Yep I got it up and running and did not downgrade the FW. It turned out to be the unifi switches had the Vlans and the IP addressing still entered. So I removed the IP addressing out of the unifi switches and let the pfsense box do the address through its Vlan DHCP servers and all is good.. Thank you for the response.

I tried your steps and YES its OK!!!. Seems now I can connet to internet from webadmin panel. (Show updates and other things) Two things that i needed for help someone as newbie as me: After remember setup rules that allow to access the new bridge interface And of course assing the gateway of your subnet (My IPS router) Thank you very much for real Stephen!!!

I would expect both those cards to be supported by the bxe(4) driver: https://github.com/pfsense/FreeBSD-src/blob/RELENG_2_5_2/sys/dev/bxe/bxe.c#L142 The HPE 530SFP+ also appears to be based on the Broadcom 57810S. You may need to modify the card though to get them to link at 2.5G. It sounds like you've already started looking into that. Yes, you should try the LAGG setup since it might work OK and requires no additional hardware. Your ISP probably provides some sort of business grade connection using the same fiber. I would look at what equipment they supply with that. It may be you can just get that and use it. Steve

Hmm, I'm surprised about that since Limiters don't really care what the NICs are. It could have been a CPU limit trying to pass that through a Limiter I guess. Steve

@stephenw10 Very interesting, im going to read up on this some more. I did put the pfsense box on full WAN duty, its just connected to the forti with a /30 private link. Performance is great, without much tweaking I was able to get full speeds up and down, CPU usage was even at 18-19% for both tests. I might just stick to this anyway, maybe ditch my forti until I buy the 60F, id rather just deal directly with the box that holds the WAN address. I appreciate the help Steve.

@maverick_slo said in PFSense notification if large amounts of data downloaded: Well... I use XDR which alerts on behavioral anomaly if large upload is detected (per host). But additionally I also use zabbix which will send alert if upload is larger than 80Mbit/s for at least 10 minutes (configured this way so that "regular" traffic wont trigger alerts, will be different for every company...) But it`s hard and requires deep knowledge of your network and whats OK traffic and whats not. Yes, there are some host-based solutions. And that is really one of the best places to put such tools because there you can generally still see the data BEFORE it's encrypted. I was specifically referring to firewall-based or network-based tools in my earlier reply as that is how I interpreted the OP's question. It's much more difficult at that level due to the encryption and also the magnitude of data flow.

I replicated this and created a bug report: https://redmine.pfsense.org/issues/12498

Ah, probably not then. If all three interfaces are trunked on the same link to the switch that means any traffic at all on LAN2 will reduce the available bandwidth on LAN1/WAN. Steve

No if you just swap the card and those are the only 10G NICs on the firewall it should be fine. If there are other NICs using the same driver the order may change. Steve

@bcruze said in Verizon JetPack: https://docs.netgate.com/pfsense/en/latest/multiwan/load-balance-and-failover.html @stephenw10 said in Verizon JetPack: That^ Both WANs will always be active but you can route traffic via one of the other using policy routing. https://docs.netgate.com/pfsense/en/latest/multiwan/strategies.html Steve Thank you both for the information. Setting this up now.

You are going to need some sort of tunnel to do that I would thing. Unless everything is using public routable IPs. It probably should be a VPN tunnel. Steve

@jimp in my opinion, this issue warrants an advisory sent to users, and also a note in Known issues. As an idea, I'd also love if advisories could be checked by internet facing boxes (those that can talk to the Netgate servers) and shown in the GUI and pushed via alerts to whatever is configured as alert system (Telegram for example).

@stephenw10 I use Zabbix , and like it. Note The zabbix DB loves to be on a SSD, especially when doing "cleanup tasks". My install (Debian VM) with around 100 monitor points - takes up 20GB diskspace including OS. Here's linux install guide(s) https://www.tecmint.com/install-and-configure-zabbix-monitoring-on-debian-centos-rhel/ https://www.tecmint.com/configure-zabbix-to-send-email-alerts-to-gmail/ https://www.tecmint.com/install-and-configure-zabbix-agents-on-centos-redhat-and-debian/ https://www.tecmint.com/install-zabbix-agent-and-add-windows-host-to-zabbix-monioring/ I used this one , back in time. https://www.tecmint.com/install-zabbix-on-debian-10/

@stephenw10 Yes those to NICs are in a lag configuration, have been for several years at least. I will try your suggestions and see what I can find.

When you only have one interface defined in pfSense (Appliance Mode) the default allow rule and anti-lockout rules apply on that interface. Those allow you access to the webgui. If you add another interface pfSense go to full routing mode where it drops all traffic on WAN and allows traffic on LAN by default. So if you still need to access the webgui via the WAN after doing that be sure to add a manual pass rule on the WAN before adding the second interface. Steve

@magikmark said in pfSense 2.5.2 periodic HUGE lag spikes: https://forum.netgate.com/topic/112527/playing-with-fq_codel-in-2-4/770 Ah, OK. That's not a bug it's a feature. I've never hit that but it looks like you would only ever hit it if trying to re-configure an existing pipe that is actively in use. Steve

@stephenw10 Thank you Steve. I will apply the patch.

Do the packet captures show the traffic following the expected rules? Is there any reason you're still running 2.4.5? Not that I'm aware of anything in 2.5 that would make any difference though. Steve