At the moment, yes, but it looks like that will be better on 2.2

@stephenw10: Exactly, ML-PPP is the best you can do. I don't see how this could be done with multiple VPN connections as they're too high up the OSI model. I would think you need something below layer3. Do you have a link to anything explaining this? Steve I'd think OpenVPN TAP would get you to the level you'd need. Jimp made some comments about a feature like this being on the roadmap but being way down on the list unless someone sponsored the development. He also said something about possibly using Kickstarter for larger features like this.

Am I correct in assuming that "WAN in" is traffic coming from the internet into the WAN interface, and that LAN "out" is traffic leaving the LAN segment? All "In/Out" on the Traffic Graph and table of bandwidth In/Out by IP are relative to the interface or client being reported. A download from the internet comes In to WAN, Out of LAN and In to the end client system on LAN. An upload comes Out of the end client system, In to LAN and Out of WAN.

<started another="" thread="" with="" details="" of="" my="" issue="">Hopefully someone will respond there…hopefully.</started>

TCP window size is a parameter at a higher layer that end-systems use to work out how much data to have outstanding in the pipeline before waiting/expecting ACKs to have come back. I played with this many years ago tuning continuous flows of a data acquisition process across a long link. TCP window size needs to be adjusted on the end-systems.

Steve, I'd noticed that checkbox previously, but had misinterpreted its likely behaviour and steered well clear. But, with it enabled, I'm certainly getting a bit closer to where I wanted to be, though it still leaves PermitRootLogin enabled globally.  I had intended to disable Root from the WAN. (It may well be that KeyAuthenticationOnly, when no-one has the key, is as hacker-proof as a total prohibition on RootLogin would be anyway). I am, however, beginning to suspect that pfSense may not be correctly honouring MATHES of host addresses when given in the form "192.168.1.0/24" (as specified in the man pages you pointed me at) whilst it does accept "192.168.1.*".  This may explain some, if not most, of my earlier confusion. More news when I've done some more testing…

Have you looked at Dell PowerConnect?  Can get 24-port, Gb, layer 3 switches for under $2k. Have older 6224 running on SAN duty for over two years with no problems. http://www.dell.com/us/business/p/powerconnect-6200-series/pd?refid=powerconnect-6200-series&baynote_bnrank=0&baynote_irrank=0&~ck=baynoteSearch&isredir=true Vince

Happy to help. For the benefit of other readers - if an interface has a gateway set, then pfSense by default assumes it is a WAN-style interface, a pathway to the public internet, so things like automatic outbound NAT are done on those interfaces to translate LAN IPs into WAN IPs suitable for the public internet. If you have a LAN like this OPT1 that is just a local subnet with a gateway to other internal networks, then you do not have to set that internal gateway as the actual gateway on the interface settings. You can just add a gateway in System->Routing and then add static route/s telling pfSense what internal networks are reached through that gateway. Then pfSense will understand that it is not a gateway out to the public internet in general.

Can you provide a topology?  It sounds like you have Internet <> Router 1 <> pfsense If this is correct, have you set port forwards on Router 1?  If not, you need to forward these ports to the IP address of the WAN interface on pfSense.

Have you in some way proved the connection to be good? Somehow removed pfSense from the link and tested? Speedtest.net is not a good test because it uses multiple connections to maximise the throughput. Try simply downloading a laarge file from a known good source. I have no idea where you are so I can't recommend one but I use the Thinkbroadband test files at http://www.thinkbroadband.com/download.html here in the UK. If it's still limited at your client machine you can then try downloading it directly to the pfSense box: root@pfsense.fire.box]/root(2): fetch -o /dev/null http://download.thinkbroadband.com/50MB.zip /dev/null                                    100% of  50 MB 1961 kBps 00m00s I notice in your config file that you have some traffic shaping options: <ezshaper><step1><numberofconnections>1</numberofconnections></step1> <step3><enable>on</enable> <provider>Asterisk</provider> <connuploadspeed>%</connuploadspeed> <conndownloadspeed>%</conndownloadspeed> <connupload>30</connupload> <conndownload>30</conndownload> <download>300</download> <downloadspeed>Mb</downloadspeed> <conn0upload>300</conn0upload> <conn0uploadspeed>Mb</conn0uploadspeed></step3> <step4><step2><downloadscheduler>HFSC</downloadscheduler> <conn0uploadscheduler>HFSC</conn0uploadscheduler> <conn0upload>1</conn0upload> <conn0uploadspeed>Gb</conn0uploadspeed> <conn0download>1</conn0download> <conn0downloadspeed>Gb</conn0downloadspeed> <conn0interface>wan</conn0interface></step2></step4></ezshaper> Are you running asterisk? Did you set these up intentionally? I'm no expert in traffic shaping (which seem like a bit of a black art!) and I can't see how this would be limiting you but still…. Steve

Thanks, I set it up like this: [image: PO3agBs.png] [image: UqdPjjl.png] [image: S3jNLy3.png]

I have this board as well.  I initially had this issue with the 64bit version, but when I reinstalled with the 32bit version I got a dhcp address on my wan link right away.  I did not have to change any ip v6 settings.

Yeah it is true, it creates the rule for you - doesn't mean there is not two rules ;) Do with it what you will, combinations of possibilities are almost endless..  But I can tell you, you get some other engineer that finds this - and he is going to go WTF were they smokin??  ;)