• System util 50% CPU non stop

    0 Votes · 3 Posts · 439 Views

    @Harvy66:

    Looks like you enabled polling. Instead of an event based system that reacts when new packets come in, it spins at 100% CPU checking to see if any new packets came in.

    You rock :) Thanks.

  • Home use, use home server + vmware pfsense or buy sg-2220?

    0 Votes · 13 Posts · 1k Views · last post by stephenw10

    I would certainly expect it to. You will only get close to the limit of its abilities trying to fill the pipe with encrypted traffic. But even then, since OpenVPN is single threaded it can only use one core, leaving the other to do whatever else may be required.

    The D525 won't do that.

    Steve

  • Enabling Routing on Cisco 3750 with Virtual PFSense

    0 Votes · 8 Posts · 1k Views

    @pvr2002:

    I am in the process of familiarizing myself with the Cisco IOS and have a Cisco 3750 (with routing functionality).  Please see attachment for current working network setup.

    I am trying to enable IP routing on the 3750 and only route internet traffic through to the Virtual PFSense box.  I have successfully setup IP routing and ACLs to prevent vlans from talking on the switch.  However, I am running into issues determining how to get the switch to forward traffic onto the Virtual PFSense box.  I attempted to utilize RIP between the switch and PFSense, but was only able to get access from VLAN100 (even if shutting off all ACLs) to the PFSense VLAN100 Interface.  The other 3 VLANs did not communicate at all.  Can anyone provide any insight as to what may be the issue?

    Thanks in advance.

    1. Decide whether you want the Cisco switch to route between VLANs and send all traffic to pfSense through an interconnect network (pink in Derelict's diagram), or option (2) below.

    In case (1) you need to have the VLANs created on the L3 switch, assign ports to the VLANs, enable IP routing by configuring a routed port on the L3 switch, and add a static route on the L3 switch sending all traffic to the transit IP of pfSense. On pfSense you also need to add static routes to all your VLANs through the pfSense transit IP address (otherwise routing won't work). In this case you also have to configure a DHCP helper or server on each L3 interface, or use static IP addresses. Also configure outgoing rules on pfSense to allow the traffic. Don't use routing protocols unless you have multiple networks with multiple routers...

    2. Use the L3 switch as an L2 switch (similar to your drawing): create VLANs, assign ports to VLANs, create trunk ports on the L3 switch and on the vSwitch + pfSense, configure VLAN interfaces on pfSense as LAN or WAN (for WAN you also add the gateway IP address), enable DHCP on each interface, enable outgoing rules on each VLAN...

    If you have a small network I would recommend routing all traffic to the pfSense box (2), so you can also inspect inter-VLAN traffic if you wish (from a security perspective).

    Check this topic also : https://forum.pfsense.org/index.php?topic=57239.0

    you can dump  ...  show run conf

    BR,
    Adrian
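
    A worked configuration for both of the options in the reply above, added here as an example; it is not from the thread or its attachments. The VLAN numbers, addresses, port names and the DHCP server address are assumptions, and the pfSense side is described in comments because it is done in the web GUI. The security point of option (1) is visible in the ACL: inter-VLAN traffic never reaches pfSense, so the switch ACLs are the only control between VLANs.

    ```cisco
    ! Option (1): the 3750 routes between VLANs; pfSense sees one transit link.
    ! Assumed: VLAN 100/200/300/400 on 10.10/10.20/10.30/10.40.0.0/24,
    ! transit 10.0.0.0/30 (pfSense 10.0.0.1, switch 10.0.0.2),
    ! DHCP server 10.20.0.10 in the SERVERS VLAN.
    ip routing
    !
    vlan 100
     name USERS
    vlan 200
     name SERVERS
    vlan 300
     name GUEST
    vlan 400
     name MGMT
    !
    interface Vlan100
     ip address 10.10.0.1 255.255.255.0
     ip helper-address 10.20.0.10
    interface Vlan200
     ip address 10.20.0.1 255.255.255.0
    interface Vlan300
     ip address 10.30.0.1 255.255.255.0
     ip helper-address 10.20.0.10
     ip access-group GUEST-IN in
    interface Vlan400
     ip address 10.40.0.1 255.255.255.0
    !
    ! Routed port toward the vSwitch port group that carries pfSense's LAN
    interface GigabitEthernet1/0/1
     description transit to pfSense
     no switchport
     ip address 10.0.0.2 255.255.255.252
    !
    ! Everything not local goes to pfSense; no RIP needed for one exit
    ip route 0.0.0.0 0.0.0.0 10.0.0.1
    !
    ! Guests get DHCP (relayed), DNS from pfSense (assumed 10.0.0.1) and the
    ! Internet, and nothing else inside 10.0.0.0/8
    ip access-list extended GUEST-IN
     permit udp any any eq bootps
     permit udp any host 10.0.0.1 eq domain
     deny   ip any 10.0.0.0 0.255.255.255
     permit ip any any
    !
    ! pfSense side for option (1): LAN = 10.0.0.1/30; System > Routing:
    ! gateway 10.0.0.2 on LAN and static routes for 10.10.0.0/24,
    ! 10.20.0.0/24, 10.30.0.0/24, 10.40.0.0/24 via that gateway; LAN rules
    ! passing those source networks; check Firewall > NAT > Outbound
    ! covers them, otherwise add a mapping.
    !
    ! Option (2): the 3750 is a plain L2 switch; every VLAN is trunked to
    ! pfSense, which is the gateway for each VLAN and sees all traffic.
    no ip routing
    interface GigabitEthernet1/0/1
     description dot1q trunk to ESXi vSwitch (pfSense VLAN interfaces)
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport trunk allowed vlan 100,200,300,400
     switchport nonegotiate
    !
    ! pfSense side for option (2): Interfaces > Assignments > VLANs, tags
    ! 100-400 on the parent vNIC, each assigned as an interface with its
    ! gateway address and DHCP server; the vSwitch port group must pass
    ! tags through (VLAN ID 4095 on ESXi).
    ```

    With option (2) no static routes are needed on either side, which is why the reply recommends it for a small network: pfSense rules apply to inter-VLAN traffic as well, not only to traffic leaving for the Internet.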

  • WAN Connection Disconnecting

    0 Votes · 1 Post · 335 Views · No one has replied
  • Cisco environment with multiple VLANS and branch office VPNs

    0 Votes · 6 Posts · 603 Views · last post by Derelict

    Take your Cisco config line-by-line and recreate it on pfSense.

    There is no guide that you will find that will cover this situation. The problem description is not very well communicated. What is currently doing the tunnels? Why do you need to keep the Cisco in-place?

    Something like this:

    [attachment: pfSense-Layer-3-Switch.png]

  • PfSense + AT&T Gigapower (PACE 5268ac) - 802.1x bridge

    0 Votes · 9 Posts · 4k Views

    I know you can do bridging and mac address spoofing in pfSense, but I'm not sure about the packet redirection over the bridges.

    Please call AT&T support and ask which of their devices can be used with AT&T GIGAPOWER. It could be that only the Pace 5268AC you are using works, but with some luck you could also go with the Arris NVG599 from AT&T. If so, do it; this device still offers a so-called "IP passthrough mode", and then you will be able to place all of your own devices and firewall behind that mode or router. Link to that conversation: DSL-reports

    Question:
    But does ATT Gigapower allow authentication from a third party user owned router or does it have to go secondary to their own?
    Answer:
    You must use their router.  There is a kludged "IP Passthrough" mode to allow you to put your own router behind it though.

  • Time and NTP Settings Help

    0 Votes · 4 Posts · 991 Views

    OK, I kind of solved my problem.
    I had a firewall rule to only allow the NTP port to be open in my pfSense OpenVPN setup.
    I guess it couldn't communicate with the main router through the NTP port.
    I thought that if I pointed the NTP server of the pfSense firewall to the main router it would work. It didn't.
    Maybe I have to open a port somewhere for it to work?

    Anyway, I just removed that firewall rule and the pool.ntp.org servers now work.

  • No WAN connection after xfinity modem reset/power cycle

    0 Votes · 1 Post · 241 Views · No one has replied
  • Add more rule sets

    0 Votes · 4 Posts · 674 Views · last post by stephenw10

    Yes you could use an interface group, or maybe floating rules to do this. However you will still need to edit each rule on OPT1 and switch the interface to the group.

    You could potentially edit the config file to do that which would be faster but far more open to typos. The rule order might also be compromised. You would need to test that to be sure.

    Steve
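
    The config-file route that Steve describes is quick but invites exactly the typos and rule-order mistakes he warns about. The script below, an added example that is not pfSense code, does the rewrite mechanically and checks what a hand edit cannot: it refuses to run unless the target group exists and actually contains the old interface, it touches only per-interface rules (floating rules, which carry a comma-separated interface list, are left alone), and it verifies the rule order is unchanged before writing anything. It assumes the config.xml layout shown in the constructed sample (groups under `<ifgroups>/<ifgroupentry>` with `<ifname>` and a space-separated `<members>` list; a rule bound to a group names the group in `<interface>`); compare that against your own backup before trusting it.

    ```python
    """Re-bind pfSense firewall rules from one interface to an interface group.

    Added example, not pfSense project code. Assumed config.xml layout (check
    against your own backup): groups under <ifgroups>/<ifgroupentry> with
    <ifname> and space-separated <members>; per-interface rules under
    <filter>/<rule> with one name in <interface>; floating rules carry
    <floating>yes</floating> and a comma-separated <interface> list; a rule
    bound to a group names the group in <interface>.
    """
    import sys
    import xml.etree.ElementTree as ET

    # Constructed sample, not a real backup: two DMZ interfaces, a group with
    # both as members, two rules on opt1, one on lan and one floating rule.
    SAMPLE_CONFIG = """<?xml version="1.0"?>
    <pfsense>
      <interfaces>
        <lan><descr>LAN</descr></lan>
        <opt1><descr>DMZ1</descr></opt1>
        <opt2><descr>DMZ2</descr></opt2>
      </interfaces>
      <ifgroups>
        <ifgroupentry>
          <ifname>DMZS</ifname>
          <descr>Both DMZ segments</descr>
          <members>opt1 opt2</members>
        </ifgroupentry>
      </ifgroups>
      <filter>
        <rule><tracker>1001</tracker><type>pass</type><interface>opt1</interface><descr>DMZ1 web out</descr></rule>
        <rule><tracker>1002</tracker><type>block</type><interface>opt1</interface><descr>DMZ1 block RFC1918</descr></rule>
        <rule><tracker>1003</tracker><type>pass</type><interface>lan</interface><descr>LAN any</descr></rule>
        <rule><tracker>1004</tracker><type>pass</type><floating>yes</floating><interface>opt1,opt2</interface><descr>floating ICMP</descr></rule>
      </filter>
    </pfsense>
    """


    def group_members(root, group):
        """Member list of interface group `group`, or None if it is not defined."""
        for entry in root.iterfind("./ifgroups/ifgroupentry"):
            if (entry.findtext("ifname") or "") == group:
                return (entry.findtext("members") or "").split()
        return None


    def rule_bindings(xml_text):
        """[(tracker, interface)] for every <filter>/<rule>, in document order."""
        root = ET.fromstring(xml_text)
        return [(r.findtext("tracker"), r.findtext("interface"))
                for r in root.findall("./filter/rule")]


    def retarget_rules(xml_text, old_iface, group):
        """Return (new_xml, moved_trackers); raise instead of writing a rule set
        that points at a group pf would not know about."""
        root = ET.fromstring(xml_text)
        members = group_members(root, group)
        if members is None:
            raise ValueError(f"interface group {group!r} not defined in <ifgroups>")
        if old_iface not in members:
            raise ValueError(f"{old_iface!r} is not a member of group {group!r}")

        rules = root.findall("./filter/rule")
        order_before = [r.findtext("tracker") for r in rules]
        moved = []
        for rule in rules:
            iface = rule.find("interface")
            # Per-interface rules only: floating rules list several interfaces
            # and are evaluated differently, so they are left untouched.
            if rule.find("floating") is None and iface is not None and iface.text == old_iface:
                iface.text = group
                moved.append(rule.findtext("tracker"))
        order_after = [r.findtext("tracker") for r in root.findall("./filter/rule")]
        if order_before != order_after:
            raise RuntimeError("rule order changed during rewrite; aborting")
        new_xml = '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode") + "\n"
        return new_xml, moved


    def main(argv):
        if len(argv) != 4:
            print("usage: retarget_rules.py config.xml OLD_IFACE GROUP", file=sys.stderr)
            return 2
        with open(argv[1], encoding="utf-8") as fh:
            new_xml, moved = retarget_rules(fh.read(), argv[2], argv[3])
        with open(argv[1] + ".new", "w", encoding="utf-8") as fh:
            fh.write(new_xml)
        print(f"moved {len(moved)} rule(s) {moved} into group {argv[3]} -> {argv[1]}.new")
        return 0


    if __name__ == "__main__":
        sys.exit(main(sys.argv))
    ```

    Run it against a copy of a Diagnostics > Backup & Restore export and restore the `.new` file the same way rather than overwriting /conf/config.xml in place; pfSense keeps a parsed copy of the configuration in /tmp/config.cache, so an in-place edit is not picked up until that cache is removed. Check the result in Firewall > Rules on the group tab before relying on it.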

  • MOVED: Update issues.

    Locked · 0 Votes · 1 Post · 305 Views · No one has replied
  • Strange flashing symbols on screen/RAM parity error

    0 Votes · 2 Posts · 552 Views · last post by stephenw10

    Looks like a hardware failure, probably bad RAM given the message. Potentially some video card issue.

    Just booting with the DIMMs in proves nothing really. You need to run a few loops through memtest (I prefer 86+, http://www.memtest.org/) before you can be sure it's good.

    Steve

  • PfSense performance test

    0 Votes · 6 Posts · 5k Views · last post by stephenw10

    You need to run at least some actual throughput tests to determine if your indexing test is at all accurate I would say.

    The Xeon-D CPUs you tested both have turbo speeds of 2.5 and 2.6GHz.

    pf is somewhat multithreaded but OpenVPN is not. You are not testing the complete system though so you might hit some other restriction you're not aware of.

    Steve

  • Best Hardware for 1Gbps Link?

    0 Votes · 5 Posts · 2k Views

    pfBasic, there are not enough ways to say thank you; you just made my day. Thank you for taking the time to write every letter, I really appreciate you sharing your valuable time, knowledge and experience with the community.

    I have an AMD PC with an FX 8350, 8GB RAM and a GTS 450 sitting in the basement; I will start playing with it immediately to get my hands dirty with pfSense.

    I am waiting for a Ryzen 1920X to arrive, as I will use it 24/7 for VFX, and I hope to run pfSense at the same time on this rig through KVM.

    So here is what I am going to do:
    I will run two KVM guests, one with Win10 and the other with pfSense, and I will plug my WAN cable directly into the PC (dual Intel NIC) and bridge from the PC (pfSense) to the DD-WRT router to have dual-band wifi network access.
    Can I make the KVM Windows 10 guest use pfSense rather than my ISP WAN as its gateway (they are both running on the same machine)? Can this be done virtually, or do I need to add more NICs and a port link from the DD-WRT?

    Have a wonderful weekend

  • PPPoE Bridge not renewing

    0 Votes · 1 Post · 347 Views · No one has replied
  • Proxy or Vpn Surfing from another place

    0 Votes · 2 Posts · 306 Views · last post by KOM

    Get a VPN account from somewhere.  Configure OpenVPN to connect pfSense to it.  Use policy-based routing to route whatever traffic you want over the VPN link.  No idea how well this would work (if at all) in conjunction with squid.

  • Help understanding - Will this work

    0 Votes · 7 Posts · 1k Views

    @johnpoz:

    "But when i plug my laptop into the switch thats on OPT1 it doesnt give me a valid IP address."

    What does this have to do with vpn client connection on pfsense?

    Did you enable dhcp on your opt1 interface on pfsense?

    Hi, thank you for bearing with me on this.. I am learning :)

    I have followed this guide for OPT1
    https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/

    When i check system logs/gateways i get
    sendto error: 65

    I have OPT1 set up on a static IP as per that guide. I have also changed it to DHCP with no luck.

  • Administrative host for multi-site pfSense implementation

    0 Votes · 6 Posts · 572 Views

    Any suggestions for this configuration, and a secure administrative host would be greatly appreciated. Thanks.

    The pfSense team is, if I remember right, working on a solution like that, but I can't say much about the stage of that work and other things; there is not much information about it. If you want a fair answer, I personally would work at each site with Aten serial console switches; they have some interesting solutions and different models, for real serial, USB and LAN port console switches, so at each site all models can be connected to those KVM switches, and over VPN you will be able to connect to them to configure all your devices and pfSense on top. VPN might be secure enough to realize that.

  • Setting up firewall for public networks

    0 Votes · 25 Posts · 2k Views · last post by Derelict

    6. I've gone into firewall > NAT > outbound and set it to hybrid (as we still have an actual private LAN behind the PFSENSE which still needs NAT). I then created a mapping rule for interface WAN with source ANY destination 192.168.158.168/29 (network) and set the option to "Do not NAT" in the rule

    This is backwards. Should be:

    interface WAN with source Network 192.168.158.168/29 destination any and set the option to "Do not NAT" in the rule

    I assume the 192.168 is simply a place-holder for the actual, public IP addresses. You can avoid this confusion there by using 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24 in your examples where you want to use BS address space and want everyone to know you're really not talking about RFC1918 space. https://tools.ietf.org/html/rfc5735 (eta: oh already asked and answered. Not many people know about these example/documentation subnets so I'll leave it here).

  • Can't access HTTP sites

    0 Votes · 4 Posts · 694 Views

    Problem solved. The whole thing was about setting the ACL rules' "allow" or "deny" list. I set the rules and it's working now.

  • New setup

    0 Votes · 7 Posts · 963 Views

    Hi JohnPoz

    I reinstalled the PFsense and configured the servers as you outlined - success!

    Thank you for your help - I obviously changed something post set up.  Your outlining of the way it was to work has made the process much clearer - once again thank you for taking the time to help me.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.