• Firewall is logging when shouldn't?

    Locked
    9
    0 Votes
    9 Posts
    3k Views
    johnpozJ
    OK, looks like I found out what was going on. Seems it was a rule left over from captive portal that I was playing with and then unchecked enable on, so the settings were still there but not enabled. Seems this portion of filter.inc was creating the rules:

        /* if captive portal is enabled, ensure that access to this port
         * is allowed on a locked down interface
         */
        if(is_array($config['captiveportal'])) {
                foreach ($config['captiveportal'] as $cpcfg) {
                        $cpinterfaces = explode(",", $cpcfg['interface']);
                        $cpiflist = array();
                        $cpiplist = array();
                        foreach ($cpinterfaces as $cpifgrp) {
                                if(!isset($FilterIflist[$cpifgrp]))
                                        continue;
                                $tmpif = get_real_interface($cpifgrp);
                                if(!empty($tmpif)) {
                                        $cpiflist[] = "{$tmpif}";
                                        $cpipm = get_interface_ip($cpifgrp);
                                        if(is_ipaddr($cpipm)) {
                                                $carpif = link_ip_to_carp_interface($cpipm);
                                                if (!empty($carpif)) {
                                                        $cpiflist[] = $carpif;
                                                        $carpsif = explode(" ", $carpif);
                                                        foreach ($carpsif as $cpcarp) {
                                                                $carpip = find_interface_ip($cpcarp);
                                                                if (is_ipaddr($carpip))
                                                                        $cpiplist[] = $carpip;
                                                        }
                                                }
                                                $cpiplist[] = $cpipm;
                                        }
                                }
                        }
                        if (count($cpiplist) > 0 && count($cpiflist) > 0) {
                                $cpinterface = implode(" ", $cpiflist);
                                $cpaddresses = implode(" ", $cpiplist);
                                $portalias = $cpcfg['zoneid'] + 1;
                                $portalias .= " {$cpcfg['zoneid']}";
                                $ipfrules .= "pass in {$log} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { {$portalias} } keep state(sloppy)\n";
                                $ipfrules .= "pass out {$log} quick on { {$cpinterface} } proto tcp from any to any flags any keep state(sloppy)\n";
                        }
                }
        }

    This was the rule that was set up:

        $ipfrules .= "pass out {$log} quick on { {$cpinterface} } proto tcp from any to any flags any keep state(sloppy)\n";

    But I did not have captive portal enabled – I had created it in the past and then unchecked it from being enabled. But it seems the rules were not deleted? I removed it and then rebooted, and now that rule is no longer there and it is not logging that traffic ;) I can try to duplicate it to see if I can regenerate the issue.
  • Praise and comments for pfSense 2

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    D
    Nice tip for the split DNS feature. Darkk
  • MultiWAN (PPPoE) issues

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    D
    Thanks for your answer. Finally, after updating pfSense to the latest release, the failover gateway group seems to be stable. One oddity remains: If I configure the gateways to use a monitor IP, both gateways are switched to offline again. If I try to ping from within my LAN, the ping goes through, but gets cut off after a while (the gateway responds that the ping is blocked (never seen this ICMP error before)). With the monitor IP disabled, everything works out fine, except for the transparent proxy. But this might be the oddity, that we're an online gaming company with ~150 active users and only those two PPPoE lines… ;-) We'll try to install a transparent squid on another box and re-route the web traffic to this box. Regards, Tim
  • 0 Votes
    5 Posts
    4k Views
    C
    Thank you Ermal for taking the time to answer my questions :-)
  • Wake on LAN - Can wake from GUI but not from outside

    Locked
    22
    0 Votes
    22 Posts
    19k Views
    S
    Just wanted to note that there is built in support for running commands at boot time.  You have to download the config, then edit it, then reload the modified config.  http://doc.pfsense.org/index.php/Executing_commands_at_boot_time But it looks like from the following post, that it won't work for this function. http://forum.pfsense.org/index.php?topic=27359.0;prev_next=next Just thought I would post in case anyone else has the same thought. Josh
  • PfSense hacked? - ICMP Flooding

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    ?
    If this turns out to "solve" the problem, you probably want to fire your ISP.  There's no way apinger will saturate a 100mbit connection.
  • Can't connect to pptp server

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    R
    No one could help me? Must I add a rule to the firewall to connect to pptp?
  • 2.0 RC3 Diagnostics: pfTop Sort by Rate no show

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Need support for multi NIC and bridge mode. RC3 (latest Snapshot)

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    W
    The correct way to configure from initial install is to do what the documentation says. You need to complete the configuration through an interface named LAN because that gets default firewall rules that allow any traffic from LAN net to anywhere. Other interfaces get rules that block everything. You can get to the pfSense documentation by following the link on the pfSense home page: http://www.pfsense.org
  • DMZ on existing router query

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    E
    @jimp: That should be fine. Aside from the additional layer of NAT going on, that should be roughly equivalent to having the public IP directly on pfSense, which is really what would be ideal. Thanks for the reply. It's good to have a second opinion!
  • MOVED: snort alerts are not showing up on the snort dashboard widget

    Locked
    1
    0 Votes
    1 Posts
    852 Views
    No one has replied
  • Since upgrading to RC3 09/09/2011, issue with SIP

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    P
    @godinperson: Guys, I think I found something. I've gone into System - Advanced, Firewall and set the firewall to Conservative and checked the Disable Firewall Scrub. I had done this before but didn't reboot the pfsense since it wasn't asking. Looks like after a reboot, everything is back to normal. What is weird is that I needed to click those only after upgrading from RC3 June 21st to September 11th. See ya! Hello, I found the same thing but back on 1.2.3 release forward. SIP intervals are longer than "Normal" state clean up. Unless you adjust SIP, you will have to use "Conservative". I have changed my SIP protocol and I can now use "Normal". I just hope my SIP provider doesn't mind. Hope that helps.
  • 2.0 RC3 Hangs/Freeze after 1 week or more

    Locked
    12
    0 Votes
    12 Posts
    4k Views
    N
    OK, well, I'm going to check the mobo when I get home and see if there is something wrong. USB is disabled and LAN is also disabled to be on the safe side.
  • MOVED: Setting up transparent proxy on LAN server

    Locked
    1
    0 Votes
    1 Posts
    889 Views
    No one has replied
  • Arpwatch log

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Traffic Shaping Issue with 9/10/ 18:37 build

    Locked
    1
    0 Votes
    1 Posts
    868 Views
    No one has replied
  • ICHWD.ko?

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    G
    The tutorial http://www.zomers.eu/knowledge/pfSense/Pages/Configure-pfSense-2.0-RC1-to-use-Watchdog-functionality.aspx worked very well! Even though I get trap 12s on my hardware with the latest snapshot, at least I can still connect to it after a reboot when I'm not at home. I hope to solve the trap fault soon though!
  • VPN 2MB Internet 1Mb, 512Kb, 256Kb

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    K
    Thanks Cry Havok (Global Moderator), I'm clear now. Actually I was thinking of passing 1MB VPN data on a 256Kb tunnel, which was impossible. Thanks, kalu
  • SUCCESS: 3G router with pfSense 2.0 RC3

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    M
    OK, just checked… Very simple: Set WAN to be PPP; set phone number to *99#; set Modem Port to be /dev/cuaU0.0 (from the drop-down list of choices). Screen shot attached.
  • 0 Votes
    14 Posts
    4k Views
    jimpJ
    @torontob: Please bring back the copy and paste of keys and certs in the same page where I create the OpenVPN server. You can keep how it's working now but also allow the old method. Add a scroll down to copy and paste your own key or cert. Patches accepted. @torontob: I never use the same key or cert for another VPN session so the management of keys and certs is really not needed. Now, there may be some who use it with multiple vpn server ??? but I think the amount of work put into VPN wizard and now distributing it all over the GUI has not really made it any easier. To the novice user it's still very hard. To the experienced user you have to still go back and check your notes and play a few times until all works. It's not harder. It's harder for you, perhaps, but the system is a lot more powerful and easier for most (and pretty much everyone else agrees it's better). As the old saying goes, you can't please everyone. @root2020: What may be nice is an area on the website dedicated to 2.0 documentation and one dedicated to 1.2.3. You mean like the one we already have? :-) http://doc.pfsense.org/index.php/Category:2.0 @root2020: All this stuff seems to work great but documentation is usually difficult to find for new users of 2.0. You mean clicking the blue "?" help icon on every page in the GUI is difficult? :-)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.