• Internet works on the LAN but not broadcasted on switch

    2
    0 Votes
    2 Posts
    783 Views
    johnpozJ
    "through the L3 switch" So you have downstream networks from pfsense.. Does pfsense know how to get to those networks? Have you set up nat so pfsense nats those networks, do the firewall rules allow for those other networks. Normally when you have a downstream L3 switch doing routing you would connect that to your edge or wan router with a transit network. While you might have your downstream router pointing to pfsense as its default gateway, how does pfsense know how to get to those downstream networks?? You either need to create routes to them or run a routing protocol so pfsense learns how to get to them. This sort of setup can also lead to asynchronous routing issues depending on how everything is connected.. If for example you have a device in the 192.168.1.0/24 network using pfsense as gateway.. And he wants to talk to IP say in the 10 network, his gateway is pfsense, pfsense sends it to your L3 switch that routes it to the 10 hanging off it.. But when the 10 device talks back the L3 switch says oh I have that 192.168.1 directly connected and just sends the traffic direct to client on that network. So you have an asynchronous route - not good. This is why downstream is normally connected via a transit so you don't run into that problem. Why don't you post a diagram and your network and we can work out where your problem is..
  • False "gateway down" alarms in syslog

    9
    0 Votes
    9 Posts
    2k Views
    N
    Nice, I'll try it, thank you for the explanation. – Nicolas
  • Where to find PPPoE Password?

    4
    0 Votes
    4 Posts
    10k Views
    D
    @knebb: Anyways, despite of the pfSense doc telling the passwords are stored in cleartext for PPPoE they are not. I found the config.xml file, but there was only a password hash! So how does authentication for PPPoE work if the password is stored as hash? It's not a hash. It's base64-encoded because the config.xml will make kaboom when you put some special chars there. https://www.base64decode.org/
  • About DNS setting

    3
    0 Votes
    3 Posts
    736 Views
    S
    @ptt: Read/Search about "Host Overrides" https://doc.pfsense.org/index.php/Main_Page Thank you for your help
  • VIP Limitations?

    3
    0 Votes
    3 Posts
    742 Views
    DerelictD
    Hybrid outbound NAT is probably what you want. You can direct NAT to use any available public address of the proper type as the inside global (mapped) address based on any unmapped characteristics of the traffic (source, dest, etc).
  • Find a file in multiple directory and get modified date and time

    9
    0 Votes
    9 Posts
    1k Views
    Y
    It's ok man, sorry for this topic. Thanks for your help.
  • How to Read a Crash Report?

    4
    0 Votes
    4 Posts
    926 Views
    C
    That's all based on essentially just 2 lines there. ffs_clusteralloc at the beginning of the bt, and curthread being c-icap. Plus the entirety of the bt being the same functions on all 3.
  • Is there a way to identify the IP or source of internal LAN traffic?

    4
    0 Votes
    4 Posts
    865 Views
    M
    Thank you! Both excellent suggestions!
  • 0 Votes
    7 Posts
    1k Views
    M
    @BlueKobold: You could be trying out to enable the following; PowerD (hi adaptive) Is really urgent to get the power from the CPU that is just in the moment needed increasing the mbuf size step by step You might be having too little RAM inside to do so tuning for Broadcom NICs Could be a hit, but not a must be. Installing better NICs like Intel server grade network adapters Would be the best option here as I see it right. Tuning and Troubleshooting Network Cards "System->Advanced" "Use PowerD" enable hi adaptive I have already tried using Intel (Server) NIC and did not see any difference. For this reason, I'll leave tuning the Broadcoms until later. PowerD was not selected, but was already set at "hiadaptive". I presume checking this activates the daemon and requires a reboot? Edit: Random other information that makes me think this is not pfSense or (my) network related: Other media (amazon/Netflix) play fine, only Hulu is having the issue.
  • Error message in the logs after reboot

    1
    0 Votes
    1 Posts
    412 Views
    No one has replied
  • Lan Interface Stop responding and firewall need to be reboot

    12
    0 Votes
    12 Posts
    3k Views
    M
    Hi, I also had an equal problem, but only with a slow, sometimes broken connection to the pfSense WebGUI from LAN. Suricata showed me ACK mismatch and other crazy things. My problem was a flapping WAN port. Setting it to 1GbitFD fixed on card and switch also solved my problem. Maybe a bad cable, but now it runs… Regards, max
  • Feature Request - PCC

    4
    0 Votes
    4 Posts
    1k Views
    jimpJ
    That's what "sticky" is supposed to do. But all of that is handled by pf, which comes from FreeBSD/OpenBSD – That sort of feature would need to be added there first and then make its way into pfSense.
  • NAT - 1:1 - or VIP's or….what?

    7
    0 Votes
    7 Posts
    2k Views
    F
    Thanks stsowen683, good useful info! I'll look into that.
  • Occasional crash reports on 2.2.2 & Upgrading Question

    8
    0 Votes
    8 Posts
    1k Views
    T
    I am currently on 2.2.4, will plan an upgrade window to get to 2.2.5 and see if it persists.
  • PfSense working, but all logins fail

    1
    0 Votes
    1 Posts
    516 Views
    No one has replied
  • What features make pfsense a firewall?

    15
    0 Votes
    15 Posts
    3k Views
    ?
    but can you people please explain what are the features in pfsense that we can call this a Firewall, Firewalls are filtering traffic by using rules or rule sets, in pfSense this job is done by the packet filter pf. as I think pfsense have only squid in it? And ClamAV as an AV, Snort or Suricata as an IDS/IPS, but these are only features, options and functions that came by default or over a packet system inside of pfSense. There are also on top many different variants of firewalls available on the market and they all will differ from one another by using different techniques and functions. One of them would be the "NG-Firewall" that is working also application based. Please elaborate. A router is routing packets from one to another or more networks, a firewall is inspecting packets to separate packets from one to another or more networks and because that a firewall is also capable to route packets make them not automatically being in the same area or on the same stage of devices.
  • 0 Votes
    3 Posts
    1k Views
    jimpJ
    Backtraces all seem to be memory operations. Could be running out of RAM, could have flaky RAM, etc.
  • Revisit to lost admin password

    12
    0 Votes
    12 Posts
    3k Views
    T
    Definitely!
  • DNS load balancer needs different firewall rule than HTTP load balancer?

    2
    0 Votes
    2 Posts
    535 Views
    jimpJ
    Because it is handled in relayd as a proxy and not as a NAT relay as the other modes do. You'll also notice that all queries appear to originate from the firewall when using it for DNS.
  • Building my own Router with NAS capabilities

    5
    0 Votes
    5 Posts
    2k Views
    johnpozJ
    ~$1k is a pretty nice budget.. You could buy an actual pfsense box from pfsense and prebuilt nas with that.. Why does it need to be 1 piece of hardware? As you stated you're going to have a RACK.. What is the point of a rack if you're only going to have 1 thing on it? How much storage do you need/want? But sure that would buy a pretty decent VM host, and then use whatever hypervisor you want, esxi, hyper-v, xen.. If you are really thinking of getting away from off the shelf user grade stuff then really should do some research on virtualization..
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.