Looks to me like the router is detecting an outage and attempting to restart services to bring it backup.  Since dpinger is showing the latency I wouldn't suspect it to be one of the other services unless you are pegged at 100% utilization on the box (which you aren't).  +1 for piBa's suggestion to check the quality graphs.  I suspect you'll see latency and packet loss in there.  See if they correlate to anything in the traffic graphs.  In certain instances maxing out your upload can cause it as well if the gateway is too busy processing packets to respond to an arp command from the router.  I would suspect the cpu spikes are an effect of the outage and not the cause.  The graphs and logs will point to which is which.

Guys,

Please see my post here to disable vlan1.  It is on page#5

https://forum.pfsense.org/index.php?topic=123324.msg763557#msg763557

Intel CPU's don't start self-throttling until 100c and don't shutdown until 110c. I had a GPU that run at 105c-108c while gaming, I played about 6-12 hours of games per day, and I gave that card to my brother after using it for 6 years.

There are really only two things you want to keep cool in your computer. Your HDs and your memory. That being said, below 50c is pretty much safe for anything and above 70c typically means something is wrong with the cooling. If you can touch the component without burning yourself, it's fine.

@BlueKobold:

the box is providing internet via ipsec from another pfesnse box.

And all Internet traffic is going through the other box? And all DHCP and DNS entries must be
cached and for caching they must be stored too, perhaps on one end to less RAM available?

i used this guide to route internet to our main site, so only ipsec traffic is leaving the firewall that is crashing.

https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel

What part did you try and is not working?  So you did a packet capture on your wan and show the traffic getting there?

Love to help you but without more info impossible to even guess where the problem is.

"which turned out to have basic core switch capability"

Any switch could be your core to be honest.. It doesn't have to do routing, etc.  It could be a dumb switch.. The nutshell of the access, distribution, core is just a pyramid way of looking at how you fan out your network from the edge to the devices.

Such a layout as attached, be it all dumb switches could be seen as top switch as core, middle as distribution and bottom row as access.  With your devices connected to the access layer.

It for sure can get way more complicated than that, and normally there is stacks with redundant connections, etc.  If all you have is access switches directly connected to pfsense then pfsense becomes your combo core/distribution layer, etc.  Or you could look at it like you don't have the core or the distribution layer, etc.

access-dist-core.png
access-dist-core.png_thumb

Thank you bartkowski. I will look into these and see how I can accomplish what I need to do.

Thanks. I have tried that to no avail. I'll have to keep looking tomorrow and try to work out what has changed over the weekend.

Thank you for the info, but the problem is the same regardless of the browser used. Mozilla firefox or Internet explorer

@gelcom:

Thanks for the reply!

I believe it's easy to get SFP specs to match ONT's specs.

From an educational point of view how is it possible to configure pfSense to act like this (or any other) ONT?

As I mentioned, that ONT is very likely the demarcation point between you and the ISP.  It will have functions such as status monitoring, configuration and more that your ISP expects to be there.  You can't replicate that with pfSense or anything else.  It's part of the ISPs network and you just can't remove it.  Also, in many areas, regulations require a demark point, so you're not allowed to remove it.  In my work, I have set up many customers on fibre.  There was always a piece of equipment, owned by the carrier or ISP that was the demark.  There were even 2, where one carrier was providing service for another.  There might also be VLANs or MPLS involved.  That box is an essential part of your connection.  Don't remove it.

stuff on the same lan doesn't pass your router/firewall ….
if you put your nas on a different interface & run a reverse proxy, you could work around your "issue"

personally i'd just create a bookmark/favorite .... but thats just me

I am looking at the Qotom Q3554G4 or the SUPERMICRO MBD-X11SBA-LN4F-O to start with.

If you will be getting your hands on the Supermicro hardware, 2 points from me above that will be nice to know;

It is also able as a bare bone from Supermicro SuperServer E200-9B only RAM and mSATA must be installed. Long thread about the board, but worth the time reading it

My router has a WiFi and Guest WiFi. Can I use the Guest WiFi from the AP and have it isolated from my private internal network?

Three things must be given to realize that;

pfSense must support VLANs (by default) the WLAN AP must be supporting multi-SSIDs (more then one SSID) WLAN AP must be capable and supporting of Multi-VLANs too (more then one VLAN)

I am planning on connecting the AP to a switch.

the network switch must or should be supporting VLANs too

Modem –> pfSense --> Switch -- > AP (internal Wifi)
                                                          (Guest WiFi)

Set up two SSIDs likes private and guest Set up two VLANs on all devices, pfSense, switch and the WiFi AP put each SSID in its own VLAN in At the WiFi AP the VLANs must be set as tagged too due to the circumstance of using more then one VLAN there!

It works with PPPoE. 192.168.2.1 is Fiber Modem (Hub 3000) provided by ISP Bell. It connected to Bell's Fiber network via a SFP (ONT).

Seems to me that some core files like
/usr/local/lib/php/20131226/rrd.so
/usr/local/lib/php/20131226/curl.so
are missing or - worse - present but not in their 'good' state (due to disk errors ?).

Do a clean re install - and to be sure : test your disk.

@johnpoz:

You don't use dns internally? Wow??  That is just plain nuts…  Shoot even MS got on board with dns server back in the NT 3.51 Days.. mid 90's  So your over 20 years for sure...

Good luck with IPv6 without using names ;) hehehe

Ha! True story. Just in my own playpen, never even thought of it. Go ahead shame me into it, lol

It's a client-side problem, so there wouldn't be any difference on 2.4. Use IKEv2.