Sorry for hijacking this thread. I just didn't get any reply yet and was finally happy to see something similar in the forums. If you want, you can delete my posts here and we continues this discussion in my original thread.

@johnpoz: I am very curious in what sort scenario your in were they are limiting you to 1 /24??  the 10 space is freaking HUGE.. How many sites/locations are you talking that you can only have 1 /24?? 65k of them? Some times the problems are not technical but political. I will request a larger address space.

Good tutorial with the diagrams: https://nguvu.org/pfsense/pfsense-2.3-setup/ and https://nguvu.org/pfsense/pfsense-router-on-a-stick-with-netgear-gs108/ From my own experience - pfSense is not guilty for sure, check your switch configuration, capture/analyze traffic coming over the trunk from the switch, use tcpdump from shell with '-e' to see VLAN tags.

Sure. In fact it's preferred. Just turn off the DHCP Servers in Services > DHCP Server on the interfaces served by other servers and have those servers give your domain controllers as DNS servers. What do you mean by "manage my wireless?"

That is exactly what I had done.  Thanks for confirming!

Thanks for the reply

No am just using wow personal with aes

thank you Sir i corrected myself now I'm able to block internet for specific IP.

Growl has a software program that needs to be installed on the computer, in addition to the settings on your pfSense box (search Google for Growl for Windows). Once you download and install the program, then enable the settings in pfSense to point to your host running the Growl software. You may want to make sure that the host has a static IP address or DHCP reservation so that the IP address doesn't change and you stop receiving the notifications as a result.

@KOM: It will download your packages again unless you selected the Skip packages checkbox when doing your backup. Thanks KOM, will config backup and fresh custom install pfSense so that this time can manage SWAP size only 4GB for 16GB ECC RAM…

Success at last! After looking at the email configuration settings for earthlink and work, I began to try one option at a time regardless of what the instructions for outlook / thunderbird said. Finally, I stumbled on a combination that worked!  I sent 4 test messages.  All went through successfully. So now, I will watch tomorrow for the scheduled reports/notifications to see if it sticks. Hopefully I can mark this topic as done tomorrow.

That looks promising for IPsec traffic, from what you've said hypothetically if we wanted to get the best possible performance our bottleneck would most likely be I/O before processor traffic.

If you control the other (server) side, you can setup e.g. OpenVPN to listen on any udp or tcp port you like. So you can't be sure that no one could open a tunnel there. You surely could block some commercial providers, but if someone goes along and rents his own VPS and installs OpenVPN to it, the game is on.

@Harvy66: When I upgraded from 2.2 to 2.3, the RRD stuff broke for me and I had to reset all of my, now called, monitoring data. Then it suddenly worked again. If you need your historical data, export your data, then trying to reset the data to see if that "solves" it. I didn't realize there was an option to reset the data under the "Display Advanced" in the monitoring. That fixed it. Thanks!

+1 for this. I want to use the single serial port on my device using NanoBSD as a GPS-timed NTP server, and NTP keeps complaining that /dev/cuau0 is busy. How to free up the serial port?

I am now running on 2.3.2-RELEASE-p1. The drop-outs have been continuing - about every 2-3 days now, sometimes multiple times per day. I'll have further logs to upload later - can't do right now as I'm in work away from the router at home. What I have discovered, while trying to migrate the PPPoE connection from re0 to re1, is that physically removing and then reconnecting the ethernet cable on re0 will fairly reliably cause the crash - PPPoE starts failing to dial out and the pfctl process goes crazy on CPU usage. What's the best way of determining if this is a software/driver issue, or a hardware issue?

@balubeto: @KOM: I have no idea what nominal means in this context, but if you want to see a realtime view of your traffic, try Status - Traffic Graph.  If you need more detail, there are packages like ntopng that can help. Using pfSense, how do I display the maximum speed of download/upload on my Internet connection set by my provider? Thanks Bye There's nothing pfSense itself can do to detect the speed limits set by your ISP, for example your WAN connection might say a 100Mbit/sec connection on the pfSense dashboard because it's connected to a modem with a 100Mbit/sec port but the real speed can be anything between the practical maximum of a 100Mbit/sec connection to something like 256Kbit/sec if your ISP has set the limit that low. Your ISP can tell you the nominal speed limits and in some cases you can see them from the management page of your cable/dsl modem.

(No replies as yet, so I guess I will wait for the technical folks to see the OP, but in the meantime…) Following on from my "bigger question" in the last paragraph above, I can think of three ways around the problem:- 1. As above, turn off relayd on the firewall, spin up a small(ish) VM running Nginx as a load balancer and have that deal with all the certificates for all LBed sites. 2. Leave relayd running and temporarily make the pool 1 server deep when creating/renewing certs. 3. Make /.well-known an NFS share from a "master" within the pool, and mount it on all the pool members. I see 2. as being a stupid solution and I'm going to discount it immediately (it's an obvious answer, but manually managing a pool like that scares the bejesus outta me, and doing it automatically brings me out in a cold sweat). Technically, 3. intrigues me, but I really don't know NFS at all. Is this feasible from a "lag" standpoint - will it operate fast enough for letsencrypt to be happy? All the VMs are on the same host, the "network" between them is 4 x 1Gb. By the same token, it could be a gluster brick (but again, I have no direct knowledge of gluster - just repeating something I've just read in the Safari copy of the High Performance Drupal book)... EDIT I'm throwing a little glusterfs lab setup together and will have a play. Finally 1. is the first thing that came to mind, and would answer the problem by moving the target to the LB (which is the most sensible place for it to reside in this situation, from what I've read), but again, this feels "klunky" to me; it's reinventing the wheel (not that we all likely haven't done that before now). Any and all opinions welcomed at this juncture.