• PfSense zero Swap Usage

    0 Votes
    8 Posts
    2k Views
    @KOM: It will download your packages again unless you selected the Skip packages checkbox when doing your backup.
    Thanks KOM, will config backup and fresh custom install pfSense so that this time can manage SWAP size only 4GB for 16GB ECC RAM…
  • AUTH mechanism PLAIN not available –UPDATED Post

    0 Votes
    2 Posts
    1k Views
    Success at last! After looking at the email configuration settings for earthlink and work, I began to try one option at a time regardless of what the instructions for outlook / thunderbird said. Finally, I stumbled on a combination that worked!  I sent 4 test messages.  All went through successfully. So now, I will watch tomorrow for the scheduled reports/notifications to see if it sticks. Hopefully I can mark this topic as done tomorrow.
  • Preferred 'Intel QPI Bandwidth Priority' setting for pfSense

    0 Votes
    5 Posts
    6k Views
    That looks promising for IPsec traffic, from what you've said hypothetically if we wanted to get the best possible performance our bottleneck would most likely be I/O before processor traffic.
  • Latest pfsense & outgoing VPN

    0 Votes
    6 Posts
    1k Views
    JeGr
    If you control the other (server) side, you can set up e.g. OpenVPN to listen on any UDP or TCP port you like. So you can't be sure that no one could open a tunnel there. You surely could block some commercial providers, but if someone goes along and rents his own VPS and installs OpenVPN on it, the game is on.
  • [SOLVED] RRD Graphs not working

    0 Votes
    5 Posts
    1k Views
    @Harvy66: When I upgraded from 2.2 to 2.3, the RRD stuff broke for me and I had to reset all of my, now called, monitoring data. Then it suddenly worked again. If you need your historical data, export your data, then try to reset the data to see if that "solves" it.
    I didn't realize there was an option to reset the data under the "Display Advanced" in the monitoring. That fixed it. Thanks!
  • PfSense WAN Interface traffic to 255.255.255.255:69 (TFTP)

    0 Votes
    1 Posts
    607 Views
    No one has replied
  • NanoBSD disable serial console redirection / 2.3.1

    0 Votes
    3 Posts
    786 Views
    +1 for this. I want to use the single serial port on my device using NanoBSD as a GPS-timed NTP server, and NTP keeps complaining that /dev/cuau0 is busy. How to free up the serial port?
  • PfSense dropping WAN until box is restarted

    0 Votes
    5 Posts
    5k Views
    I am now running on 2.3.2-RELEASE-p1. The drop-outs have been continuing - about every 2-3 days now, sometimes multiple times per day. I'll have further logs to upload later - can't do right now as I'm in work away from the router at home. What I have discovered, while trying to migrate the PPPoE connection from re0 to re1, is that physically removing and then reconnecting the ethernet cable on re0 will fairly reliably cause the crash - PPPoE starts failing to dial out and the pfctl process goes crazy on CPU usage. What's the best way of determining if this is a software/driver issue, or a hardware issue?
  • Info on the download/upload nominal speed of Internet connection

    0 Votes
    4 Posts
    829 Views
    @balubeto: @KOM: I have no idea what nominal means in this context, but if you want to see a realtime view of your traffic, try Status - Traffic Graph.  If you need more detail, there are packages like ntopng that can help.
    Using pfSense, how do I display the maximum speed of download/upload on my Internet connection set by my provider? Thanks Bye
    There's nothing pfSense itself can do to detect the speed limits set by your ISP. For example, your WAN connection might say a 100Mbit/sec connection on the pfSense dashboard because it's connected to a modem with a 100Mbit/sec port, but the real speed can be anything between the practical maximum of a 100Mbit/sec connection and something like 256Kbit/sec if your ISP has set the limit that low. Your ISP can tell you the nominal speed limits, and in some cases you can see them from the management page of your cable/DSL modem.
  • Load Balancer - send particular "path" to one server

    0 Votes
    2 Posts
    601 Views
    (No replies as yet, so I guess I will wait for the technical folks to see the OP, but in the meantime…)
    Following on from my "bigger question" in the last paragraph above, I can think of three ways around the problem:-
    1. As above, turn off relayd on the firewall, spin up a small(ish) VM running Nginx as a load balancer and have that deal with all the certificates for all LBed sites.
    2. Leave relayd running and temporarily make the pool 1 server deep when creating/renewing certs.
    3. Make /.well-known an NFS share from a "master" within the pool, and mount it on all the pool members.
    I see 2. as being a stupid solution and I'm going to discount it immediately (it's an obvious answer, but manually managing a pool like that scares the bejesus outta me, and doing it automatically brings me out in a cold sweat).
    Technically, 3. intrigues me, but I really don't know NFS at all. Is this feasible from a "lag" standpoint - will it operate fast enough for letsencrypt to be happy? All the VMs are on the same host, the "network" between them is 4 x 1Gb. By the same token, it could be a gluster brick (but again, I have no direct knowledge of gluster - just repeating something I've just read in the Safari copy of the High Performance Drupal book)...
    EDIT I'm throwing a little glusterfs lab setup together and will have a play.
    Finally 1. is the first thing that came to mind, and would answer the problem by moving the target to the LB (which is the most sensible place for it to reside in this situation, from what I've read), but again, this feels "klunky" to me; it's reinventing the wheel (not that we all likely haven't done that before now).
    Any and all opinions welcomed at this juncture.
  • System: pfSense serial

    0 Votes
    5 Posts
    2k Views
    ivor
    @KOM: This has been asked & answered a few times now.  It's a serial for the Netgate hardware to identify the unit for support purposes.  If you have genuine hardware, your serial number will be shown.  If you have a generic box, the system UUID will be shown.  That's it.
    Not just Netgate hardware. We have many customers running pfSense on their own hardware. Anyone can buy support.
  • Client dhcp leases

    0 Votes
    3 Posts
    824 Views
    If they are getting the lease from isp, they are not behind the firewall. I'm suspecting your setup to be wrong. Think (and do): isp <-> modem <-> pfSense <-> switch <-> clients Read this a couple of times: http://www.cisco.com/networkers/nw04/presos/docs/SEC-1N20.pdf for the first 20 slides or so, it's a bit dated but hopefully explains a bit where a Firewall should be positioned etc. and practice on your google-foo  ;) , lookup all things you don't fully understand….
  • HA configuration and making use of /24 IP range

    0 Votes
    6 Posts
    4k Views
    Derelict
    LACP to each HA node (4 ports) 4 ports total two from each HA node, one each to each switch. You will chew up switch ports quickly. Then you need to decide how to configure the LAN side. You need at least two switches, stacked, or using some other technology that allows them to make LACP groups with ports on each switch (Multi-Chassis trunking, or whatever your vendor calls it. At this scale, stacking is likely your best bet). You can also use Spanning Tree and something like this without going to LACP: https://portal.pfsense.org/docs/book/highavailability/layer-2-redundancy.html
  • 2.3.2 and SSLv3

    0 Votes
    5 Posts
    731 Views
    I completely agree and understand.  Will be posting a new question on that board Thanks again for your assistance.
  • VLAN - Member - Just L2

    0 Votes
    3 Posts
    3k Views
    reason being is it is possible at that edge - Using a PFSense with multiple GBit Ports Trunk Not necessary just was wondering if possible.. would have preferred for it to handle DHCP but see that isn't possible if it is not handling the Routing for the VLANs correct? Just have it on the transit Network - agreed - just need to make sure add the routes for the other vlans so it knows where to send the traffic…  or yes use /16 if networks are within the B ranges - just prefer the routed method sometimes.
  • Monitoring Gateway with Reports

    0 Votes
    7 Posts
    1k Views
    dennypage
    @floydque: Can you help me do a CSV reporting that it lists latency loss. Example: Oct 13 16:29:57 dpinger WAN_DHCP 222...*: Alarm latency 82880us stddev 46313us loss 21%
    That's what you are getting in the CSV. The header you will see is: ,packet loss,delay average,delay std. dev., The first field (with the missing header description) is a timestamp. The timestamp is a standard Unix timestamp with 3 digits of milliseconds appended. You will have to convert this field to the date/time format you want. The packet field is in percent, and the delay fields are in milliseconds. The timestamp is pretty easy to convert in Python or Perl. However, if your target is a spreadsheet, you can convert the timestamp with a formula: =((A1/1000)/86400)+25569 Hope this helps.
  • Run shell command at pfsense reboot

    0 Votes
    13 Posts
    6k Views
    Thanks; we're not running Unify; we're using java for a very secure internal program. pfSense can't finish booting
  • [SOLVED] Getting half TWC download bandwidth

    0 Votes
    6 Posts
    5k Views
    Thanks for the suggestion, Harvy66. I have not enabled any proxy… However, I just found the problem. For whatever reason, the LAN NIC associated with the ESXi vSwitch was not auto negotiating to gigabit ethernet, but showing the speed as 100MB Full Duplex. I forced it to 1000MB Full Duplex, reran the speed test and am now getting in excess of 233 Mbps on the download, as it should be. All is once again good with the world.  :-) Thanks again.
  • OMG PLEASE HELP ME T.T

    0 Votes
    5 Posts
    1k Views
    Any lease requested from pfSense's dhcpd, will show in the corresponding status page I suggest you spend some time here: https://doc.pfsense.org/index.php/Main_Page Enjoy the reading!
  • PfSense 2.3.2 - PPPoE falls regularly

    0 Votes
    1 Posts
    364 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.