  • Modem / ADSL to pfSense > DMZ ?

    4
    0 Votes
    4 Posts
    2k Views
    @bfts: phil.davis, thanks for the answer, this was what I was hoping for. I guess now I really have to figure out how this lovely piece of software works  ;) Looking forward to have more fun with pfSense  :) Or, have the tech put the DSL modem in bridge mode.
  • Packet Loss and Excessive Bandwidth Usage

    1
    0 Votes
    1 Posts
    818 Views
    No one has replied
  • Temporary recurrent selective loss of traffic

    5
    0 Votes
    5 Posts
    1k Views
    The AP was rebooting itself every 20 minutes. I was thrown off the trail by the fact that the packet loss was showing up every 40 minutes, and that the rate of loss didn't appear consistent, except in chunks of 24 hours. The latter can be explained by rounding, since the rrd samples are 5 minutes, while the down time was less than a minute. I don't know how to explain the fact that every second outage was not manifest in the rrd graph though. As for the ssh hanging, you're right, I didn't have the box checked to override state killing on gateway failure, so pfsense was killing all states when that backhaul went down.
  • Started losing internet within 10 minutes

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10
    @JohnnyBeGood: Where is the best place to check if WAN is still UP? I would look at ifconfig in the console if you can otherwise look in Status: Interfaces: Steve
  • 802.3x flow control goes berserk, can't disable it! help!

    2
    0 Votes
    2 Posts
    3k Views
    So I "fixed" it. Turns out that it most likely was the netgear switch sending out the pause packets, even tho it was updated to latest firmware version and all.. I bought a Cisco SG300-10 switch and set it up with the same basic vlan configuration and enabled flow control on every port aaaand whatta you know? Everything works without a hitch.. Soo, lesson learned: Not EVER buying a netgear product again! SG300-10 has the added bonus of being able to handle the igmp proxying between VLANs, so pfSense doesn't have to!
  • Allow internet access in different cases

    2
    0 Votes
    2 Posts
    825 Views
    You could create a teamviewer alias and create a rule that basically says from noallowed internet to !teamview (negated rules) block, with a default allow afterwards. In the alias, you would put something like www.teamviewer.com teamviewer.com and any custom url. You could also put an IP range for teamviewer if you know it. There are schedules in pfsense. It is considered better if you use them in an opposite manner than expected. There are docs and forum posts on this. You can also create an alias with a firewall rule at the top for facebook (DNS Entries or IP Ranges) that blocks it.
  • Vlan Netgear GS108T

    2
    0 Votes
    2 Posts
    1k Views
    stephenw10
    Have you set firewall rules on VLAN10? DHCP should still work however. Try running a packet capture on em0 to see if any VLAN10 tagged dhcp requests or offers are there. How does the wireless router handle VLANs? Is it trunked through or are you just hoping it won't strip the tags or dump the packets? Steve
  • Enable or disable : concurrent log-in. Need proper guide.

    1
    0 Votes
    1 Posts
    632 Views
    No one has replied
  • Gateway mayhem

    3
    0 Votes
    3 Posts
    954 Views
    Thanks Steve, While that didn't work off the bat, I was able to remove both gateways and then re-added the one I wanted successfully. Thanks for your help
  • Several networks on the same interface.

    4
    0 Votes
    4 Posts
    1k Views
    yes, it translates well, yes
  • 100% of bandwidth in use for no reason? Bug? Virus? Malicious?

    11
    0 Votes
    11 Posts
    3k Views
    @stephenw10: What firewall rules do you have on WAN? Any unsolicited traffic on WAN should be blocked by default so why is it showing as 'in-pass'? The obvious answer to that is that it's not unsolicited, something on your LAN is asking for it. Why then is that traffic not showing up on an internal interface? If you didn't know Akamai are a content distribution network used by many companies including Microsoft to deliver updates service packs etc. I would guess that one or more machines on your internal network has got stuck in a Windows update loop, downloading the updates, failing to apply them and then trying again. If you go to Diagnostics: States: rather than state summary, and then filter by the offending external IP you should see the NAT state showing your internal machine requesting the traffic. Steve I originally assumed it was a PC, tablet, etc on the LAN causing this like you said, but nothing ever appeared to be sending or receiving anything. It's stopped as of now so it's a bit harder to check on, I am not sure what actually stopped it though, and whether or not I had any part. Using States and filtering by a few of the IP addresses only showed traffic between my public IP and the offending IPs. I'm not sure if this is because it's been a few hours since it stopped, I assume it gets cleared out a bit? Below is the Traffic graph for the last week on the WLAN (I don't have anything on the wired LAN). [image: Screenshot_from_2014_02_20_04_23_24.jpg]
  • EMAIL Notification Issue

    5
    0 Votes
    5 Posts
    1k Views
    BBcan177
    @jimp: That's just how IPsec operates currently. The traffic follows the routing table, so unless you have a route telling it to go "out" the LAN, it will not be sourced from the LAN and will end up going out WAN. If you want better control over the VPN routing, you'll need to use a routed VPN setup such as OpenVPN or IPsec in transport mode + GRE. OpenVPN is much easier if the other side supports it. If your WAN has a static IP, you might be able to work around that by adding another IPsec Phase 2 to cover the path from your WAN IP to the 10.10.10.x network on both ends. Thanks Jim, I tried to create a 2nd phase 2 on both pfSense Routers without success. I set the 2nd PH2 to: Tunnel IPv4 (also tried to change the Type to WAN Subnet); Type - Address xxx.xxx.xxx.xxx / 32 (WAN address); NAT/BINAT - None; Network - 10.10.1.0 /24 (tried to set this as the remote router 10.10.1.1 /32); ESP tried AES, then Blowfish separately (all on Auto); tried with one or several Hashes; PFS 512, 1024, 2048, OFF. No Luck. Also tried to turn on "Prefer older IPsec SAs". First PH is solid, first 2nd phase no issue either. ESP 2048, AES256, SHA512. I will try to debug with an ssh shell using racoon -F -d -v -f /var/etc/racoon.conf Thanks.
  • Setting up a PFSENSE box from Netbook;

    10
    0 Votes
    10 Posts
    3k Views
    @droth1988: You could just get an express card NIC, if your netbook has a slot. That's what I used for my netbook, works great. http://en.wikipedia.org/wiki/ExpressCard I have the slot yeah, but not got the card, moved onto a whole pc a friend gave me @rjcrowder: @droth1988: You could just get an express card NIC, if your netbook has a slot. That's what I used for my netbook, works great. http://en.wikipedia.org/wiki/ExpressCard I've been searching for a Gig ExpressCard that works on 2.1. Are you using a Gig card? If so, which one? Unfortunately I don't have one sorry :(, and am no longer using a netbook.
  • Firewall Rules Reload dumps user connections (RDP)

    3
    0 Votes
    3 Posts
    847 Views
    Thanks. 2.1 upgrade is in the works, but I have to make sure it's not going to affect our production network adversely. Realistically we are just going to duplicate our config to a 2.1 install on newer hardware. I'll try disabling the state killing. As far as I can tell it is detecting the GW and I'm not seeing anything being marked as "down".
  • State table bottleneck

    3
    0 Votes
    3 Posts
    2k Views
    Not sure I let it get to 3.8M states before taking action - this is production traffic. My experience is that the adaptive settings don't really help. When pfSense tosses states for an active connection the sender tries again, apparently the sender has more capacity to generate new connections/states than pfSense has capacity to keep up - pfSense loses every time, so far no matter what the settings are. My recourse is to reduce the traffic, though that does not meet our business needs.
  • A computer has both a LAN and WAN address in ARP Table

    3
    0 Votes
    3 Posts
    912 Views
    Yes… This host "Bigfeller" has both the wan IP and Lan IP assigned to the same mac address on Diagnostics/ARP table. IPConfig /all on this host does not show this connection.
  • Logging HTTPS Web Sites

    2
    0 Votes
    2 Posts
    531 Views
    jimp
    You can't just get "some" of the HTTPS in that way. The channel is encrypted before the site request is ever made, and you can't always guess the site by secondary characteristics like the server IP or DNS lookups. You have to see inside the encrypted communication, which is impossible without proxying their traffic explicitly or performing a man-in-the-middle attack on their SSL connection. In most cases, you have to have the clients set their browser's proxy settings to the firewall in order to see any HTTPS. I believe the squid3-dev and/or dansguardian packages can intercept HTTPS transparently but you still have to install a trusted root cert of your own creation on the clients.
  • I'm getting an error when I press the "status, Proxy report"

    3
    0 Votes
    3 Posts
    1k Views
    jimp
    The error suggests that somehow it's half installed. The menu and XML entries may be there in the config but not the actual files. Remove and install Lightsquid again and it should work.
  • PfSense notifications

    2
    0 Votes
    2 Posts
    1k Views
    jimp
    It only uses the default unless you have set "allow default gateway switching" under System > Advanced on the Misc tab.
  • TPM aka Trusted Platform Modules

    2
    0 Votes
    2 Posts
    2k Views
    jimp
    FreeBSD has a tpm(4) driver but it only mentions storing cryptographic keys as far as I can see, nothing about RNGs
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.