Hey, you can look at this thread, it does support DMVPN. https://forum.pfsense.org/index.php?topic=103242.0

Also my pfsense runs on vmware workstation and I have a sneaking suspicion that could be interfering? Internet –- pfSense --- Switch --- Merlin router in WALN AP mode That would be my set up to learn about VLANs and with two SSIDs (WLAN private and guests) you might be needing tagged VLANs and if you set up only one SSID (private WLAN) you may only need a untagged VLAN. Would be nearly comming to real situations also at home. Forget the dump Switch please, for ~$25 you may get a small Netgear GS105E that will be non configured working or acting as a dump Switch and it supports VLANs if you configure it over the webgui.

Upon further testing I have ascertained that the MTU for the network as a whole, is set within the VPN. I tested with these settings: host: 1500 openvpn: 1500 router: 1492 Pings at 1473 were fragmented and pings at 1472 passed. When I set the openvpn client back to 1492, pings at 1465 fragmented and pings at 1464 passed. So it appears that the router MTU setting, has no effect on an encrypted tunnel. As per the description "maximum transmission unit", I can only assume that if I set my host to limit at 1492 it will formulate packets of 1464 bytes and append a 28 bit header to make up the 1492. Someone please correct me if I'm wrong. For now this is solved.

Some quick comments. You've got a fixed IP which is really not needed - many DNS providers today do dynamic updates - but is handy to have. You will naturally have a DMZ since you will have port 25 world wide open, you really cannot run a MX without it. You mention you have an external VPS, I assume it's Linux. I would install postfix on that VPS and use it as backup MX, you probably want to queue your own mail when you have maintenance windows and miss receiving or if you're on a weekation and the power drops and the server don't come back up. SMTP servers usually have retry algos and keep trying sending for up to some 96 hrs before returning errors but I think it's nice to have backup MX anyway - it makes sure the sender don't get any kind of warning or dealy info sent back (this may or may not be good that's up to you I guess). I would also use that VPS for outbound SMTP (to the world), since it's most likely non-residential and non-dynamic IP that will probably work fine. If you want you could set up VPN site-site to that VPS and tunnel outbound mail plain from your local mail systems in that tunnel and also receive rsyslogs from the server over the tunnel to a central syslog server. The mail system that the users use can be many things and it all depends on how many servers you want to have in the mail design - myself I have 3 locally in my personal network handling different aspects of the mail feed. I would strongly suggest you look into Zimbra as your main mail engine, webmail and collaboration system alike. Quite possibly the best I've ever seen and I have used a number of mal servers/system during the years. Other options may be Zarafa and possibly Axigen. Remote access to mail can be over OpenVPN (demand everyone including phone to first setup tunnel before accessing services) or a mix, perhaps you'd like to have https, pop and imap open to give users flexibility. I'd recommend using Snort to increase the likelyhood that you notice if there's a lot of malicious activity going on. I'd also recommend using some blocklists (you can do that in FW-rules instead of Snort) like ET IP lists, CINSscore and Talos. Be wary of DNS block lists (real time block lists) in the SMTP system, many give you issues of false positives, the only I use on and off today are Spamhaus and sometimes Spamcop. Rejecting SPF failures may also give you some issues but is a nice thought I think, unfortunately there's a lot of admin that do not keep accurate SPF records. Just a few various thoughts on the subjects. Regards,

The General Setup DNS servers are for the firewall to resolve names. If you do not have any DNS servers defined in the DHCP server it will serve the interface address if DNS resolver or DNS forwarder are configured. If neither are configured it will serve the DNS servers defined in General Setup. This is not a guessing game. You should be able to look at the DNS servers that were given to the clients and whether they can or cannot resolve names. If they cannot you would investigate why they cannot. Leave blank to use the system default DNS servers: this interface's IP if DNS Forwarder or Resolver is enabled, otherwise the servers configured on the System / General Setup page.

Tried working on this issue some more, but haven't yet found a way to improve recovery time after the ISP connection comes back up. I'm not sure now that this has to do with having two gateways set up. Right now I have gateway monitoring disabled on the IP that points to the SG300 switch. I also had set the WAN interface (igb0) to reject leases from the modem's IP address of 192.168.100.1. Neither adjustment seemed to change the time to recover after the last two ISP outages. I still have to wait for an hour or more after the modem indicated link recovery until pfSense was able to pass traffic to it again. During the outage prior to that using the same pfSense config, after the modem indicates link recovery, removing/reconnecting the WAN network cable restored connectivity immediately. No unplug cycle on the switch-facing links was necessary. I'm guessing the extended delay time if I don't intervene after an ISP outage is the DHCP lease renewal interval counting down to a certain percentage, where pfSense then recovers connectivity on its own. What I get from logs during these outages is: Apr 20 07:13:17 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:18 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:18 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:19 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:19 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:20 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:20 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:21 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:21 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:22 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:22 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:23 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:23 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:24 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:24 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:25 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:25 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:26 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:26 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:27 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:27 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:28 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:28 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:29 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:29 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:30 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:30 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:31 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:31 dpinger WAN_DHCP 184.88.32.1: sendto error: 64 Apr 20 07:13:32 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:32 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:33 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:33 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:34 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:34 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:35 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:35 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:36 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:36 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:37 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:37 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:38 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:38 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:39 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:39 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:40 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:40 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:41 dpinger WAN_DHCP 184.88.32.1: sendto error: 65 Apr 20 07:13:43 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 184.88.32.1 bind_addr 184.88.44.86 identifier "WAN_DHCP " Assuming dpinger should be the agent triggering recovery actions, if it doesn't know how to handle this kind of outage on its own, I might end up just implementing a less-than-ideal cron script to check a few IPs periodically and cycle the interface if none reply. Not a good solution, but its all I can think to do at the moment.

@stephenw10: It's logging and blocking that traffic because it's matching the antispoof rule. Looks like it's coming into the VLAN interface from a IP that is in the LAN subnet. I assume the LAN in 172.16.0.4? That's the expected behaviour. https://www.openbsd.org/faq/pf/filter.html#antispoof Steve Thanks for the reply…  I didn't realize I had the IP address reconfigured.

What is the upload bandwidth at the server end though? That is the limiting figure here. What speed are clients seeing when connected? Steve

It is too much  for my mind… Yes, now I know you are both right. But now, when I'm using peek and splice all mode with MITM and I can see every certificate verificated by.. i.e. Verisign, Symante, Oracle.. now my network settings are right - am I right or am I wrong? EDIT: I found that thread https://forum.pfsense.org/index.php?topic=123461.0, there is more explanation about my doubts. Thank you once more.

Many modems can be made to present themselves differently in various modes. It might be possible to switch that device to appear as USB serial. More Googling required.  ;) Steve

Shortened the dhcp lease per suggestion and made the changes. Everything went smoothly. Many thanks for all the help.

I have 2 separate NICs. One dedicated for WAN. The other NIC has three ports, one for management, one primary network and one guest network. WAN port is a direct DHCP internet connection. Here's some config screenshots http://www.openscreenshot.com/B1MLNwDAg http://www.openscreenshot.com/ByCPEDPAe http://www.openscreenshot.com/HkIFNPDAl http://www.openscreenshot.com/SkC_HDD0g http://www.openscreenshot.com/B13prDDAl http://www.openscreenshot.com/S1vCBvv0e http://www.openscreenshot.com/HJGJ8PvCx I definitely scanned the right IP. They're now appearing closed though.

@doktornotor: Remove and reinstall the package. I should have mentioned that I've done this 5 or 6 times.  After the uninstall the dashboard was fine, but I got the same error as soon as I reinstalled it. It looks like I ended up resolving my own issue.  I moved the file, ".widget-snort.inc.uIzi3Hvkv9Po" out of the widgets/include folder, and everything went back to normal.  It looks like it was probably a temp file created during my system upgrade, and for some reason it wasn't deleted after the upgrade finished.  It was causing the PHP function, "widget_snort_uninstall()" to be declared twice, which caused the dashboard code to fail to compile.  Uninstalling and reinstalling the package didn't help, as the uninstall still left the widget temp file behind in the folder and caused the issue to reemerge after re-installation.  I held on to the file just in case, but its contents are identical to those of "widget-snort.inc," so I'm sure I don't need it. Anyway, if you ever get a "previously declared…" error on the dashboard page with regard to a widget, check your /usr/local/www/widgets/include/ folder for stray temp files.  ;D

I've order a new NIC today which will arrive on Saturday. However, if it was the USB NIC at fault then the fault would switch from LAN to WAN and not disconnect all LAN machines all the time; they would stay connected but I just wouldn't be able to get to the outside world. I NEVER have an issue from my pfSense server to to the outside world just internally on all machines when it happens and thus can't get to the outside world when it does happen. Why would it start happening all of a sudden and so intermittently? Let's see after my new NIC arrives and see if that solves the issue!

[image: all-your-base-ws2445.jpg]