Who said it was being forwarded anywhere?

I still think my problem was their 'cloud' middleware.

Yes, it's not a good idea to block with almost all of the countries selected. In regards to your boot issue, you should have previously received "pfctl" memory failure notifications?? Also, unless you have open wan ports, you should use "permit outbound" rules as pfSense is a state full firewall by design. pfBlockerNG, is more than a country blocker, you should read the thread I linked above for other threat source lists which can help protect your network from known malicious ips.

So, Resolved.  I submitted a trouble-ticket with support.  Since I couldn't find any reference of this on the search engines or within this forum, I'll post the fix: From the looks of your errors, it seems that /etc has become corrupt on your filesystem. The safest thing to do here is a clean install. The memstick image you'll need to download is located here: https://firmware.netgate.com/firmware/memstick/netgate-memstick-serial-2.2-RELEASE-amd64.img.gz Instructions for extracting that image and writing it out to a USB memstick can be found here: https://doc.pfsense.org/index.php/Writing_Disk_Images Once written, connect to your serial console and boot device from the USB memstick. You may need to pick Option 3 to boot from USB device at the first menu. At the install menu, choose quick/easy install. When prompted for the system type select APU/VK-T40E.

@Wolf666: Half-Bridge is not supported, as far as I know. I was in the same ship, my ISP only supports PPPoA, when I moved to pfSense I changed my modem. Now I use a Draytek 120 which has a sort of PPPoE<->PPPoA relay. I simply configure my pfSense to use PPPoE, I put my ISP account there, pfSense passes them to Draytek which takes care of PPPoE->PPoA connection. It works flawlessly (low pings, latency near 0), my connection is 20/1. Since Vigor is a chip box, I bought 1 more as a spare. I found this site talking about something similar to my configuration: http://blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet so I tried this commands: route add -net gatewayip/32 -iface em0 route add default gatewayip gatewayip is my isp gateway ip address received by dhcp from the half-bridge modem. With this system it works but I have dynamic IP, so every time the connection drops or the modem is restarted I have to digit the commands and find the new gateway… I've done like you, I bought 2 Vigor 120. Thanks for your reply! If somebody knows how to automate the commands above every time the connection drops please let me know! Thanks!

Anything attached to the Internet is attacked/scanned/probed/enumerated/logged hundreds of times per day, every day.  That's normal.  The error you're seeing is to do with the pfSense WebGUI which is served using Lighttpd.  One thing that seems to trigger this error is when you have WebGUI running in HTTPS mode, but you access it via HTTP with port 443 specified.  Are you doing that? http://pfsense_LAN_IP:443/

Great Thanks for your help With that information I was able to do some more searching and came up with this document. It solved my problem https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F Jason

So it has been a week…and nothing has happened so far. The FW has been perfectly stable and there have been no unscheduled reboots except for the one that will have happened at 2am on Sunday morning. Anyway, simple question, I think we all agree that doing a packet capture would be a good thing to grab to see if there is any traffic trying to reach the Internet...is there any reason why I couldn't get my script to do that? Rather than going  "Ping, fault found, reboot" why can't I say "Ping, fault found, packet capture for 2 minutes on WAN interface, save pcap file to log dir, reboot". That way when the event occurs again I will have a capture to look at after a failure that will be allow us to (hopefully) narrow down the cause of the fault. If this is possible, can someone provide the additional lines of code that need to be inserted?

Further to the above, I'm making good progress with the basic version of pfsense 2.2 firewall syslog events - just about have all IPv4 TCP/UDP working and will start on ICMP and IPv6 after that. One thing I don't have the facility to do at home is CARP, so I would very much appreciate it if people could post me some example CARP event messages for me to make sure my patterns are matching correctly.

Except that not everything on the network is a javascript-capable web browser.

Got it working… First off I had to update zabbix server to 2.4.4, which required update to Ubuntu 14.04 (well maybe it was doable on 12.04 but I needed to upgrade anyways). After that I had to configure the agents behind to proxy to each use their respective subnet proxy, even though they're the same: server1 is 172.16.1.5/24, gateway (pfsense with zabbix proxy) is 172.16.1.254, so agent points to 172.16.1.254. server2 is 172.16.5.5/24, gateway (same pfsense) is 172.16.5.254. I tried using 172.16.1.254 as proxy since these subnets are open in between, but that didn't work. Only when I set 172.16.5.254 as proxy it worked. Which I find weird, but okay. Lastly, in zabbix web I had to setup each host with their internal LAN ip (i.e server1 172.16.1.5), not the external IP of the router as you would when not using a proxy. Strange that there are no info at all about this in the manual, or even on google. When you're a newbie at zabbix like me it's not really obvious.

This: https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks Steve

Yeah, I guess.  I understand your approach. Clearly the hardware should be able to detect, and report that it's only working within a 1G infrastructure. However in this case I'm stuck with what hardware i've got.  I guess if it comes to it, I'll have to change the software..  Either hack a workaround into pfSense or more likely do something manually with a base operating system. Even if I was flexible on hardware, I might still have good reasons to want to run the interface at a particular speed/duplex, depending on my requirement at the time.  Auto detect is not always the right answer. …  So I still think this as should be seen as a fault  -  If pfSense is prepared to offer speed/media opt on a base network interface, then it should be smart enough to realise.. that when it is dealing with a lagg virtual if, then it should drill down to the underlying media and offer a speed/duplex combination that is common to all interfaces I'm thinking for this purpose the cable medium doesn't need to be relevant -  for example, baseT, and baseSX ; these could go together as member interfaces, so long as both are set to the same duplex and speed rating. XW

I was actually about to respond to phil.davis saying that I noticed on my patch screen it has the github URL for the patch file, like: http://github.com/pfsense/pfsense/commit/e69a0cf3a216c8647a6def4eee41ab01319ce90f.patch So if I take off the .patch, that brings me to the page that shows me which branch it's on. It's still trial and error through to see if I got the right one. I also tried browsing the repo and finding one of the files that was patched and seeing which ID it should be, but that's more difficult IMO than the method above. It would just be easier to have the branch identified on the revision but I don't do this often so as long as I have a way to verify I'm getting the right patch that helps me out a lot.

Sorry I made a typo My Lan 1 interface is 192.168.0.0/24 My Lan 2 interface is 192.168.3.0/24 The 192.168.1.0/24 range is in use on a VPN that is not related to this Unless you think it makes a difference? Thanks for the response I'm still having trouble getting this to work