• Need Some Help

    2
    0 Votes
    2 Posts
    541 Views
    L
    Well, I reset the state table (tried this before, didn't seem to work) and cleared all firewall logs, then re-cleared the state table and we seem to be fine. I really need to learn more about pfsense….. I am such a noob which infuriates me :/
  • Blocking spams for hosted zimbra

    2
    0 Votes
    2 Posts
    2k Views
    BBcan177
    Zimbra uses Postfix, so your first step is to use DNSRBLs. Your biggest bang would be to add Spamhaus Zen. You can run the following command to see what restrictions have been configured:

        zmprov gacf | grep zimbraMtaRestriction

    Recommend the following settings:

        zimbraMtaRestriction: reject_invalid_hostname
        zimbraMtaRestriction: reject_non_fqdn_hostname
        zimbraMtaRestriction: reject_non_fqdn_sender
        zimbraMtaRestriction: reject_unknown_client
        zimbraMtaRestriction: reject_unknown_hostname
        zimbraMtaRestriction: reject_unknown_sender_domain
        zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
        zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
        zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org
        zimbraMtaRestriction: reject_rhsbl_client dbl.spamhaus.org
        zimbraMtaRestriction: reject_rhsbl_reverse_client dbl.spamhaus.org
        zimbraMtaRestriction: reject_rhsbl_sender dbl.spamhaus.org

    For pfBlockerNG, I wrote a script to import over 50 Blocklists here:
    https://forum.pfsense.org/index.php?topic=86212.msg549973#msg549973
    It has a MAIL section which will also help reduce SPAM.
  • Where is the location of the pfsense Certificates

    3
    0 Votes
    3 Posts
    11k Views
    jimp
    They are indeed in /conf/config.xml, they are not stored on the filesystem individually unless a program needs access to them. For example, if a certificate is active in IPsec or in use as an OpenVPN server certificate, it can be found in the configuration directories for those services.
  • Firewall rules -list/page loading time

    2
    0 Votes
    2 Posts
    2k Views
    S
    Please submit your suggestion as a pull request here: https://github.com/pfsense/pfsense/ and the development team will review it for inclusion. At first glance it does look like a worthwhile improvement in cases with a very large number of rules.
  • Deny users who will manually bypass dns provided by dhcp

    11
    0 Votes
    11 Posts
    4k Views
    johnpoz
    So if this user can change their dns, what stops them as mentioned from just using a proxy or for that matter if you want let them do dns other than your limited restricted version, what stops them from using host names? Seems these so called "restricted" users are using their own hardware or have too many rights on them already if they can alter what dns they point to. Not sure how such a user would be considered restricted?  Use of dns like opendns or such that can be used to filter what a user looks up is fine.  But not really a way of actually restricting users access.  Can help them not hit malware sites and such for their own good.  But not really a good way of preventing them from going to sites "you" do not want them to go to for some reason? If you need such control then you should use a proxy, and only allow the proxy out.  Not individual machines.
  • Admin web page stops working

    2
    0 Votes
    2 Posts
    737 Views
    I
    I have an idea. My DHCP scope included the IP address of the pfsense server and therefore someone's mobile was picking up the same address as the pfsense IP address which I assigned as static. It was all my fault. Good stuff.
  • Webproxy

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Advice - 2016-2017 leap second

    2
    0 Votes
    2 Posts
    501 Views
    jimp
    Last time it came up there was nothing special to do at all.
  • Confusion about VLAN placement (LAN, OPT)

    9
    0 Votes
    9 Posts
    4k Views
    jimp
    The warning about mixing tagged and untagged traffic on pfSense was something we said many years ago because it would cause problems with Captive Portal, among other things. There haven't been any pfSense issues with it in years. That said, there could possibly be something about the switch that makes it impractical or undesirable. That's completely up to the switch, however. Given the choice I'd still avoid it, but that isn't always practical.
  • Filter firewall rules by its name or id?

    2
    0 Votes
    2 Posts
    594 Views
    jimp
    No easy way from the GUI, but from the shell (or Diag > Command):

        pfctl -vvsr | grep xxxxxxx

    Where xxxxxxx is the ID or any description text
  • Regular crash reports on my APU2 2.3.2

    4
    0 Votes
    4 Posts
    910 Views
    jimp
    Unfortunately, the panics point to bad hardware, most likely memory:

        db:0:kdb.enter.default>  bt
        Tracing pid 3499 tid 100150 td 0xfffff8006a6834b0
        kdb_enter() at kdb_enter+0x3e/frame 0xfffffe012113f730
        vpanic() at vpanic+0x146/frame 0xfffffe012113f770
        panic() at panic+0x43/frame 0xfffffe012113f7d0
        pmap_remove_pages() at pmap_remove_pages+0x736/frame 0xfffffe012113f8b0
        vmspace_exit() at vmspace_exit+0x9c/frame 0xfffffe012113f8f0
        exit1() at exit1+0x65f/frame 0xfffffe012113f980
        sys_sys_exit() at sys_sys_exit+0xe/frame 0xfffffe012113f990
        amd64_syscall() at amd64_syscall+0x40f/frame 0xfffffe012113fab0
        Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe012113fab0
        --- syscall (1, FreeBSD ELF64, sys_sys_exit), rip = 0x8008fa14a, rsp = 0x7fffffffec48, rbp = 0x7fffffffec60 ---
        panic: bad pte va 8008a2000 pte 0
        cpuid = 1
        KDB: enter: panic

    The crash is in memory manipulation, an area highly unlikely to be a software fault. Furthermore, that panic string indicates a memory location within a page table has spontaneously changed to 0, which wouldn't have happened via software. I checked a couple of the other panics and they were different, but still in random low-level areas that generally point to hardware faults.
  • How To Read Crash Report?

    4
    0 Votes
    4 Posts
    4k Views
    K
    @jimp, Changed RAM 5 days ago. pfSense has not crashed once in the past 5 days so it looks like the problem has been solved. I put the suspect RAM in another computer and it's been running fine since then as well. My guess is that the old RAM is good, but was not seated well. In changing the RAM, I happened to fix the problem by seating the new RAM properly. Thanks for the help jimp.
  • WAN IP gets renewed every 20, 40 minutes; sometimes periodic

    7
    0 Votes
    7 Posts
    2k Views
    K
    My guess is that the USB NIC is the main suspect, I've yet to see one that works well on FreeBSD.
  • 2.3 monitoring

    10
    0 Votes
    10 Posts
    2k Views
    jimp
    @robi:
        @jdillard:
            There is an export to CSV
        Anybody has an idea what are the values in the first column? The next columns are "packet loss", "delay average", "delay std. dev.", but the first column header is missing. I was guessing it's Unix timestamp, but it's not, because a calculation from that number gives erroneous results. I need to present a log to my boss, and I can't decode timestamps to absolute time values…

    It's UNIX time with three extra digits on the end for sub-second precision (not that RRD really needs it…)
  • Multiple ethernet port on 10GBe Port

    9
    0 Votes
    9 Posts
    2k Views
    D
    @iTestAndroid:
        What do you mean? NAS is connected to the pfSense firewall and that's the way I want it to be, so data in NAS will be secured and I will have some good controls over its network and its activities and who's accessing it via pfSense.

    Do you mean to say that the NAS is on a separate network than your internal users? If the NAS is on the same network as your users, then all traffic forwards at the switch level and shouldn't be affected by pfSense.
  • Crash dump error after upgrade to 2.3.2-RELEASE-p1.

    4
    0 Votes
    4 Posts
    1k Views
    J
    Thanks for your reply JorgeOliveira, I saw the post you are linking and I will try it, I'm just thinking that it must be a bug. The firewall did not have internet access when I upgraded it and I think that may have resulted in this situation.
  • Different hosts through different WAN's

    3
    0 Votes
    3 Posts
    768 Views
    T
    Thanks so much Derelict :) Working now. Used to be able to do this without gateway groups, hmmmm. Anyways, really appreciate the feedback.
  • Pfsense sequence of execution

    6
    0 Votes
    6 Posts
    5k Views
    O
    I've used pfblocker to resolve all the google asn numbers via whois and used it in the rules to allow this ASN destinations… not to block...
  • Is your email notification working?

    24
    0 Votes
    24 Posts
    7k Views
    S
    @peter808:
        The solution does not work if u have enabled "two-factor-authentication" (so we did) in your Google-Apps-account. The "apps-password" we have generated do not work, showing "Error: 535-5.7.8 Username and Password not accepted.". We tried several different generated apps-passwords, no luck. Any hints?

    Hi, I also have two factor authentication enabled but unable to send email. I disabled it and enabled access to less secure apps. Now while I'm able to relay emails, all are landing in my Gmail address, not in the mailbox which I specified in Notification E-Mail address. No email is being sent there. I tried multiple addresses.
  • Unable to access webgui from VLAN gateway?

    3
    0 Votes
    3 Posts
    2k Views
    T
    Disregard. I missed a firewall rule and resolved my own error.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.