You need an Apple TV or HomePod, the newer versions act as thread routers. It just works with iPhones on one vlan and IOT devices on another vlan, same as it would if you were away from home. For what it’s worth I had nothing but problems with avahi and removed it after a week.

Ok, so Snort or Squid could both cause this The first thing I would do is try disabling either (or both) and see if that prevents it. Also check the logs of both for blocked traffic when it happens. Steve

Yes, that. Check the log files in /var/log. You will be able to see which one is being frequently rotated, it's usually pretty obvious. Then check that log to see why it's being filled so often and reduce that and/or increase the file size. Usually you also see sshguard spamming the system log: https://redmine.pfsense.org/issues/12747 Steve

Also on an 1100? That's not the same error, no segfault there. It's not the crypto chip stuck in a bad state. Steve

@dobby_ said in "Non secure" pfSense URL: If someone is interested in build their own PKI at home xCA let you create your own certificates with much more abilities under your full control. xCA It is available for MacOS, Windows and Windows portable. It is nothing you must do. Only if you are interested.

@mauro-tridici said in slow pfsense IPSec performance: Sure, I will try to apply your suggestions. Should I activate some other option like "Cryptographic Hardware" in addition to your suggested settings? It all depends on the hardware. If AES_NI is in the game I pfSense since 2.6 CE or Plus version will benefit from that but if there is also QAT in the game I would personally upgrade to the pfSense Plus version and try out using the QAT instead. But both together with IPSec AES-GCM.

I wanted to give an update. My internet has not been interrupted for 25 days using the QNAP card for both WAN and LAN. I have not tested a crash yet by unplugging the WAN port but eventually I'll get around to trying that.

All Linux distros won't connect to the net, internal or external. From internal it could be based on many points here, vlans, firewall rules and and and.... From external it must be over VPN or if you talk about your servers inside of the DMZ it is another point we should now first. It might be sounding strange, but you should be providing us perhaps with some more informations, that we not have to "digging all out of your nose". VLANs, DMZ, LAN or 2 DMZs, who is doing the DCHP job, if more the than one, were all the others set up as a DHCP-Relay or not? What is all installed and activated? pfBlocker-NG Snort & Suricata lightSquid, Squid & SquidGuard Is there another router in front of pfSense? That must be accepting then the private IPs at the WAN, and so on.

Thank you everyone- makes sense but wanted to verify.

@stephenw10 I think you hit the nail on the head, I had recently made NAT changes on the Primary side as part of a setup for testing wireguard and went from automatic to hybrid and broke it by creating a NAT to the CARP address that synced to the Backup. Thanks for pointing me in the right direction.

@stephenw10 Never mind, i gave up the package freeradius and i'll use a freeradius server with my users stored in openldap. Thank for you help. mkal

@stephenw10 The above procedure did the job. It would have been just as quick to backup config, re-install and restore config. In a high availability environment with hot-swap drives, the procedure would be a great solution to avoid any downtime. Thanks for the info. Ted

Sorry I have not updated. I have not been able to get back to the firewall yet, but I am hoping to soon.

@rcoleman-netgate Duely-noted.

Ah, that will do it. I should have pressed that question when I asked it earlier. Lesson for today. Good result. Steve

Probably something in the crypto-routing that is generated by the allowed subnets. Also remember that Wireguard doesn't add any routing for you so you must add that manually if you need it. Though you're probably using policy routing here. Steve