Amazing how culture can affect business, but it's hard to tell since we're all submersed in culture.

That or cygwin, msys, etc…

The windows command prompt "terminal" itself sucks most though. Cygwin with mintty is much, much, much better to deal with than a standard cmd.exe window that has better commands...

Do you know this thread? I'll just leave this here (Hint: it's ARM)

Netgear was launching at the CeBit 2016 their first 802.3bz or NBase-T Switch, called M4200 series
and later this year Q2 or Q3 they are going to launch the WLAN AP named WNDAP740 that is coming
also together with this NBase-T ports. Would be nice to get better wireless ac performance.
Core Switch for routing:
M7300 + Layer3 license - Bigger Core Switch
fully Layer3 routing static or dynamic (RIP,OSPF,VRRP,ECMP,ProxyARP,Multinetting)
M4300 - smaller Core Switch
fully Layer3 routing static or dynamic (VRRP,HRSP, RIP, OSPF, PIM, PBR)
NBase-T:
M4200 Layer2+, NBase-T Switch for Wave2 11ac wireless access points
8 x 2,5 GBit/s PoE+ Ports
2 x 5,0 GBit/s (Combo Ports 2,5 GBit/s or 5,0 GBit/s)
2 x SFP+ 10 GBit/s Slots

@Harvy66:

There are a few possibilities that can explain what you saw

University was doing something similar to pfBlockerNG v2.0

In order to block ads by inspecting the traffic, you have to man in the middle HTTPS. This may be the lesser of evils in some cases, but it is something very important to think about.

Just as a note, pfBlockerNG, is not really MITM for HTTPS. It would be more DNS sinkholing then anything. MITM is evil, and should never be done for content filtering… :)

The default gateway target, which seems to be a DHCP server in my ISP

While I didn't wireshark it this time, I have done so in the past. What I saw was a bunch of dup packet responses getting sent from my WAN. WAN ingress was 100Mb/s and LAN egress was about 70Mb/s. PFSense seems to have filtered out the already acknowledged traffic and responded on behalf of my computer. When I did a trace route to these target IP addresses, while I was still downloading from them, I saw normal 2ms ping here, 10ms ping there, 20ms ping there, then right before it got to the seeder, 2,000+ ms pings. I samples about 10 TCP connections that were causing all of those dup packet responses, and they all had the same large ping jump 1-2 hops away from reaching them, but otherwise good hop pings within their ISP's network. Just not the last 2.

I do use HFSC and CoDel

My ISP does also have some unidentified AQM. All I know is without any shaping on my end, DSLReports says I get about 20-30ms of buffer bloat. With shaping on my end, I get bloat down to about 1ms. This is also reflected when I had a DOS volume attack tested against my connection. I had a service send 110Mb/s at my 100Mb connection and I saw about 10% loss and typically 30ms-40ms of latency. Even when pushed to 200Mb flood, still 30ms-40ms, but something like 50%+ loss. I forget exactly how much, but my connection was dead.

The several crash reports from the IP you sent me are all indicative of a hardware problem.

Made time to test OpenVPN too.
These tests where done from client to PFS to client.

OVPN-Server:
Remote Access (SSL/TLS+User Auth)
udp
tun
tls static key 2048
Diffie Hellman 2048
Certs 2048
Encryption AES-256-CBC
Auth digest SHA512
prng RSA-SHA512 32
fast-io
tls-version-min 1.2 or-highest
No hardware crypto selected
No compression

OVPN-Client export:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote 192.168.11.200 1194 udp
lport 0
verify-x509-name "OVPN-SERVER-CERT" name
auth-user-pass
ns-cert-type server
comp-lzo no
prng RSA-SHA512 32
tls-version-min 1.2 or-highest

Clients connect with:
Control channel: TLSv1.2 DHE-RSA-AES256-GCM-SHA384 2048 bit RSA

PFS:
System/ Advanced/ Miscellaneous - Cryptographic Hardware -> None
VPN/ OpenVPN/ Servers/ Edit - Inter-client communication -> Allowed

Command
:iperf3 -c 10.0.10.3 -t 30

With above config:
[ ID] Interval          Transfer    Bandwidth
[  4]  0.00-30.01  sec  534 MBytes  149 Mbits/sec                  sender
[  4]  0.00-30.01  sec  534 MBytes  149 Mbits/sec                  receiver

Above + System/ Advanced/ Miscellaneous - Cryptographic Hardware -> AES-NI:
[ ID] Interval          Transfer    Bandwidth
[  4]  0.00-30.01  sec  530 MBytes  148 Mbits/sec                  sender
[  4]  0.00-30.01  sec  530 MBytes  148 Mbits/sec                  receiver

Above + OVPN-Server BSD cryptodev engine:
[ ID] Interval          Transfer    Bandwidth
[  4]  0.00-30.01  sec  523 MBytes  146 Mbits/sec                  sender
[  4]  0.00-30.01  sec  523 MBytes  146 Mbits/sec                  receiver

Above + add to client and server:
sndbuf 524288
rcvbuf 524288
Which gave:
[ ID] Interval          Transfer    Bandwidth
[  4]  0.00-30.01  sec  538 MBytes  150 Mbits/sec                  sender
[  4]  0.00-30.01  sec  538 MBytes  150 Mbits/sec                  receiver

Above + no encryption
cipher none
auth none
[ ID] Interval          Transfer    Bandwidth
[  4]  0.00-30.01  sec  967 MBytes  270 Mbits/sec                  sender
[  4]  0.00-30.01  sec  967 MBytes  270 Mbits/sec                  receiver

I think the results for encryption and no encryption speak for themself.

I don`t need big speeds for my home use but if someone has a idea for why enabling/disabling engine makes no difference, i would like to read it.

What is this setting doing? For what does it apply?
System/ Advanced/ Miscellaneous - Cryptographic Hardware -> AES-NI
I did not test with that setting off and enabling only BSD crypto in OpenVPN Server, will do that next time.

Run Ping Test. From the tools page, select Start, in the Ping Test (Real Time) box. This will advance you to a page indicating that all of the listed servers will be ping-ed twice per second and every thirty (30) seconds a report on your connection from A to F will be provided.

The Fastirons listed above have been replaced by the Fastiron FCX/SX series (maybe the ICX series as well, I'm more knowledgeable on their current carrier gear than I am edge switching), but expect $3,000 to $4,000 for base models and going up quickly from there. The stuff linked above for 30 bucks went for the same pricing when new years ago - if it makes you feel any better they're still actively updated, the firmware running on my GS was pushed out by brocade just a couple months ago

Now that's a handy little feature, especially when you go back to a box you've  been messin' with to get the rules right.

Makes it easy to find all those spurious rules that do nothing at all in the end.

2.3 is a hit in my books so far, the 12 or so systems I've upgraded so far have been all smooth.

Kudos for an excellent release  :D

seems like a typo calling it a "linux router". but everything with a terminal is "linux" i guess

In pfSense terminology, you want to save the change (= update the config), press apply (for things that have an apply stage) to make it happen on the running system, then have another "confirm all is OK" button that you have to press within "x" minutes, otherwise the system reverts back to the previous config.

That way you can wait a few minutes to see that you have not locked yourself out, and then press "confirm all is OK". If you get locked out then the system will revert back in a few minutes and (hopefully) you can get back in again.

Mostly this sort of thing is great when you are messing with VPN settings on a remote box, using the VPN itself to make the changes.

Thanks. It was one of those things that I saw and wondered "does anyone really care about this?" Glad to know someone does.  :)