@fireix It seems that Ansible or Puppet is open source applications would work for you since it appears you're not shy to use CLI (like me). Ansible uses SSH whereas Puppet (from OpenStack) uses a user agent installed on client's box. Let's hope more senior members will follow-up.

My opinion is that FreeBSD is one of the best choices for NGFWs, due to the distinctive behavior of the OP system itself. However, you can't run it cleanly on FreeBSD, so like pfSense, sticking to the parent basics (FreeBSD), you need to implement a different philosophy = pfSense. NollipfSense / I agree with you that the future belongs to the VM, but we still have a lot to learn in this area. What is currently worrying is that only mirror solutions can create large stability systems. I currently work for a world-wide insurance company, in the current unfortunate situation (COVID), more than 8,000 employees work from home on a VM basis. It works, but 25 extra mirror servers have been set up in 15 countries to eliminate the any possible problems. Virtualization is a wonderful part of the IT world, flexible and I hope there will be more and more serious availability. (I started with Windows NT servers and Win 3.1 has changed a lot since then :-))

@bmeeks Thanks very much for the answer. I did try and download the patches and test, but, not apply and saw that it wasn't going to work from the patch test. Hence the post asking. 2.4.5-p1 - I shall have to wait. Thanks again.

@firerobin said in pfSense VM latency and WAP performance issues: @bmeeks Thanks again for the info. I'll ask around in neighborhood forums to see if anyone else is having issues with their xfinity connection. Hopefully I can find someone as knowledgeable as the folks in this forum, but then they'd probably already be on top of the issue Would this problem be as noticeable if they have a higher bandwidth service plan? If you have issues with the node you are served from, a higher speed tier is not likely to help. An overloaded or malfunctioning node would be expected to affect all speed tiers. The one exception might be if they moved you to another node for a higher tier, but that is extremely unlikely as the node serving you is usually fixed due to the realities of coax cable routing on the poles. To test and make sure a saturated uplink is not your issue, play your game at a time when you are 100% certain nobody else is using your Internet connection but you and your gaming machine. No streaming or anything else going on. If you have problems then, it is likely to be an upstream ISP problem. If you have no issues, then somebody really loading up on downloads can hurt your gaming and ping times as all the ACKs from the busy downloads can eat up the upload bandwidth.

I think I'll just add a couple more interfaces and do it that way. I got to thinking about how I might be able to use the separate lans anyhow. Thanks to all for the input.

Sure you can apply a schedule to a firewall rule so it only applies at certain times: https://docs.netgate.com/pfsense/en/latest/book/firewall/time-based-rules.html I'm not sure how that would help filtering different groups of users though. Steve

Hello together again, creepy. Two days ago my PFSense wasn't able anymore to connect in anyway to my CG VPN Service. Always "decompression failure" or something like that appeared. The final solution was to change from adaptive LZO Compression to OMIT Preference. Then this connection worked again. And what started to work as well? The VOIP Connections. I don't know how this belongs together, but now i can register like always my softphones and make calls. I think we would have searched years to find this out...But well, fortunately finally now it works again. That is the most important! Thanks again anyway for the interesting information you posted here and the support you gave! Have a nice weekend

@stephenw10 I just tried it again and it works. Looks like they finally updated their certs. Thanks for the help!

Hello.. If someone gets similar issue, please try disabling LACP strict mode. It worked in our case. All the best

Do not post them directly here! There is quite a lot of stuff in the config you probably don't want public. You could use the redacted config from the status_output file. Go to <your firewall IP>/status.php to get that. But even that has your public IP etc. We probably only need the interfaces and dhcp sections as I said. That should show any mismatch if it's happening. Steve

The device must have came from those who has access to your LAN...either household or guest. I even believe your Alexa uses Android. For sure, pfSense has NOTHING to do with this issue.

@stephenw10 PFsense is definitely logging events (within the Firewall log view). Currently, the log is only showing the denied traffic. Based on the timestamps, it looks like I am not encountering a DoS attack. [image: 1588883599779-screen-shot-2020-05-07-at-4.32.04-pm.png]

How are you testing? From Diag > Auth?

That's helpful, thanks. I am recreating the rules on pfSense B, rather than trying to import them. pfSense B currently has two em NICs but I will be adding two vmxnet NICs in the next maintenance window, then two more in a future maintenance window. I will be watching for reordering as they are added.

Yes, I completely agree with that. Having pfBlocker create aliases only and assigning them yourself allows you to see exactly what's happening. That's how I use it. Steve

Try a port test to the site from pfSense. That should work though if other clients behind it can access the site. Run packet captures to see what's happening. Is traffic for the site actually arriving at the internal pfSense interface? Is it leaving the WAN? If not where is it leaving, if anywhere? I assume you do not have Snort or Suricata running? Steve

@WAR10CK said in Intel gigabit ct Desktop not detected: AHCI enclosure management bridge OK, pfsense recognizes the netcard, but why is it saying : AHCI enclosure management bridge under interface em0. There is no link when I plugin the cable to em0. The cable works fine in em1.

If they're set up to sync configurations (HA sync).

Does your WAN have a public IP? miniupnpd cannot open port forwards from private IPs. You should at least see the logs from miniupnpd starting in the system log when you save the config or restart the service. Steve