• Does pfsense have sip alg?

    5
    0 Votes
    5 Posts
    34k Views
    Z
    Thanks everyone. Appreciate the feedback.
  • VLAN on multiple interfaces

    1
    0 Votes
    1 Posts
    465 Views
    No one has replied
  • Any way to stop SSH log spam in System log?

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    No, because for security reasons it has to report every attempted connection. The alternative would be someone/something nefarious hitting the port and you'd never know.
  • Use OPT1 as a gateway for a physical computer

    4
    0 Votes
    4 Posts
    1k Views
    KOMK
    Is there any configuration to add to the pfsense firewall or some NAT to do or Forwarding Rules? By default, only LAN gets a firewall rule to allow access. OPT1 does not, so you will likely need to add at least one rule. Look at your LAN rules and find the one labelled Default allow LAN to any. Make a rule exactly like this one but on the OPT1 interface instead of LAN.
  • 2FA - Google Auth in pfSense

    2
    0 Votes
    2 Posts
    1k Views
    johnpozJ
    2FA is already what you have.. You have the cert and a username and password if you want it, that is 2FA..  How many factors do you need?  I think we should put in a dna test before you get on..
  • Pfsense.org ipv6 address network not work

    14
    0 Votes
    14 Posts
    2k Views
    johnpozJ
    I don't need to do that.. But my mtu on my gif to HE is set to 1480 mtu gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1480
  • Dshield send pfsense log - issue with reading log entry time?

    2
    0 Votes
    2 Posts
    861 Views
    G
    just a wild thought this might be a nice add to pfblockerng or both ids/ips packages
  • Vlan-interface-dhcp-client

    3
    0 Votes
    3 Posts
    1k Views
    L
    Well, the WAN interfaces on each pfsense HA-node do not share a virtual IP, so there is no seamless failover of sessions between the HA nodes. If one node goes down, the backup node will take over, but all state/sessions are lost and need to be re-initialized. Like you said, in order for this to be done correctly one would have to have some control over the upstream hardware (which I don't).
  • Captive Portal for external / inbound traffic ?

    1
    0 Votes
    1 Posts
    662 Views
    No one has replied
  • Layer 3 Cisco Switch & pfSense Design Assistance

    6
    0 Votes
    6 Posts
    4k Views
    johnpozJ
    "The other reason to have the bulk of the network L3 switched on the switch is for pfSense upgrades.  An upgrade shouldn't take down my ability to stream that webcam video internally, or my ability to stream music or video internally." While I agree with this for sure, what happens when you want to upgrade your switch firmware? ;) what is being used for internal dns?  While you might not have an issue while you're streaming a movie or music and you reboot pfsense. When do you do your pfsense upgrades?  I do them after hours or before household hours because I am up early..  Or sometimes whenever.. Reboot of pfsense never takes more than a couple of minutes, etc.  If someone was watching a movie I wouldn't do the update then ;) "The reason I want to segment all this stuff is security." Completely and utterly agree with you 100%  I just do not see doing it at the switch, which clearly while it has some basic ACL functionality does not have the ease of creating the exact firewall rules and logging of hits on these rules like your switch is going to have. As to how large companies do it - sure they have core L3 switches, I have supported many a large company..  They rarely firewall between their segments, even though they should!!  Most often I see a large core switch, say a nexus 7k but there are no ACLs between segments.  Sure they will have their services that are open to the public internet behind a firewall and isolated from their core network.. I really don't see that as any sort of reason to do a downstream in your home setup.. If your pfsense box can not handle the wire speed you need between segments, prob better to get a faster pfsense box ;) heheeh  It will make your life much easier that is for sure.  I have toyed with putting my sg300 in L3 mode and doing a downstream setup.. This would for sure give me way faster speeds between my segments.  But the thing is I have my segments isolated for security. The ports I do have open between segments like printing, access to my plex.  Pfsense can more than handle the speed needed. More than happy to help you work out the details of such a setup, I just don't see the actual value in doing it is all ;)
  • VPN, Alternatives?

    8
    0 Votes
    8 Posts
    2k Views
    johnpozJ
    I connect into openvpn to my home network from work pretty much every single day, and it stays connected from the morning until I leave pretty much..  So rock solid for 8 hours at a time 5 days a week for years have been doing this..
  • Help choosing a switch

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ
    If for home use sure outdated model for less $ is prob fine sure.  Yeah those are both managed switches, so should provide you prob pretty much all the features you might need for home use.  Vlan support being the big one.  As to all the other features they might support I would have to look.  Fully managed should include stuff like snmp for monitoring, sending of traps.  And many other bells and whistles that you may or may not need.  But would provide you with future proofing, for possible future use.
  • Firewall Rule to interface mapping issue…

    2
    0 Votes
    2 Posts
    584 Views
    T
    Hello?  Anyone home? Here's some screen shots: [image: 2016-09-09_9-20-22.jpg] [image: 2016-09-09_9-21-05.jpg]
  • Pfsense and a rented modem/router combo setup help.

    2
    0 Votes
    2 Posts
    724 Views
    M
    When you are making your configuration changes on the router\gateway, are you connecting your computer directly to the router\gateway to make those changes?
  • Thoughts / Suggestions for Expanding HA Sync Options

    2
    0 Votes
    2 Posts
    548 Views
    D
    Should this be posted in a different spot given the lack of even a 'you're nuts'  (kidding of course).
  • PfSense 2.3.2 and email notifications

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    A
    @johnpoz: If your email server is inside the network, I assume your 172 is rfc1918 ie 172.16-31 why are you obfuscating it? Force of habit I'm. Issue is solved read the thread posted by dennypage. Disabled SSL and notifications are now working again. Thanks for all the help
  • "Ghost" OpenVPN interface?!?

    1
    0 Votes
    1 Posts
    584 Views
    No one has replied
  • Is this a bug?

    6
    0 Votes
    6 Posts
    2k Views
    N
    @jimp: The Chrome regex parser has a bug in that it does not allow escaped characters inside a list, even though it is a valid – but not required -- regex expression. Not required unless a character class includes a character that needs to be escaped that is.  Such as, oh say a backslash.
  • Right cpu for the job

    4
    0 Votes
    4 Posts
    777 Views
    M
    @vamdolly: Hi which cpu would be right for the job a duo core or quad core for pfsense using vpn, snort and antivirus if I'm not mistaken vpn is better with more but I'm not too sure. You're right, OpenVPN is not scalable so it is better to have a multi-core CPU.
  • Slow LAN and downloads

    4
    0 Votes
    4 Posts
    906 Views
    H
    They generally perform worse for two reasons, they offload all of the work to the CPU, and they have crap driver support. No matter how good your hardware is, no driver support will kill it. And depending on several things, 2ms is really really bad. I get a 0.2ms ping average, and a min ping of 0.008ms. Even my 8 year old Dells with an Integrated Intel NIC that Intel claims costs about $0.01 to add to the chipset, averaged about 0.3ms. But let's not get sidetracked with hardware knocking before the issue gets narrowed down a bit. One thing you may want to do while trying to make the firewall shuffle packets around is to look at the System Activity and see if CPU usage is abnormally high and what is using it. When doing this kind of test, best to do a load test through the firewall and not to it, it makes a difference since firewall stuff is done in the kernel while iperf is done in userland.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.