Did you see anything similar on other VMs? Are you running pfSense 2.6? The system time is determined by whatever the hypervisor is sending for the system clock. If if was using a much earlier time, like 1970/1/1, pfSense will see that and set the clock at boot to the most recent known time source but not if it's ahead already. Steve

@ghost-0 said in thinking about 2.5Gbps Switch upgrade, any issues with pfsense?: Is this instability due to loops or a poorly configured pfSense? Almost certainly not. If you get a flood created by a loop you will not be able to access anything. Since merely restarting OpenVPN corrects it, and it sounds like that is a WAB connection, my first guess here would be that the default gateway is still set as automatic and is switching to something invalid. But STP loop prevention should only be to prevent loops in the event something is mis-wired IMO. If your switches are connected correctly you should not have any loops. Should I upgrade to 2.6.0? It depends but probably. It will do nothing for STP though. Steve

@dinu Issue resolved, I have moved all my VM's to Hyper-V and I am getting 100% band with of 145Mbps download and upload. Thanks for the support guys... Dinu

pfblocker with Dnsbl is your weapon of choice here Python mode and everything is fine and good to go... Block Br np

@stephenw10 thank you again!

Ah, yes I've seen a few users hit that with different things. Nice catch!

@stephenw10 I think you were right, I change the pfsense for another old one identical but I changed the SD Card and no problem since 4-5 days ... a record since the beginning! Thanks again!

@netnerdy said in Performance issue on vmware esxi 7: Btw, You have to disable hardware large receive offload from advanced settings. Depending on the model of your physical network adapter the vmx adapter may or may not be able to handle hardware checksum offload and tcp segmentation offload. I've been chasing random drops in upload speeds with pfsense 2.6 installed on a esxi VM and this fixed it. Thankyou.

@steveits Listing recommended Patches via the the System Patches package is a great enchantment. Meanwhile I've rolled back to 2.5. The 2.6 enchantment, which I wanted to get from that Release (IP Fragmentation over IPsec) isn't working in my configuration. Probably I'll have to change the IPsec Filter Mode to "VTI only" to get this work. This means also, I'll have to migrate a bunch of Rules (~900) from the IPsec section to each VTI Interface and spend some thoughts on how I design rules for encrypted traffic between sites when a firewall has to do a transit role. I've encountered another Issue with HAProxy on 2.6 - The process started to consume permanent 100% CPU Time (one core) randomly. After a restart of the service, all went back to normal, at least for a while. I didn't look further into this, maybe it has something to do with ocsp preload enabled on some front-ends. For now I'm back on 2.5.x., all in all it's running more stable in my configuration, even if 2.6 has some great updates in the IPSec code what makes overall configuration more smooth and reduce boot time about 50%.

@mrsunfire https://docs.netgate.com/pfsense/en/latest/recipes/migrate-assigned-lan-to-lagg.html If you do not have a spare interface to use to shuffle, then you would have to leverage your wan interface. Or via a vlan on your wan interface, etc. And come in that way.

@scorpoin said in can not allocate memory error latest firmware: arp: writing to routing socket: Cannot allocate memory could this be related https://forum.netgate.com/topic/152998/arp-writing-to-routing-socket-cannot-allocate-memory or here https://forum.netgate.com/post/976491 You see that error though because it cannot allocate memory in the ARP table for an IP in a subnet the firewall doesn't have an interface in. Which is probably because the re NIC has gone AWOL.

@deanfourie Here's a good reference for TCP/IP: TCP/IP Tutorial and Technical Overview

@nollipfsense said in L2TP/IPsec VS OpenVPN on pfSense: My use case is both personal, and business (home office) so I'll emulate yours. Hello, a little bit late but for the records it is also pending on what hardware is in usage and for what you need it. pfSense to pfSense I would prefer IPsec with QAT on (if available on both sides) pfSense to other I would prefer IPSec with AES-NI on|-left aligned paragraph Mobile device to pfSense IPSec is your hero OpenVPN became or is the hidden defacto industrial standard WireGuard the future hope IPSec war proofed and spread out widely

So I am also interested in this as I have a HA firewall and can only do CARP on the LAN networks. My provider, AT&T, gives me the option of PASS-THROUGH providing "real" WAN IP via DHCP and I lock it down to a single MAC on the Router/Gateway (RG). So my primary firewall has a spoofed MAC on the WAN that matches the one the RG has configured to hand out leases. My standby HA firewall has the hardware MAC on the WAN interface. The primary gets the "real" WAN IP, publicly routable, and the secondary firewall gets a 192.168.5.X IP from the RG. If I spoofed the MAC on the secondary WAN and shutdown the primary then released/renewed on the secondary it would get the "real" IP on the secondary. Now I say it is "real" since AT&T does some type of bridge NAT but the NAT table on the RG is still in play. I am interested in what @chansiuming was looking to do based on my ISP quirks. I could write a simple script to check CARP status and when it becomes MASTER do the down of WAN, spoof MAC, bring up WAN and boom it should work.

Do you have general connectivity? Have you tried hitting the refresh button there? That pull the status from ews.netgate.com. That service is functioning normally right now. Steve

@stephenw10 Oh I see. Yep PCAP was on the VM (172.16.0.202). Yep I don't get it. I see what you're saying and all just can't wrap my head around what is going on here.

Those are the changes you made? Can't you just set a static IP to regain access and revert that? Steve

@stephenw10 that worked, thank you so much!

Never used VSCode but it's just xml. What changes do you need to make though? Usually a config move between hardware should only require re-assigning the interfaces (renaming them in the config). I assume this is a more extensive network change? Steve