> Yes - I'm pretty sure you're hitting the maximum of ~4000 state table
> entries. That's the default value for ipfilter, and can unfortunately
> not be changed without recompiling the kernel.
> Since m0n0wall wasn't initially meant for high volume setups like
> yours, the state/NAT hash table sizes and maximums were just left at
Just want to chime in -
I know this wasn't m0n0's original purpose, but its inclusion of
VLAN support makes it _very_ attractive for the ISP managed
firewall environment. Not many commercial firewalls support
an unlimited number of vlans - and they are pricey.
The other thing m0n0 would need (if I'm understanding the
rulesets right) is having an outbound firewall rule for
'WAN' instead of 'ANY' (ie - to allow isolation between
different OPT interfaces). I would love to see this in the
next beta as it would have other benefits as well.
Fail-over/HA would be nice too ;)
Thanks
-josh