Thanks!
I hope others have experience regarding this.

Yep, I agree something looks very wrong here. What sort of DDoS attack do you think is happening here? Most of the traffic is coming from your server, if anything ddos related is happening it's your server doing the attacking.
Why so many ports open?

Steve

I believe so, it's done via boot0cfg

From boot0cfg(8):

-t ticks
            Set the timeout value to ticks.  (There are approximately 18.2
            ticks per second.)

Did you read the system logs? I noticed something similar the other day when I shut down a vpn connection, and on checking the system logs noticed that pfSense restarted a bunch of services, triggered by the vpn state change. I haven't noticed that before, normally it's seamless.

@mkent:

The pfsense reverted back to a DHCP IP address last night about 3am of it's own accord.

The behaviour you describe is seriously unusual. :o  In your place my assumption would be that hardware is failing or that pfSense was corrupted during the original installation. If I was in your position and had a firewall behaving that way I would check the drive for problems, format the drive and reload it from scratch using install media that I'd verified the checksum on beforehand.

If the problem persists after a full reinstall, I'd suspect either a driver incompatibility or a hardware issue which I would then start looking for in the runtime and boot logs for inconsistencies or errors.

Here are the possible hardware causes that come to mind in troubleshooting order based on my personal experiences:
    a. Cabling and/or switch (use a different port and cable)
    b. LAN NIC (To verify, try swapping the LAN and WAN assignments using the console menu item #1 and see if the WAN then exhibits the same issue.)
    c. Hard disk (check the logs for errors, use Diagnostics: SMART Status: Perform Self-tests, badblocks*)
    d. RAM (replacing is the often the surest way to confirm)
    e. BIOS bug/corruption (reinstall/upgrade bios)
    f. Motherboard

badblocks can erase all your data depending on options but is great at finding drive media problems
    pkg_add -r e2fsprogs
    http://www.freebsd.org/cgi/man.cgi?query=badblocks&sektion=8&apropos=0&manpath=SuSE+Linux%2fi386+7.3

I have the same issue.

Checked the status of the gateway, and that is marked as active.
NAT is set to automatic mode to carry the connection from LAN to WAN, but still there is no internet connection to my virtualbox hosts.

There is a Cron package addon you can install to allow cron style scripts.

Go to "System->Packages->Available Packages" and look for Cron.

Finally back with one week of testing.

I replaced my wireless router with a gigabit switch and then connected the router back into the network as a wireless access point farther downstream.

Seems to have worked well. The router must have gotten all weird with heavy load.

Thank you all for suggestions and help. It was the difference between failure and getting this thing fixed.

yay i'm on the list… and there is no update for my board yet... at least you cant get to via the internet

For others' information: this issue auto-solved in 2.2 Alpha, which suggests it might be a driver issue specific to 2.1.x.

that's why we are here :-)
pfSense has a very active community, and lot's of them are network guru's.

Hello mindfulCoyote,

Thanks for answer me, you are right :). I managed configure this option and tonight i'll test ipsec failover with virtual ip.

;D

@MindfulCoyote:

Not to be pithy, but I think a diagram would be a great place to start. It would add clarity to your description as well as invite commentary. Aside from the additional detail it gives us, just creating the diagram can solidify your own conceptualization. Doesn't have to be fancy, but it should include your major goals like the server "DMZ" and split routing with as much detail as you are interested in adding.

You could include this info in the diagram, but lacking the diagram, some questions that I have based on your description are:
I'm not entirely clear on the topology. Are you saying it's something like:
(LAN1 & LAN2) –> Switch(es) --> pfSense --> Cisco --> (ISP1 & ISP 2)

What is the bandwidth of the various links (internet & internal). (pfSense will become a chokepoint in your design, not sure if a Netgate 7541 is up to it? I think the Netgate 7541 includes one year of support... maybe that's a resource for you?)

What is the Cisco model number and why do you want to remove it? (Cisco's are generally fairly reliable and generally quite good at doing what they were designed to do.)

Your flow diagram is correct. One ISP is currently 50Mbps and the other is 30Mbps. I will draw out a clearer diagram as soon as I can. As far as the hardware goes I was led to believe that it is more than enough for our needs so I hope that this is true. I will check with my Netgate contract… I know there is support but hadn't considered that they may actually help with the firewall setup beyond the basics.

@woodie03:

How to create bandwidth allocation per IP?

Start here: Firewall: Traffic Shaper: Wizards
Choose "Single Lan multi Wan" (or whichever is appropriateto your topology.)
Quick how to: http://pfsensesetup.com/qos-management-using-the-traffic-shaper-wizard/
Online documentation: https://doc.pfsense.org/index.php/Traffic_Shaping_Guide
Full documentation ("The Book"): http://pfsense.org/book <– I recommend this highly.

@woodie03:

How to iliminate idle connection?

For Captive Portal? Services: Captiveportal: Zones: Idle timeout
https://doc.pfsense.org/smiller/Captive_Portal.htm

I just tried your config and it's working fine for me.

First, I created a Target category named 'Google' and filled it with your domain/IP list and set its description to 'Test WL'.

Next, I created a custom Group ACL so that I could test without screwing up access for my users.  I called my group "Test".  The group has only my IP address in it.  For Target Rules, I have Test WL [Google] on top set to Whitelist, and my Default access [all] set to Deny. Redirect mode is Ext URL redirect (enter URL) and Redirect is http://www.mycompany.com.

When you make your changes, SquidGuard has a little weirdness that makes you go back to the General tab, click Save and then click Apply.  If you don't do this, your changes won't be acted on and nothing will work as you expected.

Now when I go to any URL that isn't in your list, I get my company page.  When I go to any of your URLs, they work perfectly.

@MMacD:

Yes, it's console output.  '#' most recently.

I've used a number of different kvm's and seen them fail a lot of different ways (and more frequently then anticipated). I would suspect the cable first, then the kvm. Temporarily substituting a standard monitor and keyboard in their place would isolate that possibility. Also, if it turns out to be the board, you could try a different USB port for the keyboard input (or swap a USB for the PS2 if it's OG).

So not too good as a room heater then.
You need a rack of overclocked Netburst Xeons.  :P

Seriously though. pfSense has great traffic shaping/limiting features:
https://doc.pfsense.org/index.php/Traffic_Shaping_Guide

Using Squid as a 'web accelerator' is unlikely to make much difference if you only have a few machines.

Steve