• 2.2.6 -> 2.3 upgrade: RRD Graphs gone?

    4
    0 Votes
    4 Posts
    2k Views
    sigiS
    Not amused! OK, I am an old network administrator who has used MRTG/RRD for 20 years or more. Much eye-candy monitoring has come and gone in this time. But I am trained to see some problems or irregular stuff out of a bunch of graphs. Yes, the new graphical interface is nice. But I prefer the old overview.
  • pfSense + 3750G

    7
    0 Votes
    7 Posts
    3k Views
    F
    Thanks everyone!! These are all great suggestions. As of right now I have pfSense doing everything and the internet is up and running, which makes the wife and kids happy. I think I will try having the 3750G do DHCP in the future along with my 3 VLANs, but for now I will let it function as is. The first thing on the agenda is to get my media server working again. Have any of you used finch? Thinking about trying to get pfSense and Plex on the same box. Or building a new pfSense micro router and using the existing hardware for my Plex. Any suggestions?
  • Fatal error when run: /usr/local/sbin/pfSsh.php

    4
    0 Votes
    4 Posts
    1k Views
    D
    I was seeing the exact same issue on a newly upgraded 2.3 box. It appears the script must now run as root vs. just running as an admin user. I already had the 'sudo' package installed on the box so once I added 'sudo' to the beginning of my previous check command, it works perfectly.
  • Apply IP addresses changes from PHP shell

    2
    0 Votes
    2 Posts
    611 Views
    D
    Using interface_bring_down() followed by interface_configure() on the interface will change the IP addresses of the interface, but there's so much mopping up to do afterwards that a reboot is really your only option. pfSense was not designed to be reconfigured from a command line interface. If you're curious, look at the if ($_POST['apply']) { } block of /usr/local/www/interfaces.php (line 441 onwards in 2.3).
  • 1Gbps Throughput

    2
    0 Votes
    2 Posts
    1k Views
    ?
    Can any of the current pfSense boxes handle 1Gbps throughput? The SG-4860 is able to do so and 500+ MBit/s of IPSec throughput too! It's not a pps thing. No we are talking about real MBit/s. I'm going to be using good old ftp to transfer stuff. You should swap over to S/FTP or FTP/S as soon as possible, the FTP protocol is one of the unsecured ones you would be able to use and FileZilla is free of charge as server and client software and vsftp too. It's only 3 hops away on a 10Gbps link. I will be running snort. I do run OpenVPN at times. That will be no problem. Just trying to get a gauge of what sort of hardware I need. Be it the stuff pfSense sells or white box stuff. Both will be able to serve your needs for that. The budget will be mostly let it more than often fail or make it worth to discuss more about.
  • pfSense NAT through multi-WAN with different interface LAN

    3
    0 Votes
    3 Posts
    830 Views
    S
    Nobody has an answer for me here? Not some hints? Something to try? Names to call me? Sheldon
  • Performance Issue - Virtualized 2.3 under KVM

    5
    0 Votes
    5 Posts
    4k Views
    F
    @randyruiz: To add a further data point. I have a CentOS 7 VM spun up on the same host using virtio drivers going out of the same MACVTAP interface. This CentOS VM is giving me 970Mb as measured by IPERF in throughput. So this points further to FreeBSD and pfSense as where the problem lies. You might try changing rx offloading off as well (so rx off) and see if that gets the rest back, although usually only tx off is required. But yeah, FreeBSD is one of the outliers right now that drops these unchecksummed packets; most other OSes handle them without issue. Of course make sure you're doing the tx/rx off for both the pfSense WAN and LAN virtio adapters, not just one. If that's still not doing it I'd monitor CPU usage inside and outside of the VM and see if you're not hitting a bottleneck elsewhere. Sorry I can't be of more help as I've never used KVM before. You might get more KVM-specific help if you ask in the virtualization subforum.
  • 2.3-RELEASE -> Status -> Traffic Graph numbers don't add up…

    3
    0 Votes
    3 Posts
    972 Views
    C
    The rate output is, and always has been, a little odd in that regard. It doesn't necessarily show everything depending, and doesn't show IPv6 at all. It's good for seeing when a specific IP is sending a lot of data. Beyond that, it's never been useful for much. The actual graph data is correct and includes IPv4 and IPv6, that pulls from the NIC's counters.
  • HTTP_REFERER

    2
    0 Votes
    2 Posts
    811 Views
    jimpJ
    Install a browser extension like RefControl that lets you disable the HTTP_REFERER header on the browser, then log in by IP address as usual.
  • HELP - Upgrading has Crippled Our VPN…

    3
    0 Votes
    3 Posts
    978 Views
    D
    @brandonpoc: I'd connect in and reinstall 2.2.6 on the virtual machine but I can't because I can't VPN in. I don't understand why it was necessary to completely nuke it (and not provide a package, as far as I can tell, for reinstalling it for those dependent on it). There is always a balancing act between convenience and security. It is not surprising that the pfSense team, as responsible vendors of security software, have taken the decision to remove older security standards that are known to be weak or compromised, also to configure system components to require security best practice. The removal of the PPTP server had been advertised for some time - there were numerous posts in the forums and it was clearly mentioned in the 2.3 release notes. There is an argument that the auto-updater ought to point the user to the release notes before allowing the install of a major upgrade, which has been suggested elsewhere in the forum. The new modularised structure of pfSense should allow for more frequent, smaller updates, which will help prevent the install shock of larger updates. Whether an update is large or small, I would argue that it is unwise to install a new version on a production firewall remotely without any form of physical or remote 'lights out' access. Upgrading one member of a clustered installation is not entirely foolproof, as it might prove impossible to force a failover to a working server remotely if the upgrade goes wrong. I believe it was a deliberate decision not to create a PPTP server package. Those users that had ignored the warnings in recent versions of pfSense to discontinue use of PPTP as a VPN protocol would likely have installed the package and continued to use PPTP, even if it was inappropriate for them to do so. Not every user is competent to evaluate whether PPTP is still appropriate for their environment in the light of the known brokenness. 
As has been said, you can either rely entirely on encrypted protocols (in which case a switch to SNMPv3 would be wise, if possible), or move to a supported VPN standard. divsys has given you a couple of suggestions for OpenSSL support in OS X. You might also like to consider IKEv2 - with carefully chosen parameters, it can work using the built-in clients on a wide variety of OSes (though you may well find that the strongSwan app works better than the built-in IKEv2 functionality on Android - you can find the app in the Google Play store). IKEv2 tends to be much less troublesome than IKEv1 IPsec. The historic security philosophy was to leave old, weaker standards enabled for compatibility. This approach became discredited and has been abandoned in recent years, as people were leaving weak and broken settings enabled, such as the pathetically weak 40 bit export cyphers in SSL, also the trivially broken WEP. These old standards provided no more than an illusion of security and created an unnecessarily broad attack surface. With many of the recent SSL/TLS attacks being downgrade attacks, the risk of leaving old standards in place implemented by poorly maintained code became clear: the time had come for these older standards to be retired and the code removed. The recent forced upgrade to SHA256 signatures in SSL/TLS certificates driven by the browser vendors is another example of forced abandonment of an older standard - in this case, the questionable SHA1 hash function. Other hardening in pfSense 2.3 can catch out the unwary. WEP has been removed from the wireless code, as it is utterly broken and there are few wireless devices still in use that do not support at least WPA (though it is best to use WPA2 with WPA mixed mode turned off if all devices support WPA2). 
TLS 1.0 is not supported any more due to security concerns, so those still following outdated advice to disable TLS 1.1 and TLS 1.2 in their browser will be unable to connect to the user interface in HTTPS mode. I got briefly caught out by the tighter requirements for key exchange imposed by the SSH2 server in 2.3 - I tried connecting to a newly upgraded box from an SSH profile on a secondary workstation that did not have modern DH and ECDH methods enabled, so I couldn't connect until I enabled a suitable key exchange method.
  • RESOLVED:e-mail notifications – it's not even trying

    4
    0 Votes
    4 Posts
    2k Views
    E
    OK, this was resolved. I added several logging statements to the PGP files and found that pfSense thought it was in booting mode (it had been up for 14 hours or so already). Rebooted and all is good.
  • 2.3-RELEASE -> Status -> Traffic Graph doesn't show ipv6 addresses…

    1
    0 Votes
    1 Posts
    316 Views
    No one has replied
  • Advice for home use

    13
    0 Votes
    13 Posts
    2k Views
    PippinP
    Enabling TRIM worked. Very nice (:
  • 0 Votes
    3 Posts
    4k Views
    M
    Steve, your suggestion worked like a charm. I feel a bit stupid for not figuring this out on my own. Anyway, maybe it is a bug after all. When a user configures an interface to get its IP from DHCP, it shouldn't take any other settings into consideration, should it?
  • Help with some cron-jobs (I think…)

    1
    0 Votes
    1 Posts
    409 Views
    No one has replied
  • Major issues with DHCP (no leases available) 2.2.6 Had to repost

    2
    0 Votes
    2 Posts
    886 Views
    C
    Huh, not sure what happened to your old post, but it got weird. What do you get for: ls -l /var/dhcpd/var/db/
  • LACP teaming fail with pfsense 2.3 and cisco switch

    1
    0 Votes
    1 Posts
    936 Views
    No one has replied
  • Install third NIC and I lose WAN connection

    11
    0 Votes
    11 Posts
    2k Views
    P
    The 4-port Intel NIC fixed the issue.
  • 2.3 firewall rule state entry bug

    5
    0 Votes
    5 Posts
    2k Views
    H
    @xbipin it was fixed by Jorge M. Oliveira & steve_b please confirm by gitsync or waiting for the next round of snapshots https://redmine.pfsense.org/issues/6175
  • Dnsleaktest dns resolver unbound ? result

    2
    0 Votes
    2 Posts
    770 Views
    jimpJ
    Yep, unbound with forwarding mode off will query the roots and other authoritative DNS servers directly. That's the expected result in that configuration.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.