Solution: The solution is relatively easy and involves the system time that uses my Hypervisor time (+2) and adds another +2 for my time zone setting in pfSense. This gets me a wrong time, obviously. After NTP updates the time it is correct again, but old times are not updated. So the time line is sent down to the dumps. At least, this explains the 2 hours difference between the settings. To be honest, that is crap (not pfSense's fault, nor Hypervisor's) and I don't know what would be a solution. Maybe pfSense should allow to set a time next to time zone (and overwrite bios time)? PS I would love a statistic pointing out how many bugs are related to time zone and file format conversion fun :-)

@Derelict: There is no OpenVPN package on 2.1.5.  It's part of the base system.  Are you talking about the client export utility? Anyway. Now that all that is out of there, step back and take another look at the /tmp/rules.debug and all your interfaces and rules. My apologies, yes the client Export Utility for OpenVPN.

The first line shows that 4 haproxy processes are running, if you have long living sessions, and a few applied config changes that could be fine.. It could also mean a few did not shutdown properly.. You might want to check the pfsense systemlog it should show what pid was running and what gets started..(if package was recently re- installed) Either way it seems indeed maxproc is high enough for haproxy… What you could try is to install lsof, and check for open handles. Not sure if that will work.. lsof | awk '{print $2}' | sort | uniq -c | sort -n then check if the pid of haproxy indeed has a high number of handles.

That didnt work out too well… This morning, SSH to ALL machines on LAN failed (Temporary DNS name resolution), the firewall was suspiciously slow (and not responsive), I couldnt reach the internet from any machine... Deactivated all rules under OPT1, and rebooted the firewall, all is back to normal. For now I will assume this is only a glitch in the firewall and not related to my OPT1 rules, unless someone can point out that it is..

Thankx for asking! Forget about it, just a strange idea after not enough coffee this morning… We're all safe, I guess :-D

Also debugging my procedure … I noticed that the first time I run mysqld (for the root password setup, etc) I have to run /usr/local/etc/rc.d/mysql-server onestart After the root password is setup, I can then run /usr/local/etc/rc.d/mysql-server.sh [start|stop] :-[

Thanks a lot cmb for your your kind and accurate answer… Pedreter.

http://www.logicsupply.com/components/expansion-cards/ade4rtlang/ http://www.logicsupply.com/components/expansion-cards/ade4inlang/ If you can find the motherboards that the above two devices fit, that might be an option. I have one of the motherboards and I have a total of 6 1Gb NICs (2 onboard, 4 daughterboard)

Something not right with that NIC, probably a mis-programmed EEPROM. Easiest work around would be to keep the interface in promiscuous mode (which is why it works with tcpdump running), alternatively if you use a diff NIC it's not likely to be an issue. A <shellcmd>to run "ifconfig em0 promisc" would work around (search doc.pfsense.org for info).</shellcmd>

A client on your network is pulling something from 184.29.106.120 via HTTP. That's an Akamai IP, which is a CDN used by a bunch of companies to host their downloads. Best that shows is someone is downloading something. Filter states for the external IP to find the internal host.

@stephenw10: Interesting. So what are you running in the jails and what is hosting, FreeBSD? Steve Host is pfsense and the jails run FreeBSD. I don't think an alternate setup is possible. I believe pfsense can't run in a jail, and jails cant run anything but FreeBSD. I have a guest with asterisk, and another with apache/transmission/samba.

Squid is probably running on port 3128, not 80. The GUI is probably on 80. Check/change squid to be on port 3128, and configure your browser's proxy settings to use port 3128 and not 80 for the proxy.

You will either have to configure the software firewall on your workstation to answer an icmp echo or turn off the software firewall completely.

Are these all public IPs? Steve

@cwyant55: I'm assuming I could also assign the "old" WAN IP to the new box and get it working without rebooting our Verizon box? Thanks for your help. Not in the most common scenario, where the additional WAN IPs are IP alias or CARP VIPs. If they're routing your additional IPs to your WAN IP, then you'll have to move over the WAN IP so the routing functions. That's less common.