• Need help: pppoe being blocked on hacked redboxhe

    1
    0 Votes
    1 Posts
    427 Views
    No one has replied
  • I have just been advised to ditch pfSense for an Eminem 'thing'

    33
    0 Votes
    33 Posts
    5k Views
    M

    Thank you John for your help, as I wrote you in the PM also  :-*

    Just a small update: Synology has done some remote debugging for two hours with two guys, leading to the diagnosis that they need guy-3, who wasn't in the house  ;D

    So they will try again next Monday, and I will update what comes from it.

  • Basic First VLAN

    4
    0 Votes
    4 Posts
    1k Views
    DerelictD

    Eventually you will discover that you cannot tag vlan 1.

    If you ever want to "trunk" vlan1 across a trunk port with other vlans you will have to change it.  Some gear might allow it, some might not.  The stuff that won't is usually the higher end gear that is actually trying to meet the specifications.

    Once you decide to start tagging any traffic at all in your network, you are better off forgetting vlan1 exists.  In the dot1q environment, it doesn't.

    Using the default management VLAN 1 for real traffic is usually a hassle.

    Using it as a management VLAN is usually a hassle too.  Yes, it's easier out-of-the-box-for-the-typical-frys-customer but it's just, well, suboptimal.  If you have gear that HAS to have its management VLAN on VLAN 1, you are way better off setting up an untagged port on your real management vlan on a real switch and plugging such gear into it.  Any gear that doesn't let you change the management VLAN from VLAN1 should be discarded.

  • 0 Votes
    16 Posts
    3k Views
    K

    If the vpn server is configured correctly and the client, routes exist.

    If the interface associated with the vpn client is configured in outbound NAT to be used with a certain subnet, that's where the traffic will go.

    Seems simple to me.

  • Blocking Search Terms based on Keywords

    1
    0 Votes
    1 Posts
    446 Views
    No one has replied
  • I have some questions pfsense routers.

    6
    0 Votes
    6 Posts
    1k Views
    stephenw10S

    128MB is the absolute minimum RAM requirement and it would probably require some tweaking to run in that. 256MB is really the minimum you want, more would be better. If that's the hardware you have maybe consider m0n0wall as an alternative.
    Not sure you can do a LAGG with wifi connections. Even if you could, the other end would have to support it and you probably wouldn't get any increase in bandwidth, probably less in fact. If the router supports simultaneous dual band you might be able to achieve something with two cards but support for 5GHz wifi in pfSense is almost nonexistent. Make sure whatever you use supports client mode, many Ralink USB wifi devices run great in access point mode but not as a client. Just get something with a decent antenna and take some time to align it for best signal.

    Steve

  • PfSense not blocking attacker (FIXED)

    35
    0 Votes
    35 Posts
    6k Views
    S

    Simple mistake, I'm sure.

    Yes it was.  :)

  • Dansguardian (Exception under sitelists not working)

    4
    0 Votes
    4 Posts
    773 Views
    R

    k… there's no logical reason that I can think of that exceptions would stop working if DG is working in general. Are you saying that DG is running fine, but it is not updating with any new exceptions that you add? If so... the only thing I can figure is that the UI is not updating the exceptions list. The UI updates a text config file that resides in one of the DG directories and then it tells DG to re-read the config file. Did you check that the exceptions are being written to the text file in the DG directory (can't remember the name of the file off the top of my head)?

    Also, if it started when Snort was installed, a logical first thing to try would be to uninstall snort...

  • Can PFsense just run squid3 without being the router

    1
    0 Votes
    1 Posts
    582 Views
    No one has replied
  • PfSense with APC Back-Ups CS 650 with NUT

    6
    0 Votes
    6 Posts
    2k Views
    C

    If you go to Diagnostics>Halt System, does that power it off?

    Whether or not the system powers back on after power loss has nothing to do with whether or not it powered off beforehand. If it's set to always power on after AC power is restored, it'll power on regardless of whether it shut itself off.

  • 0 Votes
    3 Posts
    1k Views
    S

    Solution:
    The solution is relatively easy and involves the system time that uses my Hypervisor time (+2) and adds another +2 for my time zone setting in pfSense. This gets me a wrong time, obviously. After NTP updates the time it is correct again, but old times are not updated. So the time line is sent down to the dumps. At least, this explains the 2 hours difference between the settings.

    To be honest, that is crap (not pfSense's fault, nor Hypervisor's) and I don't know what would be a solution. Maybe pfSense should allow to set a time next to time zone (and overwrite bios time)?

    PS I would love a statistic pointing out how many bugs are related to time zone and file format conversion fun :-)

  • EZJail Start - mount_nullfs: Operation not supported by device

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Changing Network Subnet Limited User Access

    24
    0 Votes
    24 Posts
    5k Views
    A

    @Derelict:

    There is no OpenVPN package on 2.1.5.  It's part of the base system.  Are you talking about the client export utility?

    Anyway. Now that all that is out of there, step back and take another look at the /tmp/rules.debug and all your interfaces and rules.

    My apologies, yes the client Export Utility for OpenVPN.

  • Haproxy : kern.maxfiles limit exceeded by uid 80

    4
    0 Votes
    4 Posts
    2k Views
    P

    The first line shows that 4 haproxy processes are running, if you have long living sessions, and a few applied config changes that could be fine.. It could also mean a few did not shutdown properly.. You might want to check the pfsense systemlog it should show what pid was running and what gets started..(if package was recently re-installed)

    Either way it seems indeed maxproc is high enough for haproxy…

    What you could try is to install lsof, and check for open handles. Not sure if that will work..

    lsof | awk '{print $2}' | sort | uniq -c | sort -n

    then check if the pid of haproxy indeed has a high number of handles.

  • Help & advice seeked to setup rules and NAT for FTP server on OPT1

    2
    0 Votes
    2 Posts
    600 Views
    P

    That didn't work out too well… This morning, SSH to ALL machines on LAN failed (Temporary DNS name resolution), the firewall was suspiciously slow (and not responsive), I couldn't reach the internet from any machine...

    Deactivated all rules under OPT1, and rebooted the firewall, all is back to normal.

    For now I will assume this is only a glitch in the firewall and not related to my OPT1 rules, unless someone can point out that it is..

  • Restricting WebGui Access To One Interface

    20
    0 Votes
    20 Posts
    5k Views
    ?

    Thanks for asking! Forget about it, just a strange idea after not enough coffee this morning… We're all safe, I guess :-D

  • How to setup FreeRADIUS backend MySQL ?

    4
    0 Votes
    4 Posts
    3k Views
    S

    Also debugging my procedure … I noticed that the first time I run mysqld (for the root password setup, etc) I have to run /usr/local/etc/rc.d/mysql-server onestart

    After the root password is set up, I can then run /usr/local/etc/rc.d/mysql-server.sh [start|stop]

    :-[

  • Load balancer service: maximum number of clients?

    3
    0 Votes
    3 Posts
    767 Views
    P

    Thanks a lot cmb for your kind and accurate answer…

    Pedreter.

  • Has anyone build a gigabit router using a motherboard???

    7
    0 Votes
    7 Posts
    2k Views
    S

    http://www.logicsupply.com/components/expansion-cards/ade4rtlang/
    http://www.logicsupply.com/components/expansion-cards/ade4inlang/

    If you can find the motherboards that the above two devices fit, that might be an option.
    I have one of the motherboards and I have a total of 6 1Gb NICs (2 onboard, 4 daughterboard)

  • MOVED: Nintendo 3DS game has online issues

    Locked
    1
    0 Votes
    1 Posts
    662 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.