@magikmark said in pfSense 2.5.2 periodic HUGE lag spikes: https://forum.netgate.com/topic/112527/playing-with-fq_codel-in-2-4/770 Ah, OK. That's not a bug it's a feature. I've never hit that but it looks like you would only ever hit it if trying to re-configure an existing pipe that is actively in use. Steve

@stephenw10 Thank you Steve. I will apply the patch.

Do the packet captures show the traffic following the expected rules? Is there any reason you're still running 2.4.5? Not that I'm aware of anything in 2.5 that would make any difference though. Steve

@stephenw10 Thank you for clearing things up!

Nice result!

@elmo1943 said in vpn router on 2.5.2 pfsense: The modem (pppoe provided) and both pfsense (192.168.20.1) and wrt3200 (192.168.132.1) are connected to tp108 switch (dumb switch) that allows pfsense and wrt3200 to 'share' connection. Ok those are different subnets (probably) so are those the LAN side subnets of each device? What is the pfSense WAN IP address? What is the WRT3200 WAN IP address? I expect those to be in the same subnet and it will be a private subnet because I do not expect your ISP to allow 2 PPPoE connections. Can we see a diagram? Steve

@cxcmax said in Openreach GPON, BT Infinty FTTP moden: will try and not break it now :) Ha. Don't do that. Backup your config that works then try to break it. Learn what breaks it and what works. (and how to restore your config!) Steve

I always used separate interfaces in the past, I'm not sure why I didn't think of doing that with pfsense and that's what I'll be doing. Then I can allow only the ports I want and if someone ever gets in via wifi, they won't get access to much.

Oh, sorry I should have seen that. Yeah .0 is the network address in that subnet, you can't use it directly. Steve

What exactly is the cronjob you see? Is it: 0,15,30,45 * * * * root /etc/rc.filter_configure_sync That is added by have firewall rules with a schedule configured. If it's killing connections every time it loads it may be doing exactly what it's configured to do. Steve

If it's really a hot spare you could configure HA sync to copy the config across whenever there are changes. It would be better to use a fully configured HA pair to avoid any downtime. The SG-1100 is not well suited to that however because of it's switched interfaces. It could still be done though and it would failover in some situations, including manually failing over. Steve

Just did mine (SG-1100). Zero issues, fast restart.

Indeed. Check the rules on LAN for a rule named that. Also check the floating rules tab for anything that might apply to LAN. Steve

It's not the syslog process that is the problem, you can see that reports 'done'. It's whatever is next causing the issue. It's more likely the package reinstall process if you are restoring onto a box that doesn't have a valid WAN connection. There were a number of things put in to improve that situation though, what pfSense version are you restoring into? Are you in fact doing that without a WAN connected? Steve

Aha! That would do it. They will be applied via a firewall rules on the DMZ interface. You will see it gas advanced options set. Though your floating rule should have applied before that so check for other floating rules that might apply. Steve

I mean I've hardware never tested that but I would expect it to.

@nogbadthebad You're right, I'd delete this if I could. Windows doesn't normally do that but on this build it's acting up. Thank you

That output looks fine for the igb NICs. You might want to disable hardware checksum offloading in Sys > Adv > Networking. That will apply it globally. It should be fine on the Intel NICs but has been known to give problems on other hardware, like the Realtek. You appear to have bridged igb2 and igb3 they have IP addresses in different subnets which looks wrong. Steve

@gertjan yes that is so