• Are VLANS needed in the firewall setup if handled on a managed switch?

    0 Votes
    10 Posts
    2k Views
    @Derelict: Inherited a network and you're not a network guy, huh. Must not be very important to TPTB that their network actually work. Artecs, don't worry. You don't need to be a network guy to set up pfSense but it helps if you are willing to learn what you do need to know. VLANs are far easier to conceptualize if you understand why they exist. To expand on robi's comments… You have 5 LANs. In the old days, you would need 5 physical ethernet interfaces in your firewall to service them. VLANs enable you to collapse 5 physical networks into just 1 physical network so that only 1 physical interface is required to service them all. This cuts down on cabling and hardware and can make remote moves and changes much easier. VLANs do this by tagging packets with the label that you assigned to them so that they can be identified and separated later. If you have a physical cable plugged into a pfSense ethernet interface that is running one or more tagged VLANs, the other end of the cable should be plugged into a tagged port on a VLAN switch. It is usual to make this port a member of each VLAN that it is servicing. If you have a physical cable plugged into a pfSense ethernet interface that is not declared as a VLAN, the other end of the cable should be plugged into an UNtagged port on a VLAN switch. This port only needs to be a member of the one LAN that it services. Alternatively you could just use a regular Non-VLAN capable switch or even a hub! I hope this helps.
  • 2.2.3 Upgrade Lost Virtual IPs

    0 Votes
    13 Posts
    2k Views
    Did the 1st major upgrade on some of the heavier ones in production running about 20 VIPs and shitload of aliases and VLANs. No issues at all. Everything checked and running with no errors WSE. Very smooth.
  • FW-7541 Upgrade URLs

    0 Votes
    8 Posts
    1k Views
    stephenw10
    I have PM'd you an update URL that appears to work. I will get the default URL updated tomorrow for others. Steve
  • Is this Correct method to install pfsense

    0 Votes
    14 Posts
    2k Views
    @Abhishek: Wan Speed ? 5Mbps With a WAN speed of 5Mbps and a LAN speed of 1000Mbps there is going to be a lot of buffering either in hardware or in the protocol stack for packets that pass between these networks. A long, long time ago, when 10Mbps LAN speeds were common, Cisco routers had the equivalent processing power of a 16MHz Intel 386sx. It really doesn't need a powerful CPU to move packets in and out of a slow speed network. What will take CPU is packet inspection. An Intel E5800 with 2x 64-bit 3.2GHz cores and 800MHz bus will be idling most of the time running pfSense. Snort will give it more work to do but it will depend on the rules you select. This is a powerful machine for pfSense.
  • Upgrade to 2.2.3 with 46 days uptime

    0 Votes
    13 Posts
    3k Views
    stephenw10
    The previous issue of coming from 2.1.X with a different FreeBSD base version doesn't apply here. The reboot binary would run in 2.2.2 or 2.2.3. The only thing that might cause that would be coming from 32bit except that you say you didn't and also it wouldn't reboot manually without actually pressing the power button. We haven't seen any other reports of this yet in 2.2.3. Steve
  • MOVED: SquidGuard failed to start after upgrade to 2.2.3

    Locked
    0 Votes
    1 Posts
    375 Views
    No one has replied
  • 2.2.2 to 2.2.3 / Backup & Restored to New VM / All VLANs broken

    0 Votes
    2 Posts
    638 Views
    The "issue" is that restoring newer config on older versions is neither supported, nor suggested. You can take older configuration and restore it on newer versions which will be handled by the configuration upgrade code. Not the other way round.
  • Upgrade from 2.2.2 > 2.2.3 breaks HE.net tunnel; easy resolution

    0 Votes
    1 Posts
    495 Views
    No one has replied
  • 2.2.2 -> 2.2.3 disables "Enable NAT Reflection for 1:1 NAT"

    0 Votes
    3 Posts
    576 Views
    Don't know what to tell you. Before the upgrade, staff access to our webpage worked, after, it did not. When I checked the  "Enable NAT Reflection for 1:1 NAT", staff access was restored. I didn't touch anything except the upgrade button.
  • MOVED: squidguard kills squid on 2.2.3

    Locked
    0 Votes
    1 Posts
    527 Views
    No one has replied
  • Cannot upgrade - The digital signature on this image is invalid.

    0 Votes
    13 Posts
    2k Views
    Trying to upgrade a Netgate C2758 from 2.2 to 2.2.3 still says there's a digital image invalid error. This is from the repo at https://firmware.netgate.com/auto-update/full_install/amd64 I presume. As others have reported, disabling image sig checking doesn't help, either. Only workaround for me is to download it, then upload it back manually while ignoring the image check error. Just tried this 5 minutes ago and it's still complaining…
  • Beginner Guidance on How To Use pfSense

    0 Votes
    5 Posts
    6k Views
    Welcome on board; you will find here a great community in the true FreeBSD spirit, with some (many) extremely talented people (me excluded, as I have claimed myself the title of eternal noob on this forum) ;D People are nice over here, and always willing to help out. What often helps of course is if you provide clear questions, and clear information as to what you've done yourself, what errors you've seen, etcetera. I think I sort of missed your question to begin with; what is it you need help with? Can you formulate concrete, detailed, questions? As a suggestion: given church, I would set up a VLAN for your guests, and put some content filtering on it (Squid + Squidguard, or Dansguardian). So keep LAN for trusted computers, and VLAN for guests. Captive Portal seems typical for this setup too. On the firewall level, I would absolutely add BB's pfBlockerNG, a package you can't do without. Snort, or Suricata, comes to mind too of course (layered defense: pfBlockerNG blocks bad IPs based on reputation lists, Snort/Suricata examine content of packages and block when something bad is found). Depending on how many guests you will have on your network you will probably also like some traffic shaping, but although I have that in my setup, I have a limited number of clients in my networks which makes it easy to configure. You probably have many, and I am not sure how you could set this up efficiently, so perhaps people more knowledgeable in this area (remember, eternal noob is my title on this forum ;D ) can help you there.
  • Problem with the installation

    0 Votes
    1 Posts
    818 Views
    No one has replied
  • Upgrade 2.2.2 to 2.2.3

    0 Votes
    1 Posts
    539 Views
    No one has replied
  • Snort doesn't start after upgrade PFS 2.2.3

    0 Votes
    7 Posts
    1k Views
    ivor
    Hmm, no issues with Snort on my setup after updating to 2.2.3… but reinstall usually fixes issues.
  • Upgrade 2.2.2 > 2.2.3=Success

    0 Votes
    1 Posts
    449 Views
    No one has replied
  • Cannot upgrade, image is corrupt?

    0 Votes
    5 Posts
    825 Views
    Get a bigger card, really. Failing that, avoid installing any packages whatsoever.
  • 2.2.3 upgrade need help diagnosing IPv6 (solved)

    0 Votes
    2 Posts
    544 Views
    Affected workstations were rebooted to try to resolve this but failed to get addresses. Only after another pfSense reboot, and subsequent workstation reboots were they able to get addresses. Everything is working great now.
  • 2.2.3 nanobsd upgrade 100% successful

    0 Votes
    4 Posts
    798 Views
    Also confirming - All done through "auto-updater". Two Soekris 6501-50's on i386 v2.2.2 nanobsd to v2.2.3 upgraded successfully, with package reinstall all OK.  :) Two Soekris 6501-50's on i386 v2.1.5 nanobsd to v2.2.3 upgraded successfully, with package reinstall all OK.  :) Thanks for this update!
  • 2.2.2 -> 2.2.3 PPPoE broken (solved)

    0 Votes
    5 Posts
    953 Views
    @jimp: For what it's worth, I have PPPoE at home and upgraded yesterday while testing the release and there were no problems here. It linked back up immediately after boot. +1. IMO this is the old regressed HW specific issue that's been there ever since 2.2 and ever before 2.1.5.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.