• Amazon Cloud Drive Issue

    4
    0 Votes
    4 Posts
    1k Views
    M
    Are you sure the entire line is going down? After such a 'crash' have you tried attaching a separate device (laptop?) to your switch and pinging an outside address before restarting everything?
  • How to test your pfsense firewall for vulnerabilities

    14
    0 Votes
    14 Posts
    11k Views
    D
    Thanks guys, this weekend when the internet at work is not in use I will try OPENVPN.
  • Off site Wifi proxy

    1
    0 Votes
    1 Posts
    723 Views
    No one has replied
  • Losing connection for all vlans on a LAGG after em-change

    6
    0 Votes
    6 Posts
    1k Views
    D
    I can reproduce this at will on embedded alix2d13 running 2.2.6-RELEASE (i386): lagg0: flags=8843 <up,broadcast,running,simplex,multicast> metric 0 mtu 1500         options=8280b <rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate> ether <removed> inet6 <removed> prefixlen 64 scopeid 0x8         inet <removed> netmask 0xffffff00 broadcast 192.168.17.255         nd6 options=21 <performnud,auto_linklocal> media: Ethernet autoselect         status: active         laggproto lacp lagghash l2,l3,l4         laggport: vr2 flags=1c <active,collecting,distributing> laggport: vr1 flags=1c <active,collecting,distributing> lagg0_vlan9: flags=8803 <up,broadcast,simplex,multicast> metric 0 mtu 1500         ether 00:00:00:00:00:00         inet6 <removed> prefixlen 64 scopeid 0xa         inet <removed> netmask 0xffffff00 broadcast 192.168.18.255         nd6 options=21 <performnud,auto_linklocal> vlan: 0 vlanpcp: 0 parent interface: <none> lagg0_vlan10: flags=8803 <up,broadcast,simplex,multicast> metric 0 mtu 1500         ether 00:00:00:00:00:00         inet6 <removed> prefixlen 64 scopeid 0x9         inet <removed> netmask 0xffffff00 broadcast 192.168.19.255         nd6 options=21 <performnud,auto_linklocal> vlan: 0 vlanpcp: 0 parent interface: the vlanid is 0 and interface is none in such cases. Sadly this happens on every reboot or alteration to the LAGG. This is the first time I'm using such a setup on pfsense, thus I don't know if this ever worked before on this platform. I left a comment in the related issue: https://redmine.pfsense.org/issues/3976 but I don't think I have permission to reopen the ticket.
  • Suppressing "arp moved" messages on system logs

    7
    0 Votes
    7 Posts
    2k Views
    M
    I often encounter this ARP problem. Finally I resolved it with forced DHCP: the client must re-get a new IP and obtain the IP via DHCP; a secretly set one can't use the Internet, and packets will not be sent to pfSense. Cisco switch --> try Cisco DAI + DHCP Snooping. Ruckus controller --> enable option: "Enable Force DHCP, disconnect client if client does not obtain valid IP in XX seconds"
  • Long term traffic capture with tcpdump over netcat

    7
    0 Votes
    7 Posts
    4k Views
    N
    plink, ssh, wireshark and tcpdump remote auto start. https://forum.pfsense.org/index.php?topic=89917.msg497700
  • Site to site VPN without using IPSec

    2
    0 Votes
    2 Posts
    2k Views
    ?
    I am having some difficulty creating a site to site VPN using IPSec. pfSense to Draytek IPSec VPN; IPsec tunnel established but no traffic - SOLVED!; IPSec VPN between pfSense 2.x and DrayTek Vigor 2910. Often made failures: On both sides must be different IP ranges or networks 192.168.1.0/24 - 192.168.2.0/24 (255.255.255.0); pfSense aggressive mode instead of main mode; Less secure but mostly good working using MD5 and DES on both sides; SHA1 was over long time failing on the DrayTek side
  • Calculate Internet usage per machine

    2
    0 Votes
    2 Posts
    723 Views
    ?
    You could try out Squid & SquidGuard & SARG plus setting up user authentication, which would be able to add one device per user, and then you will get a detailed report over that Internet access. The other thing is to install PRTG for monitoring the entire network, to get this detailed information about all PCs and/or each single one.
  • Crash Report (on pfsense SG-2440)

    7
    0 Votes
    7 Posts
    1k Views
    ?
    I have a third site that I was planning on pushing the AES-NI to, and I think I will try that over the weekend - I will have to wait and see if it crashes that. The greater brother of yours, the SG-4860, will be able to push 500+ MBit/s over an IPSec VPN tunnel and this stable as a rock, so perhaps it will be more pending then on the lower power or a misconfiguration perhaps. If it doesn't, it's more than likely hardware related. Do you really think that the hardware is malformed or buggy because your IPSec VPN is failing? Hm, I am not really sure, but you got two support calls for that actions like explained here in that case. Did you ever think about that, to take one of these to solve those issues by professional support?
  • Firewall rules for open VPN users by LDAP Security Groups.

    3
    0 Votes
    3 Posts
    2k Views
    jimp
    There isn't any mechanism for LDAP to give that info to pfSense. It does work for OpenVPN logins using RADIUS with the rules passed back in Cisco acl style using an avpair reply attribute (Search around, there are examples on the forum), but LDAP doesn't have a way to do that at this time. You could set that up in NPS, most likely.
  • An ISP and new to pfsense

    3
    0 Votes
    3 Posts
    773 Views
    chpalmer
    I want pfsense to act like a normal router with a firewall that blocks anyone from behind the wan to see what's in please Yes?  as it does by default… And?  ^What Divsys said^
  • PfSense Community installed accidentally on SG-2440

    3
    0 Votes
    3 Posts
    2k Views
    jimp
    If you register the unit and login to the portal, you can download a full installation image for the factory firmware. It's technically possible to switch using a firmware upgrade, but it's not recommended. You can backup the config and reinstall and be up and running in a few minutes in most cases.
  • 3129 Port, Transparent Proxy Only !

    1
    0 Votes
    1 Posts
    527 Views
    No one has replied
  • Unable to connect to package server

    3
    0 Votes
    3 Posts
    849 Views
    4
    I'm not sure what happened, but after I posted last night, I went and did some firewall and port scans. Just fooling around. After that, I checked the packages again and THEY WERE ALL THERE. So, all's well.  ;D
  • 2 network cards - can access WebGUI but not ping pfSense

    10
    0 Votes
    10 Posts
    2k Views
    johnpoz
    Well yeah the default any any rule allows icmp, if you're not going to use an any any rule and you want to ping you would have to have a rule that allows icmp. So my wireless guest segment is pretty locked down, but you can see I allow them to ping pfsense interface so they can validate connectivity.  Then any other IP of the firewall at all on any port is blocked.  I then allow them out to anything they want as long as not rfc1918 (local networks) - this allows them internet access.  Notice they can not even use pfsense for dns, I hand them public via dhcp for that. [image: allowicmp.png]
  • Hugh packet loss via pfsense

    17
    0 Votes
    17 Posts
    5k Views
    S
    My question: who is "Hugh", and why is he worried about packet loss via pfSense?
  • Port forwarding problems - Probably an easy fix?

    4
    0 Votes
    4 Posts
    785 Views
    M
    Your "Filter rule association" shows "None", which means your port forward was created, but there's no associated firewall rule that is actually allowing the traffic thru the firewall.  Change the "Filter rule association" section to "Add associated filter rule". Should be good to go as far as PFsense is concerned.
  • Unexplained traffic drop

    3
    0 Votes
    3 Posts
    847 Views
    N
    No proxy. Most of the storage is consumed by ntopng I presume.
  • Pfsense and Proxy

    3
    0 Votes
    3 Posts
    1k Views
    ?
    Hello, use a radius server for all internal employees and the captive portal for all guests only. Set them up in different VLANs and install Squid & SquidGuard & SARG to realize a proper logging for all actions you want. You could also set up static IP addresses and/or a user authentication for Squid. Many ways are able to wake on.
  • Squid3 ssl inspection with Transparent mode

    6
    0 Votes
    6 Posts
    2k Views
    M
    I know what you mean, but if this is the point, then they should remove the feature and say it doesn't exist for security reasons or whatever, but they chose to put half of it, as you could enable it but you won't be able to bypass any sites with FQDN; you must get all IPs and bypass them.