If your using 2 factor with gmail you will need to setup a APP password in gmail that does not require the 2 factor.

Yes. IPSec is standard. You just have to use a standard identifier and not the Sonic ID.

So I thought perhaps it was a CPU issue with OpenVPN, I disabled encryption and I'm still having dropped packets. The machine is pretty low-end (Atom D525) but processors are pretty free? last pid: 54088;  load averages:  0.76,  0.59,  0.61                                          up 10+19:46:55  13:28:42 482 processes: 5 running, 450 sleeping, 27 waiting CPU 0:  7.4% user,  0.0% nice,  3.5% system,  3.1% interrupt, 85.9% idle CPU 1: 11.3% user,  0.0% nice,  3.5% system,  2.0% interrupt, 83.2% idle CPU 2: 12.9% user,  0.0% nice,  2.7% system,  5.1% interrupt, 79.3% idle CPU 3:  4.7% user,  0.0% nice,  4.7% system,  6.3% interrupt, 84.4% idle Mem: 29M Active, 148M Inact, 427M Wired, 531M Buf, 7317M Free Swap: 16G Total, 16G Free   PID USERNAME      PRI NICE  SIZE    RES STATE  C  TIME    WCPU COMMAND   11 root          155 ki31    0K    64K CPU0    0 245.8H  86.47% idle{idle: cpu0}   11 root          155 ki31    0K    64K CPU3    3 253.4H  84.96% idle{idle: cpu3}   11 root          155 ki31    0K    64K RUN    2 246.6H  76.37% idle{idle: cpu2}   11 root          155 ki31    0K    64K CPU1    1 251.4H  75.20% idle{idle: cpu1} 23044 root          30    0 21624K  5684K select  2  8:53  18.36% openvpn 21063 root          52    0  262M 36096K accept  1  0:02  10.16% php-fpm 54088 root          40    0  262M 36124K accept  2  0:01  7.57% php-fpm   12 root          -92    -    0K  432K WAIT    0 596:01  4.88% intr{irq258: em2:rx0}   12 root          -72    -    0K  432K WAIT    3  22:44  4.79% intr{swi1: netisr 3}   12 root          -92    -    0K  432K WAIT    2 534:21  2.88% intr{irq261: em3:rx0} 72603 root          20    0 21856K  3928K CPU1    1  0:00  0.39% top   12 root          -92    -    0K  432K WAIT    1  60:03  0.20% intr{irq259: em2:tx0} 2475 nobody        20    0 16836K  4100K select  2  0:24  0.20% darkstat     0 root          -92    -    0K  304K -      0  75:03  0.00% kernel{dummynet}   12 root          -92    -    0K  432K WAIT    3  71:32  0.00% intr{irq262: em3:tx0}   12 root          -60    -    0K  432K WAIT    2  16:23  0.00% intr{swi4: clock}     0 root          -92    -    0K  304K -      3  14:40  0.00% kernel{em3 rxq (cpuid 2}     5 root          -16    -    0K    16K pftm    0  7:41  0.00% pf purge 31241 root          20    0 16676K  2560K bpf    1  6:58  0.00% filterlog   15 root          -16    -    0K    16K -      0  4:58  0.00% rand_harvestq     0 root          -92    -    0K  304K -      2  4:32  0.00% kernel{em1 que}

"Want to provide 2 DNS servers for the guest wifi: pfsense is primary, google dns is 2ndary." Why??  If your guest wifi need to resolve stuff on pfsense then if they happen to ask google that will fail.  Normally in a guest setup that you do not have any need for the guest to resolve anything local you would just point them to something outside like google.  So if your worried about google dns failing just point them to opendns as your secondary.  Both of these ns can resolve the same stuff. In a scenario where your pointing to pfsense and some public your talking to ns that can not resolve the same stuff which cold cause problems if that different stuff is needed.

I don't know what to tell you.  If you have disabled all middlemen packages like squid, snort, etc… if you aren't using your VPN... if you have cleared the caches on all browsers and you STILL get weird css/image glitches then perhaps you're just cursed?  What happens when you take the router out of the mix altogether and just connect directly?  Do you still have these issues?

Sorry for hijacking this thread. I just didn't get any reply yet and was finally happy to see something similar in the forums. If you want, you can delete my posts here and we continues this discussion in my original thread.

@johnpoz: I am very curious in what sort scenario your in were they are limiting you to 1 /24??  the 10 space is freaking HUGE.. How many sites/locations are you talking that you can only have 1 /24?? 65k of them? Some times the problems are not technical but political. I will request a larger address space.

Good tutorial with the diagrams: https://nguvu.org/pfsense/pfsense-2.3-setup/ and https://nguvu.org/pfsense/pfsense-router-on-a-stick-with-netgear-gs108/ From my own experience - pfSense is not guilty for sure, check your switch configuration, capture/analyze traffic coming over the trunk from the switch, use tcpdump from shell with '-e' to see VLAN tags.

Sure. In fact it's preferred. Just turn off the DHCP Servers in Services > DHCP Server on the interfaces served by other servers and have those servers give your domain controllers as DNS servers. What do you mean by "manage my wireless?"

That is exactly what I had done.  Thanks for confirming!

Thanks for the reply

No am just using wow personal with aes

thank you Sir i corrected myself now I'm able to block internet for specific IP.

Growl has a software program that needs to be installed on the computer, in addition to the settings on your pfSense box (search Google for Growl for Windows). Once you download and install the program, then enable the settings in pfSense to point to your host running the Growl software. You may want to make sure that the host has a static IP address or DHCP reservation so that the IP address doesn't change and you stop receiving the notifications as a result.

@KOM: It will download your packages again unless you selected the Skip packages checkbox when doing your backup. Thanks KOM, will config backup and fresh custom install pfSense so that this time can manage SWAP size only 4GB for 16GB ECC RAM…

Success at last! After looking at the email configuration settings for earthlink and work, I began to try one option at a time regardless of what the instructions for outlook / thunderbird said. Finally, I stumbled on a combination that worked!  I sent 4 test messages.  All went through successfully. So now, I will watch tomorrow for the scheduled reports/notifications to see if it sticks. Hopefully I can mark this topic as done tomorrow.

That looks promising for IPsec traffic, from what you've said hypothetically if we wanted to get the best possible performance our bottleneck would most likely be I/O before processor traffic.

If you control the other (server) side, you can setup e.g. OpenVPN to listen on any udp or tcp port you like. So you can't be sure that no one could open a tunnel there. You surely could block some commercial providers, but if someone goes along and rents his own VPS and installs OpenVPN to it, the game is on.