• Pfsense blocks websites after some hours of uptime

    13
    0 Votes
    13 Posts
    2k Views
    I had some similar issues as well, turns out I set three things:
    1. I enabled SNORT as the IDS
    2. I had automatically checked the block systems from SNORT
    3. The SNORT IDS automatically blocked some web pages that had been flagged by innocuous http inspect errors (BYTE BLOCK etc.)
    Once I suppressed the false flags http inspect, I then reset (cleared) all the blocked sites and poof I could get to where I had been unable to previously. ~Zackis
  • 0 Votes
    5 Posts
    1k Views
    IDK if this can give a clue but I'll leave it here: The last events were on last Thursday (13. April) where the connection went down several times in the afternoon. Only thing that helped was pulling the LAN cable between modem and pfsense and replugging it. Screenshot: http://imgur.com/a/XcmId Then, 14. - 17. April was Public Holiday so nobody in the office, not a single connection loss in this time. Now, back on working day, first disconnect happened around 9 AM…
  • ISP locked router and preventing double NAT

    10
    0 Votes
    10 Posts
    2k Views
    @mikeisfly: No need to port forward all ports, just have the ISP assign your PfSense box a statically assigned IP address. Then put that IP address in their router's DMZ. That should forward all unsolicited traffic to your PfSense box.
    Thanks for an alternative approach, the install is happening today, will present the options to them.
  • Can pfSense port forward UDP to external address?

    4
    0 Votes
    4 Posts
    1k Views
    Hi Guys, Do you guys know how to do this? Steps? :( I'm new to PFSense and not sure if this can be done. I see this topic is 2+ years old but no solution is mentioned. Can I get some help in the same situation? I have a pfsense instance with 1 NIC with, let's say, Public IP 1.1.1.1. I have a web server instance that is not on the local network and is hosted somewhere else with public IP 2.2.2.2. VPN is not an option on these IPs. I'm trying to configure pfsense so all traffic arriving on ports (80,443,20,21,22) on IP 1.1.1.1 is forwarded to 2.2.2.2 on the same ports. I am able to do it with the SOCAT utility using the following command: socat TCP-LISTEN:80,fork TCP:2.2.2.2:80 but it's a small utility and no proper daemon/service is available for it. The only other option is IPTable but I really like the pfsense GUI and I can use it for VPN as well. Can someone please help?
  • MOVED: squid error: L'URL demandée n'a pu être trouvé

    Locked
    1
    0 Votes
    1 Posts
    287 Views
    No one has replied
  • Pfsense as a vpn server?

    13
    0 Votes
    13 Posts
    4k Views
    stephenw10
    The SG-1000 will not push 80Mbps of encrypted traffic unfortunately. Not yet at least, it does have hardware crypto for which a driver has not yet been developed. No figures for that yet though. You would be looking at the SG-2220 to do that on our hardware. Thanks, Steve
  • Connexion problem with pfsense

    2
    0 Votes
    2 Posts
    480 Views
    stephenw10
    To reach PC2, pfSense will need to have a static route to 10.2.0.0/16 via the other router. Unless that is its default route. The inverse is also true. The other router will need a route to 10.1.0.0/16 via pfSense unless that is its default. Obviously you will need the right firewall rules in place to pass that traffic too. Check the firewall logs to see if anything is blocked. More information needed to diagnose further. Steve
  • Can I communicate two PC on differents subnets

    5
    0 Votes
    5 Posts
    815 Views
    johnpoz
    You're doing a downstream router.. Yeah, there are a few things that have to happen. And this downstream router is on a lan side port, right? You're not using it as your wan on pfsense? While I like your /30 transit.. Your other segments - why are you using /16?? There are quite a few threads that go over downstream routing with pfsense. I should prob put something up on the wiki, seems to come up quite often as of late. You're going to need to create a gateway on pfsense pointing to this /30 IP of the downstream router. And then a route for the network behind the downstream router. You're then going to have to adjust the rules on your transit network to allow the downstream. And you're also going to need to alter your pfsense outbound nat rules if these downstream networks are going to use pfsense for internet access, etc.
  • AWS Routing/NAT oddity?

    5
    0 Votes
    5 Posts
    1k Views
    Is there anywhere else to specify a "default gateway" for the internals of pfSense?
  • [SOLVED] Different DNS forwarders for VLAN's

    17
    1 Votes
    17 Posts
    9k Views
    stephenw10
    Last come back here but yeah it sounds like you can just hand external DNS servers to DMZ clients if they only need to resolve unfiltered external hosts. No need to bother with dual DNS on the firewall etc. Steve
  • MOVED: Error Message

    Locked
    1
    0 Votes
    1 Posts
    440 Views
    No one has replied
  • Can't connect to AP when Bridged

    7
    0 Votes
    7 Posts
    921 Views
    Derelict
    If your WAN is not multi-100-megabit and the realtek is reliable, it's a good choice to use the realtek on WAN. If it gives you problems, move it to intel.
  • Gateways: Difference Between EDIT and COPY?

    4
    0 Votes
    4 Posts
    690 Views
    beremonavabi
    OK.  So, since I haven't ever renamed the "copy" when I'm in there, it just doesn't do anything with it?  I would have expected the "copy" button to generate a copy with "copy" or something appended, and then I'd have to edit that copy.  Thanks. EDIT:  Confirmed it.  The behavior is as you described.  Thanks, again.
  • Removing LAGG Interface

    3
    0 Votes
    3 Posts
    2k Views
    That worked! I also had some issues with adding it back but i think i know how the link agg options work now! Thank you for your time and for saving mine!
  • Need help with pfSense and BT Youview

    1
    0 Votes
    1 Posts
    440 Views
    No one has replied
  • MOVED: Squid Proxy Logs

    Locked
    1
    0 Votes
    1 Posts
    402 Views
    No one has replied
  • Chromecast issues

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    Errr uh no. 1/ The router should NOT be routing. 2/ Disable intra-BSS isolation.
  • How To remove or disable Description under configuration field

    6
    0 Votes
    6 Posts
    676 Views
    Uh. There is no such "feature". WTH.
  • Force NTP to use specific gateways

    4
    0 Votes
    4 Posts
    1k Views
    There's no other practical way because redirecting locally originating traffic isn't possible with PF, only static routes work. There is the setfib(1) system that can be used to assign an alternate routing table to a process but it's not exposed through the pfSense GUI in any way. The gateway selection for the DNS forwarders (at the General Setup page) is using static routes, that just isn't spelled out for you. The reason static routes are a working solution for the DNS forwarders is that you'll never enter anything else but raw IP addresses as the DNS forwarders, each of the entered forwarders can be redirected individually by static routes. With NTP peers it's more complicated because the NTP service in a default setup will contact multiple peer candidates that you don't know in advance and can't be caught with static routes, you'll need a manual setup with raw IP addresses as the peers if you want to use static routes to redirect the traffic to a different gateway.
  • Impossible to remove "Custom Access Restrictions" from NTP service

    6
    0 Votes
    6 Posts
    837 Views
    Ok, so please fix this in the next release.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.