@stinkfly123 said in Dual WAN - Speed Test Different over WiFi than Ethernet:

@kevindd992002 thank you
I am using ookla speedtest (pretty standard)
yes connected to WiFi via AC (laptop web browser and iPhone App)
Local file transfer speeds are almost wire rate (900+ Mbps) on 1Gb links
Going to do some internal network troubleshooting

Thanks for your feedback, appreciate it

Right. When I say local file transfer though, I was pertaining to local file transfer speeds when using this wifi client. I'm sure that won't reach 900+ Mbps for Wifi so I'm curious as to what speeds your wifi client can reach when doing local file transfer from/to it.

Do you have a public port on the internet?

What services does your pfsense run?

So it was routing those pings to 1.1.1.1 through the wrong GW because of the "dns server" setting on "general setup" for that GW, after changing it to 1.0.0.1, I was able to use the default gateway while doing a ping for that IP from tier 2 GW, as expected.

I've wasted like 5 hours digging in this ...

@tomatonoheta said in Policy based routing disconnect rdp session but icmp is fine:

firewall rule option "state type" to sloppy,

Not a good fix, temp work around until you fix the asymmetrical

Your other thread blocked out the IPs.. Were those public? the private ones, which direction was that in - where is opt1 and lan in your drawing, etc. is FW another pfsense or something else? etc.

@kevindd992002 Traffic from one host ( PC ) to another ( router ) will only flow over one link.

Suggest you look at the LACP documentation:-

https://docs.netgate.com/pfsense/en/latest/interfaces/lagg.html

"Traffic is balanced between all ports on the LAG, however, for communication between two single hosts it will only use one single port at a time because the client will only talk to one MAC address at a time. For multiple connections through multiple devices, this limitation effectively becomes irrelevant. The limitation is also not relevant for failover."

"Using a LAGG does not necessarily guarantee full throughput equal to the sum of all interfaces. In particular, a single flow will not exceed the throughput of a LAGG member interface. Traffic on a LAGG is hashed in such a way that flows between two hosts, such as this firewall and an upstream gateway, would only use a single link since the flow is between a single MAC address on each side.

In networks where many hosts communicate with different MAC addresses, the usage can approach the sum of all interfaces in the LAGG."

Your previous test is irrelevant if you connected the gateway devices directly to the 2.5 and 1 Gbps prots on the client.

@stephenw10
Many thanks for the explanation Steve. I can’t tell you how relieved to hear that. I expect that this issue is covered in the pfS document somewhere, but I don’t recall seeing it.
Bruce.

@stephenw10

It does seem to work, something else was getting in the way.

I was doing my initial testing with ssh port 22, when that is set to WANGroup (instead of wan1,wan2,etc) it seems to want to go to the ssh server on the router.

Instead tested it with something else (that pfSense wouldn't have its own port listening) and that works okay.

This is on 2.5.x, it does not work on 2.4.x.

@t__2 said in Multi WAN Failover - DNS Queries and Open States Causing Traffic to Failover WAN:

Looking at this in more depth today. I turned on logging for that floating rule and then filtered the logs with the source IP of the Netgear modem. So what it looks like is happening is the Netgear modem is sending UDP packets to seemingly random IP's on port 53 (DNS) out our main WAN! I have no idea why that would even happen. Anyway I looked at the IP's and used whois to find out where they are going. Most of them are going to IP's owned by Microsoft. Some to Amazon. Others to other large US companies and others to foreign companies.
I also disabled the floating rule and did a packet capture on the higher traffic that happens. I can see it still doing DNS queries at large companies.

I recently hit the same issue on a brand new MR5200. putting on my tinfoil hat here, it's probably some tracking code in the firmware, what for or why, is anyone else's guess.

https://community.netgear.com/t5/Mobile-Routers-Hotspots-Modems/Netgear-Nighthawk-M5-MR5200-WAN-issue/m-p/2175323/highlight/true#M20286

@orangehand The parent interface is mvneta1; see step 6 in the instructions.

In addition to what mcury said the switch has 4 ports. When you're configuring the switch it's only dealing with those 4 ports not the others. See the picture for the 3100 in the upper right on this post, the 2100 is the same idea.

@daddygo Thank you for your answer.
The ISP box give mi a private IP LAN side and have a DHCP ranomly allocated public IP fiber wan side.
I will try to dig deeper in the Pfsense wan log to see if I can detect the problem

Another thing... I call it a Fiber Modem because it modulate between ELECTRICAL datas signal TO LIGHT datas signal, old phone line modem was modulating between electrical and sound datas.
But a the end, its a Fiber router also.

@fabiensch said in Gateway "dynamic":

It's curious that this "dynamic" gateway was created because my LAN interface is in static IP ... not DHCP or PPPoE

If you have a gateway you want to get to via your lan interface, this would be done via setting up the gateway, not by setting a gateway on the actual lan interface.

It is odd if your saying your lan is set as static..

Make sure the gateway is not actually set on your lan interface, this will cause pfsense to think your lan is actually a wan interface, etc.

If you have a router downstream of your lan, then create the gateway in routing / gateways - and then setup whatever routes you want to use that gateway with.

@jonthewise said in pfSense replacing a Cisco Router - not acting as expected:

It would seem most people that use pfSense either connect to a layer 1 network, or actually know something about networking (okay, I know a little bit, but mostly just enough to get myself into trouble LOL)

That should say layer2, but when I try to edit it's flagging my post as spam and won't let me save

@jcubillo
Replying to myself since a friend found this answer and might help somebody else in the future:

"""
You need to install the System Patches package: https://docs.netgate.com/pfsense/en/latest/development/system-patches.html
And apply Patch ID 7dbe76cd5756082cbd67db1b93acb606ad84996e

Then you need to reinstall the FRR package.
see https://redmine.pfsense.org/issues/11290#note-12
"""

This is from:
https://forum.netgate.com/topic/162722/frr-doesn-t-follow-carp-after-2-5-0-upgrade/8

I did exactly that and now Zebra follows the CARP VHID status.

@phurious those all look like out of state blocks.. they are all R or FA, etc. I don't see any Syn blocks.

If you renabled the firewall while it would be expected to see out of state traffic until the devices all recreate sessions with syn and new states are created.

@pille99
hello again.
what i completly forgot to mention. the external IP is bound to a MAC. so, the esx has the interfaces with MAC configured and working. as i have seen, the mac address can only be entered at the interface page.