Thanks for the reply. I actually figured out a workaround … I created another 1:1 NAT rule with OpenVPN as the interface.  Otherwise the rule is the same for the 1:1 NAT rule that sends public traffic to the private IP. NB: for OpenVPN clients who do not use the "send all traffic over the VPN" option, accessing the public IP is no problem, but for clients who DO send all their traffic over the VPN, this is necessary to connect to public IPs.  In a few critical scripts which we share with our customers the public hostname/IP is configured, so staff who might use those scripts from a hotel/airport/conference while tunneling all traffic to the firewall make this configuration requisite.

@compy: I clicked over to the "Traffic" tab after Steam downloaded 13.6GB of new games (Thanks humble bundle!), and none of the WAN numbers were even close to this. I'm guessing I'm either looking at the wrong graph, or just missing something. The traffic RRD graphs show bandwidth consumed (bits per second). Its not clear to me how you compared "bits per second" with bytes and determined they "weren't even close". The attached traffic RRD graph from my system shows (mostly) 2Mbps download for about 24 hours on Friday and Saturday. 24 hours of 2Mbps gives a a bit under 22GB which is probably "close enough" for a download of a 17GB file (and possibly other files as well). Is it possible you downloaded compressed data and the report showed uncompressed data? [image: status_rrd_graph_img.png] [image: status_rrd_graph_img.png_thumb]

Seems highly unlikely to be honest. What theme are you running?  What version did you install exactly? 32 or 64 bit? What browser are you using?

You actually do want all those things, you just want an add-on module that creates them all for you for that one simple use scenareo you described.  Alas…  I'm no dev.

@stephenw10: I presume at that point the console is completely non-responsive, it's not possible to login? It doesn't matter what shell the admin user is set to run if you can't login as admin. Yeah, the shell is correct, I just wanted to check whether toggling the GUI checkbox does actually does something or not… Sounds like completely different problem. Rather then hunting for gremlins, a quick reinstall and backup restore should sort it out if it worked before.

Here's what I finally did on my setup: I created a subinterface (VLAN interface) with a "random" VLAN ID on one of my physical interfaces and assigned a /32 to it. It can basically be used the same way as a loopback can, but the benefit is that you can assign it and use it in menu selections such as GRE tunnel source in my case.

Fixed! Changed: Interfaces : Wan Static IP config: changed the  "/1" to "/24" I hope this helps someone!

Using VMs you are effectively using the same NIC/driver combination for every case but I guess that includes pfSense. Interesting that m0n0wall shows less latency. It's based on FreeBSD 8.2 last time I checked. pfSense 2.0.x is build on 8.1 and 2.1RC on 8.3 so all different versions. You could try an older pfSense, 1.2.3 was built on FreeBSD 7.3 (I think). It can only support one PPPoE session though so limited. You could try PC-BSD which is easy to setup. Various versions built on various FreeBSD versions are available. I agree though that testing a VM of FreeBSD 8.3 is probably the best test you could do. I've no idea how to setup a PPPoE session directly in FreeBSD though.  ::) Steve

This works perfectly. FYI, anyone who is doing this, you must disable any previous NAT & firewall rules for 443 aside from the OpenVPN 443 rule. So far so good, all exchange services are working. (Exchange 2013*)

made an SH script to accomplish what I needed. thought I would share it. #! /bin/sh timeout=$1 sleeptime=$2 command=$3 # test pid is still around PIDActive() { pid=$1 test=`ps -p $pid | grep $pid` if [ -z "$test" ]; then return 1 fi return 0 } # run command & capture pid $command& commandpid=$! # What happens first? pid exits or timeout counter=0 while PIDActive $commandpid && [ "$counter" -le "$timeout" ]; do     sleep $sleeptime     counter=`expr $counter + $sleeptime` done # if we get to this point and the pid is still active, kill it PIDActive $commandpid && kill -s KILL  $commandpid

Exactly. I'm sure the dev team have thought about doing this before (the last time I suggested it perhaps!). There would be no point in starting anything without some sort of official sanction I think. Steve

ok, makes sense, it is leaving the lan interface OUT to the lan PC/client like you said. yes, there is a vlan interface that i didnt add the statistics for since it is rarely used.

Yeah - Don't go too crazy with how much RAM you give squid cache.  The Docs recommend no more than 1/2 and I've tried it higher and it was sort of flakey.  I'm only running 4GB on my home router.  Perhaps if you have 8 or 12 GB or more, you can allocate alot more than half.  Not sure.

No on 2.0.1. You can do that on 2.1 though. (System > Advanced, Misc tab, box is right under the sticky checkbox)

If you're using the built-in load balancer, it's unlikely to work in that way. You'd be better off with a package like HAproxy that has several different methods of maintaining a persistent client-server relationship.

You probably need to check System > Advanced, Firewall Tab, "Bypass firewall rules for traffic on the same interface"

Yup! I have 1000/1000 and speed betwen around 70 MB/s :)

i know. lack of time and some private stuff. have not worked on pfsense for a long time so i am starting from the  beginning.

OK, that's why I thought. This is a regression before our previous FW but all other stuff on pfsense make this nothing. Thanks you.