Ok. Found my miracle. One firewall rules block this.

i would stop trying to measure from/to the firewall. This is pointless & incorrect. try this & report back: iperf-server<->routerWAN | routerLAN <–> iperf-client

Thank you very much hda!

@johnpoz: You do not need to put anything in there if you just want to have the dhcp clients point to IP the dhcp server is running on for dns..  Its right there in the text below the dns boxes.. Leave blank to use the system default DNS servers: this interface's IP if DNS Forwarder or Resolver is enabled, otherwise the servers configured on the System / General Setup page. Thanks, apparently I've read way too much in the past few days and my brain is melted. Thank you for your patience, I got it :D

The wan is a 10.0.x.x /16 and the LAN side is the default 192.168.1.x /24.

Try the WAN NIC.  They might be swapped.

@vitoreiter: …and for security purposes I can't really give exact IP's. For example lets say that WSUS is on x.x.x.45 and other systems are on the same subnet ... Do you use public IPs internally? Then use RFC5737 Test-Net addresses for documentation, that's what they are there for. But usually RFC1918 are misunderstood. I'm currently dealing with a university that does just that, use public IPv4 addresses internally. And only internally…

So, driver issue, who`s responsible for that ;)

2x32A power cables (top of rack) were going very near the cable, which was unshielded btw. Changed to shielded cable, and also different path to switch, to make sure. Since then it's been on 1000 mbit not falling back to 100 mbit. So not a fault of pfsense! :-)

https://forum.<other project="">.org/index.php?topic=4191.msg15344#msg15344</other>

Not enough information to help you. What do your rules look like for OPT1?  Does anything show up in the firewall logs reference blocked traffic from the Android devices?

I've been inspired by the board to investigate alternate ideas, particularly based on the feedback about Soekris reliability.  I had always considered the devices to be highly reliable, but am now seeing quite a few issues, particularly around the thermal package.  I have the device in a large closet on a high shelf, which should be OK, but got me to dig.  Well, it appears that the stock case and heat sink are NOT up to the job, as the CPU core is currently running around 79C with little / no load. I now expect the printer IS causing the issue, due to heating the closet, not some strange broadcast packets!!! Incidentally, does anyone know how to override the Tj Max setting - the coretemp module is unable to read the CPU ID and sets the Tj Max to 100; for the net6501-50 it should be 90. Tom

As per subject are there any plans to make the PPPOE process use multiple cores ? The ibg driver it self is using multiple cpu cores, but PPPoE is only single threaded. Or is it better to use a modem -> router then pfSense ? Not really, because of double NAT. Currently I'm using modem -> pfSense PPPOE Stay with it.

I am a little bit further. Just enabling spanning tree portfast did the trick as far as the switches concerned. I could enable both interfaces without killing my switched network. I am now migrating the vlans to the LACP interface. I think I have 2 options: Create new tagged vlan, assign interface and re-tag on all devices with the vlan tag (with this option I need to change the vlan tag on several devices) or…. Create new tagged vlan, delete interface, delete vlan, change vlan tag on newly created vlan to old one, and assign interface, but then I need to re-configure all the firewall rules and the interface, dhcp etc again. I have one vlan which I would not like to re-tag on al my hypervisors etc. But I also would not like to create all firewall rules etc all over again. What is the smartest way to migrate a vlan, with a lot of rules to the new LAGG interface, without changing the vlan id? Thanks, Mark