2 years is long enough for me to but new hardware. Thanks for your replies.

On the gateway advanced settings you could try making the Probe Interval and Alert Interval longer. That should make it take more time to get a few responses and decide that the gateway is up. If it is flapping like that so often, then you really need to get it fixed (I'm sure you know that!). And while waiting for some repair action, you can just take the WAN gateway out of the gateway group. You should still be able to look at gateway status for it, and when you think it seems happier, try putting it back in the gateway group.

@gjaltemba: I would keep the default gateway on opt1 by disabling firewall rule. Just the NAT rule is not enough info by itself. Move it to the top. this seems to have worked. thank you

pfSense seems to have a 20min arp cache and most client systems are about 60 seconds. If you think the issue is the arp cache, just wait 20 minutes. If the problem doesn't resolve after 20min, then it's not the arp cache.

^yup!! The management has to be untagged - this has been a big complaint from many people..  So you can run a SSID with no tag if you want that on the same layer 2 as your management network.  Or all of your ssids can be on different vlans, either static or you can set them dynamic as well. So my controller and AP are on my wlan 20 vlan, so on the trunk port connected to my AP vlan 20 is the pvid and is untagged.  This is the same network as my eap-tls authed ssid.  Then the other 3 ssids are for iot devices, guests and stuff that can not do eap-tls..  these 3 vlans are tagged.

@gjaltemba: Glad you got it working. Firewall->Aliases is not hard to find. Thanks for the help!

First in AP mode there is not much seance for hw acceleration as all a dumb AP  does is  pass packets  that CPU is fast enough and also Eric (Rmerlin)  said the same thing in a    post on smallnetbuilder

just upgraded to 2.3.4 (probably my 5th or 6th time ever upgrading) and if feels like there is no way to update without losing or breaking something else…  I've spent the past 4 days practically without sleep fixing what shouldn't have been broken... Would you please so friendly and tell us from where your were upgrading to the version 2.3.4? And on top of this perhaps what is not running well after this upgrading procedure? Lost FTP Client proxy have to now depend on an addon…  Why not JUST FIX FTP CLIENT??? FTP proxy and pfSense 2.2 Why not pacing a FTP, S/FTP or FTP/S Server inside of a DMZ together with 1:1 NAT? A small Raspberry PI 3.0 (Linux based) or a small Mini TurBot (FreeBSD based) might be also solving this problem well. Pretty sad that a $20 walmart router can work and yet this thing can't And here you may able to see where the competence is given on networking together with security! Traffic Graph now looks cool, but is more useless than ever unless you are looking ONLY inside the 2 minute window.  No way of seeing a NUMBER that tells you your in/out speeds, and the graph is useless to see in speed if it's only a few kbps when out is mbp PRTG, Incinga2 and Nagios are also really nice to manage that work, or a smaller Raspberry PI 3.0 with CATI and MRTG will do that jo also well for your network. I SOOOO want/need a geo blocker, but it's never worked right in the past, and I am afraid that I will go another week trying to fix things if I install it. pfBlockerNG & DNSBL is one of the longest and actual keeping forum thread here, and why you don´t ask there for help? pfSense is still one of the best things out there for now, but WOW is it frustrating! What hardware are you using? What knowledge skills you can offer? Are you a beginner or mid ranged level or a professional? I don´t want to come to near to you, but could it be that you need only a little bit more help and knowledge about the entire pfSense and this might be fine working for you too? There are several columns here in that forum and the one or other right pointed question about this or that problem could help you more then that thread here, I personally think.

1.Is pfsense platform that can be used for miniISP and its total free to use? Without license? It is free of charge but to let it grow and save the future of this firewall distribution or make it done that the development cost is able to be pay you might be free to spend each year, sometimes or often likes you want it or you are able to do it. It on your free mind to do this and not any pressure! To solve this you might be also able to buy hardware appliances from the pfSense shop directly matching your criteria and workload or fits your needs and you will be also sure to get 100% compatible hardware in one act. This might be perhaps better then fiddling your own appliance and prevent you from all problems that are pointed to this. 2.Its installed on PC like os? Yes it is based on FreeBSD and so the best thing is to get a platform that is supported by FreeBSD for sure. (its not windows platform) Not no a Windows based OS or distribution, its based on FreeBSD! and its accepted on all pc? Not really all, but the most of them, as told above, the best is to get a platform that is supported by FreeBSD (x86_64Bit) 3.Does this platform show to users login website when they connect to wifi? (something like mikrotik) Able to realize over the captive portal, you may also be able to set up MikroTik WiFi APs or UBNT APs as well for your usage. 4.Does it have billing? And can i connect users between 2 3 pfsense machines? You may able to use the Captive portal together with a voucher system and set up different groups for the Internet access. Together with UBNT (Ubiquiti) WiFi Access Points UCRM-Complete WISP management platform Together with MikroTik WiFi Access Points Handlink-ISS 7000 v2 [Handlink-HotSpot printer[] 5.And can i make vouchers? Yes you can, together with the Captive Portal. At moment im on Kerio Control but pfsense look very very better solution. pfSense is a software based firewall distribution, that can be turned over a packet management into a fully featured UTM device, acting as a load balancer, BGP router, HA solution or a pure firewall, likes you want and the hardware is able to do. IDS/IPS - Snort & Suricata geoIP blocking, (Spam and Malware) - pfBlockerNG AV Scanning - ClamAV Proxy Server - Squid, SquidGuard & SARG RadiusServer - FreeRadius 2.0 and many others.](https://www.handlink.com/products_WG-500P-P.php)

I am trying to implement BT (British Telecom) IPTV utilising IGMP / Multicast. I would suggest you at first to find out what type of IGMP version you will really need. We have two versions here in Germany and they are both different each from another. Perhaps you will ask your ISP at first about that! The old entertain (version 1) needs IGMP v2 (version 2) proxy or snooping This can be solved with pfSense alone The actual entertain (version 2) needs IGMP v3 (version 3) proxy or snooping and PIM (routing)! This can be not solved by pfSense alone, you will need PIM (routing) able to get by Raspberry PI 3.0 and Linux or a small MikroTik router For PIM routing you will need a small Raspberry PI 3.0 or a small MikroTik router that will be able to solve your problem.

Basically looking for the following:  1 WAN and two separate physical LAN's.  1 on using the LAN port and the other using the OPT1 or OPT2 port. WAN as it is served to you by your ISP LAN1 with 192.xxx and DHCP range from 192.xxx.20 to192.xxx.50 OPT1 as LAN2 with 172.xxx and DHCP range from 172.xxx.20 to 172.xxx.50 What exactly was now the problem? You can realize either that with managed or unmanaged switches likes you want! Technically after this point my router has two LAN IP's right? Right, and both must now configured likes you want to allow or deny the traffic between them. one for each subnet? Yes, you got now two totally different subnets (CIDR) with private IP address ranges or pools and its own DHCP server for each. Now you should overthink what to allow or to deny for them and their clients.

@kesawi: I have this same issue as well since upgrading from 2.2.6 to 2.3.1 (and now 2.3.2). Gateways are up Happens whether monitoring is disabled or enabled. Happens whether state killing on gateway failure is disabled or enabled I have the same issue as above although i use the most recently stable version. I'm a newcomer of pfsense. I have to say the help docs are not good. For example, I cant even find a sample or demo to help  set up flow control of my network which is so easy in other cheap routers.  Pfsense is professional but not user friend. Who can show me how to set a rule to block MACs or bind MACs to a fixed IP?

Here are a couple of ways. Hire a network engineer and provide necessary budget for accomplishing the task. Between the hours of 8am - 12pm and 1pm - 4pm; unplug the network. But seriously, oh wait, that was serious.  Which social media sites?

After testin in an other environment we were able to confirm that pfSense is just working als a relais. NTP for Clients against pfSense is only working if pfSense itself has valid connections to at least on other/ real NTP server.