  • Where can I find the non-"Community Edition" image?

    8
    0 Votes
    8 Posts
    1k Views
    G
    A follow up: There was indeed a baud rate mismatch when transitioning from BIOS boot messages to kernel boot messages.  But in my defense, the presence of that mismatch seemed to make the kernel "want" a carriage return to continue to load.  So yes, it's possible that loading a config file that causes that console baud rate mismatch can cause the system to hang.  YMMV of course.
  • Outgoing port 25 block workaround help request…

    Locked
    12
    0 Votes
    12 Posts
    4k Views
    johnpozJ
    And this SO box, can not run a simple email relay?  Now it's just sending its email to localhost to have it forward on. https://github.com/Security-Onion-Solutions/security-onion/wiki/Email
  • Developer Shell not changing WAN IP

    2
    0 Votes
    2 Posts
    570 Views
    F
    I didn't find a way to reset the WAN-IP from the developershell without a reboot. If anyone knows, I'd like to hear about a solution without a reboot. My developer-shell solution looks like this:
    $config['interfaces']['wan']['disabled'] = false;
    $config['interfaces']['wan']['ipaddr'] = "<ip>";
    $config['interfaces']['wan']['subnet'] = "<subnet>";
    $config['gateways']['gateway_item'][0]['gateway'] = "<gw>";
    $config['gateways']['gateway_item'][0]['name'] = "GW_WAN";
    $config['gateways']['gateway_item'][0]['interface'] = "wan";
    $config['gateways']['gateway_item'][0]['monitor_disable'] = true;
    $config['gateways']['gateway_item'][0]['defaultgw'] = true;
    write_config();
    exec;
    system_reboot_sync();
    exec;
    exit  <- Systems reboot, is not executed
  • A fairly annoying Snort bug, and some UI suggestions

    1
    0 Votes
    1 Posts
    398 Views
    No one has replied
  • Problems with internet dropping with pfsense

    2
    0 Votes
    2 Posts
    815 Views
    DerelictD
    They are not pinging your modem from 8.8.8.8. Traceroute out and, when you see packet loss to 8.8.8.8 ping something closer. If you can reliably see loss to something closer - preferably within your ISP's own network - try complaining about that. Squeaky wheel gets the grease, as they say. Now just to say we have this same version of pfsense running at my office with the same provider only difference is at my house it is a slower connection so any help would be appreciated. Are you moving traffic anywhere close to what the ISP says you should be able to do during these periods of ICMP packet loss?
  • Fiber on LAN?

    Locked Moved
    7
    0 Votes
    7 Posts
    1k Views
    DerelictD
    It wouldn't unless by doing so you were eliminating a source of errors or something. If you're looking at correcting an application performance issue by going from gig copper to gig fiber you are wasting your time. You can use wireshark to zero in on TCP connections and look at the packet delays. You might want to do that on the SQL connections instead.
  • Local computer LAN ARP problem

    8
    0 Votes
    8 Posts
    1k Views
    Z
    Finally found a solution for the ARP problem, nothing with pfSense but the vmware. Simply setting promiscuous mode on for the vSwitch will solve this. Reference : http://unix.stackexchange.com/questions/23004/openvpn-bridge-cant-access-machines-on-local-network
  • Place a text file in webroot

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    Z
    I was able to connect with scp and transfer a file. Thanks.
  • Does pfsense have sip alg?

    5
    0 Votes
    5 Posts
    34k Views
    Z
    Thanks everyone. Appreciate the feedback.
  • VLAN on multiple interfaces

    1
    0 Votes
    1 Posts
    465 Views
    No one has replied
  • Any way to stop SSH log spam in System log?

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    No, because for security reasons it has to report every attempted connection. The alternative would be someone/something nefarious hitting the port and you'd never know.
  • Use OPT1 as a gateway for a physical computer

    4
    0 Votes
    4 Posts
    1k Views
    KOMK
    Is there any configuration to add to the pfsense firewall or some NAT to do or Forwarding Rules? By default, only LAN gets a firewall rule to allow access.  OPT1 does not, so you will likely need to add at least one rule.  Look at your LAN rules and find the one labelled Default allow LAN to any.  Make a rule exactly like this one but on the OPT1 interface instead of LAN.
  • 2FA - Google Auth in pfSense

    2
    0 Votes
    2 Posts
    1k Views
    johnpozJ
    2FA is already what you have.. You have the cert and a username and password if you want it, that is 2FA..  How many factors do you need?  I think we should put in a dna test before you get on..
  • Pfsense.org ipv6 address network not work

    14
    0 Votes
    14 Posts
    2k Views
    johnpozJ
    I don't need to do that.. But my mtu on my gif to HE is set to 1480 mtu gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1480
  • Dshield send pfsense log - issue with reading log entry time?

    2
    0 Votes
    2 Posts
    861 Views
    G
    just a wild thought this might be a nice add to pfblockerng or both ids/ips packages
  • Vlan-interface-dhcp-client

    3
    0 Votes
    3 Posts
    1k Views
    L
    Well, the WAN interfaces on each pfsense HA-node do not share a virtual IP, so there is no seamless failover of sessions between the HA nodes. If one node goes down, the backup node will take over, but all state/sessions are lost and need to be re-initialized. Like you said, in order for this to be done correctly one would have to have some control over the upstream hardware (which I don't).
  • Captive Portal for external / inbound traffic ?

    1
    0 Votes
    1 Posts
    662 Views
    No one has replied
  • Layer 3 Cisco Switch & pfSense Design Assistance

    6
    0 Votes
    6 Posts
    4k Views
    johnpozJ
    "The other reason to have the bulk of the network L3 switched on the switch is for pfSense upgrades.  An upgrade shouldn't take down my ability to stream that webcam video internally, or my ability to stream music or video internally." While I agree with this for sure, what happens when you want to upgrade your switch firmware? ;) What is being used for internal dns?  While you might not have an issue while you're streaming a movie or music and you reboot pfsense. When do you do your pfsense upgrades?  I do them after hours or before household hours because I am up early..  Or sometimes whenever.. Reboot of pfsense never takes more than a couple of minutes, etc.  If someone was watching a movie I wouldn't do the update then ;) "The reason I want to segment all this stuff is security." Completely and utterly agree with you 100%  I just do not see doing it at the switch, which clearly while it has some basic ACL functionality does not have the ease of creating the exact firewall rules and logging of hits on these rules like your switch is going to have. As to how large companies do it - sure they have core L3 switches, I have supported many a large company..  They rarely firewall between their segments, even though they should!!  Most often I see a large core switch, say a nexus 7k but there are no ACLs between segments.  Sure they will have their services that are open to the public internet behind a firewall and isolated from their core network.. I really don't see that as any sort of reason to do a downstream in your home setup.. If your pfsense box can not handle the wire speed you need between segments, prob better to get a faster pfsense box ;) heheeh  It will make your life much easier that is for sure.  I have toyed with putting my sg300 in L3 mode and doing a downstream setup.. This would for sure give me way faster speeds between my segments.  But the thing is I have my segments isolated for security.
    The ports I do have open between segments like printing, access to my plex.  Pfsense can more than handle the speed needed. More than happy to help you work out the details of such a setup, I just don't see the actual value in doing it is all ;)
  • VPN, Alternatives?

    8
    0 Votes
    8 Posts
    2k Views
    johnpozJ
    I connect into openvpn to my home network from work pretty much every single day, and it stays connected from the morning until I leave pretty much..  So rock solid for 8 hours at a time 5 days a week for years have been doing this..
  • Help choosing a switch

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ
    If for home use sure outdated model for less $ is prob fine sure.  Yeah those are both managed switch, so should provide you prob pretty much all the features you might need for home use.  Vlan support being the big one.  As to all the other features they might support I would have to look.  Fully managed should include stuff like snmp for monitoring, sending of traps.  And many other bells and whistles that you may or may not need.  But would provide you with future proofing, for possible future use.