  • Intermittent WAN Outage/High Latency - SG 2440

    10
    0 Votes
    10 Posts
    1k Views
    Derelict
    You might try putting this into google: T05.0 3-Critical Comcast. Seems to be pertinent results to me.
  • High CPU load under network load

    5
    0 Votes
    5 Posts
    2k Views
    R
    So I made a fresh install and tested it with 2 other hosts. My results:
    host1->pfsense 930 Mb/s 75-80% CPU
    pfsense->host1 940Mb/s 60% CPU
    host1->host2 (via pfsense as router/NAT) 720Mb/s ~25% CPU on pfsense
    This looks somewhat better. So, I guess pfsense handles forwarding packets not the same way as passing to user space app. The only thing to figure out is CPU usage when using PPP WAN (my test setup had static IP), but I think it should not be much worse. I consider my issue resolved. Thank you all.
  • Very weird static IP WAN problem

    5
    0 Votes
    5 Posts
    1k Views
    Derelict
    MAC spoofing should work fine. Their switch can't tell the difference. Diagnostics > Packet Capture on WAN and set the level of detail to full and check the MAC and IP addresses being sent.
  • Change WIFI password from commandline

    2
    0 Votes
    2 Posts
    1k Views
    M
    After a week of trying, I finally made a script to change the wifi password on my SG-2440 from the command line. I know it's a dirty script, but it does do the job: it syncs the pfsense graphical interface and it makes an HTML file where the current password is stored. This script runs in the crontab every 23:59 and logs all commands to my syslog machine (splunk).

    The code:

    ```sh
    #!/bin/sh
    # Read the current passphrase from both config files and generate a new one.
    currconfigpwd="$(/bin/cat /cf/conf/config.xml | /usr/bin/grep passphrase | /usr/bin/cut -f 2 -d'>' | /usr/bin/cut -f 1 -d'<')"
    newpwd="$(/bin/cat /dev/urandom | /usr/bin/tr -dc 'a-zA-Z0-9' | /usr/bin/fold -w 8 | /usr/bin/head -n 1)"
    currwlanconfpwd="$(/bin/cat /var/etc/hostapd_ath0_wlan0.conf | /usr/bin/grep wpa_passphrase | /usr/bin/cut -f 2 -d'=')"

    /bin/echo "change-wifi-password : This script will update the wifi password with 8 random chars."
    /bin/echo "change-wifi-password : --------------------------------------------------------------"
    /bin/echo "change-wifi-password : Current wifi password in /cf/conf/config.xml : $currconfigpwd "
    /bin/echo "change-wifi-password : Current wifi password in /var/etc/hostapd_ath0_wlan0.conf : $currwlanconfpwd "

    # Refuse to continue if the two files disagree.
    if [ "$currconfigpwd" != "$currwlanconfpwd" ]
    then
        /bin/echo "change-wifi-password : Passwords are not equal ... exiting "
        /bin/echo "-- $currconfigpwd -- $currwlanconfpwd --"
        exit 1
    fi

    /bin/echo -n "change-wifi-password : Removing old /var/run/hostapd_ath0_wlan0.pid file ..."
    /bin/rm -f /var/run/hostapd_ath0_wlan0.pid
    /bin/echo "Done!"

    /bin/echo -n "change-wifi-password : Setting new password ($newpwd) in /var/etc/hostapd_ath0_wlan0.conf ..."
    /bin/cat /var/etc/hostapd_ath0_wlan0.conf | /usr/bin/sed "s/$currwlanconfpwd/$newpwd/" > /var/etc/hostapd_ath0_wlan0.conf.NEW
    /bin/mv /var/etc/hostapd_ath0_wlan0.conf.NEW /var/etc/hostapd_ath0_wlan0.conf
    /bin/echo "Done!"

    /bin/echo -n "change-wifi-password : Killing old hostapd_ath0_wlan0 daemon ..."
    #psnum="`/bin/ps aux |/usr/bin/grep \"/usr/sbin/hostapd -B -P /var/run/hostapd_ath0_wlan0.pid\" |/usr/bin/grep -v /usr/bin/grep | /usr/bin/awk '{print $2}'`"
    psnum="$(/bin/ps -auxw | /usr/bin/grep hostapd_ath0_wlan0.pid | /usr/bin/grep -v /usr/bin/grep | /usr/bin/awk '{print $2}')"
    /bin/echo -n "$psnum "
    /bin/kill $psnum
    /bin/echo "Done!"

    /bin/echo -n "change-wifi-password : Starting hostapd_ath0_wlan0 daemon ..."
    /usr/sbin/hostapd -B -P /var/run/hostapd_ath0_wlan0.pid /var/etc/hostapd_ath0_wlan0.conf >/dev/null
    /bin/echo "Done!"

    # Write the new passphrase into config.xml and let pfSense re-save it.
    /bin/echo -n "change-wifi-password : Setting new password ($newpwd) in /cf/conf/config.xml ..."
    /bin/rm -f /cf/conf/config.xml.NEW
    /usr/bin/sed "s|$currconfigpwd|$newpwd|" /cf/conf/config.xml >/cf/conf/config.xml.NEW
    /bin/cp /cf/conf/config.xml.NEW /cf/conf/config.xml
    /bin/rm -f /tmp/config.cache
    /bin/sleep 1
    /usr/local/bin/php -f /root/write-apply.php
    /bin/echo "Done!"

    /bin/echo -n "change-wifi-password : Making intranet webpage passwordoftheday.html in /usr/local/www ..."
    /bin/echo " <center>" >/usr/local/www/passwordoftheday.html
    /bin/echo " **PASSWORD OF THE DAY WILL BE ACTIVE FOR 24 HOURS** ##### Generated on : $(date) " >>/usr/local/www/passwordoftheday.html
    /bin/echo " **PASSWORD : $newpwd** " >>/usr/local/www/passwordoftheday.html
    /bin/echo "Done!"
    ```

    And the write-apply.php file:

    ```php
    #!/usr/local/bin/php -q
    <?php
    require_once('/etc/inc/pkg-utils.inc');
    require_once('/etc/inc/config.lib.inc');
    write_config();
    ?>
    ```

    Have fun with it ;-)
    m
  • Firewall Logs Dashboard Widget does not save selected Interface

    3
    0 Votes
    3 Posts
    771 Views
    R
    You're right. Selecting the interface and logging out did it for me. After relogin and browsing through the menus it still kept my interface. Thank you!
  • 2.3 - LAGG, VLAN, Carp - after Update no route

    6
    0 Votes
    6 Posts
    1k Views
    M
    Hi again, my problem is still there. I found out now that the problem is the slave system! Exactly after five days the second server does something with the CARP and the routing fails. I don't know what happens there, but after a reboot of the slave system everything is fine again - till the next five days. The master hardware is changed, the slave not. Should I? What should I test next? I have no ideas anymore and it's not so nice to get a wake up call on Sunday from the company that the problem is back again. Thanks!
  • Need help - Boy Scout Camp Setup

    4
    0 Votes
    4 Posts
    898 Views
    Derelict
    It is far easier to allow PoS, VPN and allow access to a particular (scout) site than it is to block just things that are hosted all over the world, on CDNs, etc. •  Block video from playing in facebook (not necessarily block facebook though) Good luck with that since facebook is pretty much all HTTPS. Might as well try to allow whatsapp but block whatsapp messages containing curse words. I believe what you are trying to do is pretty much impossible and you would be better spending your time blocking everything and passing only what they need access to.
  • Bandwidth consumption not adding up

    1
    0 Votes
    1 Posts
    385 Views
    No one has replied
  • New Error Making Changes to Radius

    1
    0 Votes
    1 Posts
    474 Views
    No one has replied
  • Change default LAN interface

    1
    0 Votes
    1 Posts
    646 Views
    No one has replied
  • Am I missing how to get to 'next page' of system firewall logs?

    2
    0 Votes
    2 Posts
    430 Views
    C
    There is currently no pagination in the logs.
  • Configure pfsense for a simple wan/lan via vmware workstation

    2
    0 Votes
    2 Posts
    937 Views
    B
    Btw, I can ping the host VM but not the IP of the set 192.168.1.1 at LAN.
  • 0 Votes
    3 Posts
    857 Views
    F
    Same problem here.  Doesn't happen particularly often, but usually it is terminal (i.e. it doesn't recover).  The firewall still does all it is supposed to do, but web console just doesn't respond.  Our firewall box has several IPSec and OpenVPN VPNs set up on it, but there doesn't seem to be a specific action that causes it.
  • Email alerts when connection on certain ports made

    3
    0 Votes
    3 Posts
    651 Views
    jahonix
    Isn't that related to port security of your switch? I'm pretty sure that can be handled by SNMP and the various tools available. Wait, with ports you refer to IP ports, not switch ports, right? Something in the SNMP MIBs for pfSense maybe?
  • How can I block these from my logs?

    4
    0 Votes
    4 Posts
    1k Views
    jimp
    If you disabled IPv6 in the GUI then it's doing what you asked. It's blocking and logging IPv6 since that's what the option does. You could instead make a floating tab rule to block – and not log -- IPv6 from any/to any, and make sure all of your interfaces have IPv6 set to "None" as well. You could also use a block (and not log) rule on each of the interface tabs.
  • HOW TO BLOCK THE USER USING MAC ADDRESS

    6
    0 Votes
    6 Posts
    3k Views
    johnpoz
    Does he want to use static arp?  I can not tell what the OP wants to be honest.. But I like the use your switch post from Derelict ;)
  • Can't connect from Wifi to Lan net

    1
    0 Votes
    1 Posts
    441 Views
    No one has replied
  • Where is the best place to store custom scripts for ease of maintenance?

    10
    1 Votes
    10 Posts
    5k Views
    G
    Thanks everyone for the input… You've helped me think this over... and given:
      • I want/need ease of maintenance: simple backup/restore.
      • Custom scripts with least privilege possible, under a user with minimal rights.
      • It's only a couple of scripts and a few kb of disk space. (A partition is not warranted.)
      • /root is not completely under user control… file backup plugin uses it.
    I'm thinking that it would be hard to do better than:
      • Creating a user: custom (with minimal rights).
      • Stick everything in /home/custom
      • Write a quick script to tar.gz /home/custom and scp to my FreeNAS box for backup (or maybe use the file backup plugin, but given that it doesn't do time versions automatically or allow granular restore or multiple backup profiles.)
      • A normal configuration restore will recreate everything except the actual scripts in /home/custom
    If I'm missing something or anyone has any other suggestions, be glad to hear them.
  • Unbound fatal error: could not open ports, then unbound is down.

    5
    0 Votes
    5 Posts
    4k Views
    P
    @pfcode: Hi, I found this in the system log, Unbound fatal error: could not open ports, then unbound stopped working. Only occurred under the combination of IPv6 and pfBlockerNG DNSBL. What was happened: when the IP changes, it tries to stop/start Unbound… But unbound takes a little more time to do that with DNSBL enabled... So it fails to start .... I was told that it's not a package issue, but something in pfSense code.

    I experienced a similar issue last night with my HE.NET IPv6 Tunnel. I am running on the latest dev (2.3.2-DEVELOPMENT (amd64) built on Mon Jul 18 23:27:23 CDT 2016 FreeBSD 10.3-RELEASE-p5)
  • No Internet to Wireless Router

    3
    0 Votes
    3 Posts
    684 Views
    johnpoz
    Why are you running statics on your lan? Well if you don't have dhcp on your wired lan, then no wireless isn't going to have it either.. To turn ANY wifi router into an AP 3 things.
      • Set its lan IP to be on the network you're going to connect it to
      • turn off its dhcp server
      • connect it to your network via one of its LAN ports not its wan…