Um, yeah you need VLANs if you can't physically moved the different bits of equipment. Potentially your WAPs might be able to tag traffic directly and your unmanaged switches might pass that tagged traffic which would allow you to isolate that traffic to pfSense. But that still leaves WAN and LAN in the same layer 2 which is all wrong! Steve

It's not the hardware. I have Pentium processor (Skylake family) on a B150 chipset and 3 Intel NIC cards. But your advice in checking to see if some limiter was running was the cause. I don't ever recall setting a limiter up, but I might have inadvertently set one up playing with the settings. Anyway I deleted the limiter in pfSense and now I am getting 150+ Mbps. Last test was 197 Mbps!  ;D Thanks for your suggestion marvosa!

Update.  I have replaced the NIC and all is good again, it was caused by some failed hardware.  Anyways I had to replace it with another realtek because my little box is so small I need super low profile card and I could not find an intel one that was small enough, anyways it I will know what to replace if this happens again.  Thanks for all the help!

Bah, look at the turn this has already taken. We started with a flawed design and lack of information, so taking the OP down rabbit holes at the beginning (which he may or may not even understand) will just get messy, confuse everyone and triple (if not quadruple) the length of this thread. Why go there?  Why not address the flawed design to start with?  You know very well he shouldn't be using VLAN 1 for data, we don't know if his LAN interface is addressed, no network map was provided so we don't' know how things are connected, we don't know what default GW is being used, we don't know if the connection to the switch is trunked, we don't know if the switch is even managed, etc, etc. OP, IMO you should address your design before we go any further or it will add several days (if not weeks) to this thread.

@bobsuruncle: ah yes, good idea.  what's the best way to swap it without re-configuring everything? Download and edit manually your config.xml is the best way, I think. Always use saved copy for backup! Search for interfaces, ex em0 and em1 and swap them everywhere (match whole word only). For my setup it counts only 1 match for every interface assigned. After editing double check everything and restore your edited config on firewall using gui. The other way is just to reassign it via console menu or even gui, but I did not try this way and it could be complicated as you need to re-plug your cables on the fly may be.

If this isent possible, then its ok, but i hope that it works anyone?

Noone?

Check the firewall interfaces for possible stale rules left behind. Also I noticed some things do not work/get applied properly until you do a reboot.

HI Swoody, i have the same issue, did you manage to find a solution? Vuko

I have been using Pfsense for years to protect VoIp. Nothing beats this with Pf8Blocker. I have never had a NAT issue due to PFS since 2.x earlier version did have issue that needed some tunables etc..

Hello, I figured out the speed issue. The tunable for flow control does not load when placed in /boot/loader.conf.local I used cli to do the following "sysctl dev.ix.0.fc=0" the command prompt in GUI works as well by entering the same string. Now if I could only get the DOM readout I will be a happy person.

Hi This is sorted.. Years back I'd setup IPTABLES rules on the servers to block specific traffic. I'd forgotten about that and it was those settings that were causing the issue. I now have 4 SIP trunk from different providers registered and routing to the correct devices. Everything seems to be working fine.. Thanks

The ASUS can be setup and configured as a Wireless Access Point. This is now in and connected to OPT1. The ASUS is doing MAC filtering and is configured to use the 10.10.10.1 as it's default gateway. All devices are being given DHCP addresses and network config from the OPT1 interface. This all appears to be working fine. By default I've blocked all devices from the AP/OPT1 to the LAN but have allowed a small 'approved list' So far so good. Thanks for the help and advice.

Thanks, both. Looks like I saved the cost of an antenna. The wireless card will remain in the spare parts box.