• Noob Needs Heeeeelllllllp

    0 Votes
    9 Posts
    1k Views
    S
    I am glad that you edited and added to your post I was starting to think your name should be salty johnpoz :). I am surprised you have never seen this before. As I stated in my post this is typical of every consumer grade device that I have ever owned and configured, and all the ISP devices that I have ever used for ADSL/Cable/ and now Fiber. There have been a bunch since 1998 until now. I did state the results from the different settings above in my post. I just posted the medium settings. I was wondering why I would need 53 open (not hosting anything) and the ICMP as well, but I am no expert. Yes when I select the different settings nat only, low, medium, high, it changes the allowable settings and checked boxes as referenced above. Thanks for everyone's help. I will keep reading and changing configurations until I feel confident that I can put my test pfSense box into full time operation, with vlans, dhcp, firewall, vpn, etc. As a take away I am glad that from this discussion it seems confirmed that the default configuration of the pfSense firewall is better than my ISP box on its high. Thanks! Snorf
  • New DHCP Scope Issue with IPSEC VPN

    0 Votes
    3 Posts
    317 Views
    jimp
    You probably didn't account for the larger subnet in your firewall rules, outbound NAT rules, IPsec P2s, and other places. You probably need to add more rules or adjust subnet masks to match what you changed.
  • 0 Votes
    9 Posts
    3k Views
    P
    So, I think I found the source of my issue: my DNS setting. I had shut off and uninstalled SquidGuard, Squid and Snort (in that order) and still had no luck. As soon as I changed my DNS settings to Google (for example), I no longer have any latency issues. Put back Squid and Snort and still no latency. So, it looks like something with OpenDNS is causing my problem. Off to try another DNS to see if it's still running ok.
  • Any UK experts up for configuring a new pfsense box for me

    0 Votes
    8 Posts
    784 Views
    Grimson
    Well there is a Community Job Board: https://forum.netgate.com/category/63/community-job-board but expect to pay quite a bit for an actual expert to even consider your offer.
  • LAN loses WAN egress; no other problems

    0 Votes
    5 Posts
    635 Views
    stephenw10
    @bldr said in LAN loses WAN egress; no other problems: AES-NI CPU Crypto: No - so sad for my future :( But not for a while: https://forum.netgate.com/post/823904 Yes, update to 2.4.4p2 and confirm it still happens there before going further. Steve
  • WAN slower than expected, even with LACP

    0 Votes
    4 Posts
    388 Views
    stephenw10
    The on-board NICs on the C2758 will use up 4 queues/cores. Running that top command will show what's happening. Steve
  • Package restart, pfSsh.php playback svc restart doesn't work, UI works

    0 Votes
    5 Posts
    1k Views
    V
    Just happened today again [2.4.4-RELEASE][Vetal@router.place.somedomain.com]/home/Vetal: pfSsh.php playback svc restart tinc Attempting to issue restart to tinc service... tinc has been restarted. Nothing is added to the syslog, I did tail -f to it. Nothing related in tinc.log Next time I'll check "ps aux | grep tinc", today's while in "stuck state" was not wide enough to fit "/usr/local/sbin/tincd" part. I already UI-restarted it
  • [Solved] PROBLEMS WITH SERIAL CONSOLE

    0 Votes
    14 Posts
    3k Views
    J
    You can consider this problem solved. Thanks
  • 10G NAT/Firewall performance problems

    0 Votes
    16 Posts
    3k Views
    Grimson
    @farmwald said in 10G NAT/Firewall performance problems: I'm quite serious about being willing to make financial contributions to Wireguard port to PFSense. https://forum.netgate.com/category/30/bounties good luck.
  • configs are auto-saving once per minute

    0 Votes
    7 Posts
    932 Views
    S
    No. ACB and local config backups are separate systems. A checkbox to allow vouchers syncs to be excluded from local backups might be a good idea. I'll look into that once v 2.5 is stable.
  • Freeradius 3.0 on Pfsense 2.3.4 problems

    0 Votes
    21 Posts
    3k Views
    C
    That same error keeps looping every minute or so.
  • L2TP RADIUS Static user IP.

    0 Votes
    1 Posts
    131 Views
    No one has replied
  • Port Alias

    0 Votes
    4 Posts
    455 Views
    Derelict
    Another way that might make more sense when (possibly someone years from now) is reading the rule set would be to make four rules:
    pass TCP 25
    pass TCP 587
    pass TCP/UDP 53
    reject any
    You could combine 25 and 587 into a port alias but not sure it's worth it for just two ports. Anyway, that's what I would do.
  • how to delay/change service startup order.

    0 Votes
    2 Posts
    569 Views
    KOM
    https://www.freebsd.org/cgi/man.cgi?rcorder(8) https://serverfault.com/questions/527981/how-to-change-rc-d-startup-order-in-freebsd Note that any changes you make will likely be blown away at every upgrade.
  • Gateway monitoring

    0 Votes
    7 Posts
    1k Views
    K
    @stephenw10 Thanks for the reply. That completely makes sense. I'll experiment on upload traffic shaping to see if this solves my issue.
  • Internal routing of Vlans

    vlans nat routing internal
    0 Votes
    15 Posts
    2k Views
    G
    @ak-0 said in Internal routing of Vlans: @Derelict Vlan are created under physical Lan interface ig0 and parent interface for these vlans is ig0. Actually what I want to achieve is if traffic from Vlans goes out first it should reach Vlan gateway>>Lan gateway>> Wan port and should not do Vlan>>Wan port. Tracert should be 1.Vlan IP (192.168.100.1) 2.Lan IP (192.168.10.1) 3.Gateway IP (1.2.3.4) instead of 1.Vlan IP (192.168.100.1) 2.Gateway IP (1.2.3.4) I'm trying to double NAT for Vlans, first NAT should be internal and then gateway. @tim-mcmanus : If we simply capture the packet and on inspection it can show the source device and then the route the packet came from. So, someone with that much information and hacking knowledge can easily walk into your network. Also, can send packet with header upside down to hit the server behind pfsense firewall, located on VLAN. I've worked in environments that required double NATs, and I would suggest avoiding it at all costs. The only real reason to do this is IP overlap between networks. Security through obscurity is not something to rely on, and even if they knew your internal IP was 192.168.1.20, they can't do anything with it from the outside.
  • 0 Votes
    8 Posts
    921 Views
    stephenw10
    You are using a wireless router as an access point so this should still work if it is still routing (and NATing). But it would be much better to configure it as an access point only and put everything in the same subnet. https://docs.netgate.com/pfsense/en/latest/wireless/use-an-existing-wireless-router-with-pfsense.html Steve
  • Unable to Check For Updates

    Locked
    0 Votes
    84 Posts
    74k Views
    tittan
    Just go to console menu and "update from console" (option 13). After that wait for reboot and your system is updated and normal again.
  • L2TP VPN won't connect on new Windows 10

    0 Votes
    2 Posts
    2k Views
    Rico
    Can you show screenshots? Normally you just open the properties of your VPN connection, security tab and set 'Type of VPN' to L2TP. Also check https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.html and https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.html#troubleshooting -Rico
  • LOG

    0 Votes
    4 Posts
    493 Views
    S
    @grimson RDP is open just for 1 IP... this should be a way to monitor the blocked sessions.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.