For AWS, you need 80 and 443 to firmware.netgate.com only.

Well one thing that comes to mind, is a failover setup (carp)? That would take away lots of your worries, and as it is already a vm the added cost is minimal. Maybe one caveat; Not sure though on the "MAC given by our provider" thing? I seem to remember there was some limitation of spoofing a MAC for a CARP IP… that would be worth a question or search in the CARP forum.

that my wlan card might be supported in the near future… Well known working wireless cards for pfSense If this card will be a someday supported or the plain WiFi ac support was added you might be trying out your card, but until this is not given you can only hope or change your card against another one that is working well.

Worked like a charm! Thank you!!!!!

@martylavender: The two default rules pfSense creates are the only rules under Firewall > Rules Out of interest, what rules are these exactly? In PFS version 2.3.x, the LAN side should have three default rules (One anti-lockout and two LAN-2-any rules for IPv4 and IPv6). The WAN side is what has two default rules. Could you have mistakenly set your WAN interface internally? That might account for the blocks you're seeing in the logs.

This worked for me: http://blog.stefcho.eu/upgrade-from-pfsense-2-1-5-to-2-2-on-hyper-v/

So your not understanding the difference between a host override and a register dhcp static it seems. I do but i wrote it in a bad way, my bad. Let me try to explain it better: DNS-Forwarder -> Enabled nothing more, no DHCP mapping, no host overrides nothing. Now -> DNS-Resolver -> Enabled + -> Static DHCP Register enabled All static mappings won't get resolved now because there is only this in the /var/unbound/host_entries.conf file local-zone: "localdomain" transparent local-data-ptr: "127.0.0.1 localhost" local-data: "localhost A 127.0.0.1" local-data: "localhost.localdomain A 127.0.0.1" local-data-ptr: "::1 localhost" local-data: "localhost AAAA ::1" local-data: "localhost.localdomain AAAA ::1" local-data-ptr: "... FW.localdomain" local-data: "FW.localdomain A ..." local-data: "FW A ..." Which reprents the settings in the DNS-Forwader. It does not matter if I enable the DHCP static mapping at unbound or not, because it won't put it in this file. But when I enable the DHCP static mapping at the !DNS-forwarder! every static mapping is showing in /var/unbound/host_entries.conf Hope I could explain it in a better way, maybe you can reproduce this issue with a testmachine.

Thanks JorgeOliveira for that link – I had seen it, after the fact of course! When I installed 2.2.6 AMD64 from iso I then brought in my full config backup file. I think it's unlikely I would have 'hard coded' any particular update path into my settings, I probably had it set to just install stable updates. I think that is a pretty odd situation to end up in ... running any auto-update on a 64 bit system and ending up with a 32 bit system and I think there should have been some means of preventing that or at least warning about it. In any case, I backed up my config file again, did a clean install of 2.3.1 from the amd64 full install iso, reloaded my config file, and my system is working again. Sadly, it seems my RRD data was lost. It is working again, creating new data, but I can't go back to see old data. Does anyone know how that works? I was looking in /var/db/rrd/ and my files are not too small, like: -rw-r--r--  1 nobody  wheel  144K May 30 18:19 WAN_DHCP-quality.rrd -rw-r--r--  1 nobody  wheel  384K May 30 18:19 ipsec-packets.rrd -rw-r--r--  1 nobody  wheel  384K May 30 18:19 ipsec-traffic.rrd -rw-r--r--  1 nobody  wheel  384K May 30 18:19 lan-packets.rrd -rw-r--r--  1 nobody  wheel  288K May 30 18:19 lan-queuedrops.rrd -rw-r--r--  1 nobody  wheel  288K May 30 18:19 lan-queues.rrd -rw-r--r--  1 nobody  wheel  384K May 30 18:19 lan-traffic.rrd -rw-r--r--  1 nobody  wheel  384K May 30 18:19 ovpns1-packets.rrd -rw-r--r--  1 nobody  wheel  384K May 30 18:19 ovpns1-traffic.rrd -rw-r--r--  1 nobody  wheel    49K May 30 18:19 ovpns1-vpnusers.rrd -rw-r--r--  1 nobody  wheel  575K May 30 18:19 system-mbuf.rrd -rw-r--r--  1 nobody  wheel  718K May 30 18:19 system-memory.rrd -rw-r--r--  1 nobody  wheel  240K May 30 18:19 system-processor.rrd -rw-r--r--  1 nobody  wheel  240K May 30 18:19 system-states.rrd -rw-r--r--  1 root    wheel  8.7K May 30 18:13 updaterrd.sh -rw-r--r--  1 nobody  wheel  384K May 30 18:19 wan-packets.rrd -rw-r--r--  1 nobody  wheel  240K May 30 18:19 wan-queuedrops.rrd -rw-r--r--  1 nobody  wheel  240K May 30 18:19 wan-queues.rrd -rw-r--r--  1 nobody  wheel  384K May 30 18:19 wan-traffic.rrd Is that the size of 'blank' rrd data? Was the data 'poisoned' by running the 32 bit OS briefly? I'm not sure I ever did a backup that contained the full RRD data, my XML backups are usually 150k or so. Thanks.

Perhaps one of you bright lads might like to start committing code instead of taking the piss. ::)

Turned out it was my Logitech M100 mouse. Unplugged it and the problem vanished. Now my only problem is connecting to any servers through the WAN network.

After many hours and a sleepless night, here the result! It works. After i flash the APU1D4 with the latest firmware, i was able to install and configure the pfSense in Version 2.3. Here my result after the upgreade to 2.3.1 Updating pfSense-core repository catalogue… pfSense-core repository is up-to-date. Updating pfSense repository catalogue... pfSense repository is up-to-date. All repositories are up-to-date. It works! You have to check the latest firmware and use the 2.3 IMG file for the initial installation. Howether why?! Dont know why the 2.3.1 installation file doesn´t work. Regards Markus

Thanks to tree-cutting duties bestowed upon me, I literally have had no energy to tamper with the pfSense box or the clients using them for a bit. Found some time tonight/early morning to see if this has worked. It seems it has! Seems being the important word. I was meaning to set up Hyper-V on my Workstation with a fresh copy of Windows 10 running as a simple sandbox for things. I took this opportunity to set it up fresh and see if the network tampering had done it. The VM was allowed to obtain its IP and DNS server via DHCP - I didn't intervene to change settings at all. Implementing your (Phil's) suggestion with regard to sticking in a single static DHCP entry and then trying to access everything from the new VM showed me that everything was working. I could access \StorageS1 and \ExchangeServer as is (no need for the example.co.uk domain suffix to be appended) and using ipconfig was showing that a Connection-specific DNS suffix of example.co.uk was being sent out to machines. Changing the IP of the JetDirect print server from 192.168.1.202 to 192.168.1.217 and accessing it straight away from the new VM using its hostname (http://HP_JetDirect - creative hostname, I am aware(!)) allowed it to resolve correctly to 192.168.1.217 whilst the workstation (which is host to the VM) was unable to resolve it after a ipconfig /flushdns command. The reason I said 'seems' earlier? It's the pessimist in me - I thought that it may have been owing to the way Hyper-V dealt with name resolution and (possibly) pulling it from the host's built up DNS cache. Seems not, though. However, since on the workstation, I have the DNS suffix manually appended, it introduces another variable into the test. We shall see. To be absolutely sure, I may find a spare NIC, shove it in the machine and have the VM use its own dedicated network port rather than share with the host, or use a machine with a fresh install of Windows. Alas, not a job for 1:30am so thats pushed to tomorrows agenda.

Config should be in /cf/conf/config.xml afaik. In  /cf/conf/backup are all the old versions. Hope you can save some of it.

@Snailkhan: bump .. what about 2.3 and the little updates that always show up in update check ? can we just initate update and close browsers ? yes

Thanks, I'll give this a go.

Exactly, - Choice is a good thing tho - A fully authenticated session via the modem as on DOCSIS is useful - unpiug the router plug in something else - and if you've ever had problems with Comcast connections you'll appreciate this ability. I just find it very odd that for the UK and UK alone your product gets downgraded without your consent. And, on pf 2.3.1. there was no PPPoE/A working so if you have a UK V130 re-flash to earlier FW and it will connect. I bought what I believed was single port modem with built in authentication. It has many uses - router goes tits up an you've still got a connection - router goes tits up with dumb modem and your screwed till you fix or replace it Anyways, some my find the info useful

Now I suceed. After give it another try, I could update and my tunnels are still working. I had to edit and save them new to get them online.

still have the same Problem. Fresh Install on APU1D4 Board