oh i'm sorry, because missmatch perseption about VLAN in my mind. the realy need is diferent subnet in LAN card (172.16.1.1/24, 172.16.11.1/25). regards

Sorry for not being very clear in my post. I wanted to let pfsense users to know  that it is not that hard to get verizon to provision the data over ethernet so that you can  use pfsense instead of actiontec.

Yes. You could have two lan subnets off of separate interfaces- either two separate NICs, or vlan interfaces with a managed switch.

I thought so, but meanwhile I found that disabling scrubbing won't solve the problem with sending messages from the tax report programs. Their a nightmare to setup and maintain and I'm more and more convinced that this system is causing the problem and not the connection, so there is no need for the setting. I will upgrade the second box anyway but that will have to wait until I'm on site. Thanks for the suggestions.

The default, at least on my boxes, seems to be 1200s (20m). You can set it temporarily (until reboot) with the command sysctl net.link.ether.inet.max_age=1200 If you want to make it permanent, add a line to /etc/sysctl.conf

@wallabybob: In /boot/loader.conf you could add the line vm.kmem_size="768M" to set the physical memory available to the kernel to 768MB. Forget about monitoring vm.kmem_size; it won't change. I was confusing it with something else. Sorry! The other commands are still useful for monitoring how much of the available memory is in use. TNX. Will try. BR Sasa

@ktims: Wondering on the rationale for this. It's currently being set larger than the total memory on my ALIX box and I'm concerned that something stupid is going to happen when/if the allocator ever tries to use this extra memory. There is no point setting vm.kmem_size larger than physical memory size. You probably don't want the kernel growing to use all of physical memory and leaving nothing for applications. On my pfSense box which has had multiple upgrades through the 1.2.1 series and is now running the released 1.2.1 /boot/loader.conf contains autoboot_delay="1" kern.ipc.nmbclusters="0" I don't remember making any changes to this file. I wonder how your /boot/loader.conf got an entry for vm.kmem_size. I suspect you could safely delete it. I wonder if there is any other "junk" in there.

Got my questions answerd by cmb (thanks again!) on the support mailing list.  Here they are for the archives and anyone else searching the forums: For the FTP helper to be started on the WAN interface, you need have the FTP helper enabled for that interface, a NAT rule for server port 21 defined and if not NATing the WAN IP, be using a CARP Virtual IP address (not ProxyARP or Other). Anything can be entered for the CARP VIP password, group and frequency. The FTP helper is started by code in /etc/inc/filter.inc.

I had actually tried messing with that, it didn't help. After getting incredibly frustrating and going around turning absolutely everything off it turns out it was OpenVPN causing the problem. I have no idea how or why, but if I disable the tunnel I can access the site. It makes no sense why a VPN tunnel would effect such particular sites.

I have an Alix 2c3 running 1.2.1 with dhcp and dnsmasq without problems. Does the service just die randomly, can you restart it? That message is what you would see in the logs if you stopped the service via status, services. It says the service received a SIGnal to TERMinate- if it was crashing, I would expect a different message logged.

My dns server was my primary DC and it still is. Sorry to say.. i have installed isa 2006 configured it. and now all my problems are gone. Thanks for all your help anyway!

Port 21 on LAN interface is not the same as port 21 on WAN interface. It is open on LAN interface because of the ftp-helper, if you really want to close the port you can turn off the helper at: Interfaces->LAN->"Disable the userland FTP-Proxy application", but doing so will break outbound ftp unless you configure firewall rules yourself for outbound ftp.