• User Manager Groups to allow UPnP & NAT-PMP
    3 Posts, 0 Votes, 798 Views
    Perfect - Thanks Jimp!
  • RRD XML data in a backup
    4 Posts, 0 Votes, 2k Views
    Sorry for the slow reply. Thanks for this, will try that tomorrow; if I can get it working it will be really helpful.
  • Installed pfSense, what's next?
    8 Posts, 0 Votes, 2k Views
    czar666: Thank you all for your replies. Quite interesting to have different views on the situation. I use the vpn service so my pfsense is not only used as a fw. In the meantime I also activated egress filtering. For some of you maybe overkill, but it's also to learn how to use the pfsense (making aliases and rules, check my fw logs etc.).
    @chris4916: Are you hosting internal services exposed to internet? NO. Do you need remote access to your LAN? YES. Do you need to segregate internal subnets? Isolate guest wifi from LAN… Not today, but could be in the near future.
    @chris4916: all-in-one UTM will do the job with less flexibility but more efficiency… if you don't know how it works behind. Well, apart from protecting my situation, I'd like to learn how it works behind. It's fascinating.
    @Harvy66: Don't forget to teach your children how to be responsible Internet citizens and not get virii. I got a virus once when I was 7, it was from a floppy disk I got from a friend. I have never gotten malware or a virus since. I absolutely agree on that point too.
    @pleriche: Regarding pfSense I'm a bit of a noob round here but I would humbly suggest that what you need is a UTM rather than a firewall such as pfSense. I'll have a look at that UTM stuff.
    @jahonix: Personally I would separate my network in trusted and untrusted subnets with the kid's gear being in "untrusted". This way they cannot infect parents' stuff. With vlans, yes this could be an option too. But the "untrusted" part will need access to the "trusted" part. For example: the ipad is using an application to navigate in the gui of the Kodi Media Player. I'll have to check that.
    Again, thank you all for the interesting advice.
  • Blocking on VLAN not working properly (pfSense <–> OpenWrt)
    28 Posts, 0 Votes, 5k Views
    Hi John, I've finally created the tutorial! You can check it here: https://forum.pfsense.org/index.php?topic=116980.0
  • No state tables!?!?!?
    14 Posts, 0 Votes, 5k Views
    stephenw10: If you run the manual ruleset reload command at the CLI (or from Diag > Command Prompt) it will report the error that is causing that. Almost certainly an unpopulated alias that pfBlocker created in that case.
    pfctl -f /tmp/rules.debug
    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting#Ruleset_Loading
    Steve
  • Pfsense lagg to esxi
    12 Posts, 0 Votes, 3k Views
    It works connecting it via a switch. Will keep it that way, still I need to separate the DHCP pool from my LAN. I have created an additional DHCP pool (in the same network) but I'm not able to make it use that one only, like force all requests coming from ESXi to be served from that pool. Any clue on this?
  • Internet uplink cut in half by pfSense
    9 Posts, 0 Votes, 2k Views
    Are the hosts actually connected with 10Gb links? Several hypervisors including Hyper-V report 10Gb NICs on the guest OS, which doesn't necessarily mean they actually have a 10Gb link. Having said that, I am currently planning a datacenter move. Our main datacenter has a few HP DL360 G9 machines, each with 2 Xeon 2950V3 CPUs, some pretty neat and fast 10-core machines, so a total of 20 cores (for what that matters). We are running pfSense (on Hyper-V) on those boxes, and it never passed 60MB/sec, about 500Mbps. In our new datacenter though I've mounted a spare Cisco 3750 switch and a Xeon L5520 based machine, so even one generation before your L56xx host. With the exact same pfSense setup on Hyper-V as well, this much older machine reaches line speed and I can do 115MBps, so about 1Gbps down and up. Note that I am running pfSense on Hyper-V 2012R2, which isn't even the best hypervisor for it at all. Now this difference might be the line in our current datacenter, but it might as well be some other issue. In any case, the rather similar L5520 based machine can actually do 1Gbps routing with no issues at all in my setup. No specific tweaks done at all.
  • AD Domain Rename with a pfSense Firewall
    5 Posts, 0 Votes, 2k Views
    We still haven't done the domain rename. The parent domain we were planning on joining ended up being a mess… still has a Server 2003 box for some ungodly reason... IMO we should make a new domain of a different name, but I've been unable to convince the powers that be. As far as the firewall goes though, I'm pretty sure all I have to do when the time comes is change the domain name within the settings. This will trickle down to the IPsec VPN settings as well, correct?
  • Gateway Status / dpinger Questions
    2 Posts, 0 Votes, 1k Views
    dennypage: Your IPv6 gateway is a HE tunnel, yes? This means that IPv6 will show as functional if there is any connectivity for the tunnel. In other words, if IPv4 is functioning, so is IPv6.
  • Torrent doesn't work
    16 Posts, 0 Votes, 6k Views
    @rudger_wolvram: If the any/any rule you posted makes it work, then that means at least NAT is working. Check the configuration settings of uTorrent itself, by default it will randomize the port it listens on. You may also look at enabling UPnP, uTorrent is pretty good about using UPnP. Also, as a side note, for troubleshooting pfSense UPnP, uTorrent is good for that as well because it plays nicely with pfSense's implementation. Also, NATing does not imply allowing access with a rule. For example, I have an old NAT rule for a TS3 server I hosted for a short while, however, after moving to a proper hosted service, the firewall rule itself that allows that access has been disabled, the NAT is still there, but the rule that allowed it is disabled. So if I spun that TS3 server up again, it would never work until I re-enabled the access rules.
    Exactly, I am sure the NAT is working for that reason. About uTorrent, the option to randomize the port is disabled, I've just double checked, and the 2 options "UPnP" and "NAT-PMP" are enabled. If I got what you mean, the rules say the last word, let's say so. Hence I need to create a rule that will not be so OPEN as the any/any rule that I am using.
  • Pfsense ramdisk usage
    7 Posts, 0 Votes, 10k Views
    I see. When does /tmp fill up anyway? I never saw it significantly used even at 40MB. Any disadvantages by not including swap during install? I just noticed that I'm already at 100% with 120MB of /var ramdisk (it fills usually after 24 hours). Take note though that I have two pfsense boxes of the same exact kind (APU2C4) and they're just used for my home. The first one serves only around 10-15 devices (including mobile phones) and the other serves only like 3-5 devices, so they are in no way loaded heavily. I have squid and lightsquid installed but they're both disabled and not configured yet since they were installed, so that's not what's causing it to fill up for sure. How do I query which directory inside /var is the culprit? Would "ls -l" do?
  • Packet loss following WAN link loss
    2 Posts, 0 Votes, 2k Views
    Well, I went ahead and wrote an article on this problem at my website: "pfSense not recovering after WAN outage". And this is how I resolved it: "Using a WAN VLAN with pfSense". I created a WAN VLAN and plugged my Internet into that, and then pfSense into another port. This keeps pfSense from losing link on the WAN port when we lose connection with the ISP. In my case I have FiOS, so I put the ONT on port 1 and pfSense on port 2. Both untagged ports with the WAN PVID. Works like a champ. I sure wish I didn't have to waste two ports on my switch though. ;)
  • Problem with transparent mode squid3
    3 Posts, 0 Votes, 515 Views
    Hello, I have enabled the transparent proxy for HTTP only. I set the "Proxy Interface(s)" option to my own LAN network, enabled the "Allow Users on Interface" option, and set "Allow Users on Interface" only for my LAN as well. The problem is that these machines on the network can browse through the proxy even without being set in "ACLs->Allowed Subnets".
  • Squidguard and mysql
    1 Post, 0 Votes, 791 Views
    No one has replied
  • [SOLVED] WOL across VLAN's
    11 Posts, 0 Votes, 8k Views
    I understand I need the ARP entry because I use the IP address instead of the broadcast address. But using the broadcast address didn't work for some reason. To be honest I only use it once a month(ish) so this is OK for me. Thanks though for all the info, appreciated!
  • Pfsense + apu2c4 combo temperature monitoring
    3 Posts, 0 Votes, 2k Views
    Thanks, it worked!
  • Admins via extended LDAP query
    Locked
    2 Posts, 0 Votes, 531 Views
    Never mind, just saw someone post this just below here: https://forum.pfsense.org/index.php?topic=116760.0 Watch out for the User - Config: Deny Config Write rule!
  • How to rebuild kernel ?
    3 Posts, 0 Votes, 856 Views
    johnpoz: Yeah, would not really be a good idea to go about messing with the compile of your firewall kernel on a special-use distro like pfsense. If there is something specific you would like to see included or excluded from the kernel, best to put in a feature request to the devs. If you want to compile stuff in general for FreeBSD, prob best to fire up a generic FreeBSD install for such play. Not something that really should be done on a system used for your firewall, etc.
  • Static Routing Issue
    8 Posts, 0 Votes, 1k Views
    johnpoz: It always surprises me, the lack of understanding of transit networks and downstream routers. Even from people that supposedly work with routing all the time. So don't feel all that bad ;) There is this article in the docs: https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules This article seems to address workarounds and causes to it that might be set on pfsense itself. But doesn't really address a common mistake of not using transit networks and/or placing hosts on what amounts to a transit network, etc. Should prob take some time and round out the information provided in the above doc; this would prob be a good location for more information on the issue. I currently just don't have the self motivation to do so ;)
  • How much throughput lost using pfSense?
    17 Posts, 0 Votes, 19k Views
    Why not start your own thread. Performance issues are almost always customer per person. No point in ruining someone else's thread by muddying up the discussion.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.