2.2.1 has fixed this issue. WOL works again for me.

I'm posting an update to my struggle with this issue with the hopes that someone might be able to help. Since my original post I have installed new hardware with a fresh (non-upgraded) install of 2.2 and with all my settings rebuilt from scratch. The problem remained. So I admitted defeat and reverted back to 2.1.5. This fixed the problem and made it very clear that something in 2.2 was the cause. I may just need to report this as a bug, but I'm going to bounce it off the community one more time just in case there's something I'm overlooking.

As dok has mentioned if your using the windows cmd line ftp, it has NEVER supported passive.  So you must of been using active, pfsense before 2.2 had a ftp proxy/helper that would of helped with that. Now there is none, use the new package if you need active connections to work. In a passive connection the server sends you the port to connect to and the client connection.  Unless your filtering outbound traffic from the client there would be no issues in using passive from a client behind pfsense to a server on the public internet or on then wan side of pfsense. https://doc.pfsense.org/index.php/FTP_without_a_Proxy Active mode FTP through NAT will not function as that relies on a proxy or similar mechanism. Use Passive mode instead. Another option is the recently added FTP Client Proxy package which leverages ftp-proxy(8) in FreeBSD to allow clients on local interfaces to reach remote FTP servers with active FTP.

The OpenVPN log will show more specifically what's happening, what does it show?

Well - If you have settings that SHOULD chew up 70% of your disk but instead all of your disk space is being used, then you have a problem.

Thanks you so much for your reply! I did what you said, and now the network is cleaner. Unfortunately I'm not able to put our ISP gateway in any sort of "Bridge mode" but the DMZ setting on it is set to my PFsense box (so the ISP router will stop blocking ports) and I setup a static IP address on the adapter that is facing the ISP router.

@j@svg: Anyone know the name of the DHCP relay daemon? dhcrelay. Worth checking whether that's running, though if it's not configured under Services>DHCP Relay it won't be. Even if it is, it can't loop things endlessly in a properly setup network. Not a bad next step in trying to figure out how the requests are being forwarded at all.

@2chemlud: To me this "feature" is absolutely counter-intuitive. If you want to block access to the pfsense from a local net, e.g. OPT1 or LAN, completely, I guess lots of people miss this point. It should be locked from the very beginning (GUI not listening on the WAN IP until further notice). Yeh, there has been discussion about this before. People might try: Add a separate management OPT1 interface with pass all. On the workplace LAN delete the anti-lockout rule, put a block rule at the top that blocks anything to destination LAN IP (thus blocking webGUI, SSH…) Have effectively pass all on LAN after that They think they have blocked webGUI access from LAN, but actually LAN users can get to webGUI on WAN IP or OPT1 IP. In pfSense 2.2. there is "This Firewall (self)" that can be used in rules (e.g. as destination for a block). Using that will block out all webGUI access to all interfaces.

NTop or NTopNG can give you these general stats for any devices connected through the firewall. You can install them in the Packages section.

how do you have these indoor AP mounted at a beach?  They must actually be inside structures?

@stephenw10: What do you have it set to ping there? <1ms pretty much means it's something local in which case apinger can't do it's job properly. Set it to monitor some external address so you know when your WAN connection goes down not just when your modem stops working. Steve Its the address of my modem. The point isnt what I am monitoring but the different result I get. I understand that this function is broken.

Thanks for your clarification.. That helps.. have a nice day  :)

The part you're paying for isn't necessarily the uptime, it's the mean time to repair. You'd be surprised how long even a "five nines" uptime can be down when that's averaged out over a year. If you cable line does go down, how long do they typically take to fix it? What is the time stated in the leased line SLA for repair? An example here in the states, a cable line could be down for days depending on how busy the cable co is and how much yelling is done. A leased line is typically repaired in less than 4 hours, but in either case it depends on the nature of the problem. If someone cuts a line with an excavator it's typically going to be down longer than if it's a bad card or other easily solved issue. If you can handle a bit of downtime in either case, then the extra cash for the fancy SLA may not be worth it. If you can get lines from different providers that enter your building from different wire paths that's even better for redundancy. If the telco provides both the leased line and the ADSL, then odds are if one goes down, they both go down, but if you have a line from cable and another over phone lines then odds are one will remain up. And not that it's relevant in your case, but even on a leased line between two sites, you'd still want to encrypt the traffic. Best practice (and by some standards, a requirement) is to encrypt anything that leaves your location and the network you physically control. Even if the line is "private" it's still equipment that could be compromised, either unknowingly by a third party, or willingly as in a telco granting access to a government agency.

Just learned: Note that if you're on 2.2 there's now a checkbox "Don't Pull Routes" that adds route-nopull for you. Ignore the description on 2.2 - the descriptions for those two similar options are flipped.  Fixed in 2.2.1.  https://redmine.pfsense.org/issues/4273

So when you connect your dlink and it gets public IP.  Disconnect it and reboot your modem (if it has battery backup on modem pull the battery) then connect pfsense or a client.  Does it work then? Quite often when you change a device connected to a modem you have to reboot it to clear the mac cache on the modem.  And I do believe from what I read on that device you have to be connected to port 1 to get the public. You can use pfsense in double nat, if you can not get bridge mode to work.  But if works with dlink then it should work with anything.  Unless for some reason your isp has it locked to that mac of the dlink - if that is the case you can try cloning the mac of the dlink [image: spoofmac.png] [image: spoofmac.png_thumb]

Thanks for your help, I will take a look at that!

Interfaces->Assign - add the OPT1 Enable OPT1 with some other static IPv4/netmask Put rules on OPT1 like: block source any destination this firewall block source any destination LANnet pass source OPT1net destination any If you want to stop LAN devices reaching OPT1, then put a rule at the top of LAN to block source any destination OPT1net.

Untangle Works like a charm! Thanks alot Of course looping my vSwitch was a part of my setup, so had to tweak it abit after advice on the untangle forums :)