• Multiple VLANS across physical Interfaces

    0 Votes · 3 Posts · 3k Views · johnpoz

    Yeah that is not how you would do that..

    Use a switch to distribute the vlans to access switches.  The connection to pfsense can be a trunk with all the vlans on it, or from the distribution switch you can have uplinks for every vlan to physical or mix and match depending on what your intervlan traffic will be - you wouldn't want intervlan traffic having to hairpin, etc.

  • Find issues back in time

    0 Votes · 2 Posts · 2k Views

    In my experience, it's best to send system logs to an external syslog server. You avoid filling up the local filesystem with historical data for one thing and - depending on the syslog server you use - you can often find the data more searchable.

  • SSL Man In the Middle Filtering : Bug or not

    0 Votes · 1 Post · 979 Views · No one has replied
  • How to filter Firewall log by time

    0 Votes · 18 Posts · 7k Views

    I do not know your requirements and do not have a recommendation for you.
    I can only tell you what I use.  Whether or not it is appropriate for you is something you will have to decide.
    I use the default log file size.

  • CentOS - sending all LAN traffic to pfSense

    Locked · 0 Votes · 8 Posts · 5k Views

    Got it - so there is no easy way to do this, short of putting them on their own networks or putting the rules on the servers themselves.

    Thank you

  • Block Communication between interfaces

    0 Votes · 14 Posts · 2k Views · johnpoz

    "I wonder what the return policy is on a $200k SAN device that you've had for 2 months before you realized you can't control LUN layout."

    hehehe oh that is funny… Did you pay for it already?  Most companies float payment for at least 90+ days ;)  Tell them it does not meet your requirements, and the person that ordered it has been flogged out back for it.. If they ever want any future business from you they will take it back or get the model that allows you to do what you want..

    But I hear ya, work with people that have been in the field for years and years, and still don't get what amounts to basic concepts.. And then they are too scared to bring it up if having a discussion... So for example when you stated "we needed to have a LUN backed by contiguous storage" he could have just asked - and that means what exactly??

    Been dealing quite a bit of late with just local switching stuff, and am amazed at how many people that have been doing it for years and years just don't quite grasp that a lagg or etherchannel/portchannel/etc  is not 1+1=2, but just 2 x 1 and 1, etc..  No specific device talking to another specific device across that will ever see more than 1, etc.

    Had a whole argument with an architect about how you cannot replace a 6509 with a 4500x and some access switches in a stack.. And they were uplinking the stack to the 4500 with 1+1 lagg..  With no clue to what the intervlan traffic was and how that could be a bottleneck.. Their thought process was that the wan link is not even gig..  Sure if you want to save some cost and there is NO intervlan traffic, then maybe.. Production facility you have to assume intervlan, and maybe quite a bit of it..  At least allow for each vlan to have an uplink so you're not hairpinning, etc.

  • Consuming WAN interface traffic

    0 Votes · 7 Posts · 3k Views · KOM

    If your WAN graph has huge incoming bandwidth and no similar traffic matching on LAN outbound then it's the squid cache.

  • Vlan rule with only internet no access to other vlans

    0 Votes · 25 Posts · 11k Views

    @johnpoz:

    ok then if 192.168.1/24 is one of your other networks then that rule makes sense.

    Too early for me I guess, it looked like you were creating a rule for the local network to the local network.  But you are forwarding 3389 in from your wan, which is internet… Is it not??  So your wan is only your own local network?? As long as public internet can not get to 3389 then you're sure..

    there are some webservers with some sites on some vlans.

  • Anti-spoofing rule blocking all traffic

    0 Votes · 3 Posts · 5k Views · Derelict

    And even then not on two different interfaces.

  • URL Table (IPs) - BUG.

    0 Votes · 5 Posts · 2k Views · cyber7

    To assist with the problem I wrote a workaround with scripting and startup files here:
    http://wp.me/p2jcLn-xr

    Please visit the site to get this working.

    As a last point, I hate having to edit configuration files of broken software, so please pfSense fix this for us?

  • No access to WSO2 Identity Server

    0 Votes · 1 Post · 441 Views · No one has replied
  • URL IP Alias bug??

    0 Votes · 1 Post · 1k Views · No one has replied
  • Connection via wifi only works google yt etc. CLOSED:SYN_SENT

    0 Votes · 8 Posts · 8k Views · johnpoz

    pfsense doesn't give 2 shits what website you're going to.. It has nothing to even look at what that might be.  It only moves packets, it either allows them or doesn't allow them.

    Are you running proxy package?  Snort?  What packages are you running?

    So syn_sent would indicate that it sent a syn, and never got a syn,ack..

    Why don't you sniff on your wan.. When you try and open a website do you see the syn sent?  And do you get a syn,ack back?  If not then no, not going to work.

    But again pfsense doesn't freaking care where you're going, it just moves the packets..  I would sniff and see what is going on..

  • Blocked my internal lan but I dont see where

    0 Votes · 13 Posts · 3k Views · johnpoz

    if you have devices in esxi on the same vswitch that can not talk to each other and you're seeing this traffic go to pfsense, my guess would be you have a mask wrong somewhere on one of the vms.  So the 1 vm sends him syn and he answers back syn,ack to pfsense because from his mask the IP talking to him is on a different network.

  • Block Mirai?

    0 Votes · 9 Posts · 9k Views

    I'd read that UPnP was one of the vectors. Included for thoroughness.

  • States Shutting down WAN over 10k

    0 Votes · 7 Posts · 1k Views

    @almomdegal:

    @jimp:

    What type of WAN do you have there?

    I recall talking to a customer a few years back and their cable modem crapped out with around that many connections going through it

    I have a dedicated link using copper wire
    2 cable modems from 2 different ISP

    What are the respective bitrates?

  • 0 Votes · 4 Posts · 685 Views · KOM

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    Create a new rule on LAN.  Place it above the Default allow LAN to any rule.

    Action: Block
    Source: Single host or alias
    Source address: IP address of Win10 box
    Destination: any

    Click Save.  Clear the states of the Win10 IP address via Diagnostics - States and then try to get out on the Win10 box.

  • NetScaler - Can't Connect to XenDesktop

    0 Votes · 3 Posts · 598 Views

    Thanks for your help, and sorry for the lack of info. The problem was with the STA server.
    Thanks again.

  • Can no longer set destination port for rule

    0 Votes · 4 Posts · 3k Views · Derelict

    Destination port for what kind of rule? Where? What's the exact circumstance?

  • Migrating from TMG 2010, understanding Rules

    0 Votes · 8 Posts · 1k Views

    In pfSense you may also have the firewall rules for incoming traffic created automatically by the NAT port forwarding rules. Take a look at the option "Filter rule association".

    If you allow traffic from an internal interface to the internet with destination "any", this also allows traffic to other interfaces, of course. If you don't want this you have to restrict the destination in your rule. E.g. you can set the invert check at destination and select LAN net to allow access to anywhere but LAN. If you need different subnets here, add an alias including all of them first and use this alias in the destination box.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.