• Tracking down bad MTU

    4
    0 Votes
    4 Posts
    1k Views
    Derelict
    Are you sure you reverted EVERYTHING back from jumbo frames? Also on the NAT side, nothing fancy, just static NAT mapping off the WAN for anything in rfc1918 private space. What do you mean by static NAT mapping? You might want to back up your config, go back to factory defaults, and see if your microcell comes up. You probably want to factory reset it too and let it like sit overnight. They are temperamental wenches. Look in the DHCP Leases, get its IP address, and look at the states. They will probably look perfectly normal. Probably either UDP500 and UDP 4500 or UDP 500 and protocol ESP.
  • What hardware is everyone using?

    26
    0 Votes
    26 Posts
    7k Views
    S
    For home use I keep using old/refurb Dell slimline boxes.  They are very cheap, nearly silent, and tend to be power efficient.  For a long time I had a Dell P-III-600MHz box, that finally ran out of CPU when I moved to FiOS (usenet downloads maxed at maybe 70Mb/s).  Now I'm running a Core2Duo slimline Dell, picked it up on Amazon (free Prime shipping) for $80.  Something similar to this, they're all over Amazon and Ebay: https://smile.amazon.com/OptiPlex-Core2Duo-2-66GHz-160GB-DVD-RW/dp/B00J8K4KZ4/ Also found Realtek cards with full or low profile brackets that actually work well with FreeBSD: https://smile.amazon.com/gp/product/B008FAELF2/
  • LAN IPv4 access Blocked

    16
    0 Votes
    16 Posts
    2k Views
    J
    Yeah, this is what I will do. Thanks again
  • Automate static arp

    4
    0 Votes
    4 Posts
    842 Views
    johnpoz
    So first thing would be to set up a DHCP reservation, i.e. static DHCP, so that client always gets the same IP.  Then create a schedule for your rules so those IPs don't have access when you don't want them to have access. https://doc.pfsense.org/index.php/Firewall_Rule_Schedules
  • CLI Backup - Resolved

    2
    0 Votes
    2 Posts
    654 Views
    G
    Wow.. any luck reversing this for CLI restore?
  • PfSense 2.2.2 iso download

    2
    0 Votes
    2 Posts
    16k Views
    KOM
    The forum's Search function would have found this for you quickly. https://atxfiles.pfsense.org/mirror/downloads/old/
  • 0 Votes
    7 Posts
    994 Views
    H
    @kpa: @humaidq: @w0w: ral0? What is this? It should be some wireless ralink chipset? FreeBSD and pfSense would not be happy with most of wireless cards. It is the built in ethernet on the motherboard, there is no way to remove it other than unsoldering it, should I insert another ethernet card to use instead of the built in? It can't be the built-in ethernet because the ral driver is for a WLAN card and not for an ethernet NIC: https://www.freebsd.org/cgi/man.cgi?query=ral&apropos=0&sektion=0&manpath=FreeBSD+11.0-RELEASE+and+Ports&arch=default&format=html Oh, I see. I did not know that. I set up the interfaces correctly, now everything seems to work fine!
  • Swap WAN and LAN ports in config

    10
    0 Votes
    10 Posts
    5k Views
    F
    sorry to revive the dead, I just did this and it worked great thank you.
  • CLI

    6
    0 Votes
    6 Posts
    1k Views
    P
    I don't know what directory rules reside in (or if it even works that way, but I expect it does). But you might be able to find it by creating a rule with a unique string in it, then grep for that string?
  • How to wire my lan.

    3
    0 Votes
    3 Posts
    575 Views
    H
    @KOM: They both will work just fine.  Having your AP on your switch is the most common home setup as most people don't have extra ports on the router to play with.  That's the switch's job. The difference is whether or not you want to segment the wireless traffic from LAN.  If it's all the same to you, put AP on LAN by plugging it into your switch.  If you need to treat wireless clients differently from LAN clients for whatever reason, put them on their own interface.  If your switch is managed then you could accomplish the same separation with vlans. Thank you. That's exactly the answer I was looking for :) Now I got a plan for tomorrow! Have a good day :)
  • Power management+website filtering tweaks

    1
    0 Votes
    1 Posts
    383 Views
    No one has replied
  • Host-based OpenVPN connection slow/flapping

    4
    0 Votes
    4 Posts
    1k Views
    P
    Any ideas?    It will run at a solid 10 Mbps for anywhere from one to ten minutes, then sit idle for up to an hour.  During this time I can go to speedtest.net and get ~5 Mbps download no problem. Being a VPN tunnel, does pfSense or my ISP even know what's going through the pipe?  I would think encrypted traffic would all look the same, but it feels like I'm getting throttled. Should I suspect the VPN server itself? I'm open to ideas…. I really don't want to go back to my old router.
  • Multiple VM's for couple IP's

    1
    0 Votes
    1 Posts
    427 Views
    No one has replied
  • 2.3.2 P1 crash

    3
    0 Votes
    3 Posts
    1k Views
    B
    I can't vouch for the entire system but the hard drive and install is <3 days old.  Not that a constantly rebooting system couldn't accomplish the same result.  I'll have to find a similar system and do some part swapping. I will perform some fsck and re-install, time permitting.  I've attached a new crash log for your reading pleasure ;). Since the last crash report, I removed on the installed packages so it's now just the bare system and I'm seeing some different results. Kindest appreciation for your response(s). crash_02.txt
  • Can't stop VRRP from cluster on subnet from being logged to syslog

    6
    0 Votes
    6 Posts
    1k Views
    L
    Well, adding user defined default rules to each interface and removing the option for default rule logging has stopped the CARP packets from logging to syslog.
    [2.3.2-RELEASE][root@<redacted>]/tmp: grep carp rules.debug
    no nat proto carp
    no rdr proto carp
    block in  quick proto carp from (self) to any tracker 1000000201
    pass  quick proto carp tracker 1000000202 no state
    pass  quick inet proto carp  from any to 224.0.0.0/8 tracker 1487608941 keep state  label "USER_RULE: pass, nolog carp from 224.0.0.0"
    [2.3.2-RELEASE][root@<redacted>]/tmp:
  • Internal gateway

    4
    0 Votes
    4 Posts
    795 Views
    D
    No, there is no need to restart it, it will immediately restart itself on its own.
  • PFSense - number of port forwarding rule limit

    2
    0 Votes
    2 Posts
    446 Views
    jimp
    There are no limits placed on the number of rules. Eventually you might run out of memory or hit some other hardware limit but we don't set any arbitrary limits.
  • Alternative DNS Servers - no filter/censorship (buydomains.com problem)

    72
    0 Votes
    72 Posts
    18k Views
    M
    I got a new router from the ISP and had to change stuff because on that stupid thing you can't change the IP to another subnet. So I did read through this thread again and need to ask again even if you kill me :( I can't get bridge mode here so I have to set: Interfaces > WAN IPv4 Upstream gateway: GW_WAN - 192.168.0.1 Right? I had kejianshi's suggestion running now the last 2 years: @kejianshi: Go to system > General delete all your server IPs. uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN uncheck  Do not use the DNS Forwarder as a DNS server for the firewall save. Then go to DNS forwarder and make sure it's off.  Save. Then go to DNS resolver and make sure it's on. Turn on DNSSEC Save BUT still don't understand if for this setting and with no bridge mode his statement is true: @kejianshi: Now, you should have raw, un-tampered unmolested DNS from the root servers. Also still others here wrote you have to put a DNS server in System > General Setup So with kejianshi's suggestion and without bridge mode I'm using the ISP's DNS server - yes or no? I also saw on the Timeservers setting: Remember to set up at least one DNS server if a host name is entered here!
  • Want to setup a new pfsense router with 5 ports

    2
    0 Votes
    2 Posts
    808 Views
    K
    Well, it should be pretty straight forward to set up the main router / gateway. You can either use the 'wizards' within pfSense or do it all manually. If not certain on 'how to' there are some ok videos on YouTube, and some are not so ok. I've installed SNORT, and initially I added in squid and squidguard, but I have moved those to a separate machine due to a bit too much load with those packages, since my hardware ain't on the 'high end' of things. I have 5 NIC's, where I use 3 actively now (WAN, LAN, WLAN), but have reserved one NIC for future extra WAN and one for a GUEST network. The basis of pfSense setup should not be too complicated. The part it could be hardest to find documentation for is how to separate the traffic between the WAN interfaces if the amount of videosites involved are many. Routing on the Application layer might be the answer, but I haven't tried this in practical terms since where I live the options for multiple WAN's is not there (yet). I've considered using a 4G router, but since the subscriptions are still bound to number of GB traffic it hasn't really been an alternative, especially not for video. Not sure if it was much help, but I found the base setup for pfSense to be pretty straight forward. I used the wizards to make the standard install, and modified the setup later. The load balancing / routing on the WAN is something I have not tried (yet), but I do hope to get there one day as well. All of this is at my home, and I do have some bandwidth / traffic 'hungry' users @ home… Knottolf
  • No received packets from pfSense laptop

    3
    0 Votes
    3 Posts
    755 Views
    GruensFroeschli
    Taking a peek at my crystal ball (you don't give any information at all): Did you create any firewall rules which actually allow traffic?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.