Thank you very much I will have to attempt that this weekend. Unfortunately I cannot disconnect any network related things during any hours other than typical maintenance window of 2am-6am.

Given those symptoms I'd be more concerned about the hardware than anything. Or the filesystem integrity at least. Unless the disk is full or something cut off the write (e.g. failing disk/media), it wouldn't just stop writing the config partway.

@jahonix: You should download a copy of pfSense here:  https://www.pfsense.org/download/ What you got is a fork which is obviously not supported in here. Oh, I see. I followed the link from the old monowall website, so I landed in the wrong place. Ok, I will reinstall the version you mentioned. Many thanks.

In the GUI, visit System > Update, Update Settings tab, make sure the Stable branch is selected then click Save even if you did not make any changes. Then try it again. If it still fails, make sure the firewall has working DNS and connectivity from the shell (try to ping some Internet sites by name from a shell prompt)

You need to get more public IPv4 from your isp to handle traffic that is not able to be proxied. Or use ipv6..  Or just use the ports with your fqdn.. So tell your users to connect to your gameserver use ftbminecraft.sarentech.com:25565 All of these different names all just point to the single public IP you have if you can not use a reverse proxy that understands the fqdn your sending in the headers then yeah your going to have to tell pfsense to forward traffic based upon the dest port.

Yes, pfSense is a separate machine on the way in to your network. But you can run it as a VM along with other VMs on the same physical hardware, and have pfSense be the real front-end WAN and then talk to the other VMs in the back end (or out another ethernet or VLAN to more backend systems.

Is this still happening today? If so, first check the time/date on the firewall (and NTP). Is there a proxy or some other device in front of the firewall (your WAN is private, so there must be something there…) which could be interfering with SSL connections?

@ozia: I have a task to do precisely 2.3.2 on ZFS, how can I do this? Your task is not possible. The ZFS installation options were removed from 2.3 because they did not fully work properly, and we did not test or verify their functionality so manually configuring it has undefined, but potentially broken, behavior. We added them back in 2.4 because we switched to the same installer used by FreeBSD and it was stable there. Using ZFS on any version prior to 2.4 is not supported and is most likely going to not work or be unstable. If it was going to work, the procedure you followed was your best chance. Since that didn't work, you're out of luck.

Yeah, use the serial console with proper memstick image (not the VGA one).

@phil.davis: If the upstream device is in "router" mode (you have a private "local" subnet between pfSense WAN and the router) then by default the pfSense WAN will be monitoring the local address on the upstream device. That address will still respond, so pfSense thinks that the link is working, when actually just the cable from pfSense WAN to the upstream device is working. Edit the gateway on each WAN and choose an alternate monitor IP - something that pfSense should be able to ping upstream. e.g. some reliable fixed address at the ISP, or Google 8.8.8.8 8.8.4.4 etc that will indicate that the "internet" is available. Yeap monitoring ip is the key, now when i plug off the fiber cable from router it's switching to WAN-2 in 5 seconds, once more thanks phil :)

@phil.davis: Each single state ("thread" of download/upload) has to live on a single WAN. To the upstream server the packets back and forth have to come from/to the same WAN IP. So a single-threaded download can only run at the speed of the WAN which it gets allocated to. When the WANs are equal bandwidth, the strategy is to put each new connection onto the next WAN, spreading then umber of connections on each WAN equally. Statistically then the WANs should experience about equal load (e.g. if there are 50 "connections" on each then it is likely that the "connections" that are actually wanting lots of bandwidth will be spread between the WANs). If there are only a few connections, then maybe the ones that want bandwidth happen to have been mostly allocated to WAN1 and those that are more idle are on WAN2. In that case, bad luck, WAN1 will be saturated while WAN2 has free bandwidth. If there are significantly different bandwidths on each WAN then you need to put weights on the WANs in the gateway group (they are on the GUI), so that most connections get allocated to the WAN with more bandwidth. If you use a download manager that downloads bits of the file in parallel, then it will make multiple connections and those will (most likely) be spread around the WANs in the gateway group. So you could see total file download speed near the summ of the WAN speeds. Note: You did not mention doing anything with rules. You need to put a rule on LAN that will feed traffic destined for "the internet" into the gateway group. Without doing that, all your traffic will just go out the default gateway. @phil.davis thanks for explanation,now it's much more clear for me,you are right i forgot to mention about firewall setting,i did configure as you mentioned, with IDM downloads speed makes different (it uses two WAN at the same time). Thanks for your time.

@kpa: "Won't it be great when we can run everything virtual without any underlying hardware at all." ::)  ::)  ::) What is your hypervisor running on then? Cosmic energy?  ;D That's what I am hoping for one day, but without quantum fluctuations that will introduce random bit errors.

If this works OK in 2.3.3 it will probably work OK for any further 32bit releases which will probably also be based on 10.3. Steve

That sort of error is almost always a hardware problem. Though I would usually expect it to have random offsets. You might be OK with running a filesystem check from single user mode a few times, or reinstalling. But I wouldn't count on those working 100%. It isn't likely that a change in pfSense from the upgrade caused the problem necessarily. It might be that the amount of writes that happened during the upgrade brought out an existing problem in the disk. How long ago did you purchase that unit? Is it still under warranty? If so, or if you don't know for sure, contact us at support@netgate.com and we can look into it. If you know it's not under warranty, you have a couple options. If that unit was using the eMMC then you could add an M.2 disk and install to that instead. If it was using an M.2 disk already, you could replace it with a different M.2 disk, or remove the M.2 disk and install to eMMC.

@doktornotor: Seems like you need better hardware. It's the C2758 model, it sounds weird, is not it?