• 502 Bad Gateway

    2
    0 Votes
    2 Posts
    547 Views
    NollipfSenseN
    @dzmnetworks Swap a known good working cable and see whether you get the same response. Be sure to reboot the modem when you swap cable.
  • Lost access to web portal

    3
    0 Votes
    3 Posts
    413 Views
    stephenw10S
    Yes, or roll back that last config change. https://docs.netgate.com/pfsense/en/latest/config/console-menu.html#restore-recent-configuration Steve
  • Using pfSense with another Router just for OpenVPN Load Balancing

    2
    0 Votes
    2 Posts
    309 Views
    stephenw10S
    Yeah, you don't need any sort of bridge there. The pfSense router will connect out as an OpenVPN client to remote servers without needing anything special. Steve
  • DC Cluster for LDAP Authentication?

    4
    0 Votes
    4 Posts
    575 Views
    S
    @stephenw10 Good advice. I just used my generated pfsense LDAP CA to issue another cert for the second DC and imported the CA cert and generated server cert into the certificate store on that domain controller. Totally forgot you could choose more than one auth server in the OpenVPN server config. Thanks for reminding me!
  • Using pfSense as the gateway for Bell Fibe bonded DSL

    23
    1 Votes
    23 Posts
    5k Views
    J
    @claferriere No, I didn't have to spoof the HH3K MAC address for the internet to work. I tried it using the real MAC and the HH3K MAC and was able to get internet access in both cases.
  • pfSense / StrongVPN / OpenVPN Oddity

    6
    0 Votes
    6 Posts
    639 Views
    A
    Thanks everyone for your suggestions. I haven't had much opportunity yet to dig into this, but will be this weekend. As a first step, I'm going to try moving the WAN connection from an output on the router to the output from the cable modem. Then, I'm going to connect my laptop to the LAN port, and confirm that I can log onto the local web portal. I'll check out DNS settings and attempt to access external sites. If that works, then I'll swap the LAN connection over to the input on the router, and see what happens. :-)
  • Crash Report

    2
    0 Votes
    2 Posts
    337 Views
    stephenw10S
    That is usually some page that tried to display more data than php allows. So if you tried to run something in Diag > Command Prompt with a very large output for example. It's not a system crash. Steve
  • Download at full speed then got packet loss

    23
    0 Votes
    23 Posts
    2k Views
    stephenw10S
    @andyrh said in Download at full speed then got packet loss: why is the general theme that the HW pfSense is running on is the problem and not the ISP with what looks to be a full link? It isn't, not here at least. As I said there I would expect that CPU to pass 300Mbps with ease and the output from top showed that to be true. I would always expect to see some increase in latency when you use more WAN bandwidth but not packet loss as we're seeing here. I would not expect to see either when loading the CPU with traffic between other interfaces. Unless you are maxing at least one core completely. Steve
  • Do not switch back to primary WAN immediately

    5
    0 Votes
    5 Posts
    602 Views
    stephenw10S
    If you only have two gateways (no internal gateways) you can set the default to 'auto' there. The system will fail over to the second WAN if the first goes down but will not switch back unless the second goes down. But yeah, you can just set the second WAN as the default manually there. Steve
  • ARP moved in log

    4
    0 Votes
    4 Posts
    522 Views
    stephenw10S
    It could be two things statically set with the same IP. That's unlikely when either of them is a phone though. Rogue dhcp server is what I'd look at. If you have access to an affected device you can check what it's using as its gateway. Steve
  • softflowd with PRTG (issue) or EventSentry

    1
    0 Votes
    1 Posts
    406 Views
    No one has replied
  • LACP not working

    113
    0 Votes
    113 Posts
    32k Views
    C
    @stephenw10 said in LACP not working: You may well have to re-deploy it on the switches to have it use the new settings. I can only make an educated guess at this point. What exactly did you do before then when you said that was fixed? And what was it that was fixed? Steve
    I have deleted and created the LAG over. but long time but it still blocking it.
    lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=800008<VLAN_MTU>
        ether e8:39:35:11:fa:ab
        inet6 fe80::ea39:35ff:fe11:faab%lagg0 prefixlen 64 scopeid 0xb
        inet 192.168.77.1 netmask 0xffffff00 broadcast 192.168.77.255
        laggproto lacp lagghash l2,l3,l4
        laggport: em2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        laggport: em3 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        groups: lagg
        media: Ethernet autoselect
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    in the firewall or switch I don't see any logs about the LACP. what are we missing?
    === LAG "LAN" ID 1 (dynamic Deployed) ===
    LAG Configuration:
        Ports: e 1/1/2 e 2/1/2
        Port Count: 2
        Primary Port: 1/1/2
        Trunk Type: hash-based
        LACP Key: 20001
        LACP Timeout: long
    Deployment: HW Trunk ID 1
    Port Link State Dupl Speed Trunk Tag Pvid Pri MAC Name
    1/1/2 Up Blocked Full 1G 1 Yes N/A 0 609c.9f4b.808d LAN1
    2/1/2 Up Blocked Full 1G 1 Yes N/A 0 609c.9f4b.808d LAN2
    Port [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
    1/1/2 1 1 20001 Yes L Agg Syn Col Dis Def No Err
    2/1/2 1 1 20001 Yes L Agg Syn Col Dis Def No Err
    Partner Info and PDU Statistics
    Port Partner Partner LACP LACP
    System ID Key Rx Count Tx Count
    1/1/2 32768-e839.3511.faab 363 0 61
    2/1/2 32768-e839.3511.faab 363 0 61
  • Pfsense and Unifi controller/AP on different subnets

    11
    0 Votes
    11 Posts
    3k Views
    JKnottJ
    @johnpoz said in Pfsense and Unifi controller/AP on different subnets: I wanted it because my son's devices at his house so there is nat between, etc. That problem could be avoided, if the gear supported IPv6. As far as I can tell, my AP configuration only supports IPv4. On the other hand, the controller supports IPv6, if it's available on the host system. My cell phone is IPv6 only, using 464XLAT for IPv4 sites, so if I had my controller on it, it would have to use that on the phone and NAT at the remote site, when IPv6 would eliminate the need for both.
  • Disk usage keeps building

    24
    0 Votes
    24 Posts
    3k Views
    bmeeksB
    @james-0 said in Disk usage keeps building: Thank you all. Before your updated comment I went to Services/Suricata/logs Mgmt and made sure Remove Suricata Logs On Package Uninstall was checked. I then uninstalled Suricata and after, reinstalled it. It looks like all my settings came back and the large file logs were gone which now puts me to 19%. I will keep an eye on this for a while. Thank you again for all your help. I am learning a few things. Glad you solved your issue. But please keep an eye on the log usage in that directory and post back here if the usage gets beyond the limits you configured on the LOGS MGMT tab. There are settings for how large the files can get before being rotated, and a setting for retention time that determines how long rotated files are kept on disk before they are deleted. The other limit available on that tab up at the top sets a limit on the overall logging directory size (including the interface sub-directories contained within). That limit is configurable as a specific value set by the user, or it will automatically default to a percentage (20% or so I think it is) of disk space. However, no log file management of any type happens until the Enable checkbox is clicked on the LOGS MGMT tab and the change saved.
  • LAN Clients can Ping out, but nothing else

    16
    0 Votes
    16 Posts
    2k Views
    RicoR
    Glad you have it working now. -Rico
  • BT Youview plays for a few minutes then stops

    19
    0 Votes
    19 Posts
    2k Views
    stephenw10S
    Yes, you can see it was blocking IGMP traffic on the IPTV interface so adding that floating rule will pass it. You don't need to pass all IGMP traffic on every interface though. I wouldn't expect to need it on WAN at all. You don't need 'any' destination there either. It's always better to pass only the traffic you need. Still seems odd that it appears to be using the source IP of the interface it's arriving at.... Steve
  • pfSense 2.5 Release Date News

    84
    4 Votes
    84 Posts
    39k Views
    kiokomanK
    @jknott i prefer to do this way [image: 1607514887517-immagine.jpg] you can't use host override for IOT device with embedded 2001:4860:4860::8888 i don't use dns of pfsense and i don't use ntp from pfsense i need to redirect to a bind9 dns server and it was only an example
  • PfSense hangs/restarts intermittently...

    9
    0 Votes
    9 Posts
    979 Views
    G
    Well, over 24 hours, and rock solid since replacing RAM. Even restored the config file from newer pfSense, not skipped a beat. Thanks for the help guys.
  • Multi WAN and Multi LAN

    5
    0 Votes
    5 Posts
    578 Views
    Hoto CocoaH
    @bob-dig Thanks for support!
  • How to modify the Nginx timeout?

    2
    0 Votes
    2 Posts
    343 Views
    stephenw10S
    Does it always fail for that cert? You have something unresolvable set there? Failing after 60s seems reasonable; I doubt increasing that value will help. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.