@jbhowlesr: So I added the rules from the links above and I'm finding intermittence in whether these services work or not. This is such a but pain. This quote is probably the best way to end the post. I can't stop feeling I kicked a hornet's nest here. In hindsight I think johnpoz answer was the better answer in a higher order of right and wrong. It seems more and more home users are using PFSense  and rightly so. Regarding Default Deny, M.Ranum once wrote:"It takes dedication, thought, and understanding to implement a "Default Deny" policy, which is why it is so seldom done." This is especially true for a home environment. Number 1 for any home user should be the manual. For a DD policy you must know Network basics, protocols and ports etc.  If not you may drive yourself mad if your internet hungry kids don't get to you first. Go back to the Default PFSense Lan rules and call it a day, no harm , no foul. In my view if you are running Microsoft you have bigger problems anyway in your network. :o sorry, don't shoot the messenger. I noticed the "Feedback" post and debated to reply here or on that one. Since your subject line was succinct I wanted to make sure others of future searches were well aware of the possible issues. I repeat Default Deny is not for everyone. If I sparked your interest, Great! But on the forums you may be hard pressed to find someone to know what is running on your private network. DD policy requires intimate knowledge of what is running on your machines. Only you can figure that one out. Research before implementing and a good grasp of network protocol and basics is a must. I do not think there will ever be an easy button for this type of setup. Sorry if I started you down a path you may not have wanted to travel. But, hey,  you asked.  ;)

Ah thank you :)

Thanks heper for pointing me in the right direction. This pfsense is running on a vm machine under virtualbox. There is a setting for the bios clock if it will send UTC or local time to the vm machine. I had it on Local and it needed to be on UTC for pfsense. Changed it and waited out the last update time of rrd and then the reboots are ok. I believed my clock was Ok since I have ntp on the host server and ntp in pfsense. /Best regards illern.

Oops apologies for not searching the bugtracker

thank you guys. will try to disable in BIOS. I will play a bit more with squid, hopefully, it is just human error. Thanks, will update. Update: 1, changed to dedicated to avoid fail over. NOT from within BIOS, but from web config. 2, squid works after fresh reconfiguration. Don't use old config file.

This was the issue: https://forum.pfsense.org/index.php?topic=109763.0

chpalmer- If your using ports 0-3 try moving over to ports 4-7 until you get your replacement.  Once the ports start going they tend to run in pairs… Thanks for the heads-up on the NIC ports. I remember reading in the excellent "Firebox" section of the forums that the right side ports (msk0 thru msk3) were suspicious, and based  on the comments I've avoided using those.  So I'm reluctant to make any change pending the replacement firewall(s.) Still, wondering about the root cause.  I was under some duress, and didn't copy the logs before rebooting.  A quick glance at the dashboard gave the false impression all was okay.  Seems like the auto-reboot script similar to https://forum.pfsense.org/index.php/topic,17243.0.html could have brought the box up without my intervention.  Seems there's mixed thought on reboot scripts, but I've now added a variation that might come in handy, if called upon. Thanks everyone… Peter

2.3-RELEASE is out today

I get to plug another hole in my knowledge every day. That seems to have fixed it.

I had issues upgrading from RC to 2.3 release but I did a clean install in like 15 minutes I was back up and running. Thank you all who were involved in the project and getting 2.3 released. Well done guys. Very impressive release.

I just updated pfSense to 2.3 and added that line to System Tunables. Let's see how it goes now. Regarding Hardware: ASUSTeK COMPUTER INC. P8H77-M PRO Intel i3-3220 re3: <realtek 8111="" 8168="" b="" c="" cp="" d="" dp="" e="" f="" g="" pcie="" gigabit="" ethernet="">re2: <realtek 8111="" 8168="" b="" c="" cp="" d="" dp="" e="" f="" g="" pcie="" gigabit="" ethernet="">re1: <realtek 8111="" 8168="" b="" c="" cp="" d="" dp="" e="" f="" g="" pcie="" gigabit="" ethernet="">re0:<realtek 8111="" 8168="" b="" c="" cp="" d="" dp="" e="" f="" g="" pcie="" gigabit="" ethernet=""></realtek></realtek></realtek></realtek>

Not that it's likely to be an issue, but it looks like phil.davis and sinhkh87 were using two different alias names - sinhkh87: Alias created with name wordpress_org phil.davis: It worked for me looking up the exact same name wordpress.org and pressing "Add alias". Still much more likely to be "updated-before-current-changes" problem, but just in case….....

If you want a more secure CA you should look into something that supports CRL's to be fetched from outside the device. Also set up an offline root CA (a virtual machine on a crypted drive, never attached to the internet or something similar) and a intermediate CA that is available for signing and CRL's. The offline root CA is only used to publish a new CRL for the intermediate CA. Then again.. is there any point of doing this for home use? Probably not..

I went ahead and just used the native pfsense implementation and retired the VM. It's now working. Thank you though for the help!

I'll try..Could you point me to one of those threads? thanks again

pfSense needs separate interfaces for WAN and LAN. If you can't add another physical interface your only other choice is to connect a VLAN capable switch and use VLAN interfaces for WAN and LAN.