• Can't stop VRRP from cluster on subnet from being logged to syslog

    6
    0 Votes
    6 Posts
    1k Views
    L
    Well, adding user defined default rules to each interface and removing the option for default rule logging has stopped the CARP packets from logging to syslog.
    [2.3.2-RELEASE][root@<redacted>]/tmp: grep carp rules.debug
    no nat proto carp
    no rdr proto carp
    block in  quick proto carp from (self) to any tracker 1000000201
    pass  quick proto carp tracker 1000000202 no state
    pass  quick inet proto carp  from any to 224.0.0.0/8 tracker 1487608941 keep state  label "USER_RULE: pass, nolog carp from 224.0.0.0"
    [2.3.2-RELEASE][root@<redacted>]/tmp:
  • Internal gateway

    4
    0 Votes
    4 Posts
    792 Views
    D
    No, there is no need to restart it, it will immediately restart itself on its own.
  • PFSense - number of port forwarding rule limit

    2
    0 Votes
    2 Posts
    446 Views
    jimp
    There are no limits placed on the number of rules. Eventually you might run out of memory or hit some other hardware limit but we don't set any arbitrary limits.
  • Alternative DNS Servers - no filter/censorship (buydomains.com problem)

    72
    0 Votes
    72 Posts
    18k Views
    M
    I got a new router from the ISP and had to change stuff because on that stupid thing you can't change the IP to another subnet. So I did read through this thread again and need to ask again even if you kill me :(
    I can't get bridge mode here so I have to set: Interfaces > WAN IPv4 Upstream gateway: GW_WAN - 192.168.0.1 Right?
    I had kejianshi's suggestion running now the last 2 years:
    @kejianshi: Go to system > General delete all your server IPs. uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN uncheck Do not use the DNS Forwarder as a DNS server for the firewall save. Then go to DNS forwarder and make sure it's off. Save. Then go to DNS resolver and make sure it's on. Turn on DNSSEC Save
    BUT still don't understand if for this setting and with no bridge mode his statement is true:
    @kejianshi: Now, you should have raw, un-tampered unmolested DNS from the root servers.
    Also still others here wrote you have to put a DNS server in System > General Setup
    So with kejianshi's suggestion and without bridge mode I'm using the ISP's DNS server - yes or no?
    I also saw on the Timeservers setting: Remember to set up at least one DNS server if a host name is entered here!
  • Want to setup a new pfsense router with 5 ports

    2
    0 Votes
    2 Posts
    807 Views
    K
    Well, it should be pretty straightforward to set up the main router / gateway. You can either use the 'wizards' within pfSense or do it all manually. If not certain on 'how to' there are some ok videos on YouTube, and some are not so ok. I've installed SNORT, and initially I added in squid and squidguard, but I have moved those to a separate machine due to a bit too much load with those packages, since my hardware ain't on the 'high end' of things. I have 5 NICs, where I use 3 actively now (WAN, LAN, WLAN), but have reserved one NIC for future extra WAN and one for a GUEST network. The basis of pfSense setup should not be too complicated. The part it could be hardest to find documentation for is how to separate the traffic between the WAN interfaces if the amount of video sites involved are many. Routing on the Application layer might be the answer, but I haven't tried this in practical terms since where I live the options for multiple WANs is not there (yet). I've considered using a 4G router, but since the subscriptions are still bound to number of GB traffic it hasn't really been an alternative, especially not for video. Not sure if it was much help, but I found the base setup for pfSense to be pretty straightforward. I used the wizards to make the standard install, and modified the setup later. The load balancing / routing on the WAN is something I have not tried (yet), but I do hope to get there one day as well. All of this is at my home, and I do have some bandwidth / traffic 'hungry' users @ home…
    Knottolf
  • No received packets from pfSense laptop

    3
    0 Votes
    3 Posts
    753 Views
    GruensFroeschli
    Taking a peek at my crystal ball (you don't give any information at all): Did you create any firewall rules which actually allow traffic?
  • Reserved networks on WAN block OpenVPN and IPSec or not?

    3
    0 Votes
    3 Posts
    994 Views
    emammadov
    The situation is like this: Head office has pfsense and its public ip is 94.30.20.xx and internal ip range 10.10.0.x Branch office public is 78.112.85.xx, internal ip address is 192.168.1.x. In this situation, if I check both reserved networks on wan, will I be able to use openvpn or ipsec from branch office?
  • MOVED: How to connect 2 hosts through a unique ip address?

    Locked
    1
    0 Votes
    1 Posts
    441 Views
    No one has replied
  • Firewall Traffic Control

    17
    0 Votes
    17 Posts
    4k Views
    w0w
    @Chrismallia: @w0w Thank you for all your responses. If I am not mistaken snort only blocks traffic it does not help shape it right? and any idea when FQ_CODEL is planned to be in pfsense? I will try out codel as I never did.
    Yes looks like that, snort is not intended to use with shaper and other shaping possibilities like SQUID rules are not widely tested in pfSense. As for Layer7 patterns for youtube, this is also like moving target. https://forum.pfsense.org/index.php?topic=62863.0 I am not sure that provided DD-WRT pattern is still working nowadays and not only for Layer7 missing in pfSense reason :) I am not so familiar with snort, squid and other packages but it looks like currently there is no simple solution to shape youtube videos, until you got all youtube available IPs but this is also moving target.
  • Adblock on Pfsense

    2
    0 Votes
    2 Posts
    7k Views
    RonpfS
    pfBlockerNG v2.1 w/TLD https://forum.pfsense.org/index.php?board=70.0
  • Reset to factory defaults is not working

    5
    0 Votes
    5 Posts
    2k Views
    D
    Well, probably fastest solution since you wanted a factory default anyway. (Otherwise, grabbing the /conf.default/config.xml and restoring that would probably work, sans the additional work that the script is supposed to do.)
  • MOVED: the speed is slow when using two lan port

    Locked
    1
    0 Votes
    1 Posts
    328 Views
    No one has replied
  • Interface Bandwidth Conundrum

    1
    0 Votes
    1 Posts
    464 Views
    No one has replied
  • ThinkPad pfSense WWAN router

    1
    0 Votes
    1 Posts
    375 Views
    No one has replied
  • Turned everything off for cleaning and now speed issues

    1
    0 Votes
    1 Posts
    551 Views
    No one has replied
  • Package Manager Issue

    8
    0 Votes
    8 Posts
    1k Views
    BBcan177
    @guardian: All my package manager became totally nonfunctional after a restore. I wanted to restore my configuration but uninstall pfBlocker temporarily but couldn't because the package manager wasn't working.
    Maybe this was your issue? https://redmine.pfsense.org/issues/6603
  • Move SSD with pfSense to a new hardware, problem?

    4
    0 Votes
    4 Posts
    929 Views
    S
    Works as expected  :)
  • PfCenter road map

    4
    1 Votes
    4 Posts
    4k Views
    jimp
    I can't say too much, not sure how much is meant for public consumption, but it's safe to say the situation you describe is a common situation we have accounted for.
  • MOVED: link & activity lights

    Locked
    1
    0 Votes
    1 Posts
    302 Views
    No one has replied
  • Kern.ipc.nmbclusters still needed for Intel interfaces?

    2
    0 Votes
    2 Posts
    1k Views
    jimp
    If the automatic values are sufficient, you don't need to tune it.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.