Subcategories

  • Discussions and feedback related to this forum

    610 Topics
    3k Posts
    G
    @stephenw10 This is my final note since it seems you will always look at this as an endpoint. It doesn't appear, it actually is, the facts are the facts. Still, moderators usually have a way to remove posts and ban single users, not just the entire herd, or at least the ones use. Perhaps those are more advanced, or perhaps Netgate forums lack that functionality. I never said Netgate took this issue lightly, I was just looking for some feedback. I have seen this process many times and from the looks of it, pfSense CE is very much in maintenance mode. Just because Netgate wants to be politically correct does not mean it is not. The facts are there and they are following the same path as others did. Again, this subject is just becoming redundant and it is affecting other users in the forum.
  • Community Hiring and For Hire postings related to jobs that require pfSense software skills

    29 Topics
    117 Posts
    w0wW
    @sef1414 Name it "run.sh", copy to pf and chmod according to the documentation: https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option You will see messages in the system log like those quoted in the script after logger command.
  • Ubuntu seeding and bufferbloat

    3
    0 Votes
    3 Posts
    2k Views
    H
    The default gateway target, which seems to be a DHCP server in my ISP. While I didn't wireshark it this time, I have done so in the past. What I saw was a bunch of dup packet responses getting sent from my WAN. WAN ingress was 100Mb/s and LAN egress was about 70Mb/s. PFSense seems to have filtered out the already acknowledged traffic and responded on behalf of my computer. When I did a trace route to these target IP addresses, while I was still downloading from them, I saw normal 2ms ping here, 10ms ping there, 20ms ping there, then right before it got to the seeder, 2,000+ ms pings. I sampled about 10 TCP connections that were causing all of those dup packet responses, and they all had the same large ping jump 1-2 hops away from reaching them, but otherwise good hop pings within their ISP's network. Just not the last 2. I do use HFSC and CoDel. My ISP does also have some unidentified AQM. All I know is without any shaping on my end, DSLReports says I get about 20-30ms of buffer bloat. With shaping on my end, I get bloat down to about 1ms. This is also reflected when I had a DOS volume attack tested against my connection. I had a service send 110Mb/s at my 100Mb connection and I saw about 10% loss and typically 30ms-40ms of latency. Even when pushed to 200Mb flood, still 30ms-40ms, but something like 50%+ loss. I forget exactly how much, but my connection was dead.
  • Fatal trap 1

    5
    0 Votes
    5 Posts
    2k Views
    C
    The several crash reports from the IP you sent me are all indicative of a hardware problem.
  • Throughput test N3150N-D3V

    4
    0 Votes
    4 Posts
    2k Views
    PippinP
    Made time to test OpenVPN too. These tests were done from client to PFS to client.

    OVPN-Server:
      Remote Access (SSL/TLS+User Auth)
      udp
      tun
      tls static key 2048
      Diffie Hellman 2048
      Certs 2048
      Encryption AES-256-CBC
      Auth digest SHA512
      prng RSA-SHA512 32
      fast-io
      tls-version-min 1.2 or-highest
      No hardware crypto selected
      No compression

    OVPN-Client export:
      dev tun
      persist-tun
      persist-key
      cipher AES-256-CBC
      auth SHA512
      tls-client
      client
      resolv-retry infinite
      remote 192.168.11.200 1194 udp
      lport 0
      verify-x509-name "OVPN-SERVER-CERT" name
      auth-user-pass
      ns-cert-type server
      comp-lzo no
      prng RSA-SHA512 32
      tls-version-min 1.2 or-highest

    Clients connect with:
      Control channel: TLSv1.2 DHE-RSA-AES256-GCM-SHA384 2048 bit RSA

    PFS:
      System/ Advanced/ Miscellaneous - Cryptographic Hardware -> None
      VPN/ OpenVPN/ Servers/ Edit - Inter-client communication -> Allowed

    Command: iperf3 -c 10.0.10.3 -t 30

    With above config:
      [ ID] Interval          Transfer    Bandwidth
      [  4]  0.00-30.01  sec  534 MBytes  149 Mbits/sec                  sender
      [  4]  0.00-30.01  sec  534 MBytes  149 Mbits/sec                  receiver

    Above + System/ Advanced/ Miscellaneous - Cryptographic Hardware -> AES-NI:
      [ ID] Interval          Transfer    Bandwidth
      [  4]  0.00-30.01  sec  530 MBytes  148 Mbits/sec                  sender
      [  4]  0.00-30.01  sec  530 MBytes  148 Mbits/sec                  receiver

    Above + OVPN-Server BSD cryptodev engine:
      [ ID] Interval          Transfer    Bandwidth
      [  4]  0.00-30.01  sec  523 MBytes  146 Mbits/sec                  sender
      [  4]  0.00-30.01  sec  523 MBytes  146 Mbits/sec                  receiver

    Above + add to client and server:
      sndbuf 524288
      rcvbuf 524288
    Which gave:
      [ ID] Interval          Transfer    Bandwidth
      [  4]  0.00-30.01  sec  538 MBytes  150 Mbits/sec                  sender
      [  4]  0.00-30.01  sec  538 MBytes  150 Mbits/sec                  receiver

    Above + no encryption:
      cipher none
      auth none
      [ ID] Interval          Transfer    Bandwidth
      [  4]  0.00-30.01  sec  967 MBytes  270 Mbits/sec                  sender
      [  4]  0.00-30.01  sec  967 MBytes  270 Mbits/sec                  receiver

    I think the results for encryption and no encryption speak for themselves. I don't need big speeds for my home use but if someone has an idea for why enabling/disabling engine makes no difference, I would like to read it. What is this setting doing? For what does it apply? System/ Advanced/ Miscellaneous - Cryptographic Hardware -> AES-NI. I did not test with that setting off and enabling only BSD crypto in OpenVPN Server, will do that next time.
  • How to figure out source of internet latency

    10
    0 Votes
    10 Posts
    3k Views
    K
    Run Ping Test. From the tools page, select Start, in the Ping Test (Real Time) box. This will advance you to a page indicating that all of the listed servers will be ping-ed twice per second and every thirty (30) seconds a report on your connection from A to F will be provided.
  • Can anyone help me pick a new switch?

    25
    0 Votes
    25 Posts
    6k Views
    F
    The Fastirons listed above have been replaced by the Fastiron FCX/SX series (maybe the ICX series as well, I'm more knowledgeable on their current carrier gear than I am edge switching), but expect $3,000 to $4,000 for base models and going up quickly from there. The stuff linked above for 30 bucks went for the same pricing when new years ago - if it makes you feel any better they're still actively updated, the firmware running on my GS was pushed out by brocade just a couple months ago
  • What's up with the "Community Edition" on the logo?

    Locked
    23
    0 Votes
    23 Posts
    7k Views
    C
    This has gotten way off topic and the politics has offended some, ending this thread here.
  • Backup pfSense via PHP + cURL

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Small fanless network device

    1
    0 Votes
    1 Posts
    716 Views
    No one has replied
  • 2.3 Firewall rules - I just noticed

    3
    0 Votes
    3 Posts
    1k Views
    D
    Now that's a handy little feature, especially when you go back to a box you've been messin' with to get the rules right. Makes it easy to find all those spurious rules that do nothing at all in the end. 2.3 is a hit in my books so far, the 12 or so systems I've upgraded so far have been all smooth. Kudos for an excellent release :D
  • PfSense Linux Port

    2
    0 Votes
    2 Posts
    1k Views
    H
    seems like a typo calling it a "linux router". but everything with a terminal is "linux" i guess
  • Looking for Linux System Admin that wants side work

    1
    0 Votes
    1 Posts
    672 Views
    No one has replied
  • Flash Fun

    1
    0 Votes
    1 Posts
    815 Views
    No one has replied
  • New Feature- Saving configuration temporary for sometime

    2
    0 Votes
    2 Posts
    933 Views
    P
    In pfSense terminology, you want to save the change (= update the config), press apply (for things that have an apply stage) to make it happen on the running system, then have another "confirm all is OK" button that you have to press within "x" minutes, otherwise the system reverts back to the previous config. That way you can wait a few minutes to see that you have not locked yourself out, and then press "confirm all is OK". If you get locked out then the system will revert back in a few minutes and (hopefully) you can get back in again. Mostly this sort of thing is great when you are messing with VPN settings on a remote box, using the VPN itself to make the changes.
  • Thank you for fixing bug #4387 international installer choices

    2
    0 Votes
    2 Posts
    879 Views
    C
    Thanks. It was one of those things that I saw and wondered "does anyone really care about this?" Glad to know someone does.  :)
  • New global mod in town - Not worth a message?

    10
    0 Votes
    10 Posts
    2k Views
    J
    Yes, Derelict is joining the team.  We only recruit the best. There is no need for Derelict to leave Vegas,  I was born and raised there, my father was born there, my grandfather moved there to work on Boulder/Hoover Dam.  My brother and mother are buried there.  My father, sister, aunt, nephews, nieces and cousins live in Vegas.  The Netgate warehouse was actually in Las Vegas for a couple years, not too far from where Derelict lives. In other words, al oeste Vegas es mi barrio. I threw down on the mod status because .. why not?  Dude works here (soon), he can be a force for even more good in the community.
  • OpenSSL and random numbers…

    1
    0 Votes
    1 Posts
    734 Views
    No one has replied
  • 2.3 upgraded flawlessly

    1
    0 Votes
    1 Posts
    781 Views
    No one has replied
  • Web Search Engines

    6
    0 Votes
    6 Posts
    1k Views
    K
    Forgot to add Yet!! :-)
  • PfSense Two-factor authentication

    21
    0 Votes
    21 Posts
    10k Views
    H
    development by copy-paste chaos Also known as full stackoverflow development.
  • Installation Newbee

    4
    0 Votes
    4 Posts
    1k Views
    P
    https://doc.pfsense.org/index.php/Installing_pfSense and lots of other docs at https://doc.pfsense.org/index.php/Main_Page
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.