• Layer 3 Cisco Switch & pfSense Design Assistance

    6
    0 Votes
    6 Posts
    4k Views
    johnpoz
    "The other reason to have the bulk of the network L3 switched on the switch is for pfSense upgrades. An upgrade shouldn't take down my ability to stream that webcam video internally, or my ability to stream music or video internally." While I agree with this for sure, what happens when you want to upgrade your switch firmware? ;) What is being used for internal DNS? While you might not have an issue while you're streaming a movie or music and you reboot pfSense, when do you do your pfSense upgrades? I do them after hours or before household hours because I am up early.. Or sometimes whenever.. A reboot of pfSense never takes more than a couple of minutes, etc. If someone was watching a movie I wouldn't do the update then ;)

    "The reason I want to segment all this stuff is security." Completely and utterly agree with you 100%. I just do not see doing it at the switch, which clearly, while it has some basic ACL functionality, does not have the ease of creating the exact firewall rules and logging of hits on these rules like your switch is going to have. As to how large companies do it - sure they have core L3 switches, I have supported many a large company.. They rarely firewall between their segments, even though they should!! Most often I see a large core switch, say a Nexus 7k, but there are no ACLs between segments. Sure they will have their services that are open to the public internet behind a firewall and isolated from their core network.. I really don't see that as any sort of reason to do a downstream in your home setup.. If your pfSense box cannot handle the wire speed you need between segments, prob better to get a faster pfSense box ;) heheeh. It will make your life much easier, that is for sure. I have toyed with putting my SG300 in L3 mode and doing a downstream setup.. This would for sure give me way faster speeds between my segments. But the thing is I have my segments isolated for security.

    The ports I do have open between segments, like printing and access to my Plex, pfSense can more than handle the speed needed. More than happy to help you work out the details of such a setup, I just don't see the actual value in doing it is all ;)
  • VPN, Alternatives?

    8
    0 Votes
    8 Posts
    2k Views
    johnpoz
    I connect into OpenVPN to my home network from work pretty much every single day, and it stays connected from the morning until I leave, pretty much.. So rock solid for 8 hours at a time, 5 days a week, for years I have been doing this..
  • Help choosing a switch

    5
    0 Votes
    5 Posts
    1k Views
    johnpoz
    If for home use, sure, an outdated model for less $ is prob fine. Yeah, those are both managed switches, so should provide you pretty much all the features you might need for home use, VLAN support being the big one. As to all the other features they might support I would have to look. Fully managed should include stuff like SNMP for monitoring and sending of traps, and many other bells and whistles that you may or may not need. But it would provide you with future-proofing, for possible future use.
  • Firewall Rule to interface mapping issue…

    2
    0 Votes
    2 Posts
    583 Views
    T
    Hello? Anyone home? Here's some screen shots: [image: 2016-09-09_9-20-22.jpg] [image: 2016-09-09_9-21-05.jpg]
  • pfSense and a rented modem/router combo setup help.

    2
    0 Votes
    2 Posts
    722 Views
    M
    When you are making your configuration changes on the router\gateway, are you connecting your computer directly to the router\gateway to make those changes?
  • Thoughts / Suggestions for Expanding HA Sync Options

    2
    0 Votes
    2 Posts
    548 Views
    D
    Should this be posted in a different spot given the lack of even a 'you're nuts' (kidding of course).
  • PfSense 2.3.2 and email notifications

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    A
    @johnpoz: If your email server is inside the network, I assume your 172 is RFC 1918, i.e. 172.16-31, why are you obfuscating it? Force of habit I'm. Issue is solved, read the thread posted by dennypage. Disabled SSL and notifications are now working again. Thanks for all the help.
  • "Ghost" OpenVPN interface?!?

    1
    0 Votes
    1 Posts
    584 Views
    No one has replied
  • Is this a bug?

    6
    0 Votes
    6 Posts
    2k Views
    N
    @jimp: The Chrome regex parser has a bug in that it does not allow escaped characters inside a list, even though it is a valid (but not required) regex expression. Not required unless a character class includes a character that needs to be escaped, that is. Such as, oh say, a backslash.
  • Right cpu for the job

    4
    0 Votes
    4 Posts
    777 Views
    M
    @vamdolly: Hi, which CPU would be right for the job, a dual core or quad core, for pfSense using VPN, Snort and antivirus? If I'm not mistaken VPN is better with more but I'm not too sure. You're right, OpenVPN is not scalable, so it's better to have a multi-core CPU.
  • Slow LAN and downloads

    4
    0 Votes
    4 Posts
    906 Views
    H
    They generally perform worse for two reasons: they offload all of the work to the CPU, and they have crap driver support. No matter how good your hardware is, no driver support will kill it. And depending on several things, 2ms is really really bad. I get a 0.2ms ping average, and a min ping of 0.008ms. Even my 8 year old Dells with an integrated Intel NIC that Intel claims costs about $0.01 to add to the chipset averaged about 0.3ms. But let's not get sidetracked with hardware knocking before the issue gets narrowed down a bit. One thing you may want to do while trying to make the firewall shuffle packets around is to look at the System Activity and see if CPU usage is abnormally high and what is using it. When doing this kind of test, best to do a load test through the firewall and not to it; it makes a difference since firewall stuff is done in the kernel while iperf is done in userland.
  • Random System Crash

    2
    0 Votes
    2 Posts
    567 Views
    S
    Okay, so the random shutdowns were not because of… 0x0ahd1: Address or Write Phase Parity Error Detected in TARG. Yesterday in the evening we had a power supply failure. We replaced the power supply and the system has yet to go down since. However we still get the "0x0ahd1: Address or Write Phase Parity Error Detected in TARG." errors in the logs. Are we looking at a HDD failure in the works?
  • Add item to menu

    5
    0 Votes
    5 Posts
    1k Views
    P
    @jimp: To make it stay across upgrades, use a <menu> tag inside the packages section of your config.xml. Install a package and then look at its <menu> tag and follow the same general syntax. Agreed! This is the best way to add a menu link that stays across upgrades and updates!
  • SSL Traffic Inspection - Wrong certificates returned

    5
    0 Votes
    5 Posts
    1k Views
    G
    Hi, Thanks, I changed the hosts files to point locally to our proxy server (e.g. wiki.domain.com points to the local ip of the proxy) and this is working great now, the COMODO certificates are returned and the application works. Thanks for the help. Kind Regards, Gary
  • Su

    5
    0 Votes
    5 Posts
    1k Views
    jimp
    Install the sudo package and use it. Then you can grant access to users or groups from the GUI.
  • Looking for old Packages - "OpenVPN tap Bridging Fix package"

    2
    0 Votes
    2 Posts
    1k Views
    jimp
    Do not use an obsolete 2.0.x version, use a current version (2.3.2). The patch is no longer necessary and packages for 2.0.x have been removed, which is why you can't find it. If you post on the OpenVPN board here asking for help with what you're trying to accomplish using 2.3.2, you're more likely to get accurate and relevant help.
  • Help with PFsense hardware setup.

    3
    0 Votes
    3 Posts
    1k Views
    P
    thanks I'm an idiot for not looking there first…
  • CPU spike in user processes

    3
    0 Votes
    3 Posts
    1k Views
    H
    @jimp: Difficult to say without more detail, but on smaller hardware, just watching the dashboard on its own will cause a spike in CPU usage because it takes a fair amount of CPU time to process all of the data required to draw the dashboard. In other words, the act of measuring can change the results. Even on my i5 quad-core, viewing the web front-end bumps the CPU from 300 MHz to 800-1600 MHz due to increased CPU load.
  • Why does my pfsense box have no internet after about a hour of up time

    4
    0 Votes
    4 Posts
    681 Views
    T
    I wonder if a NIC can manage a certain amount of users, because I have about 50-60 users on my network.
  • Two lan two wan

    3
    0 Votes
    3 Posts
    803 Views
    T
    Noted. I can't seem to understand clearly what you're saying in the second sentence of your paragraph though. Can you put it in more of a layman's terms?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.