• I can not reach my server

    0 Votes
    8 Posts
    2k Views
    yon 0
    Yes, I have to try Reset to factory defaults and log in to the web GUI now. I don't know why this happened.
  • how to unblock steam online in PFSense to play dota 2

    0 Votes
    1 Posts
    326 Views
    No one has replied
  • 0 Votes
    3 Posts
    728 Views
    johnpoz
    @derelict said in I want to use Snort, Squid & Wireshark on my home network but not sure where to place them, or even if they're really needed, plus other questions. Advice?: how much time it would take for someone to answer all that. And then he/she might just delete the whole thread.. if doesn't like the answer or gets what they want.. So sure and the F wouldn't spend more than a few seconds on a response. Posts that are wall of text don't normally get much responses... While responses can sometimes get long.. You prob have better luck in drawing attention with simple to the point questions you might have.. For example start with just snort, or squid, or wireshark asking how best to leverage vs all of it at once.
  • Does pfSense have a package similar to GoodbyeDPI? Details inside

    0 Votes
    16 Posts
    3k Views
    @jahonix different box, this is a 24/7 low-power workstation where I run pfSense along with a bunch of other programs.
  • WAN throughput throttling

    0 Votes
    6 Posts
    1k Views
    @donnyr said in WAN throughput throttling: Thanks. I am running bare-metal so no potential bandwidth issues. The same NICs achieve even 980 Mbps in Windows on my other 1 Gbps connection so I presume it is a pfSense issue. What bewilders me is that the upload still goes to 250 Mbps so it's not a technical limitation to 100 Mbps. Even USB 2.0 should achieve more than 90mbs so also probably not driver related. I don't have other NICs available to test at the moment. Will see if I can borrow some. It's not remotely the same. When running as a client, like with Windows, the drivers can offload much of the network stack to the NIC. In short, most of the hardware offload features that allow Windows to be fast are not applicable to pfSense. What you need is a NIC that has advanced interrupt moderation and DMA coalescing, so every network frame doesn't interrupt the CPU. Depending on the situation, upload can be easier because drivers can buffer some amount of data before sending to the NIC. In the case of receiving data, it's cheaper to not have the NIC buffer because buffers cost money and increase complexity.
  • Windows network discovery doesn't seem to be working?!

    0 Votes
    11 Posts
    1k Views
    stephenw10
    Start basic, build up. The best way to access an insecure resource like that is to use a VPN to connect to the firewall and then access the DVR over that. Steve
  • How to Enable PPTP Server

    Locked Moved
    0 Votes
    9 Posts
    1k Views
    jimp
    No, don't do that. That version is over two years out of date. PPTP is insecure and must be avoided. There is no way to use it on current and secure versions of pfSense.
  • reassigning interfaces, now no Internet

    0 Votes
    4 Posts
    552 Views
    Thanks, will try that. FYI, my DD-WRT is presently pointing to 8.8.8.8, 8.8.4.4 for DNS. However this is behind the China Telecom modem/router and DD-WRT is getting a WAN IP address of 192.168.1.7 (turning that China Telecom box into bridge mode would be nice) (Talking to tech support here in China is a waste of time due to my lack of Chinese language. My Chinese friends are not tech savvy enough to help)
  • SSH not working - "pid 34138 (sshd), uid 0: exited on signal 4"

    0 Votes
    1 Posts
    248 Views
    No one has replied
  • How to monitor and graph an IP address other than gateway monitor

    0 Votes
    2 Posts
    344 Views
    Derelict
    Use something like zabbix, solarwinds, or another network monitoring system maybe? pfSense is not an NMS. It is a firewall.
  • Setting up pfsense with two subnets?

    0 Votes
    4 Posts
    618 Views
    @jknott Thankfully I bought the TL-SG1016DE V3 so it doesn't have the VLAN bug.
  • LAN Interface Down/Unreachable

    0 Votes
    2 Posts
    2k Views
    Ok guys, I know this is going to kill any credibility I might have ever had but....the interface names, and places on the motherboard did not line up... So I was using igb0 (first port from left) for WAN, igb1 (second port) for LAN, and igb2 (third port) for OPT1. It turns out, port 1 is igb0, port 2 is igb2, and port 3 is igb3. I figured it was 0 1 2 3. I discovered this by using the "auto-assignment" feature, I never thought that the numbers wouldn't be sequential. And thus, I am now able to access the webConfigurator. Lesson of the day: Don't trust random almost no-name Chinese MFGs to make everything sensical. I'm adding this post for posterity to make sure they remember to chickity check themselves before they spend 8 hours troubleshooting what seems like an insane problem. Also I found this document at some point to help me achieve what I want to for my pass-through style: http://users.ox.ac.uk/~clas0415/assets/Setting-up-pfSense-as-a-Stateful-Bridging-Firewall-with-commodity-hardware.pdf
  • DNSThingy on pfSense + pfBlockerNG

    0 Votes
    3 Posts
    848 Views
    chudak
    @artooro is it really true? I saw it's conflicting with NAT port forward on 443. And it's understandable pfBNG and DNSThingy both need to use it, no?
  • ntpd does not update?

    0 Votes
    3 Posts
    827 Views
    @knebb Final solution: Outbound-NAT was misconfigured to always map to the VirtualIP even in backup mode. Switched to automated outbound NAT and now working fine.
  • DNS_PROBE_FINISHED_BAD_CONFIG

    0 Votes
    1 Posts
    839 Views
    No one has replied
  • Performance Impact on Disabling the Kernel PTI?

    0 Votes
    3 Posts
    3k Views
    It's mostly less than 1% CPU load, but we are running on such an environment that any less latency is an important gain. So I am doing everything to increase the performance. What is the performance gain when I disable it? 10%? And the risk that something may go wrong, such as not a successful reboot?
  • GRE tunnel only comes back online after firewall change

    0 Votes
    2 Posts
    345 Views
    jimp
    Look under Diagnostics > States and compare what you see for the remote GRE endpoint before and after reloading the filter.
  • SSL Certificates for Local IP address [Solved]

    0 Votes
    15 Posts
    8k Views
    jimp
    @johnpoz said in SSL Certificates for Local IP address: Does that method also allow for rfc1918 IP san entries? Or for a use of domain that is not valid on the public via tld, like local.lan, or single label domains that many users are fond of No, it can't have IP address SANs and must have a valid domain that exists in public DNS. The hostname doesn't need to be public, but the domain has to be registered/have name servers. If so will have to play with this. But then again not too many switches and other devices have support for ACME that I have seen. So the local CA still has multiple advantages IMO. Yeah, for that kind of thing it could be a PITA to constantly update them with the ACME cert since it wouldn't be automated. Local CA does win out in that scenario.
  • is this a bug

    Locked
    0 Votes
    2 Posts
    274 Views
    jimp
    More than likely it's a configuration issue, but that question still belongs in the Cache/Proxy board, not here.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.