• 0 Votes
    4 Posts
    3k Views
    J
    Perfect...thanks for the clarification!
  • System FAIL [2.4.4]

    4
    0 Votes
    4 Posts
    486 Views
    jimpJ
    Current SSDs are fine. Much faster, and reliable. It's really up to you.
  • pfSense lost my credentials

    logs credentials system
    3
    0 Votes
    3 Posts
    1k Views
    senseivitaS
    Sorry for the delay, I finally fell asleep. I did, on one link only. I think it was indeed Squid though. It started [everything] deteriorating fast just a tiny bit later. Downloads and SSH connections to local hosts would return "broken pipes". I had seen this behavior before; this time I almost went insane trying to fix it, even got an SNMP tool, in itself a major undertaking because downloads kept freezing the whole network and failing to complete--finally set it up and the big red indicator that I couldn't clear was something about a DHCP RAM disk, which is supposed to be full--the conclusion I kept drawing, still, I stopped DHCP and deployed another box just for DHCP. In the end, I gave up and decided to make the best out of a bad situation and decided to start over installing very carefully the whole network. I had already wiped pfSense a couple of times, BTW, but I was restoring from backup, and that last time when I didn't I discovered the backups were snowballing the bad from before. Everything was super fast again, like unbelievably so. I kept the DHCP though, and I added to that another 4 additional pfSense boxes, RADIUS, 2x DNS and proxied DNS (it dials VPN); these were thin clients with some weird architecture that's 64-bit "but not really", something called i586/i686, I think it's from the '90s. The 32-bit pfSense got them working again. This whole thing pushed me to get creative. :) I'm just happy to help, if I can. I'll keep an eye on that, already wrote it down in the file where I write the history of changes I make, my memory sucks. I assume the first one is the same that's downloadable as backup--I'll find out. Anyway, thanks; I doubt it happens again but in a weird way I'm kinda hoping it does out of sheer curiosity.
  • Disappointing sub Gb throughput using server hardware.

    20
    0 Votes
    20 Posts
    2k Views
    S
    @stephenw10 Yeah I figured. Just thought since it's not exactly the standard I may as well test it. ZFS also has higher CPU and RAM overhead unless I'm mistaken.
  • Slow internet speeds on WLAN

    9
    0 Votes
    9 Posts
    1k Views
    johnpozJ
    So you moved the AP to a different network and now it's good? If so my GUESS would be your other network is flooded with broadcast/multicast traffic and/or traffic just between wireless and local, eating up your wireless bandwidth. Since you say it went away when you isolated to its own network - this would SUGGEST large amounts of broadcast or multicast traffic that does not hurt your overall gig speed.. But can kill wireless. How many clients on your network? Do a simple sniff from one of them; do you see large amounts of broadcast traffic? Move it back - is there something going on between wireless clients and devices local.. Say local dropbox or something trying to sync, etc. Just sniff on one of your wireless clients on the network where you're slow - do you see lots of broadcast/multicast traffic? But you seem to have found on your own one of the many reasons you isolate wireless to their own broadcast domain ;) and don't just connect them to your 200 host flat network.. With chatty kathy windows boxes being the worst!!! Does tplink have any sort of broadcast/multicast filtering? Unifi has an option to block it from the lan side to the wireless side - this could break some stuff depending on what you're doing.. [image: 1539853308636-blockbroadcast.png] I don't need to block it because my wireless networks are not connected to large lan networks with lots of broadcast traffic. I see 300+ mbps on any of my clients that support such speeds.. And even the clients I have I tend to tweak them to lower noise output. I sniff my networks now and then and if I see any sort of weird noisy traffic I investigate and disable.. Not a big deal if you have a handful of clients but if you have hundreds then sure it could kill wifi networks that are not filtered from having to send that traffic over the wifi. And block multicast at the switch port the AP is connected to anyway.
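    To put a number on the "sniff on a wireless client" check suggested above, here is an added example (not from the thread, and not pfSense, TP-Link or Unifi code): a small pure-Python reader for a classic pcap file that classifies every Ethernet frame by destination MAC as broadcast, multicast or unicast, reports what share of the bytes on the wire the AP would have to repeat to every wireless client, and lists the sources generating that group traffic. The capture is constructed inline (ARP, mDNS, SSDP and IPv6 all-nodes frames beside a few large unicast frames) to stand in for a real `tcpdump -w` file; the MAC addresses and frame sizes are invented.

```python
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap written little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1      # same container written big-endian
LINKTYPE_ETHERNET = 1


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ethernet_frame(dst, src, ethertype=0x0800, payload_len=60):
    """Minimal Ethernet II frame with a zero-filled payload (constructed sample data)."""
    return _mac(dst) + _mac(src) + struct.pack(">H", ethertype) + b"\x00" * payload_len


def build_pcap(frames):
    """Wrap raw frames in a classic (non-pcapng) pcap container, as tcpdump -w would."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(
        struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)
    )
    return header + records


def iter_frames(pcap):
    """Yield the captured bytes of every record in a classic pcap file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def classify_destination(dst_mac):
    """Broadcast is all-ones; multicast has the group bit (LSB of the first octet) set."""
    if dst_mac == b"\xff" * 6:
        return "broadcast"
    if dst_mac[0] & 0x01:
        return "multicast"
    return "unicast"


def airtime_report(pcap):
    """Share of bytes an AP must repeat to every wireless client, and who sends them."""
    frames_by_class, bytes_by_class, noisy_sources = Counter(), Counter(), Counter()
    for f in iter_frames(pcap):
        if len(f) < 14:          # runt record, not a usable Ethernet header
            continue
        cls = classify_destination(f[0:6])
        frames_by_class[cls] += 1
        bytes_by_class[cls] += len(f)
        if cls != "unicast":
            noisy_sources[f[6:12].hex(":")] += 1
    total = sum(bytes_by_class.values())
    group_bytes = bytes_by_class["broadcast"] + bytes_by_class["multicast"]
    return {
        "frames": dict(frames_by_class),
        "bytes": dict(bytes_by_class),
        "group_share": group_bytes / total if total else 0.0,
        "top_sources": noisy_sources.most_common(3),
    }


# Constructed capture standing in for a sniff on a flat LAN: six hosts ARPing,
# one host chatty on mDNS, one SSDP announcer, one IPv6 all-nodes frame, and
# three large unicast frames (a download) for comparison.
SAMPLE_PCAP = build_pcap(
    [ethernet_frame("ff:ff:ff:ff:ff:ff", f"00:11:22:33:44:{i:02x}", 0x0806, 46) for i in range(6)]
    + [ethernet_frame("01:00:5e:00:00:fb", "00:11:22:33:44:10", 0x0800, 200)] * 2
    + [ethernet_frame("01:00:5e:7f:ff:fa", "00:11:22:33:44:11", 0x0800, 300)]
    + [ethernet_frame("33:33:00:00:00:01", "00:11:22:33:44:12", 0x86DD, 100)]
    + [ethernet_frame("00:11:22:33:44:99", "00:11:22:33:44:10", 0x0800, 1400)] * 3
)

if __name__ == "__main__":
    report = airtime_report(SAMPLE_PCAP)
    print(f"group traffic: {report['group_share']:.1%} of bytes, frames {report['frames']}")
    for mac, n in report["top_sources"]:
        print(f"  {mac}: {n} broadcast/multicast frames")
```

    On a real capture, replace `SAMPLE_PCAP` with the bytes of a file written by `tcpdump -w` on the wireless client; the byte share is the figure that matters for airtime, since every group frame is sent at the basic rate to all associated stations, so a modest frame count can still cost a large fraction of the channel.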
  • Avoiding data loss after removing NTFS usb without unmounting.

    10
    0 Votes
    10 Posts
    1k Views
    stephenw10S
    Don't use NTFS maybe? Not at all clear on what you're doing here though. Steve
  • libssh CVE-2018-10933

    2
    2 Votes
    2 Posts
    715 Views
    johnpozJ
    Thanks jim, that should hopefully hold off any posts about it.. If not, will have a place to point the questions to.
  • Wildcard Domain Block?

    3
    0 Votes
    3 Posts
    1k Views
    W
    @BBcan177 Proxy has regex indeed, however without SSL inspection it simply ignores anything that goes over https including those adverts. That will be a useful feature for pfBlockerNG once implemented. Thanks for the great package btw!
  • Block and monitor

    1
    0 Votes
    1 Post
    266 Views
    No one has replied
  • Full time connection between Pfsense and Raspberry PI

    14
    0 Votes
    14 Posts
    3k Views
    X
    thanks man.
  • Need help with setting up pfSense as a bridging firewall

    2
    0 Votes
    2 Posts
    376 Views
    stephenw10S
    Do you see anything blocked in the firewall log? Do you see any states in the state table when you try to connect through it? What version of pfSense are you running? pfSense 2.4.4 is built on FreeBSD 11.2 and ESXi only supports that from v6.5 officially. https://www.vmware.com/resources/compatibility/search.php?deviceCategory=software&details=1&operatingSystems=232&productNames=15&page=1&display_interval=10&sortColumn=Partner&sortOrder=Asc&testConfig=16 Steve
  • pfsense routing help needed

    pfsense
    8
    0 Votes
    8 Posts
    1k Views
    stephenw10S
    Mmm, I would think there are better ways to do this. But if you wanted to do it like this you will need to set up an OpenVPN tunnel between the two sites to route traffic across; you can't route over IPsec for this. You will need the OpenVPN interfaces assigned, at least at the UK end, to get reply-to states on traffic coming across the tunnel. Then:
    - Move the VMs to the 192.168.20.0/24 subnet in the UK. That may well be non-trivial!
    - Change your port forwards in the US firewall to point to the new internal IPs.
    - Add policy routing rules on the UK firewall to route traffic from those VMs out via the US, if that is required for traffic initiated by the VMs.
    - Add outbound NAT rules on the US side for the 20.0/24 subnet to allow that traffic out.
    Steve
  • dhcpleases error in system log

    7
    1 Vote
    7 Posts
    746 Views
    emammadovE
    Thank you very much for your comprehensive answer. It is highly appreciated.
  • Mitigating risk for any port-forwarding NAT rules

    6
    0 Votes
    6 Posts
    480 Views
    4
    Hey, thanks for all the replies folks. I can go either way - already have an isolated DMZ for my chinese cameras - but I think I'll use VPN for external access and disable that NAT rule altogether. I have been leaning in this direction - the only reason I have not done it is that it's another thing I have to teach my wife to do on her phone - make sure she has a VPN session up - when she is attempting to access an internal resource on my network. I'll do some reading on setting up the VPN server feature on pfSense... Romany
  • pfsense and cisco anyconnect

    3
    0 Votes
    3 Posts
    880 Views
    4
    So does AnyConnect indicate that it's down? If it does not, then that implies there's something else going on. I would suggest you go to a DOS prompt and have a constant ping going to some internal address at your business (ping xxx.somecompany.com -t) and leave it pinging. When the problem comes back - see if your pings are still successful. If the internal host is no longer pingable then that confirms you have some type of loss of connectivity. You can also bring up your AnyConnect window - click on the "gear head" symbol - and go to statistics. You should see send and receive frames incrementing. I run AnyConnect for days through my firewall and never have issues....
  • VLAN tag on WAN not working

    23
    0 Votes
    23 Posts
    7k Views
    stephenw10S
    Did you disable checksum off-loading in System > Advanced > Networking? You can probably configure a mirror port on the switch to send all the packets going to/from the ISP to a capture device. Steve
  • pfsense WiFi MAC authentication

    3
    0 Votes
    3 Posts
    801 Views
    H
    Hi, sorry for the confusion. The diagram is just the current setup and how I would like it to work, as it looks like my only option. I am not saying that the iPhone MAC address is passing through 2 routers. I would like to however know how it is possible that companies like Purple WiFi and WiFi Spark can get it to work the way in the diagram https://purple.ai/?utm_source=google&utm_medium=cpc&utm_campaign=764304889&ppc_keyword=purple%20wifi&gclid=EAIaIQobChMIx_z_j7mI3gIVCZ3VCh29KwZIEAAYASAAEgK-I_D_BwE https://www.wifispark.com/ What type of server would they be using, Windows, Linux, cloud based? When I tested with Purple WiFi, my iPhone MAC address was passing through my router and then through Purple WiFi's router then onto their server. Unless it was carried out another way. I'm just looking for a free open source way of achieving this as I have over 2500 APs, which can be costly if I go with Purple WiFi. Thanks
  • Verify download PGP/GPG keys

    7
    0 Votes
    7 Posts
    1k Views
    stephenw10S
    The sha256 file is a text file containing the expected checksum. The checksum of that txt file is not expected to be the same. Steve
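    A worked version of that check, added here and not part of the thread or of pfSense's own tooling: it reads the expected digest out of the .sha256 sidecar (whether written BSD-style as `SHA256 (name) = hex` or coreutils-style as `hex  name`), hashes the image in chunks, compares the two, and shows that hashing the sidecar itself never produces a match. The image contents, the sidecar and the file names are constructed in a temporary directory and are not a real release.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Either sidecar layout contains exactly one 64-hex-digit SHA-256 digest.
_DIGEST_RE = re.compile(r"\b([0-9a-fA-F]{64})\b")


def expected_digest(sidecar_text):
    """Return the SHA-256 digest published in a .sha256 text file, lower-cased."""
    m = _DIGEST_RE.search(sidecar_text)
    if not m:
        raise ValueError("sidecar does not contain a SHA-256 digest")
    return m.group(1).lower()


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(image_path, sidecar_path):
    """True when the image hashes to the digest the sidecar lists."""
    with open(sidecar_path, "r", encoding="utf-8") as f:
        want = expected_digest(f.read())
    return hmac.compare_digest(want, sha256_of_file(image_path))


def demo():
    """Constructed scenario: a good image, a tampered copy, and the mix-up from the thread."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "pfSense-demo-amd64.iso.gz")      # invented name
        sidecar = image + ".sha256"
        with open(image, "wb") as f:
            f.write(b"constructed image contents, not a real installer\n" * 1000)
        # Simulate what the mirror publishes next to the image (BSD-style line).
        with open(sidecar, "w", encoding="utf-8") as f:
            f.write(f"SHA256 ({os.path.basename(image)}) = {sha256_of_file(image)}\n")
        with open(sidecar, "r", encoding="utf-8") as f:
            published = expected_digest(f.read())
        # A download corrupted or altered in transit: one bit flipped.
        tampered = os.path.join(d, "tampered.iso.gz")
        with open(image, "rb") as f:
            data = bytearray(f.read())
        data[100] ^= 0x01
        with open(tampered, "wb") as f:
            f.write(data)
        return {
            "good_image_verifies": verify_download(image, sidecar),
            "tampered_image_verifies": verify_download(tampered, sidecar),
            # Hashing the .sha256 file itself (the confusion in the thread) never matches.
            "sidecar_hash_equals_published": sha256_of_file(sidecar) == published,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    A matching digest proves only that the bytes on disk are the bytes the sidecar describes, which rules out a corrupted download; an attacker who can replace the image on a mirror can replace the sidecar too, so a signature over the checksum file (the PGP/GPG step the thread title refers to) is what binds the digest to the publisher.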
  • Is there a malware?

    3
    0 Votes
    3 Posts
    368 Views
    N
    thanks man I solved XDDD
  • (Solved) Want to block certain LAN clients from accessing WAN

    10
    0 Votes
    10 Posts
    1k Views
    RainMistMeR
    @grimson Thanks for your time, but I usually don't trust people enough to send screen shots. I usually don't want anyone to know 'anything' about my firewall settings. But it's solved, so unfortunately I'm afraid you've wasted your time. Sorry for that. I tend to not respond to anyone I really don't want to help, so as to alleviate such "wasted time," if in fact I decide to deem it such. Though I usually don't see helping someone as wasted time. We each decide for ourselves what is and is not wasted time, as such we each should act accordingly. I would hope that everyone understands this fact, because it'll usually yield more happiness during one's lifetime. Have a good one my friend! And thanks again for your time!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.