Thanks for the tip.  I just checked the pfSense book and it doesn't go into much detail at all about URL aliases and URL tables aliases. I did misspeak earlier.  You should be using an URL alias, not URL Table.  URL Table is for when the list needs to be updated on a schedule.

1. Update. 2.1 is ancient and that rate bug was fixed a long time ago. 2. Limiters do not use Rate. 3. It is safe to kill rate, it is only used to provide per-host bandwidth stats on Status > Traffic Graphs

@whorfin: @whorfin: ngrep and socat, please Just grabbing these did seem to work: http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/ngrep-1.45_3.txz http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/socat-1.7.3.1.txz Please add tcpflow; this is particularly relevant as the version on freebsd.org requires cairo, which is a dealbreaker in embedded context. There is no option on the port to compile it without cairo. If we added it, it would also use cairo. The FreeBSD port maintainer should add an option to the port to disable cairo ("–enable-cairo=false" when running configure) and then we could set it to build without cairo in our repo. I liked tcpflow before it gained the cairo bloat. I haven't used it in years though. @s0rcier: can u please add murmur package… small mumble voice server... thanks I don't see us adding anything like that. That sort of service does not belong on a firewall.

Clients will typically request the address they had before when connecting to a network. It doesn't mean there is a problem, since they will get rejected and then send a new request to get a new address. It's a common behavior for DHCP clients to want to keep the same address if possible. Now if they actually obtained an address for the wrong network, then you might have some cause to worry since it means you have an L2 connection between the segments so they're actually on the same switch segment which isn't what you want. That doesn't appear to be the case from what little you've shown in the log at least.

Traffic from the firewall itself won't use the IPsec tunnel unless it matches the IPsec P2. Since IPsec is not routed, the firewall does not know well enough on its own that it needs to source the traffic in a special way in order to use the tunnel. https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

I would guess it's only because this is IPv6 encapsulated into IPv4 and some of the details just aren't immediately available until the traffic gets unwrapped by the gif tunnel driver.

@Gertjan: Everything is set default - except the "pay load" (in the advanced section)  set to "64", which was an advise in the past (it must be bigger as 1). You only need to set a payload size if dpinger shows 100% loss with payload size 0. This is to work around defective icmp implementations in some routers. The other thing to check for is icmp rate limiting. Either change the target or change the probe interval.

simple sniff on your lan interface would tell you if being sent..

Thanks for the replies! I understand the position on Exodus, completely…. But.... it does contain content (legal / OTC orginally) that other streaming services don't have. Most recently we binge watched all seasons of Chicago PD on Exodus because Hulu and Netflix had a limited number of episodes / seasons. I think there is an oppurtunity for an online DVR to be built and populated with OTA content. Sorry, off topic a little. I will watch the firewall logs and see if I can tweak the rules. Again, thanks for the replies.

what does the switches route have to do with anything? So are these /24 routed to you via transit??  I this public IP 74.221.222.58 so these other /24's are routed to that IP..  Not attached? If that is case then just put the /?? whatever you want to subnet them to on your opt - you sure wouldn't be setting a gateway on that interface.  And yeah it will go out your.. Just make sure you disable natting of that interface since you have not use for it.

I'd frankly start with the allow rule scheduling, results with scheduling block rules are not exactly convincing for some people due to dangling states.