• This topic is deleted!

    1
    0 Votes
    1 Posts
    14 Views
    No one has replied
  • LAN has no carrier

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10S
    What do you have limiting the bandwidth? How are you applying that? Can we see screenshots? Do you see blocked traffic in the firewall log? If you are able to connect at all through that port then it must no longer be showing as 'no carrier' I assume? Steve
  • Issue with Intel SpeedStep settings

    15
    0 Votes
    15 Posts
    6k Views
    stephenw10S
    Yup those later P4s were hungry hungry beasts!
  • sonewconn: pcb: Listen queue overflow messages in kernel log

    10
    0 Votes
    10 Posts
    10k Views
    stephenw10S
    Yes, those values you're seeing are small, 8 queued, 4 occurrences. Often if you hit a problem like that you will see far higher numbers there. If you are not seeing any actual connectivity issues you might choose to ignore it. You should not be seeing it though. Steve
  • Building my lan: do I need a managed switch for my VLANs?

    51
    0 Votes
    51 Posts
    12k Views
    D
    @valepe69 Have a look at the Netgear GS350 Series of Smart Managed Pro switches. I've used the GS308T, GS310TP and the GS324T. All solid. And the price is right. I have some spare GS308T's (I consolidated several switches) if that's all you need and are interested.
  • Removing interface - best practice?

    2
    0 Votes
    2 Posts
    305 Views
    stephenw10S
    Hmm, that absolutely shouldn't happen. As long as the assigned interfaces in the config are still present at boot pfSense should not care about other interfaces that may or may not exist on the firewall. Commonly an interface may be removed that changes the ordering of other interfaces, if they are all igb NICs for example. If you don't have any other 10G NICs in the system and have unassigned it I would not expect an issue. Steve
  • 502 Bad Gateway

    2
    0 Votes
    2 Posts
    547 Views
    NollipfSenseN
    @dzmnetworks Swap a known good working cable and see whether you get the same response. Be sure to reboot the modem when you swap cable.
  • Lost access to web portal

    3
    0 Votes
    3 Posts
    413 Views
    stephenw10S
    Yes, or roll back that last config change. https://docs.netgate.com/pfsense/en/latest/config/console-menu.html#restore-recent-configuration Steve
  • Using pfSense with another Router just for OpenVPN Load Balancing

    2
    0 Votes
    2 Posts
    309 Views
    stephenw10S
    Yeah, you don't need any sort of bridge there. The pfSense router will connect out as an OpenVPN client to remote servers without needing anything special. Steve
  • DC Cluster for LDAP Authentication?

    4
    0 Votes
    4 Posts
    575 Views
    S
    @stephenw10 Good advice. I just used my generated pfsense LDAP CA to issue another cert for the second DC and imported the CA cert and generated server cert into the certificate store on that domain controller. Totally forgot you could choose more than one auth server in the OpenVPN server config. Thanks for reminding me!
  • Using pfSense as the gateway for Bell Fibe bonded DSL

    23
    1 Votes
    23 Posts
    5k Views
    J
    @claferriere No, I didn't have to spoof the HH3K MAC address for the internet to work. I tried it using the real MAC and the HH3K MAC and was able to get internet access in both cases.
  • pfSense / StrongVPN / OpenVPN Oddity

    6
    0 Votes
    6 Posts
    639 Views
    A
    Thanks everyone for your suggestions. I haven't had much opportunity yet to dig into this, but will be this weekend. As a first step, I'm going to try moving the WAN connection from an output on the router to the output from the cable modem. Then, I'm going to connect my laptop to the LAN port, and confirm that I can log onto the local web portal. I'll check out DNS settings and attempt to access external sites. If that works, then I'll swap the LAN connection over to the input on the router, and see what happens. :-)
  • Crash Report

    2
    0 Votes
    2 Posts
    337 Views
    stephenw10S
    That is usually some page that tried to display more data than php allows. So if you tried to run something in Diag > Command Prompt with a very large output for example. It's not a system crash. Steve
  • Download at full speed then got packet loss

    23
    0 Votes
    23 Posts
    2k Views
    stephenw10S
    @andyrh said in Download at full speed then got packet loss:
    why is the general theme that the HW pfSense is running on is the problem and not the ISP with what looks to be a full link?

    It isn't, not here at least. As I said there I would expect that CPU to pass 300Mbps with ease and the output from top showed that to be true. I would always expect to see some increase in latency when you use more WAN bandwidth but not packet loss as we're seeing here. I would not expect to see either when loading the CPU with traffic between other interfaces. Unless you are maxing at least one core completely. Steve
  • Do not switch back to primary WAN immediately

    5
    0 Votes
    5 Posts
    602 Views
    stephenw10S
    If you only have two gateways (no internal gateways) you can set the default to 'auto' there. The system will failover to the second WAN if the first goes down but will not switch back unless the second goes down. But yeah you can just set the second WAN as the default manually there. Steve
  • ARP moved in log

    4
    0 Votes
    4 Posts
    522 Views
    stephenw10S
    It could be two things statically set with the same IP. That's unlikely when either of them is a phone though. Rogue dhcp server is what I'd look at. If you have access to an affected device you can check what it's using as its gateway. Steve
  • softflowd with PRTG (issue) or EventSentry

    1
    0 Votes
    1 Posts
    406 Views
    No one has replied
  • LACP not working

    113
    0 Votes
    113 Posts
    32k Views
    C
    @stephenw10 said in LACP not working:
    You may well have to re-deploy it on the switches to have it use the new settings. I can only make an educated guess at this point. What exactly did you do before then when you said that was fixed? And what was it that was fixed? Steve

    I have deleted and created the LAG over. but long time but it still blocking it.

    lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=800008<VLAN_MTU>
    ether e8:39:35:11:fa:ab
    inet6 fe80::ea39:35ff:fe11:faab%lagg0 prefixlen 64 scopeid 0xb
    inet 192.168.77.1 netmask 0xffffff00 broadcast 192.168.77.255
    laggproto lacp lagghash l2,l3,l4
    laggport: em2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
    laggport: em3 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
    groups: lagg
    media: Ethernet autoselect
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

    in the firewall or switch I don't see any logs about the LACP. what are we missing?

    === LAG "LAN" ID 1 (dynamic Deployed) ===
    LAG Configuration:
    Ports: e 1/1/2 e 2/1/2
    Port Count: 2
    Primary Port: 1/1/2
    Trunk Type: hash-based
    LACP Key: 20001
    LACP Timeout: long
    Deployment: HW Trunk ID 1
    Port Link State Dupl Speed Trunk Tag Pvid Pri MAC Name
    1/1/2 Up Blocked Full 1G 1 Yes N/A 0 609c.9f4b.808d LAN1
    2/1/2 Up Blocked Full 1G 1 Yes N/A 0 609c.9f4b.808d LAN2
    Port [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
    1/1/2 1 1 20001 Yes L Agg Syn Col Dis Def No Err
    2/1/2 1 1 20001 Yes L Agg Syn Col Dis Def No Err
    Partner Info and PDU Statistics
    Port Partner Partner LACP LACP
    System ID Key Rx Count Tx Count
    1/1/2 32768-e839.3511.faab 363 0 61
    2/1/2 32768-e839.3511.faab 363 0 61
  • Pfsense and Unifi controller/AP on different subnets

    11
    0 Votes
    11 Posts
    3k Views
    JKnottJ
    @johnpoz said in Pfsense and Unifi controller/AP on different subnets:
    I wanted it because my son's devices at his house so there is nat between, etc.

    That problem could be avoided, if the gear supported IPv6. As far as I can tell, my AP configuration only supports IPv4. On the other hand, the controller supports IPv6, if it's available on the host system. My cell phone is IPv6 only, using 464XLAT for IPv4 sites, so if I had my controller on it, it would have to use that on the phone and NAT at the remote site, when IPv6 would eliminate the need for both.
  • Disk usage keeps building

    24
    0 Votes
    24 Posts
    3k Views
    bmeeksB
    @james-0 said in Disk usage keeps building:
    Thank you all. Before your updated comment I went to Services/Suricata/logs Mgmt and made sure Remove Suricata Logs On Package Uninstall was checked. I then uninstalled Suricata and after, reinstalled it. It looks like all my settings came back and the large file logs were gone which now puts me to 19%. I will keep an eye on this for a while. Thank you again for all your help. I am learning a few things.

    Glad you solved your issue. But please keep an eye on the log usage in that directory and post back here if the usage gets beyond the limits you configured on the LOGS MGMT tab. There are settings for how large the files can get before being rotated, and a setting for retention time that determines how long rotated files are kept on disk before they are deleted. The other limit available on that tab up at the top sets a limit on the overall logging directory size (including the interface sub-directories contained within). That limit is configurable as a specific value set by the user, or it will automatically default to a percentage (20% or so I think it is) of disk space. However, no log file management of any type happens until the Enable checkbox is clicked on the LOGS MGMT tab and the change saved.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.