Yes you could use an interface group, or maybe floating rules to do this. However you will still need to edit each rule on OPT1 and switch the interface to the group. You could potentially edit the config file to do that which would be faster but far more open to typos. The rule order might also be compromised. You would need to test that to be sure. Steve

Looks like a hardware failure, probably bad RAM given the message. Potentially some video card issue. Juts booting with the DIMMs in proves nothing really. You need to run a few loops through memtest (I prefer 86+ http://www.memtest.org/) before you can be sure it's good. Steve

You need to run at least some actual throughput tests to determine if your indexing test is at all accurate I would say. The Xeon-D CPUs you tested both have turbo speeds of 2.5 and 2.6GHz. pf is somewhat multithreaded but OpenVPN is not. You are not testing the complete system though so you might hit some other restriction you're not aware of. Steve

pfBasic, There is no enough way to say thank you, you just made my day, Thank you for taking the time to write every letter, I really appreciate your valuable time for sharing your knowledge and experience with the community. I have a AMD PC with FX 8350 and 8Gb ram + gts 450 sitting in the basement, I will start immediately playing with it to get my hand dirty in pfsense. I am waiting for Ryzen 1920x to arrive, as I will use it 24/7 for VFX and I hope to run pfSense at the same time with this rig through KVM. so here is what I am going to do: I will run two KVM, one with Win10 and the other with pfsense, and I will plug my wan cable directly with the PC(dual intel Nic) and make bridge from PC(pfsense) to the DD WRT router to have dual band wifi network access. can I make kvm windows 10 to use pfsense not my ISP wan as gateway (they are both running on same machine) ? can this done virtually or I need to add more nic and port link from dd wrt? Have a wonderful weekend

Get a VPN account from somewhere.  Configure OpenVPN to connect pfSense to it.  Use policy-based routing to route whatever traffic you want over the VPN link.  No idea how well this would work (if at all) in conjunction with squid.

@johnpoz: "But when i plug my laptop into the switch thats on OPT1 it doesnt give me a valid IP address." What does this have to do with vpn client connection on pfsense? Did you enable dhcp on your opt1 interface on pfsense? Hi, thank you for bearing with me on this.. I am learning :) I have followed this guide for OPT1 https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/ When i check system logs/gateways i get sendto error: 65 I have OPT1 setup on static IP as per that guide. I have also changed it to DHCP with not luck.

Any suggestions for this configuration, and a secure administrative host would be greatly appreciated. Thanks. The pfSense team is likes I am remembering me right working on a solution likes that, but I can´t fairly nothing say about the stage of that work and other things, there is not to much information about. If you want to get a fair answer I personally would work at each side with Aten serial console switches, they have some interesting solutions and different models, for real serial, USB and LAN Port console switches, so on each side all models can be connected to that LVM switches and over VPN you will be the able to connect to them for configuring all your devices and pfSense on top. VPN might be secure to realize that action.

6. I've gone into firewall > NAT > outbound and set it to hybrid (as we still have an actual private LAN behind the PFSENSE which still needs NAT). I then created a mapping rule for interface WAN with source ANY destination 192.168.158.168/29 (network) and set the option to "Do not NAT" in the rule This is backwards. Should be: interface WAN with source Network 192.168.158.168/29 destination any and set the option to "Do not NAT" in the rule I assume the 192.168 is simply a place-holder for the actual, public IP addresses. You can avoid this confusion there by using 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24 in your examples where you want to use BS address space and want everyone to know you're really not talking about RFC1918 space. https://tools.ietf.org/html/rfc5735 (eta: oh already asked and answered. Not many people know about these example/documentation subnets so I'll leave it here).

problem solved. all the thing was about setting acl rules "allow" or deny" list. i set the rules its working now.

Hi JohnPoz I reinstalled the PFsense and configured the servers as you outlined - success! Thank you for your help - I obviously changed something post set up.  Your outlining of the way it was to work has made the process much clearer - once again thank you for taking the time to help me.

Just going to follow up on this and bring some closure to this thread.  I continued to have crashes with the APU2 unit as well.  I tried a fresh install and reconfiguration by hand instead of restoring the config, which still resulted in many crashes per day.  We resorted to OPNsense and reconfigured by hand, things are stable since deploying it on the APU2 this past Sunday.  I did submit a few more crash reports in hopes that there would be some key info there to help the guys behind pfSense, if it is indeed some kind of bug.  Will revisit this issue when I can afford some more downtime, or when 2.4 is released. Thanks for all of the input and help, sorry we couldn't get it figured out.  Some kind of bizarre quirk specific to my configuration/environment I'm sure.

Disabling the default setting "Enable DNSSEC Support" lets things work correctly again with Forwarding Mode enabled.  The OpenDNS public DNS servers do not use DNSSEC.  Should forwarding lookups fail when DNSSEC support is enabled but where forwarding DNS servers do not support DNSSEC? I would expect lookups to fail only when DNS servers support DNSSEC but where what is returned does not validate correctly.

Well…. turned out some user put a Tp-link managed switch in somewhere that was using 192.168.0.1, which by chance is the same as pfsense LAN. I dont know why, but this did not show up in the system log until hours later, and then it was in there every 20 seconds: Jul 27 11:15:40 kernel arp: 84:16:f9:b9:9e:e9 is using my IP address 192.168.0.1 on igb1! Jul 27 11:15:35 kernel arp: 84:16:f9:b9:9e:e9 is using my IP address 192.168.0.1 on igb1! Jul 27 11:15:03 kernel arp: 84:16:f9:b9:9e:e9 is using my IP address 192.168.0.1 on igb1! Jul 27 11:14:46 kernel arp: 84:16:f9:b9:9e:e9 is using my IP address 192.168.0.1 on igb1!

We have noticed the change at several systems: One Example: 8 vcpus Intel(R) Xeon(R) CPU E5-2697 v3 @ 2.60GHz 8 CPUs: 8 package(s) x 1 core(s) Version used before:  2.3.3-RELEASE-p1 Throughput: 1 - 2 Gbit/s States < 10k Conns/s < 100 We have changed several parameters (virtual-infrastructure, hw-firmware, and pfsense-update) We noticed that sync traffic is reaching 10% of WAN-Traffic which is a real huge increase. I have attached two files (after_update is the sync-traffic, wan_traffic is the wan traffic). At time our solution is to turn sync off. I have also noticed that high traffic rates ( > 4 Gbit/s) are only achivable with sync turned off. [image: 170727_after_update.PNG] [image: 170727_after_update.PNG_thumb] [image: 170727_wan_traffic_after_update.PNG] [image: 170727_wan_traffic_after_update.PNG_thumb]

I tried again using an OpenVPN setup. I followed this tutorial: https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server I have the same problem. Either I can only access the internal resources, but no internet. Either I can access the internal resources but internet is from mobile provider. Can't get my phone to use the VPN internet connection. What am I doing wrong? Is this thing even possible? I did check the "Force all client generated traffic through the tunnel." option. No internet on phone, only LAN resources.

Thank you !

Unfortunately I think that's true. It would need to be something from upstream anyway. I have no idea where that device even is I was testing with anymore.  ;) Steve