Well, finally seems to be fixed "magically". On last friday I left the firewall configured and with the problem exposed above. Yesterday I did a test to continue trying to fix the problem and bingo… is working fine. Anyway tomorrow i've to do another test to see if still working. greetings and thanks!!

Though I am new to pfsense,  or rather firewall,  I had similar questions. With my experience with pfsense for last couple of months,  I am trying to answer in my own way. Can you configure via the webGUI to use Tor (instead of a VPN)? If not, will it be easy to transfer all traffic to the tor client SOCKS (I have basic Debian experience).  – >  Not tried hence can not answer. I want to fully control my home network. This means that I want to white list machines based on their MAC (beside the normal WPA password etc. it's purely for human control and not technical security), is this possible (via the webGUI)?  --->  You can   Confiigure dhcp service  and allocate static address based on mac addresses per device, disallow unknown devices.  All thru webgui. I want to manage internet speeds per device (or network) to the outside. Can I for example give my own Desktop atleast 90% of the 20Mbps to the outside and other machines less? This is one of the key factors why I'm thinking about pfSense (or another system in between).  – You can do thru webgui.   Steps –1) Create firewall rule that your lan network traffic only to your pfsense box.  2) configure limiter  on per device basis.  (  on you tube, you will get plenty video's how to set this ) Is it a good idea to place Wireless cards inside my PfSense box (which means it will be both a firewall and WiFi AP)?  **No it is not a good idea as a very few internal wireless cards are compatible to pfsense.  Best is to use standard wireless router without routing. ** What hardware should be applicable for a 1000Mbps internal network with about 20 devices (Laptops/PC's/Phones)? Core i3? Core i5?  –  .  **Standard core2duo with 2gb and a pair of  intel based lan card of 1gb is more than sufficient for the purpose ( Actually I am using this setup for 50 + devices with no issues.  ) ** Best of luck !!!

There is a specific forum for OpenVPN issues.  Perhaps someone in there might know.

The URL for that dynamic DNS services has changed. It is fixed for 2.2.* by this: https://github.com/pfsense/pfsense/commit/fdc515af3361bd0371f236557fa018b41d61578c but you will need to make that change on your system - e.g. with the System Patches package.

That's not a "backdoor" or even a vulnerability, it was named by a moron. It's using administrative functions of the system, post-authentication as a root-level user, to copy files to the system. It can be summarized as "I can root your box, just give me your root password." Uh huh, you can. With every OS ever created. When you're authenticated with full administrative credentials, there is no limit to what you can do, whether pfSense or Windows or Linux or BSD or anything else.

Not sure what helped, but changed a single line in the server config file… After local was my IP address, but changed this to my dyndns host name. Also added my modem on a virtual interface as a static IP and now everything works, even after reboots! :-D

They apparently changed their update URL semi-recently, and no longer support HTTPS. I updated the client for 2.3 (and 2.2.7 if there is one, but probably won't be) to use the new dyns URL. Thanks to GP^ on IRC for noting the change and this thread.

Use netflow and prtg. It can give you a real insight into what's going on in the network. For torrent you can use snort at least to identify users doing so.

Softflowd does not send netflow v5 or v9 that NTA will understand. This is because in all netflow packages, both Interface Indexes = 0 in exported flows: https://thwack.solarwinds.com/thread/31006 By forcing the traffic to be shown as you probably have done in NTA, you are only seeing what the NTA can decipher from SNMP data. Unfortunately, doing so excludes all traffic not originating from the router and multicast, as you have seen. NTA is extremely picky about netflow. The only netflow that I have been able to get working reliably with NTA on pfsense is Pfflowd. Unfortunately, on recent PfSense versions, this no longer works: https://forum.pfsense.org/index.php?topic=88441.0

@jimp: A general FreeBSD forum would be better for that but it's not a really complicated issue. It depends on how you login and/or how the shell starts. Try making .bash_profile instead, or linking the two. Indeed, this worked: $ mv .bashrc .bash_profile I will anyway ask on a FreeBSD forum and post the link here, for those interested. Thanks you.

If you want multiple, discrete, SSIDs then your AP needs to be on a tagged port and be able to tag each SSID with a separate VLAN. If you only want one SSID just put it on an untagged port on the VLAN you want.

Agreed running a downstream router can be a huge learning experience. Not sure what harmful traffic you would want/need to isolate from your firewall?  If you mean blocking clients from access to gui, ssh or even services your running on pfsense sure..  But its meant to be your firewall, so I would think you would want to filter all your traffic through it all it to filter/isolate clients and services from each other. The filtering capabilities are going to be much better using pfsense than any l3 switch I can think of ;) Isolation of traffic like voip and data sure can be done with vlans or even physical segments routing the traffic through pfsense. To be honest the only reason I can think of a downstream router in a home setup would be learning experience or if you need to move traffic between segments that require none or very min filtering, And the interfaces of pfsense are not just up to it.  I would look to updating the pfsense box and or its interfaces if this is the case as better option other than just the pure learning aspect of the downstream router. I have toyed with turning on my sg300 l3 mode, since my pfsense runs in vm and can not really push full gig that I have seen in testing.  I could for sure update my vm host to accomplish this.  But the simpler solution (KISS) was to just put those devices that move lots of data on the same segment so they don't go through pfsense at all.  Since these devices don't really need filtering.. Where I need/want filtering is between my wifi and my lan - no real need for 100% util of gig there - wifi just can not do it anyway, and my internet connection is no where close to gig..  Come on google fiber in Chicagoland ;)  Chicago is on the list… And I isolate my wired stuff like TVs, and console devices on their own segments..  They again don't really need full gig speeds..  I want full gig between my workstation and my vm host/nas/etc  So I just put them on the same segment keep pfsense out of the mix for traffic between these devices. I took the OP to being on a home/lab sort of setup and not production, maybe I was mistaken in this?

No sorry. :-\ I had other evidence, for example by removing the first VLAN. In doing so the vlan_50 had appeared as output of "netstat -g4" (not seen before). From there I had found on freebsd forum a post that talked about a known issue related to a maximum limit of virtual interfaces …. but then I gave up: I was losing too much time. In the end I think it's the igmp proxy module to be quite buggy, maybe the developer should think of alternatives .....

@awebster: Check that your interfaces are properly negotiating link speed/duplex; on both ends of each link. A 100mbps Half-duplex link would produce what you're experiencing. pfsense reports: BRIDGEIN interface (wan, em0) Media: 1000baseT <full-duplex>BRIDGEOUT interface (opt1, em1) Media: 1000baseT <full-duplex>LAN interface (lan, nfe0) Media: 1000baseT <full-duplex,flowcontrol,master,rxpause,txpause></full-duplex,flowcontrol,master,rxpause,txpause></full-duplex></full-duplex> this matches the uplink and local switch port configurations.

Is the Netgear/DD-WRT router running as a router or as a WLAN AP? If there, at the Netgear, NAT will be done on the WAN Port it could be based on this issue that there will be no traffic running over this ports then. I would let the Netgear running in WLAN AP mode and let do the pfSense the entire DHCP part if needed.