• [multiwan] OPT1 interface has no DNS server.

    0 Votes
    9 Posts
    3k Views
    O
    @RussellA: Also, the Status Interfaces not showing DNS settings on OPT1 (or WAN2 depending how you've labelled it) is a red herring. Even with a working DNS service when the WAN is down, the status page only lists DNS settings on the WAN Interface section and not the OPT1/WAN2 section. A few things I found which weren't in the instructions which eventually allowed DNS service to work when WAN was down: 1. On System->General Setup page uncheck the option DNS Server Override. 2. Also On System->General Setup page check the option Disable DNS Forwarder (See Note 1 below). 3. On Services->DNS Resolver page check the option Enable (This should be checked already because of step 2). 4. Also on Services->DNS Resolver page check the option DNS Query Forwarding (See Note 2 below). I tried this, it works for the internet, but the NAT stopped working. I have a NAT that goes to OPT1, and I have set the firewall rules manually to set that gateway.
  • Ports will not open

    0 Votes
    27 Posts
    3k Views
    stephenw10S
    Why are you forwarding 1000 ports but only have the torrent client listening on 1? And that screenshot still shows the wrong port for the current forwarded range. I assume you have updated that? Steve
  • WAN2 interface and gateway

    0 Votes
    1 Posts
    264 Views
    No one has replied
  • 0 Votes
    2 Posts
    304 Views
    DerelictD
    Sounds like file system corruption. You might consider installing a UPS…
  • Packet loss

    0 Votes
    4 Posts
    566 Views
    JKnottJ
    One thing I learned a long time ago is, if you're prepared to watch for a failure, it won't happen.  ;)
  • 0 Votes
    3 Posts
    324 Views
    F
    Thanks, ok that does make sense. I need to use source hash so I guess I'll just use a portion of the subnet. Would be nice if we could use source hash with alias. Sticky round robin just doesn't do it for us. Thanks for clearing that up!
  • Pfsense blocks LAN VPN traffic

    0 Votes
    4 Posts
    465 Views
    stephenw10S
    Ok, so 10.0.0.4 is not in the 192.168.3.0/24 subnet. Is the VPN server actually at 10.0.0.4? How is that subnet connected? If the client and server really are both in the 192.168.3.0 subnet then that's the wrong IP address the client is using. In that instance the traffic would go directly between them so pfSense would never see it. However running a VPN between two devices on the same subnet seems… unusual at best.  ;) Steve
  • 0 Votes
    4 Posts
    720 Views
    D
    Thank you, SammyWoo. I've had the traffic shaper run in different configurations since you suggested it, but the first couple of days the connection kept crashing every couple of hours despite the traffic shaper being up and running. Then I changed the port for torrents to use to one outside of the normal P2P range of ports that my ISP didn't seem to be messing with. That seems to have solved the problem.
  • NAT Source Hash - /24 subnet needs to exclude some addresses

    0 Votes
    4 Posts
    337 Views
    F
    I went with NAT source hash subnet 3.3.3.128/25. But it looks like (at least it seems this way) that my pfsense is also giving out the broadcast address 3.3.3.255 to some of my clients, they then obviously lose internet access. If I check the states for their private address I see this "3.3.3.255:5205 (172.16.49.160:61396) -> 8.8.8.8:53 SINGLE:NO_TRAFFIC" Now I'm not sure if it's showing the broadcast address on the outgoing interface because this IP is failing to get out onto the internet? So as a test I changed the NAT outbound source hash rule from subnet 3.3.3.128/25 to 3.3.3.128/26 which should give out IPs up until 3.3.3.190, and IP 3.3.3.191 is the broadcast… but after making this change and searching the states I can see that pfsense is giving out the IP 3.3.3.191, this shouldn't happen as this is the range's broadcast address.
  • Change VPN user password

    0 Votes
    3 Posts
    1k Views
    K
    Are you using PPTP?  If so change immediately!  Go with openvpn or IPSEC Mobile..  Personally I prefer Mobile ipsec as it supports windows 10 native built in client.
  • Pfsense hanged, Help me.

    0 Votes
    10 Posts
    1k Views
    K
    Maybe try enabling syslog and pushing to syslog server and you might get some info regarding the last seconds prior to hanging system.
  • Help with putting PfSense in front of 8 static IP (public)

    0 Votes
    22 Posts
    1k Views
    DerelictD
    @detox: Derelict ….. According to Suddenlink, all the static IP's I will be issued are class C  /24 Thanks So on the interface itself in a larger subnet than your allocation. There is no good way to put those addresses directly on servers. I would 1:1 NAT in that case. Or I would ask for a routed subnet to an address on that /24.
  • Web GUI from WAN IP inside LAN is this normal?

    0 Votes
    4 Posts
    247 Views
    johnpozJ
    Let's look at it this way… Let's say your wan IP is 1.2.3.4 What is the default lan rules?  Any Any right!  So does 1.2.3.4 fall into ANY?  If so then yes the lan would be able to access it. Rules are evaluated as traffic enters that interface from the network it's connected to, first rule to trigger wins no other rules are evaluated.  So when you have some client on 192.168.1.X for example on your lan wanting to go to 1.2.3.4:443 that falls in the rule any any - so yes it is allowed. If you do not want to be able to hit the wan IP from your lan - then put in a rule that blocks that on your lan... But seems kind of pointless since you're allowing lan your web gui on the lan address via the anti lockout rule.
  • RV mobile PFsense box. (sanity check)

    0 Votes
    6 Posts
    655 Views
    johnpozJ
    While pfsense has a wide range of uses..  I would think something like a cradlepoint or the http://www.netgear.com/landings/nighthawk-mr1100-mobile-router/ The netgear is going to be more home/user budget friendly.. You could for sure build up a nice setup with pfsense at the core… But there are devices specifically designed for this exact sort of use case.  And sure you could use it as failover internet connected into your pfsense setup at home when you're not traveling in your RV..
  • Network set up/config advice needed

    0 Votes
    10 Posts
    636 Views
    M
    Thanks all! I'll dive into this weekend.
  • Dynamic DNS IP caching problem ?

    0 Votes
    2 Posts
    284 Views
    DerelictD
    In general you bind the dynamic DNS you want to update to the interface address/vip you want it to update from.
  • PFSense with Vulnerability Scanner / Openvas

    0 Votes
    3 Posts
    2k Views
    jimpJ
    That is definitely not something you want running on the firewall. Setup another system. Install Kali in a VM and you can use it very easily. But don't try to make that run on the firewall.
  • Trunking VLANs on interfaces II

    0 Votes
    18 Posts
    1k Views
    B
    stephenw10; Thank you. johnpoz: If a person goes to the parent domain and sees that I have a blog that makes the article I linked to SPAM? Get real. You're making assumptions again without facts in evidence. The default VLAN is not the same on all my switches. I purposely limited where 20 and 30 can go, that is by design and is why they are isolated. 30 is high continuous traffic 24/7, 20 can be at times for hours at a time. The traffic on each is confined on each. I do not want either to adversely affect one another or 10 which has its own purpose besides being the default for the majority of the switches. Look, I came to this forum to ask how to configure pfSense to do exactly what I have done. Instead of getting help all I got was hostility and telling me how stupid this configuration is and how stupid I am and many other personal attacks. And I had to figure it out myself in the end. In case you haven't realized it Mr. Hero Member, you were of no help in this case. Put aside your I know the best way and it's the only way and help people do what they want whether you like it or not. And if you don't like it and can't do that then for God's sake leave the people alone! I've told you more and showed you more than you need to know. Once again I came here for help configuring pfSense to do what I want that's all you needed to know. IF YOU ARE NOT GOING TO HELP PLEASE JUST LEAVE ME AND THIS TOPIC ALONE!!! This is what I want to do. This is what I did. This will work for my environment. It will have all the performance and flexibility I will ever need.
  • Strange pfSense Notifications

    0 Votes
    2 Posts
    579 Views
    DerelictD
    That has already been fixed. Upgrade. https://redmine.pfsense.org/issues/8360
  • Apps on different ports on ubuntu server - pls advice!

    0 Votes
    5 Posts
    431 Views
    DerelictD
    plenty of google terms there.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.