Thanks guys!  I ended up upgrading to the latest version of pfsense and re-installing the new exported client and it works fine!

@stephenw10:

You will see traffic passing between two internal interfaces vlan or not.
The only way you wouldn't see that is if your switch is layer 3 and is setup to route between the vlans.

Steve

thanks.  that does make sense.

Thank you all very much …

The way I found to solve it was back a backup that ha had done a month ago ...

Being that I have not changed anything in the settings ...

Very Strange ...

Given as solved then ...

It's not a private IP address. Do you own that IP?

Steve

Exactly.

1. All switches default to one VLAN across all ports, almost (?) always VLAN1.

2. Nope but this is the reason some people don't trust VLANs for separating network segments especially, say, WAN and LAN. That and the possibility that your switch firmware has some exploitable bug allowing packets to change VLAN, never seen that either.

3. Some switches have an unmanaged mode they default to that is indicated somehow. The Dell PowerConnect range, for example, have a managed mode LED on the front that tells you the switch has been configured away from it's default state. If it did default back to unmanaged mode the LED would go out, you would know.

Steve

Not quite sure what you're asking for since it's a little vague, but perhaps this?

Diagnostics > Backup/Restore, Config History tab

There isn't a way to do that currently because what tends to happen is less that apinger sees it recover and more than apinger is restarted and it is assumed that the gateway is up. If you received an e-mail whenever it assumed a gateway was up, you would not be happy. :-)

That is likely to improve in the future especially now that we restart apinger less frequently.

It isn't used for anything post-install, but there is also a Lua interpreter included ( /usr/local/bin/lua50 ) and of course you can run shell scripts or install your own packages as cmb described.

PHP is the best choice for most things, as that's what most of the other code uses.

At the moment, yes, but it looks like that will be better on 2.2

@stephenw10:

Exactly, ML-PPP is the best you can do.
I don't see how this could be done with multiple VPN connections as they're too high up the OSI model. I would think you need something below layer3. Do you have a link to anything explaining this?

Steve

I'd think OpenVPN TAP would get you to the level you'd need.

Jimp made some comments about a feature like this being on the roadmap but being way down on the list unless someone sponsored the development. He also said something about possibly using Kickstarter for larger features like this.

Am I correct in assuming that "WAN in" is traffic coming from the internet into the WAN interface, and that LAN "out" is traffic leaving the LAN segment?

All "In/Out" on the Traffic Graph and table of bandwidth In/Out by IP are relative to the interface or client being reported.
A download from the internet comes In to WAN, Out of LAN and In to the end client system on LAN.
An upload comes Out of the end client system, In to LAN and Out of WAN.

<started another="" thread="" with="" details="" of="" my="" issue="">Hopefully someone will respond there…hopefully.</started>

TCP window size is a parameter at a higher layer that end-systems use to work out how much data to have outstanding in the pipeline before waiting/expecting ACKs to have come back. I played with this many years ago tuning continuous flows of a data acquisition process across a long link. TCP window size needs to be adjusted on the end-systems.

Steve,

I'd noticed that checkbox previously, but had misinterpreted its likely behaviour and steered well clear.

But, with it enabled, I'm certainly getting a bit closer to where I wanted to be, though it still leaves PermitRootLogin enabled globally.  I had intended to disable Root from the WAN.
(It may well be that KeyAuthenticationOnly, when no-one has the key, is as hacker-proof as a total prohibition on RootLogin would be anyway).

I am, however, beginning to suspect that pfSense may not be correctly honouring MATHES of host addresses when given in the form "192.168.1.0/24" (as specified in the man pages you pointed me at) whilst it does accept "192.168.1.*".  This may explain some, if not most, of my earlier confusion.

More news when I've done some more testing…

Have you looked at Dell PowerConnect?  Can get 24-port, Gb, layer 3 switches for under $2k.
Have older 6224 running on SAN duty for over two years with no problems.

http://www.dell.com/us/business/p/powerconnect-6200-series/pd?refid=powerconnect-6200-series&baynote_bnrank=0&baynote_irrank=0&~ck=baynoteSearch&isredir=true

Vince