Thanks for the reply. The most weird thing to happen with this issue is that suddenly a few days ago - the behaviour just stopped! There was no switch reconfiguration done and nothing changed on the firewall. The only single 'incident' that linked dot around the same time was a J2EE application restart on the server in question, around about the time when this weirdness stopped. I will keep monitoring and have enabled sys log on the device to see if I can catch any events if/when the issue returns…. Cheeers, JD

@Supermule: The billing issue is the ISP downside to PF….. Nah, you have Netflow, which is what most ISPs use for that purpose (regardless of network gear).

It takes thousands of simultaneous connections to get to that point, if you're seeing that, you have that many connections through reflection. We generally advise against using reflection at all, but it's a fine solution in most circumstances, just not when you get to higher numbers of connections that need to be reflected. High throughput environments do it "right", i.e. split DNS. Efonne does have a branch in git that does reflection in pf, which gets rid of the nc scalability issues. That's for 2.0 only, and may have other drawbacks as it hasn't been nearly as widely tested.

If you need to save the log, you must redirect the logs to an external syslog server. Even if you increase the log sizes, there is no guarantee you will save an entire day's worth of entries, especially if you endure a lot of port scans or other random traffic on the WAN.

It works fine on a WRAP if you flip the bits as described here: http://doc.pfsense.org/index.php/NanoBSD_on_WRAP 2.0 might be a little heavy on CPU/RAM for a WRAP but it might work. I haven't tried it on my WRAP yet.

Snort has a p2p policy category, would this help?

just a follow up.. I tried this http://forum.pfsense.org/index.php/topic,10409.0.html then http://forum.pfsense.org/index.php/topic,6998.msg49266.html#msg49266 seemed to load the config.xml file, upon reboot webconfigurator failed again? (NFI) probably missed a step resolve, just did a re-install from CD…. which fixed the web configurator problem, then restored from the same back up.... seems to be working again... one strange thing was during re-install of packages.. snort was reinstalled, then removed then reinstalled? (is it possible to have installed twice by mistake?) I only say that as it went through the 5% 10%...100% routine twice as I went a made a coffee and came back to find the message "removing snort" then installING snort 5%..%100.... no biggie!

True enough :)

If the additional IPs are routed to your main shared CARP IP, you can use the "other" type VIP. You'll just need to set them up on the backup unit by hand the same way.

Having the same issue, but I believe that practically it's not happening. 1.2.3-RELEASE P4 2.4 2GiB ram iwill based motherboard (SGS 5420) Upload 1.0 Mbit/sec, Download 5.0 Mbit/sec Uplink 1000 ms, Downlink 110 ms nut - running ntop - not running apache_mod_security - running snort - not running ntpd - running dhcpd - running miniupnpd - running Test run from LAN interface, have two VIPs and nothing important expect a port mirroring where WinPcap is always running but even without port mirroring I get the same exact results. Bridged modem -> pfSense >-LAN-> HP ProCurve switch -> clients

@jimp: @sofakng: So the WWW network would be blocking it's own network? That's not how it really works. The only address in the WWW subnet that will have a WWW subnet IP as a destination, is traffic hitting the router IP itself. All other traffic goes over the switch and not the router. Ahhh, that makes sense. I guess if I wanted multiple web servers to communicate on the WWW subnet I would need to adjust that rule but I think I understand what you're saying. Thanks!

Ouw…. thank you for suggesting 80 GB that I use it only for the squid cache. if Mr. jimp suggest like it, I just follow the advice Mr.jimp.  ;D Thanks.