They generally perform worse for two reasons, they offload all of the work to the CPU, and they have crap driver support. No matter how good your hardware is, no driver support will kill it. And depending on several thing, 2ms is really really bad. I get a 0.2ms ping average, and a min ping of 0.008ms. Even my 8 year old Dells with an Integrated Intel NIC that Intel claims costs about $0.01 to add to the chipset, averaged about 0.3ms. But lets not get sidetracked with hardware knocking before the issue gets narrowed down a bit. One thing you may want to do while trying to make the firewall shuffle packets around is to look at the System Activity and see if CPU usage is abnormally high an what is using it. When doing this kind of test, best to do a load test through the firewall and not to it, it makes a difference since firewall stuff is done in the kernel while iperf is done in userland.

Okay, so the random shutdowns were not because of… 0x0ahd1: Address or Write Phase Parity Error Detected in TARG. Yesterday in the evening we had a power supply failure. We replaced the power supply and the system has yet to go down since. However we still get the "0x0ahd1: Address or Write Phase Parity Error Detected in TARG." errors in the logs. Are we looking at a HDD failure in the works?

@jimp: To make it stay across upgrades, use a <menu>tag inside the packages section of your config.xml. Install a package and then look at its <menu>tag and follow the same general syntax. </menu> </menu> agreed! This is the best way to add a menu link that stays across upgrades and updates!

Hi, Thanks, I changed the hosts files to point locally to our proxy server (e.g. wiki.domain.com points to the local ip of the proxy) and this is working great now, the COMODO certificates are returned and the application works. Thanks for the help. Kind Regards, Gary

Install the sudo package and use it. Then you can grant access to users or groups from the GUI.

Do not use an obsolete 2.0.x version, use a current version (2.3.2). The patch is no longer necessary and packages for 2.0.x have been removed, which is why you can't find it. If you post on the OpenVPN board here asking for help with what you're trying to accomplish using 2.3.2, you're more likely to get accurate and relevant help.

thanks I'm an idiot for not looking there first…

@jimp: Difficult to say without more detail, but on smaller hardware, just watching the dashboard on its own will cause a spike in CPU usage because it takes a fair amount of CPU time to process all of the data required to draw the dashboard. In other words, the act of measuring can change the results. Even on my i5 quad-core, viewing the web front-end bumps the CPU from 300mhz to 800mhz-1600mhz due to increased CPU load.

I wonder if a nic can manage certain amount of users because I have about 50-60 users on my network.

Noted I can't seem to understand clearly what your saying in the second sentence of your paragraph though. Can you put it in more of a layman's term.

I can't find the checkbox you mention, but I don't think that is the issue. Very, very little of our traffic goes down the tunnel (tunnel A), plus I'm seeing the following: Tunnel A - terminates on the pfSense box. External IP is on WAN1. Tunnel B - terminates on a device on the LAN. External IP is on WAN2. This is the one we're having trouble with. Both Tunnel A and B terminate their other end on the same remote device. The setup traffic for tunnel B isn't being routed down tunnel A. Instead, it seems to be using the routing table for the tunnel A setup packets (IKE/ISAKMP - port 500) to route the setup packets for tunnel B (they should go down a different interface). I'm actually seeing packets with WAN2's address being sent out on WAN1.

Nevermind I think I found it is a Chrome issue.  Will try another browser and see if that fixes it.

ItIt's a pico psu with 6.6amp 12v external supply 100-240v 50-60Hz:  using UK 230v running about 50c no fan pretty much this with 60Gb ssd https://www.amazon.com/Supermicro-A1SRi-2558F-Intel-Fanless-Server/dp/B016VHBA7C/ref=sr_1_fkmr0_1?ie=UTF8&qid=1473252480&sr=8-1-fkmr0&keywords=supermicro+c2558#productDetails

There is a ticket open and PR with a fix, but the problem is Chrome didn't properly code their regex parser. Use another browser or apply this patch with the System Patches package: https://patch-diff.githubusercontent.com/raw/pfsense/pfsense/pull/3127.patch

what?? Where did you hear what?  If your using the resolver the only thing that should be listed as your dns would be loopback.

Yeah you still have to hit the "+" icons to resolve them, on the bright side, once the hosts is resolved it updates all entries that have the hosts. pfBlockerNG logs have the option to Auto Resolve IPs.