  • Can I communicate two PC on different subnets

    5
    0 Votes
    5 Posts
    832 Views
    johnpoz
    You're doing a downstream router.. Yeah there are a few things that have to happen.  And this downstream router is on a lan side port right. You're not using it as your wan on pfsense? While I like your /30 transit.. Your other segments - why are you using /16?? There are quite a few threads that go over downstream routing with pfsense.  I should prob put something up on the wiki, seems to come up quite often as of late. You're going to need to create a gateway on pfsense pointing to this /30 IP of the downstream router.  And then a route for the network behind the downstream router.  You're then going to have to adjust the rules on your transit network to allow the downstream.  And you're also going to need to alter your pfsense outbound nat rules if these downstream networks are going to use pfsense for internet access, etc.
  • AWS Routing/NAT oddity?

    5
    0 Votes
    5 Posts
    1k Views
    A
    Is there anywhere else to specify a "default gateway" for the internals of pfSense?
  • [SOLVED] Different DNS forwarders for VLANs

    17
    1 Votes
    17 Posts
    9k Views
    stephenw10
    Last come back here but yeah it sounds like you can just hand external DNS servers to DMZ clients if they only need to resolve unfiltered external hosts. No need to bother with dual DNS on the firewall etc. Steve
  • MOVED: Error Message

    Locked
    1
    0 Votes
    1 Posts
    440 Views
    No one has replied
  • Can't connect to AP when Bridged

    7
    0 Votes
    7 Posts
    944 Views
    Derelict
    If your WAN is not multi-100-megabit and the realtek is reliable, it's a good choice to use the realtek on WAN. If it gives you problems, move it to intel.
  • Gateways: Difference Between EDIT and COPY?

    4
    0 Votes
    4 Posts
    702 Views
    beremonavabi
    OK.  So, since I haven't ever renamed the "copy" when I'm in there, it just doesn't do anything with it?  I would have expected the "copy" button to generate a copy with "copy" or something appended, and then I'd have to edit that copy.  Thanks. EDIT:  Confirmed it.  The behavior is as you described.  Thanks, again.
  • Removing LAGG Interface

    3
    0 Votes
    3 Posts
    2k Views
    C
    That worked! I also had some issues with adding it back but I think I know how the link agg options work now! Thank you for your time and for saving mine!
  • Need help with pfSense and BT Youview

    1
    0 Votes
    1 Posts
    440 Views
    No one has replied
  • MOVED: Squid Proxy Logs

    Locked
    1
    0 Votes
    1 Posts
    402 Views
    No one has replied
  • Chromecast issues

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    D
    Errr uh no. 1/ The router should NOT be routing. 2/ Disable intra-BSS isolation.
  • How To remove or disable Description under configuration field

    6
    0 Votes
    6 Posts
    684 Views
    D
    Uh. There is no such "feature". WTH.
  • Force NTP to use specific gateways

    4
    0 Votes
    4 Posts
    1k Views
    K
    There's no other practical way because redirecting locally originating traffic isn't possible with PF, only static routes work. There is the setfib(1) system that can be used to assign an alternate routing table to a process but it's not exposed through the pfSense GUI in any way. The gateway selection for the DNS forwarders (at the General Setup page) is using static routes, that just isn't spelled out for you. The reason static routes are a working solution for the DNS forwarders is that you'll never enter anything else but raw IP addresses as the DNS forwarders, each of the entered forwarders can be redirected individually by static routes. With NTP peers it's more complicated because the NTP service in a default setup will contact multiple peer candidates that you don't know in advance and can't be caught with static routes, you'll need a manual setup with raw IP addresses as the peers if you want to use static routes to redirect the traffic to a different gateway.
  • Impossible to remove "Custom Access Restrictions" from NTP service

    6
    0 Votes
    6 Posts
    851 Views
    D
    Ok, so please fix this in the next release.
  • ARP Table showed 2 entries for each IP on LAN and OPT2 - Why?

    8
    0 Votes
    8 Posts
    1k Views
    stephenw10
    Ha, I hear ya.  :) I confess I've done that in the past where a real switch would be much more appropriate. Good to know it can be done if needed even though mostly it shouldn't. Steve
  • Package updates handled differently for official hardware?

    5
    0 Votes
    5 Posts
    1k Views
    R
    @jimp: Packages and updates for Factory and CE use different sets of backend builders and repositories. Builds happen at different times and depending on how things happen, an update may not be synchronized from one side to the other until a later build run. It's usually very temporary when things are out of sync in that way. As always, Thanks Jim! It was just an anomaly that neither BBCan177 nor I could account for other than the Factory build.  I knew from history they eventually show up… BUT, we were trying to test something invoked by the PR and I needed the _8 release to test.  I tried to keep it out of gen pop but someone had other ideas.  I know better now. Rick
  • Way to deploy VPN without tunnel?

    9
    0 Votes
    9 Posts
    1k Views
    johnpoz
    ^ true if the client was running the vpn through the router to the pfsense as a road warrior sort of connection then no you wouldn't have the asymmetrical issues.  That is not how I understood what he was suggesting on doing. But then every client wanting to use the application would have to run vpn client.
  • A very simple Firewall question

    4
    0 Votes
    4 Posts
    682 Views
    stephenw10
    I understand. It's pretty secure out the box, everything is denied on WAN, but you can add block rules or remove the default allow rule on LAN to tighten up outgoing traffic. Keep asking questions if you have them.  ;) Steve
  • MOVED: Softflowd missing fields

    Locked
    1
    0 Votes
    1 Posts
    373 Views
    No one has replied
  • Change URL Table update frequency

    3
    0 Votes
    3 Posts
    3k Views
    J
    Sorry guys, I have solved my problem. Opening the file rc.update_urltables on pfSense, I have seen the forceupdate parameter. I have modified the cron schedule like this: /usr/bin/nice -n20 /etc/rc.update_urltables now forceupdate. Now it works perfectly. Best regards, Jack. Reference: https://github.com/goldchang/pfsense/blob/master/etc/rc.update_urltables https://github.com/goldchang/pfsense/blob/e0c1bfd7421c5a805b27a80247c4095c8efeab99/etc/inc/pfsense-utils.inc
  • Issues with pfsense

    8
    0 Votes
    8 Posts
    2k Views
    F
    @johnpoz: "The services I'm running are darkstat, dhcpd, dasbl, dpinger, iperf, named, ntpd, radvd, snort" "When I replace the pfsense firewall with a Linksys E1200, I can use the internet again." Your little linksys E1200 sure and the hell does not run snort ;) Are you just on the lan interface, or have you created multiple network interfaces?  What rules did you put on them, etc. What exactly is dasbl – do you mean dnsbl from pfblockerng?  That could be causing you issues with internet access.  Which your linksys sure wouldn't be doing either. There is way more you can mess up with pfsense vs some really black box soho nat router with only 1 network.  And really almost zero control of the outbound firewall rules, etc. I know the Linksys can't run snort, just was pointing out I knew it wasn't my internet connection. I reinstalled pfsense, reinstalled all my packages and ran into the same issue again.  It has something to do with pfblockerng.  I just haven't had the time to dig into it.  I also don't have the know-how either to look into it.  Maybe one of these weekends when I'm a little less busy, I'll reenable pfblockerng and see what the error message is and report back…In the meantime, I have it disabled.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.