• System: Group manager - Access Squid3 and SquidGuard

    1
    0 Votes
    1 Posts
    492 Views
    No one has replied
  • Troubleshooting an issue every Monday

    2
    0 Votes
    2 Posts
    1k Views
    E
    @elementalwindx: We have a hyper-v installed pfsense on the newest version. No packages other than ntopng, and iperf installed. Simple setup of single wan, and single lan, and 1 openvpn connection going. Every Monday morning when the ladies in the office come in, they say the network doesn't work. They power cycle the machine running the pfsense and everything starts working perfectly again through the week. (Of course they do this without me at all) Any idea where in the logs to look for in figuring this out? Any ideas what it could possibly be? Thanks. Also in openvpn logs I'm getting: Aug 29 11:23:25 openvpn 72080 write UDPv4: No buffer space available (code=55) and it happens sporadically. All my routing is done automatically via the firewall itself. It's a basic openvpn connection site to site. Any ideas why I'm getting this?
  • Corporate Contributors License Agreement

    1
    0 Votes
    1 Posts
    619 Views
    No one has replied
  • OpenBGPD non prefix receive on other side

    1
    0 Votes
    1 Posts
    582 Views
    No one has replied
  • [SOLVED] cannot ping WAN port

    3
    0 Votes
    3 Posts
    5k Views
    M
    So how would source lan ever be an input into your wan interface? The complete lack of logic when people start clicking on shit just blows my mind ;) hahaha, yeh I'm pretty fresh with hardcore firewalling and networking in general. I understand the principles and I've run some pretty massive AV/automation networks in the past, but never had to actually build anything from scratch like this before and never more than what is needed for an AV/automate network. The most advanced things I did were: configure a few VLANS, tag/untagged some ports, turn on IGMP snooping for multicast traffic and setup some static routes, forwarded some ports, setup a basic snmp and a winbox terminal. that's just about it in terms of actual networking. Plus the routers we were using weren't exactly cisco so turning on icmp is simply nothing I have ever thought was necessary. Cool basic feature though, especially for a firewall. So the logic there was that I want source LAN to destination WAN, I hadn't started testing that so that doesn't really matter for this…. but of course; port forwarding. that would've fuckd me. silly brain. thanks. I've added an ICMP rule to my WAN port (will take it off when finished testing) and whatayaknow; it pings. like I said, I really didn't expect that to be something needing configuration. It seems I have drastically under-estimated the amount of control allowed in pfsense, now that I know that I have a much broader scope of what is possible and what needs consideration. So did you turn off nat? if you're going to be using this internally.  If then you have to create port forward not just open up a firewall rule. oops… it's turned off now... yeh, so all good with the port forwarding. Thanks though, I will definitely have a re-think of how I approach this project now that I have completed the initial fresh-project-sanity-check phase. Thanks so much for the reply, really appreciate the input! MedicineMan25
  • 0 Votes
    1 Posts
    418 Views
    No one has replied
  • MOVED: /var/squid/log

    Locked
    1
    0 Votes
    1 Posts
    593 Views
    No one has replied
  • MOVED: SquidGuard - cannot download blacklist from blacklist tab

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 3 NETWORK CARDS ON PFSENSE

    8
    0 Votes
    8 Posts
    2k Views
    P
    Thanks. How can I restrict access from one VLAN to the other? I need it such that clients connected to the guest VLAN cannot even ping the corporate network.
  • Need a way to disable SSH Cipher

    10
    0 Votes
    10 Posts
    4k Views
    C
    +1 for this being a feature in the GUI for selecting SSH and WebUI Ciphers and SSL/TLS versions. Did you end up requesting it in the bounty section couillard45682? If so, perhaps post the link in this thread so everyone can find it and give it a bump.
  • Stupid access question

    5
    0 Votes
    5 Posts
    1k Views
    N
    Thanks for answering. ESXi firewall off. I use 1 vswitch in which I connect only 2 active physical adaptors. Mgmt network connects directly to pfsense (172.20.10.1). VMs' network goes to a physical switch (which connects to pfsense in another port / different network). Ping from vmkernel to pfsense mgmt doesn't work. Will try to change something and update.
  • Latency >4500ms

    2
    0 Votes
    2 Posts
    866 Views
    F
    I know this post is old but did you find a fix for this? I am having the same issue now: when I run my PC just on the modem it's all good, but when I hook up PF I get low speeds and packet loss.
  • Stuck setting up my lab environment with VM PFSENSE

    8
    0 Votes
    8 Posts
    1k Views
    1
    Network Diagram attached. First line is IP, second is GW, all is on /24 mask. I'm trying to ping client pc1 and 2 from my laptop. At the moment, I can ping from both laptop and host pc, the pfsense vm, nothing further. I can also ping the laptop and the internet from the client pcs. The router 192.168.0.1 has static routes set up to pfsense router, 192.168.0.2. When the wifi link between host pc and isp router is replaced for a cable, I can ping the client pcs from the laptop. When it's on wifi, I cannot. Firewall settings on the isp router are turned off. Firewall settings on the PFsense is set to allow all on all interfaces. [image: network.jpg]
  • How to install FreeBSD ports on PfSense appliance

    4
    0 Votes
    4 Posts
    4k Views
    w0w
    https://forum.pfsense.org/index.php?topic=109827.0
  • Timeline of new features

    1
    0 Votes
    1 Posts
    457 Views
    No one has replied
  • Getting disconnected from the internet every now and then

    5
    0 Votes
    5 Posts
    1k Views
    M
    Squid is running but not enabled in the configuration. Do you suspect that causing the issue? I've stopped the service for now to test. -S
  • Transfer settings from VM to hardware PfSense

    5
    0 Votes
    5 Posts
    1k Views
    A
    Thanks. Deployment went down without a glitch!
  • HELP PPPoE Stuck on 100mb Speed

    2
    0 Votes
    2 Posts
    571 Views
    w0w
    Provide more information. Hardware? Pfsense/ ISP modem configuration? I have 300/300 PPPoE over Ethernet working with near full speed including traffic limiters and shaping.
  • NTP Question

    4
    0 Votes
    4 Posts
    4k Views
    dennypage
    @Kahomono: I do need to be able to power these devices off and on.  When my devices power on, they default to 2015-01-01 00:00:00.  They are not synching successfully off the firewall.  I suspect the time adjustment they would need is too great so it's refusing to make it. Any way I can (A) confirm my suspicion and (B) make it happen anyway? Override of large time offsets has to be done on the client and cannot be done on the server. How this is done varies greatly by client. If you provide information on the client, someone here might have experience with a similar device and be able to provide you with some guidance.
  • How to arrange my LAN?

    10
    0 Votes
    10 Posts
    9k Views
    G
    @divsys: I'm not a Minecraft/gamer aficionado by any means, but I would have thought you could simply provide a FQDN (eg. "thisisthegame.here.now") that would reference through DNS setup on pfSense to get you across the VLANS. So far, it seems to be working just fine with the bridge.  Typing FQDN for children on handheld devices might be a bit much for them.  Android complicates it more with their default hostnames that (sarcasm) seem to be deliberately constructed to test the buffer size limits of any DNS server. (I can control the DNS hostnames for the devices that "live" there, but not for the ones that are only guests.) I think (hope) they are moving away from the minecraft phase anyway, so once that's gone, I can drop the bridge. Another thought is to just write a quick daemon that listens for broadcasts on whatsoever port minecraft is using and retransmits the broadcasts on another interface.  (I'd have to do packet captures to figure out exactly what is being broadcast.)  A sort of broadcast forwarder.  (Actually, something like that might already exist… hmm..)  I'll freely admit that something like that would be COMPLETELY unsuitable for use on a larger LAN, but it might be a good learning experience for me even if it turns into a disaster.