• Problem with UDP attacks

    Locked
    0 Votes
    2 Posts
    1k Views
    jimp
    Try the changes mentioned here: http://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards
  • Turned ON Block Private Network, now i cannot connect to the pfsense

    Locked
    0 Votes
    3 Posts
    2k Views
    You're welcome ;D
  • Anyway to block ultrasurf?

    Locked
    0 Votes
    3 Posts
    3k Views
    @handanril: You can block under dns forwarding. I personally like to use opendns to restrict content. I checked ultrareach and with medium settings opendns blocked it as a proxy anonymizer. no, not the ultrareach.com website.  there is a program (http://ultrareach.com/download/u.zip) there you can download and run it in your computer.  it will bypass your firewall. try it. it is for windows only!
  • What is this? Should I be worried?

    Locked
    0 Votes
    8 Posts
    2k Views
    @dotdash: Yeah, it's getting blocked. A quick check with the all-knowing Google indicates that the traffic may be related to something called 'valve/steam'. It is some sort of mechanism those young steampunk kids use to play those online games. Try banning those under forty from your network and see if the traffic disappears. Hey now. I'm over forty and still play games ;)
  • Blocked Outbound ALIAS

    Locked
    0 Votes
    2 Posts
    1k Views
    It could be that you still have states open. Please reset your states and see if it starts blocking outgoing to those IPs.
  • Blocking inbound access to ports based on IP addresses

    Locked
    0 Votes
    3 Posts
    1k Views
    That worked like a champ!  I discovered I was on an ancient version of pfSense and once I upgraded, I found that all of the settings you specified were there.  Thank you again for your help!
  • Isolating / hiding IP addresses on LAN

    Locked
    0 Votes
    10 Posts
    7k Views
    It seems to me you are in a multi-tenant situation? In this case I would put each tenant in their own VLAN with their own network. This is "best practice" for many other reasons. Then I would set out a clear policy and establish an hourly rate for network services which includes fixing any mistakes or other issues beyond your control.
  • LAN Ip direct connection to the internet

    Locked
    0 Votes
    4 Posts
    2k Views
    sorry for the very late reply of my first post. the download issue just went away when i installed pfsense to a new hardware. also upgraded it from 1.2.3 to the latest version and it's working now. haven't rebooted it since last month.  ;D.
  • Customizing sshlockout

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • List of Rules File?

    Locked
    0 Votes
    3 Posts
    2k Views
    Another nice feature is to browse to http://x.x.x.x/status.php. Might give you more info than you wanted, but it's a quick and dirty way to get info on pretty much your entire system.
  • Remote Firewall States Drop

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Firewalling process multithreaded?

    Locked
    0 Votes
    9 Posts
    3k Views
    Seems like each core should give you about 1.5Gbit/s of throughput (excluding the ack throughput in the reverse direction). I'm not certain how the ratio of upstream vs downstream is like in real world testing (seems to be approximately 1:3.5 interrupt loading based on your top output) for your traffic but you aren't likely to see 20Gbps total since one side would choke first without jumbo frames.  Then there's the actual limits when it comes to processing the packets (as cmb mentioned, it's locked to one core). i.e.  4 cores are used for downstream NIC, 4 are used to handle the acks coming back on the other NIC.  Since the downstream >> acks, the downstream will saturate their 4 cores first whilst the 4 cores handling the ack side would idle at about 70%. Also, note that slices work based on per connection (TCP/ UDP).  A single connection cannot be sliced.  If you really wanted to test the limits, use more host/ clients and open more simultaneous connections. Try for an even mix (1 WAN to LAN for each LAN to WAN) so you get approximately equal amounts of upstream and downstream traffic.  That should allow for the best utilization (since there should be equal packet rates in both directions) of the available cores.
  • Transparent mode not working

    Locked
    0 Votes
    5 Posts
    3k Views
    Great to hear that. I have no clue about the tunables - just tried it and it works perfect for protecting webservers over 3 months at 1-2gb traffic per day now.
  • Slow internet when blocking https sites

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • HOW TO SET URL BLOCKING RULES BASED ON TIME SCHEDULE? NEED HELP BADLY!

    Locked
    0 Votes
    11 Posts
    9k Views
    @ gabpirate To use the Alias in the Firewall Rule go to: Destination -> Type Change to Single Host or Alias In the Address box, type in the name of the Alias (It should auto-complete).
  • [PPPoE] Packets sent from LAN to WAN..not coming back?

    Locked
    0 Votes
    3 Posts
    1k Views
    wow! I guess you just pin-pointed it… indeed: I just switched the WAN interface from "static" to "pppoe" and was happy to see it receiving an ISP IP. but then if I 'ifconfig' the whole stuff I can clearly see the WAN vr1 interface has no IP. this shall explain a routing root cause...? next question is how to fix this..
  • Rules: How do I efficiently describe this IP range in CIDR?

    Locked
    0 Votes
    4 Posts
    2k Views
    Or you can just create an alias, enter your range, and pfsense will do the work for you. Use that alias as the target in your rules.
  • Can pfsense do this all on one machine or not

    Locked
    0 Votes
    8 Posts
    2k Views
    johnpoz
    I am currently running my pfsense on an OLD P3 800mhz, with 512MB ram..  Have no issues with it at all, I vpn INTO it pretty much every day from work. Now if you're trying to setup a site to site sort of vpn, for say news or p2p download, etc.  Then yeah that might be a bit much, buddy on another board just set that up with the giganews vpn and he has a fairly new box dual cpu 1.8GHz I think and when he downloads through the vpn his cpu was at 50%, etc.  And that was at the 50Mbit connection, so I doubt an old p3 could really handle that sort of vpn.  But as road warrior server into your network it works great! I keep meaning to update the box to something somewhat current, but hey it keeps ticking!
  • Does pfsense fail if ips cannot be converted to names!

    Locked
    0 Votes
    6 Posts
    2k Views
    @dhatz - you are spot on. Every time a domain name cannot be resolved to an ip address everything fails. The host name stuff is a good idea but the numty big bank also seems to change the ip addresses without much warning - so I would still get some issues from time to time. The alias setup sounds like what I need to look at. I am also interested in having a WebGUI instead of command line so I can show someone else how to resolve this issue if it occurs. I have an old machine to test on so I will start looking at pfsense. Thank you for your replies.
  • Firewall Configuration with Squid and Email

    Locked
    0 Votes
    2 Posts
    2k Views
    @yasmania: How do I have to configure the Firewall, so that Thunderbird comes directly into the Internet with POP3 / SMTP / IMAP? [img]https://dl-web.dropbox.com/get/Bilder/FirewallRules.jpg?w=65683bfd[/img] I'm not sure I fully understand you. However, set squid to transparent mode, so that it will serve http/https/ftp automatically.  You will not use Squid for email services. Also, your image did not display, as it is a Dropbox link.  Just post the image as an attachment next time.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.