between your client and the endpoint from viewing details of said traffic. What exactly are you trying to prevent from leakage, and to whom?