• Quick Question before I order hardware…

    2
    0 Votes
    2 Posts
    651 Views
    C
    I can help you with a few answers, but I can't answer all. The box you found is probably a good one. It and a similar one on Amazon appear to be very popular. I built a J1900 oriented router with 8GB RAM and a 120GB SSD. It was over-provisioned, but I wanted a device that could be used for something else if it ever stopped being a router. RAM and an SSD were cheap extras. The router has a lot of processing capacity. I have three OpenVPN servers built and active. One is specifically for safe remote browsing where I need my home IP address visible. Two have remote LAN access. I keep the LAN access servers off when I don't expect to need them. (Use different ports and different internal network addresses to keep them from locking each other up.) They work great. pfSense allows you to create multiple users and certificates and give each a different password. These users can be linked to OpenVPN on an as-needed basis. The download wizard makes it easy to download certs and config files for user devices. OpenVPN is pretty flexible about the network range you can connect to. I wired my LAN port to a switch and the switch goes to a wireless access point in another room via normal Cat6 wiring. Pretty ordinary. Works great. Re port forwarding: I don't know your system, and port forwarding is an absolute necessity for a lot of purposes. I use one of my OpenVPN servers for remote LAN access. Then access is just as if I were at home. OpenVPN protects the open ports. No ports are forwarded. Obviously, this would not work if you needed public access to a server behind the router.
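The post's advice about running several OpenVPN instances side by side (different ports, different tunnel networks, and keep the tunnel networks off the LAN range) is easy to get wrong when the configs are edited by hand. The following is an added example, not code from the post or from pfSense, that checks a set of server definitions for those conflicts. The server names, ports, tunnel networks and the 192.168.1.0/24 LAN are all constructed for the example.

```python
"""Added example (not from the post): check a set of pfSense OpenVPN server
instances for the conflicts the post warns about, i.e. two servers sharing a
listener, or tunnel networks that overlap each other or the LAN."""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations


@dataclass(frozen=True)
class OpenVPNServer:
    name: str
    proto: str          # "udp" or "tcp"
    port: int
    tunnel_net: str     # pfSense "IPv4 Tunnel Network"
    local_nets: tuple   # pfSense "IPv4 Local network(s)"; () for a browse-only server


def find_conflicts(servers, lan_net):
    """Return a list of conflict descriptions; an empty list means the set is consistent."""
    problems = []
    lan = ip_network(lan_net)
    for s in servers:
        tunnel = ip_network(s.tunnel_net)
        if tunnel.overlaps(lan):
            problems.append(f"{s.name}: tunnel network {tunnel} overlaps LAN {lan}")
        for ln in s.local_nets:
            if tunnel.overlaps(ip_network(ln)):
                problems.append(f"{s.name}: tunnel network {tunnel} overlaps pushed route {ln}")
    for a, b in combinations(servers, 2):
        # Two instances cannot bind the same protocol/port pair; udp/1194 and tcp/1194 can coexist.
        if (a.proto, a.port) == (b.proto, b.port):
            problems.append(f"{a.name} and {b.name} both listen on {a.proto}/{a.port}")
        if ip_network(a.tunnel_net).overlaps(ip_network(b.tunnel_net)):
            problems.append(f"{a.name} and {b.name} have overlapping tunnel networks")
    return problems


LAN = "192.168.1.0/24"   # constructed home LAN

# Constructed: three servers as in the post, each on its own listener and tunnel network.
GOOD = (
    OpenVPNServer("browse-only", "udp", 1194, "10.8.1.0/24", ()),
    OpenVPNServer("lan-access-1", "udp", 1195, "10.8.2.0/24", (LAN,)),
    OpenVPNServer("lan-access-2", "tcp", 1195, "10.8.3.0/24", (LAN,)),
)

# Constructed: the mistakes the post says to avoid.
BAD = (
    OpenVPNServer("srv-a", "udp", 1194, "10.8.0.0/24", ()),
    OpenVPNServer("srv-b", "udp", 1194, "10.8.0.0/24", (LAN,)),      # same listener and tunnel as srv-a
    OpenVPNServer("srv-c", "udp", 1196, "192.168.1.0/24", (LAN,)),   # tunnel collides with the LAN
)

if __name__ == "__main__":
    for label, servers in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, find_conflicts(servers, LAN) or "no conflicts")
```

Run it as a script to see the three constructed servers pass and the broken set produce four findings. The same-port check deliberately treats udp/1195 and tcp/1195 as distinct listeners, which is how the kernel sees them.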
  • Second/VLAN interface on Loopback

    1
    0 Votes
    1 Posts
    474 Views
    No one has replied
  • No OPT1/DMZ

    9
    0 Votes
    9 Posts
    1k Views
    Derelict
    Right. Status > Interfaces is probably the easiest way to see all the naming, including the optX assignments.
  • Show freeRadius2 Mac Description On Dashboard

    1
    0 Votes
    1 Posts
    380 Views
    No one has replied
  • Network card speed limited to 286 MBit

    19
    0 Votes
    19 Posts
    5k Views
    T
    Update: I'm now running a pfSense firewall on a Dell PowerEdge R220 using this fiber card: https://www.startech.com/ch/Netzwerk-IO/Adapter-Karten/PCIe-Gigabit-Ethernet-LWL-Karte-Offen-SFP~PEX1000SFP2 I now get almost gigabit throughput (about 940 MBit/s). The hardware works very well with pfSense.
  • PfSense blocking DHCP packets - how to unblock?

    3
    0 Votes
    3 Posts
    1k Views
    jahonix
    I know that Ruckus APs are picky about this unless you tame them. Connecting a Win7 VM on my MBP through the same WiFi connection (MBP MAC bridge) was originally refused. I assume your Cisco AP might have the same behavior. This is Ruckus specific:

    We might have an option to work through the bridge, if you can test it. When attempting to connect non-Ruckus wireless bridge devices, we can test by disabling directed-DHCP, our proprietary conversion of broadcast to unicast of DHCP offer and ack messages, and evaluate how this affects the WDS with wireless bridge clients.

    rkscli: set qos directedDHCP
    usage: set qos directedDHCP {enable|disable}

    From ZD CLI:
    remote_ap_cli -A "set qos directedDHCP disable"

    The "-A" switch before the double-quoted AP command means apply to all currently connected APs.
  • Unable to set time, get error "can't reach time daemon, time set locally"

    6
    0 Votes
    6 Posts
    2k Views
    R
    The host was not set up to use anything, which is a problem, but also I have no clue where it's getting a1.pcloud.com from. Does pfSense use its own NTP settings? [EDIT] Actually, in this situation I have to laugh at myself because it was obviously getting the time for the VM from the host machine… well, that is when it was configured to sync it.
  • Routing OPT1 to WAN/LAN

    7
    0 Votes
    7 Posts
    6k Views
    V
    It's hard to say, since we don't know what your goal is. The first rule blocks any traffic to LAN from anywhere, but WiFiACL. The second rule allows any to anywhere. So all in all everything from any to any is allowed, but nothing from WiFiACL to LAN subnet. If that is what you want, it's your solution.
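The answer above depends on pfSense evaluating interface rules top to bottom with the first match winning (every rule created in the GUI is a pf `quick` rule), so the order of the two OPT1 rules is what makes the block effective. The following is an added example, not code from the thread or from pfSense, that models that first-match evaluation and shows what happens if the two rules are swapped. The alias contents (the WiFiACL hosts and the 192.168.1.0/24 LAN subnet) are constructed for the example.

```python
"""Added example (not from the thread): a first-match evaluator for a pfSense
interface rule set, used to show what the two OPT1 rules in the thread allow."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"

# Constructed alias contents; in pfSense these live under Firewall > Aliases.
ALIASES = {
    "WiFiACL": ("192.168.20.10", "192.168.20.11"),
    "LAN subnet": ("192.168.1.0/24",),
}


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # "any", an alias name, or a CIDR/host
    dst: str


def _matches(spec, addr):
    """True if addr is covered by spec (an alias name, a CIDR/host, or "any")."""
    if spec == ANY:
        return True
    for entry in ALIASES.get(spec, (spec,)):
        if ip_address(addr) in ip_network(entry, strict=False):
            return True
    return False


def evaluate(rules, src, dst, default="block"):
    """Rules created in the pfSense GUI are `quick`, so the first matching rule decides;
    traffic matching no rule hits the implicit default deny."""
    for rule in rules:
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule.action
    return default


# The OPT1 rule set described in the thread, in the order the thread gives it.
OPT1_RULES = (
    Rule("block", "WiFiACL", "LAN subnet"),
    Rule("pass", ANY, ANY),
)

# Same two rules with the order swapped: the pass-any rule now shadows the block.
OPT1_RULES_SWAPPED = tuple(reversed(OPT1_RULES))

if __name__ == "__main__":
    probes = (
        ("192.168.20.10", "192.168.1.5"),    # WiFiACL host -> LAN
        ("192.168.20.10", "93.184.216.34"),  # WiFiACL host -> Internet
        ("192.168.20.50", "192.168.1.5"),    # non-ACL WiFi host -> LAN
    )
    for src, dst in probes:
        print(src, "->", dst, "as listed:", evaluate(OPT1_RULES, src, dst),
              "/ swapped:", evaluate(OPT1_RULES_SWAPPED, src, dst))
```

The swapped set is the usual mistake: with the pass-any rule on top, the block rule never sees a packet, and the rule list looks correct at a glance while doing nothing.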
  • Interface on Half-Duplex without any reason?

    5
    0 Votes
    5 Posts
    1k Views
    M
    Have you tried setting the interface to "default" rather than "auto-detect"? I've seen strange behavior when set to auto-detect with some adapters.
  • Trying to configure lagg dual LAN NICs

    4
    0 Votes
    4 Posts
    548 Views
    C
    Is there a way to make a lagg from the shell? Looking for any suggestions?
  • PfSense & Cisco SG300 vlans w/ Fibre Optic Internet - proper routing?

    4
    0 Votes
    4 Posts
    3k Views
    johnpoz
    "Just so I'm clear, is the port from pfSense to SG300 (LAN) also trunked?" Why would it need to be if you're not passing other VLANs that pfSense would make use of?
  • Another GUI over WAN issue. Settings Confirmed Correct(?)

    8
    0 Votes
    8 Posts
    1k Views
    Derelict
    pass in quick on $WAN reply-to ( igb0 WAN_GATEWAY ) inet proto tcp from any to OFFICE_STATIC_IP port 443 tracker 1474672711 flags S/SA keep state label "USER_RULE"

    Looks fine - are you sure it's even listening on 443? Are the connection attempts arriving on WAN? (Do another packet capture there, probably filtering on the source IP.)
  • 10G TCP Performance

    6
    0 Votes
    6 Posts
    6k Views
    H
    He was doing a UDP test, and attempting to send 2Gb/s over his 2Gb/s connection was causing almost 50% packet loss on average. His connection cannot support anywhere near his provisioned speed. He also had several performance tests showing he can get 1.95Gb/s over TCP, but the same test may only give him 300Mb/s only minutes later. I do agree TCP tuning becomes an issue at these rates and typical WAN latencies, but that is not the current bottleneck. And TCP tuning on pfSense won't gain you much for most settings. The firewall is not the sender or receiver; it's just a middleman that makes sure the state is valid.
  • PFSense Packetloss and slow connection

    8
    0 Votes
    8 Posts
    2k Views
    KOM
    No, I don't have a tutorial, but it is pretty simple. :o IMO traffic shaping is one of the hardest concepts to understand, especially if your use case is outside what the wizard supports.
  • GRE Tunnel, Possible Bug.

    1
    0 Votes
    1 Posts
    780 Views
    No one has replied
  • 2.3.2 100% cpu load with SMP

    2
    0 Votes
    2 Posts
    859 Views
    G
    This problem went away with 2.3.3
  • PFsense continues to mature, but loses critical parts along the way…

    4
    0 Votes
    4 Posts
    2k Views
    B
    Jimp, thanks for taking the time to reply to each point. Let me say however, that while I agree that you are spot-on with your account of what was done and why, that doesn't address the concerns I bring up. Perhaps I am being too wordy or just plain vague, something I do from time to time. PFSense has been and continues to be a good firewall; however, it is losing its standing as the leading Open Source solution in its category. This is mainly because the category itself is changing. Firewalls are now a thing that is largely considered a basic service. Managing access at the edge of the Internet is a simple and expected function today. PFSense cannot continue to simply be a "great firewall" and stay in focus for the user base. The UTM or NGFW (Next Gen Firewall) is nearly the de facto standard for managing traffic. Firewall functions like the ones PFsense provides are just a component part of these new platforms. The good news is that you are eminently qualified to keep up with this trend and stay in the forefront of the Open Source firewall category. In my opinion, the PFSense team needs to seriously consider the role that your device plays in the daily life of a network administrator: ease of use, combined with monitoring and at-a-glance visual reporting and accurate alerting. To be more specific… Application Awareness, Stateful Inspection, Integrated Intrusion Protection System (IPS), Identity Awareness (User and Group Control), Bridged and Routed Modes, the ability to utilize external intelligence sources. Nearly ALL of these things were available in the previous generation with the correct plugins applied. Let me end by saying that overall, the PFSense team has done a remarkable job of keeping the base code healthy and secure. However, the REAL value came from the features that were achievable using plugins. Feel free to go back and read the reviews 1+ years ago and beyond. You will see that the authors highlighted the plugin community as the series of "killer apps" that set PFsense above the rest of the pack. My advice is to realize that the firewall aspects of protection are now expected and no longer a significant accomplishment. Focus on the customer-facing role of the platform and what it can do to EASE the daily life of the administrators and those that are protected by the platform. Design backwards from there and you will once again prove PFSense is THE standard in Open Source firewall (and moving forward NGFW) solutions. You have ALL the parts you need, and many experienced developers and community members to leverage for this effort. That includes myself - someone who designs platforms and customer-facing infrastructure software solutions daily. Once you do this, your team can offer more than simple Gold Support options. The number of managed services that you could provide (like cloud / managed threat protection) is nearly limitless. All this without having to invent much in the way of "new" technology - remember PFSense has had most of this before at various times.
  • OpenVPN stability issues - error 55

    15
    0 Votes
    15 Posts
    14k Views
    Pippin
    See here too: https://forum.pfsense.org/index.php?topic=117557.msg651859#msg651859
  • Snort - how to suppress a blocking rule

    3
    0 Votes
    3 Posts
    616 Views
    W
    So you're getting flagged using FTP over HTTP through a web browser?
  • 0 Votes
    6 Posts
    1k Views
    J
    Hi. Two reasons to trust an IP block list: reputation and common sense, and this list does not satisfy the second condition (it blocks all nets and subnets for Dreamhost, forum.pfsense.org, etc.; crazy :) ). Regards.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.