  • Gateway Status / dpinger Questions

    2
    0 Votes
    2 Posts
    1k Views
    dennypage
    Your IPv6 gateway is a HE tunnel, yes? This means that IPv6 will show as functional if there is any connectivity for the tunnel. In other words, if IPv4 is functioning, so is IPv6.
  • Torrent doesn't work

    16
    0 Votes
    16 Posts
    6k Views
    S
    @rudger_wolvram: If the any/any rule you posted makes it work, then that means at least NAT is working. Check the configuration settings of uTorrent itself, by default it will randomize the port it listens on. You may also look at enabling uPnP, uTorrent is pretty good about using uPnP. Also, as a side note, for troubleshooting pfSense uPnP, uTorrent is good for that as well because it plays nicely with pfSense's implementation. Also, NATing does not imply allowing access with a rule. For example, I have an old NAT rule for a TS3 server I hosted for a short while, however, after moving to a proper hosted service, the firewall rule itself that allows that access has been disabled, the NAT is still there, but the rule that allowed it is disabled. So if I spun that TS3 server up again, it would never work until I re-enabled the access rules. Exactly, I am sure the NAT is working for that reason. About uTorrent, the option to randomize the port is disabled, I've just double checked, and the 2 options "UPnP" and "NAT-PMP" are enabled. If I got what you mean, the rules say the last word, let's say so. Hence I need to create a rule that will not be so OPEN as the any/any rule that I am using.
  • Pfsense ramdisk usage

    7
    0 Votes
    7 Posts
    10k Views
    K
    I see. When does /tmp fill up anyway? I never saw it significantly used even at 40MB. Any disadvantages by not including swap during install? I just noticed that I'm already at 100% with 120MB of /var ramdisk (it fills usually after 24 hours). Take note though that I have two pfsense boxes of the same exact kind (APU2C4) and they're just used for my home. The first one serves around only 10-15 devices (including mobile phones) and the other serves like only 3-5 devices so they are in no way loaded heavily. I have squid and lightsquid installed but they're both disabled and not configured yet since they were installed so that's not what's causing it to fill up for sure. How do I query which directory inside /var is the culprit? Would "ls -l" do?
  • Packet loss following WAN link loss

    2
    0 Votes
    2 Posts
    2k Views
    M
    Well, I went ahead and wrote an article on this problem at my website: "pfSense not recovering after WAN outage". And this is how I resolved it: "Using a WAN VLAN with pfSense". I created a WAN VLAN and plugged my Internet into that, and then pfSense into another port. This keeps pfSense from losing link in the WAN port when we lose connection with the ISP. In my case I have FiOS, so put the ONT on Port 1 and pfSense on port 2. Both untagged ports with the WAN PVID. Works like a champ. I sure wish I didn't have to waste two ports on my switch though. ;)
  • Problem with transparent mode squid3

    3
    0 Votes
    3 Posts
    514 Views
    A
    Hello, I have enabled the transparent proxy for HTTP only. I set the "Proxy Interface(s)" options to go out from mine to the LAN network, with the option "Allow Users on Interface" and "Allow Users on Interface" enabled only for my LAN as well. The problem is that these machines on the network can browse through the proxy, even without being set in "ACLs->Allowed Subnets".
  • Squidguard and mysql

    1
    0 Votes
    1 Posts
    790 Views
    No one has replied
  • [SOLVED] WOL across VLAN's

    11
    0 Votes
    11 Posts
    8k Views
    P
    I understand I need the ARP entry because I use the IP address instead of the broadcast address. But using the broadcast address didn't work for some reason. To be honest I only use it once a month(ish) so this is OK for me. Thanks though for all the info, appreciated!
  • Pfsense + apu2c4 combo temperature monitoring

    3
    0 Votes
    3 Posts
    2k Views
    K
    Thanks, it worked!
  • Admins via extended LDAP query

    Locked
    2
    0 Votes
    2 Posts
    528 Views
    S
    Never mind, just saw someone post this just below here: https://forum.pfsense.org/index.php?topic=116760.0 Watch out for the User - Config: Deny Config Write rule!
  • How to rebuild kernel ?

    3
    0 Votes
    3 Posts
    853 Views
    johnpoz
    Yeah would not really be a good idea to go about messing with the compile of your firewall kernel on special use distro like pfsense. If there is something specific you would like to see included or excluded from the kernel best to put in a feature request to the devs. If you want to compile stuff in general for freebsd, prob best to fire up generic freebsd install for such play. Not something that really should be done on system used for your firewall, etc.
  • Static Routing Issue

    8
    0 Votes
    8 Posts
    1k Views
    johnpoz
    It always surprises me the lack of understanding transit networks and downstream routers. Even from people that supposedly work with routing all the time. So don't feel all that bad ;) There is this article in the docs https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules This article seems to address workarounds and causes to it that might be set on pfsense itself. But doesn't really address a common mistake not using transit networks and or placing hosts on what amounts to a transit network, etc.. Should prob take some time and round out the information provided in the above doc, this would prob be a good location for more information on the issue. I currently just don't have the self motivation to do so ;)
  • How much throughput lost using pfSense?

    17
    0 Votes
    17 Posts
    19k Views
    H
    Why not start your own thread. Performance issues are almost always customer per person. No point in ruining someone else's thread by muddying up the discussion.
  • "Backup" VPN Client server settings possible in pfsense?

    7
    0 Votes
    7 Posts
    3k Views
    Derelict
    I doubt it. Your situation seems new to me. All of the walkthroughs that cover routing traffic out public VPN providers should apply. You will just be doing everything twice, making a gateway group of the two VPN endpoints, and routing to that gateway group instead of the single gateway.
  • Connecting a Brocade Layer 3 Router to pfSense

    6
    0 Votes
    6 Posts
    3k Views
    Derelict
    For the LAN I selected (STATIC) with an IP Address of 10.0.0.1/24. My configs on the Brocade router stayed the same. Vlan 1000: 10.0.0.2/29 Static route: 0.0.0.0 0.0.0.0 10.0.0.1 Yeah, that is wrong. The netmasks should both be /24 or both be /29. Can you ping 10.0.0.2 from pfSense and 10.0.0.1 from the switch? Did you create a pfSense gateway for 10.0.0.2? Did you route 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24 to that gateway on pfSense? Does the firewall rule on your transport interface on pfSense (LAN) allow traffic sourced from those subnets? Does outbound NAT on WAN contain rules to map those subnets to WAN address? That's really all that is necessary. Check all those things. I would, personally, make some design changes: My transport network would not be associated at all with the networks on the switch. I would make it something random like 172.18.218.224/29. I would probably not use 10.0.0.0/8 for anything, but if I did I would make it something random like 10.253.192.0/18. I would route that supernet to the switch, pass traffic from that supernet on LAN, and add outbound NAT for that supernet on WAN. That would enable you to add networks 10.253.192.0/24 through 10.253.255.0/24 on the switch at will without making any changes to the firewall. Assuming 64 /24 networks is enough for the project's maximum anticipated requirements.
  • Regarding No internet through LAN Interface

    6
    0 Votes
    6 Posts
    1k Views
    R
    Hi, Friends, I have configured pfsense 2.3.1, I am unable to get internet from lan and I can have a ping on wan and I am receiving ping data in WAN, I have attached the rules which I have assigned and I have connected wan in DHCP with private ip as 194.168.2.104 from my home Tenda router, please help me how to get internet as output from wan to lan. I have kept NAT in outbound as automatic and I have also checked NAT by keeping manual though I am not getting Internet from LAN, Please suggest me the configuration and help me out.
  • [SOLVED] Sending Mail with pfSense

    16
    0 Votes
    16 Posts
    18k Views
    G
    Thanks very much dennypage! For the benefit of anyone reading this thread, this patch solves the problem… You can now send mail from a non-root account without any sudo or other privilege escalation.
  • Duckdns.org support

    2
    0 Votes
    2 Posts
    1k Views
    C
    I found the documentation https://www.duckdns.org/install.jsp#pfsense
  • Allowed Subnets squid3

    1
    0 Votes
    1 Posts
    382 Views
    No one has replied
  • Configuring pfsense to be able to access a LAN VM from the internet

    6
    0 Votes
    6 Posts
    1k Views
    P
    Yep, I must have been doing it right since the beginning, but pfblocker having crashed was still blocking incoming connections (still have to be determined why)… Completely killing pfblocker and rebooting pfsense, then the port forward has been working fine since 4 days now.. Thanks Johnpoz for pointing out pfblocker in your last post, and thanks for the help!
  • IpSec: remote subnet field non existing

    11
    0 Votes
    11 Posts
    1k Views
    Derelict
    What is the subnet mask on your LAN? My first suggestion is to change the subnet mask on your IPsec mobile Virtual Address Pool to /24 but that really depends on the subnet of your LAN as to whether that will actually fix it. You could just change the Virtual Address Pool to something like 172.19.241.0/24 and probably fix it, regardless.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.