  • VPN with ExpressVPN cut bandwidth by 80%

    7
    0 Votes
    7 Posts
    921 Views
    @stephenw10 Echo the above comments entirely. Super important you run a CPU that supports Intel AES-NI instructions too - it's got a lot of work to do with the encryption remember. Without I'd expect about what you're getting. I'm getting well over 400mbs from nordvpn with my i3-5010U setup on a 500mbs line which is fine for me. You're going to need some pretty serious hardware (well above 300 bucks) if you're looking to get anywhere near your line speed with any VPN provider. Prepare to get your wallet out again. All that said - your super fast line is probably costing fairly serious cash so I wouldn't consider say a cost equivalent to a year or two's subscription disproportionate for the router.
  • the network does not rise after turning off the power

    10
    0 Votes
    10 Posts
    1k Views
    stephenw10
    If you remove one of the configured interfaces and reboot it will ask you to re-assign the interfaces at the console. That's how pfSense has always worked. Simply removing the Ethernet cable so it has no link obviously does not do that though. If you add new interfaces that use the same driver as existing NICs the interface order may be renumbered but they would still exist so you wouldn't be asked to reassign. Exactly what interfaces are you using here? You have mentioned both wifi and USB interfaces but no specifics. Steve
  • Oddness of Traffic Status, RRD Summary and NTP...

    7
    0 Votes
    7 Posts
    448 Views
    provels
    @stephenw10 Thanks. I will, and I think I've read that host time sync is only for maintaining the VM's time when the VM is off, but conversely it doesn't seem the host should loop with the VM's NTP either. I'll give it a try and delete all the present RRD data since it's corrupt anyway. Thanks again.
  • Pfsense in front of udm pro

    5
    0 Votes
    5 Posts
    1k Views
    johnpoz
    @rfinch23 said in Pfsense in front of udm pro: This allows for any external access using port forwarding where required. So this is a vpn on some vps or something you setup somewhere - most vpn services do not provide for port forwarding.
  • Fun with zfs , snapshots and rollback

    Moved
    2
    5 Votes
    2 Posts
    4k Views
    bingo600
    @bingo600 said in Fun with zfs , snapshots and rollback:

        zpool set listsnapshots=on zroot

    Just made a snapshot on version 2.5.2

    Since Netgate changed the zfs root-name from zroot to pfSense On the new 2.5.2 CE version. And made some other zfs changes. I decided to make a full reinstall of my "boxes", booting from a 2.5.2 USB stick, and reinstalling from scratch.

    This is the new layout on my boxes

        root: zfs list
        NAME                  USED  AVAIL  REFER  MOUNTPOINT
        pfSense              1.02G   222G    96K  /pfSense
        pfSense/ROOT          800M   222G    96K  none
        pfSense/ROOT/default  800M   222G   800M  /
        pfSense/cf           5.58M   222G    96K  /cf
        pfSense/cf/conf      5.48M   222G  5.48M  /cf/conf
        pfSense/home          212K   222G   212K  /home
        pfSense/tmp           476K   222G   476K  /tmp
        pfSense/var           228M   222G  3.37M  /var
        pfSense/var/cache     120K   222G   120K  /var/cache
        pfSense/var/db        223M   222G   223M  /var/db
        pfSense/var/empty      96K   222G    96K  /var/empty
        pfSense/var/log       880K   222G   880K  /var/log
        pfSense/var/tmp       136K   222G   136K  /var/tmp

    I just ran the above commands with the new zfs root, names pfSense

        zfs list
        zpool set listsnapshots=on pfSense
        zfs snapshot -r pfSense@2.5.2

    Here's the layout after the snapshot.

        /root: zfs list
        NAME                         USED  AVAIL  REFER  MOUNTPOINT
        pfSense                     1.02G   222G    96K  /pfSense
        pfSense@2.5.2                   0      -    96K  -
        pfSense/ROOT                 800M   222G    96K  none
        pfSense/ROOT@2.5.2              0      -    96K  -
        pfSense/ROOT/default         800M   222G   800M  /
        pfSense/ROOT/default@2.5.2      0      -   800M  -
        pfSense/cf                  5.58M   222G    96K  /cf
        pfSense/cf@2.5.2                0      -    96K  -
        pfSense/cf/conf             5.48M   222G  5.48M  /cf/conf
        pfSense/cf/conf@2.5.2           0      -  5.48M  -
        pfSense/home                 212K   222G   212K  /home
        pfSense/home@2.5.2              0      -   212K  -
        pfSense/tmp                  476K   222G   476K  /tmp
        pfSense/tmp@2.5.2               0      -   476K  -
        pfSense/var                  230M   222G  3.37M  /var
        pfSense/var@2.5.2               0      -  3.37M  -
        pfSense/var/cache            120K   222G   120K  /var/cache
        pfSense/var/cache@2.5.2         0      -   120K  -
        pfSense/var/db               225M   222G   223M  /var/db
        pfSense/var/db@2.5.2        1.78M      -   223M  -
        pfSense/var/empty             96K   222G    96K  /var/empty
        pfSense/var/empty@2.5.2         0      -    96K  -
        pfSense/var/log              952K   222G   880K  /var/log
        pfSense/var/log@2.5.2         72K      -   880K  -
        pfSense/var/tmp              136K   222G   136K  /var/tmp
        pfSense/var/tmp@2.5.2           0      -   136K  -

    I haven't played with restore etc. yet, but expect it to behave as above. We might (will) have to take the new partitions made in 2.5.2 into consideration.

    /Bingo
  • PFNoob - A Few Issues (Router IP, Local Ports, and Separate Interface)

    19
    0 Votes
    19 Posts
    2k Views
    @stephenw10 Thank you, you were exactly right. Turns out that router factory defaults to 192.168.1.1 - I really wish it had a sticker on the bottom or something that indicated that, didn't think to search it online yesterday just kept pinging the 192.168.0.0 network assuming it was somewhere there. Fixing the address for the main LAN router also resolved the port issues I was having with Jellyfin, so that's great :) Thank you Stephen and everyone else who's offered help here as I stumble through this. Edit: Also, I'm forgoing my plans for the trash network as far as any type of firewall bypassing. At most I may make it where the VPN isn't active on that interface, but otherwise I think I'm good on that too. Thank you all!!
  • PPPoE WAN fails to reconnect after link loss

    60
    0 Votes
    60 Posts
    14k Views
    stephenw10
    Hmm, OK then probably time for a pcap showing it connecting correctly we can compare the failure to.
  • Historical Traffic Monitoring

    2
    0 Votes
    2 Posts
    421 Views
    stephenw10
    What exactly do you need to see? pfSense already logs traffic volumes on all interfaces in Status > Monitoring. Otherwise see: https://docs.netgate.com/pfsense/en/latest/monitoring/graphs/bandwidth-usage.html Steve
  • Hotplug event detected for WAN(wan) static IP

    5
    0 Votes
    5 Posts
    733 Views
    @stephenw10 said in Hotplug event detected for WAN(wan) static IP: Hmm, ntop running on WAN (em0)? Can you disable that as a test? I understand, I just uninstalled it.
  • when is Layer3 necessary?

    14
    0 Votes
    14 Posts
    1k Views
    stephenw10
    The filter used by pfSense, pf(4), is a layer 3-4 only component. There are some higher layer functions available via Snort but there is currently no per user filtering beyond something like Captive portal or Squid. Steve
  • Panic String: bpf_mcopy

    30
    0 Votes
    30 Posts
    4k Views
    stephenw10
    I would expect that to be fine. X520 is quite common.
  • WAN interface - different IP and gateway

    9
    0 Votes
    9 Posts
    897 Views
    stephenw10
    Yes, you can mask that if you need to as long as you replace it consistently in the logs so we can still see it being used. Steve
  • This topic is deleted!

    1
    0 Votes
    1 Posts
    6 Views
    No one has replied
  • No IP from DHCP on my DMZ

    Moved
    3
    0 Votes
    3 Posts
    412 Views
    @viragomann Thanks, did forget it was a log to read :) Found the problem, it did look like DHCP was on but it was not.
  • Pfsense bug or hardware

    6
    0 Votes
    6 Posts
    2k Views
    stephenw10
    I doubt you're actually seeing logs identical to that so please post your logs for review. Steve
  • NO INTERNET TRAFFIC ON LAN

    16
    0 Votes
    16 Posts
    1k Views
    stephenw10
    @silence said in NO INTERNET TRAFFIC ON LAN: create a firewall rule on wan (to allow traffic please) Um, yeah, don't do that! You don't need rules on WAN to allow traffic to reach Google. What speed are you seeing? What do you expect to see? How are you measuring? Steve
  • I need help to read a backtrace (bt), my pfsense makes kernel panic

    Locked
    4
    0 Votes
    4 Posts
    679 Views
    stephenw10
    This is a duplicate thread. Please continue here: https://forum.netgate.com/topic/168212/panic-string-bpf_mcopy/12 Steve
  • Pfsense and use of multicore in custom appliance

    3
    0 Votes
    3 Posts
    684 Views
    stephenw10
    Yes, it will use multiple CPU cores. Especially if you have a bunch of packages installed where loads can be spread more evenly. But, also yes, some things are single threaded. If you need to route at or close to 10G and run things like IPS or ntop then almost nothing would be overkill. Steve
  • Separate pfSense machine and Proxmox Machine

    8
    0 Votes
    8 Posts
    891 Views
    stephenw10
    Like I said if you just load all the rules and don't tune anything it will alert and block on most Linux pkg updates. You need to suppress the alerts or disable the rules that are triggering it. https://docs.netgate.com/pfsense/en/latest/packages/snort/suppress-list.html We usually recommend running Snort for at least a week in non-blocking mode whilst monitoring the alerts. Only enable blocking once it's no longer alerting on legitimate traffic. Steve
  • FTTH (AON): Fritz!Box 5530 works, pfSense not

    ftth fiber fritzbox sfp vlan
    27
    0 Votes
    27 Posts
    5k Views
    stephenw10
    @waldy327 said in FTTH (AON): Fritz!Box 5530 works, pfSense not: Or is it enough to disable "Hardware TCP Segmentation Offloading" "Hardware Large Receive Offloading" Those should be disabled anyway, they are disabled by default so definitely disable them if you have set them enabled. Hardware offloading requires the driver and hardware to work correctly together. Something that works on an igb NIC might work on ix. It might not even work on a different NIC that also uses the igb driver. They usually do though because those Intels are the best supported. Intel contributes their own driver code to FreeBSD. To disable that as a test you can run at the command line: ifconfig ix0 -vlanhwfilter -vlanmtu -vlanhwtag -vlanhwcsum I had assumed your igb NICs are not SFP? Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.