@stephenw10 Based on the idea you had about why I needed that rule at all, I went ahead and disabled that rule. Everything seems to still be working just fine. Guess that's what happens when you follow some guides on how to do things. The guide I followed was accurate to get the forwarding to work properly, but it was also why I added that NAT rule. If you can, can you update the title of this thread to include [SOLVED] in it, just in case anyone else runs across this. Thanks again for help. :)

It lools like you have either a lot of columns on your dashboard or you're viewing it in a narrow window. Using less columns should make it wider. Steve

4 days uptime. Looks like it was a fault in the ISP router!

Squid is a package you install in pfSense to proxy and log http/s traffic. https://docs.netgate.com/pfsense/en/latest/cache-proxy/index.html#squid If you watch the video I linked above it walks through the entire process. Steve

This could easily be something in your browser filling the credential fields when you switch back to page. I've hit similar things before though not on that page. Steve

That looks like plenty in hand in performance terms. No cpu core is anywhere near 100%. The bxe processes are not at 100%. I would have to guess the limit is somewhere else. You might try running tests from the pfSense box itself. It's not a good way to show absolute values but you have CPU cycles to spare and it will allow you to test the WAN and LAN separately. So you could run iperf on pfSense and test to it from the client to be sure you're getting speeds on the LAN that are above 1Gbps. You won't see 10Gbps but if you see, say, 4Gbps you know that's not limiting. You can run the CLI speedtest client on pfSense to test only the WAN. That might show almost anything! My experience is that it usually shows low speeds on high bandwidth WANs but if it shows closer to 1200Mbps that would prove the WAN is good. Steve

@kiokoman Its a PFsense 2.4.4 P3 running on a Xen hypervisor, so yes it is a virtuel machine.

Based on the service status in his screenshot it's neither of those. But it looks like he went dark on us anyway.

@petreza yes, but we know about this thread. We will get back to you.

@jimp Thanks for the heads up, Im not aware of my /28 addresses yet so I will hold fire on adjusting anything.

Yes, you can bridge a 2nd interface to your WAN and allow them to use a single public IP directly. You should also be able to apply Limiters to that traffic. Whether or not you should is a different question. Steve

Yup, probably. Unless that rule has a restricted source.

This is still in cron 30 12 * * * root /usr/bin/nice -n20 /etc/rc.update_urltables without suricata installed

It's been two weeks now that a new router is in place and everything is working properly. It seems that starting from scratch and manually reconfiguring the router without going through the import/export tool has solved the problem!

thanks it work.

I guess I'd make that call based on how reliable the hardware is, but generally I try to go for just one box no matter the size. Just because it's an easier setup, easier planning, documentation etc. And usually less money. But there's really nothing wrong with doing your setup. If your main concern is uptime, I'd put one box as central router with multi-WAN and put the other one as HA to automatically take over if the first one fails. I would make a LAN network (VLAN1) for devices such as switches, AP's etc, then two or more VLAN's for users. In the past when I've built large networks I have sometimes created a 22-network (255.255.252.0 subnet mask) just to get a few extra IP's, and sometimes I've limited them to about 50 devices per network, depending on the type of traffic. Smartphones and such is good to keep down in numbers as they broadcast a lot of traffic, but if there's *nix devices it doesn't matter as much. The main thing I go for is to try and keep as much as possible with software, since it's easier to replace one box and restore config than to troubleshoot and replace several boxes. Correctly done, you can even replace a router on remote with a novice customer moving a cable or two.

No problem.

Yup change it there and re-export the config. Or edit the config on the client directly to use the real public IP. Steve