• MOVED: Is it pfsense can notify user that pfsense has block the website?

    Locked
    1
    0 Votes
    1 Posts
    945 Views
    No one has replied
  • Single Packet Auth, Port Knocking…

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    Thank you both for your comments and direction, I am facing a lot to consider in evaluating the benefits of using BSD vs. a linux pre configured linux firewall/router system or a dedicated Debian box. Although I've already downloaded, read the faqs and installed previous versions of pfSense, I'm still having a difficult time assessing the merits of pfSense (other than a higher history of security), in comparing it to a devoted Debian box or another linux pre configured firewall/router solution. Sens
  • Pfsense in a high traffic environment

    Locked
    8
    0 Votes
    8 Posts
    22k Views
    Thanks, I appreciate all of the feedback.  I upped the value on all of them.  One of them went from 18K up to 32K pretty quickly.  I am checking with the developers to see if this eased the timeout problem. Thanks again.
  • Mail Server behaving oddly

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    Cry Havok
    I wonder if you've got a broken DNS server somewhere that responds to DNS lookups of the relevant hostname with an address, or if you've got one doing wildcard resolving of anything (like OpenDNS does for certain domains). What does "host 172.200.85.209.bl.spamcop.net" (on the Postfix server) show?
  • MOVED: Pfsense multi wan & lan with carp failover

    Locked
    1
    0 Votes
    1 Posts
    933 Views
    No one has replied
  • Web server publishing

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    No.  The firewall does packet-level filtering, not application level filtering.
  • Help with Planning Setup

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jahonix
    What you need is pretty much a basic setup. Your publicly available computers indeed should be set up in a DMZ. That is a third interface (originally called OPT1 unless you rename it) with a proper rule set. If one of your switches is manageable you could use VLANs but the logical layout will be the same. Only physical layout would be different. Avoid Realtek NICs if possible and go with Intels. If you need to troubleshoot something you know where not to look… Depending on your friend's router is the choice of VPN. It probably does not support OpenVPN, otherwise give it a try. IPsec is not an alternative as long as both ends use dynamic IPs. Since you have the hardware just go ahead and play around a bit. It's not that difficult.
  • Maximum Throughput? Anyone

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    http://letmegooglethatforyou.com/?q=+max+throughput+of+the+PFsense
  • 1.2.2 pftop queues view missing

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Problems with web server hosted behind pfSense 1.2.2

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Strange (maybe) multicast behavior

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    Thanks for the info. Out of curiosity, why is the broadcast only occurring on the apps interface on both firewalls?  None of the machines in that subnet should be using multicast.
  • MOVED: ESX/Pfsense bridge mode/Arp response takes too long

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • MOVED: pptp / vpn and pfsense

    Locked
    1
    0 Votes
    1 Posts
    802 Views
    No one has replied
  • MOVED: [ask] how to use "name"

    Locked
    1
    0 Votes
    1 Posts
    934 Views
    No one has replied
  • Help with designing home network firewall

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Cry Havok
    @chrish: What I’m thinking about starting out with is a perimeter firewall.  [CableModem]–>[pfSense FireWall]–>[DIR-655 in AP mode]. The HTPC and NAS would be plugged into the DIR-655 Gigabit Ethernet ports. I have the following requirements. -HTPC and NAS must work at Gigabit speed.
    That's down to the DIR-655.
    @chrish: -Need to be able to VPN into work network using laptop with wireless.
    That's just down to firewall rules (though there's a limit of one PPTP tunnel).
    @chrish: -Ability to block outgoing access to specific websites by ip and/or url.
    Install Squid and SquidGuard.
    @chrish: -Ability to block incoming requests by ip/url/ and port. -Bit torrent should work from my NAS. -Unreal Tournament should work from wireless connected computer.
    Basic firewall rules ;)
    @chrish: -Requests from WAN port 8080 should make it to the web server on my NAS on port 8080.
    Port forwarding - easy ;)
    @chrish: -Whatever hardware I purchase must pass girlfriend approval.  Her requirements are simple.  She doesn't want to see or hear it.   This means it needs to be as small as possible since it will be living under my TV in the living room.
    Take a look at the FX56xx series (see here) - they're passively cooled, have multiple Gbit ports and can run off of 2.5" hard disk (low noise), Microdrives (very low noise) or CF (no noise).  If you wanted to you could drop in a WiFi card and replace the wireless router ;) You can also go down the build it yourself approach with the mini-ITX platform.  You can build a very low noise box to your own specification in a case that won't look out of place under the TV - but it'll probably cost you more than off the shelf kit of the same spec.
    @chrish: I guess I would be ok with hardware that has 2 10/100 Lan ports.  My concern is I may want to put the NAS on a separate Gigabit port… so I would need the cable modem plugged into a 10/100 then the DIR-655 and NAS in a gigabit port. Any suggestions on feasibility and hardware are greatly appreciated.
    Do search the forum - there are a few dozen threads on the subject of hardware.
  • Pppoe through router or directly to pfsense?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    Hello, Just let your pfbox handle it all. cheers,
  • Directory structure when accessing console

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    ohh lol I totally misread that. Thanks.
  • MBUF

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    @Perry: Don't know if it helps…. A quick google search gave me
    http://lserinol.blogspot.com/2009/01/freebsd-network-tuning.html
    http://marc.info/?l=freebsd-net&m=122936905304215&w=2
    commands
    systat -mbuf
    vmstat -z | grep -i mbuf
    @http://forum.pfsense.org/index.php/topic: This might be helpful:
    http://www.google.com/url?sa=t&ct=res&cd=5&url=http%3A%2F%2Fwww.bsdcan.org%2F2004%2Fpapers%2FNetworkBufferAllocation.pdf&ei=95ttR6jfBJfIhgKWvOU1&usg=AFQjCNE0FZjhZBOghCEY3a8icvugBtNDnQ&sig2=Byab07C9geQ-1Qric8fAxw
    You might add more ram to the machine if you are really worried about it. Do you use Intel NICs?
    This is output from systat
    systat -mbuf
    /0  /1  /2  /3  /4  /5  /6  /7  /8  /9  /10     Load Average
    /0  /5  /10  /15  /20  /25  /30  /35  /40  /45  /50  /55  /60
    And this from vmstat
    vmstat -z | grep -i mbuf
    mbuf_packet:            256,        0,   117963,     5685, 795130678,        0
    mbuf:                   256,        0,   117455,     1087, 451249037,        0
    mbuf_cluster:          2048,        0,   123650,      508, 136946898,        0
    mbuf_jumbo_pagesize:   4096,    12800,        0,      104,      4085,        0
    mbuf_jumbo_9k:         9216,     6400,        0,        0,         0,        0
    mbuf_jumbo_16k:       16384,     3200,        0,        0,         0,        0
    mbuf_ext_refcnt:          4,        0,        0,        0,         0,        0
    Yes I have Intel em0 cards which I have used before without any trouble. My firewalls are mostly on Intel 1U servers. There is only one different thing - this server has a bridge between WAN card and DMZ on VLAN. Normally for DMZ I have a separate card. I don't think that RAM is the problem - there is 2 GB inside.
    Sasa
  • Upnp not working on bridged interface ?

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    My test upnp-enabled units are one PS3, one PSP, one XBOX360. If I connect the xbox or ps3 via ethernet on vr0 (LAN), upnp works as expected, the xbox and ps3 report successful config. I have added the rule you mentioned, both on WAN and WLAN. If I try to add upnp on WLAN I see a message in logs saying upnp was started on LAN but not WLAN, since WLAN has no ip address (remember it's bridged to LAN ..) If I unbridge WLAN, and set it to a static IP, upnp works fine. Conclusion, upnp listens to LAN but not bridge0 (?) So basically, my rules are now : On Lan: allow all proto from any source,port to any source,port On Wlan (OPT1): allow all proto from any source,port to any source, port And as you advised: On Lan: allow all proto from any source, port to 239.255.255.250/32,anyport On Wlan: allow all proto from any source,port to 239.255.255.250/32,anyport … Note, I updated my setup to 1.2.1-rel and 1.2.2-rel, but this issue is still not fixed.
  • PfSense box keeps resetting itself when trying to Configure WAN

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    So more than likely whatever hardware is acting as the WAN is more than likely having an issue is what you're saying?  I removed the WAN NIC and replaced it, going to see what happens.