• Pfsense and use of multicore in custom appliance

    3
    0 Votes
    3 Posts
    685 Views
    stephenw10
    Yes, it will use multiple CPU cores. Especially if you have a bunch of packages installed where loads can be spread more evenly. But, also yes, some things are single threaded. If you need to route at or close to 10G and run things like IPS or ntop then almost nothing would be overkill. Steve
  • Seperate pfSense machine and Proxmox Machine

    8
    0 Votes
    8 Posts
    898 Views
    stephenw10
    Like I said if you just load all the rules and don't tune anything it will alert and block on most Linux pkg updates. You need to suppress the alerts or disable the rules that are triggering it. https://docs.netgate.com/pfsense/en/latest/packages/snort/suppress-list.html We usually recommend running Snort for at least a week in non-blocking mode whilst monitoring the alerts. Only enable blocking once it's no longer alerting on legitimate traffic. Steve
  • FTTH (AON): Fritz!Box 5530 works, pfSense not

    ftth fiber fritzbox sfp vlan
    27
    0 Votes
    27 Posts
    5k Views
    stephenw10
    @waldy327 said in FTTH (AON): Fritz!Box 5530 works, pfSense not: Or is it enough to disable "Hardware TCP Segmentation Offloading" "Hardware Large Receive Offloading" Those should be disabled anyway, they are disabled by default so definitely disable them if you have set them enabled. Hardware offloading requires the driver and hardware to work correctly together. Something that works on an igb NIC might work on ix. It might not even work on a different NIC that also uses the igb driver. They usually do though because those Intels are the best supported. Intel contributes their own driver code to FreeBSD. To disable that as a test you can run at the command line: ifconfig ix0 -vlanhwfilter -vlanmtu -vlanhwtag -vlanhwcsum I had assumed your igb NICs are not SFP? Steve
  • NTP Status Broken?

    16
    0 Votes
    16 Posts
    2k Views
    D
    Well, I somehow resolved it... Sort of, I downloaded the configuration, manually edited the XML file, removing the <ntpd>...</ntpd> section. Did a restore of full configuration, after the reboot it works, checked the NTP configuration, all looks the same. Even Debug output is all the same except now both IPv4 127.0.0.1 and IPv6 ::1 query through ntpq work. Only thing I can figure is that there is a hidden or corrupted character in old ntp configuration section.
  • Pfsense Rebooting agin and again...

    Moved
    3
    0 Votes
    3 Posts
    457 Views
    stephenw10
    Yup could be a bad disk. Can we see the actual output leading up to the reboot? Steve
  • 22.01 ETA still holding up?

    43
    0 Votes
    43 Posts
    9k Views
    S
    My post yesterday was intended as tongue-in-cheek. Microsoft ran into this same discussion with Windows 10, after switching from three feature updates a year to two, then changing the labeling from "1909" to "20H2" because people kept expecting releases in March and September, per the numbers. It seems the misunderstanding here was that the ".01" release would definitely be out in January, not "when it's ready." Changing versioning to "21Q1" may not work with internal version numbering. I don't know if "21.1" for the first release of the year then "21.2" and "21.3" would still fit the stated goal of dating the release but might be a compromise. If one is even needed...setting the "when it's ready" expectation a bit better would be another method. I do understand the point of view where people may have been waiting for the new version to ship routers, and sympathize.
  • Complete newbie - set up guidance please

    15
    0 Votes
    15 Posts
    1k Views
    T
    @jknott said in Complete newbie - set up guidance please: @tymh said in Complete newbie - set up guidance please: Obviously I need to put pfsense in between the modem and the router, Why would you need both pfsense and another router? Now I know more about this, it would be using the Orbi as an AP rather than a router.
  • Reboot or more memory?

    15
    0 Votes
    15 Posts
    1k Views
    L
    Works fine just turning off the service if you don't reboot on a regular basis. I went from really high to 8/9% memory use since yesterday.
  • Trying to use a new 5G modem with pfSense

    5
    0 Votes
    5 Posts
    4k Views
    stephenw10
    @patch said in Trying to use a new 5G modem with pfSense: you will need to not block local networks on your pfsense Wan The setting that pfSense has for this, Block private networks and loopback addresses, only blocks incoming connections sourced from private IPs. All incoming connections on WAN are blocked by default anyway. Having that enabled does not prevent outgoing connections in a double NAT setup like this. The only time you would need to disable that is if you were trying to connect from a client in the WAN side subnet. So for example if you had a WIFI client connected to the Telstra router and were trying to access the pfSense webgui using its WAN IP. Steve
  • Setting up firewall - slow

    Moved
    3
    0 Votes
    3 Posts
    587 Views
    P
    @steveits _ Thanks! Let's hope so...it drives me nuts!!
  • pfSense LAG Not Working

    3
    0 Votes
    3 Posts
    488 Views
    stephenw10
    So... working as expected for you now?
  • Qnap update Clamav antivirus db failed.

    2
    0 Votes
    2 Posts
    629 Views
    stephenw10
    What error is given? Is this pfSense related? Steve
  • pfSense DIY box - testing interfaces

    2
    0 Votes
    2 Posts
    406 Views
    stephenw10
    So only output drops on the switch interface? Any drops or errors on the NIC in pfSense? Flow control mismatch maybe? I wouldn't really expect to see any issues with a 1G test over 10G infrastructure. Steve
  • How configure unplugged pfSense WAN interfaces?

    gatewaygroup
    6
    0 Votes
    6 Posts
    1k Views
    stephenw10
    Yes, PPPoE has special handling even though it's also a dynamic gateway. That will also appear in the config if you edit and save it though. Steve
  • shutdown -c

    4
    0 Votes
    4 Posts
    560 Views
    Gertjan
    @anengelsen said in shutdown -c: shutdown -c Is an incomplete command. Look here : @serbus said in shutdown -c: shutdown The time option is not optional. time Time is the time at which shutdown will bring the system down and may be the case-insensitive word now (indicating an immediate shutdown) This might work : shutdown -c now I didn't try it ;)
  • Openssl support Intel QT

    5
    0 Votes
    5 Posts
    972 Views
    stephenw10
    It probably isn't worth the time and effort, at least until DCO arrives. There would likely be some development required. I've never seen anyone do that, as far as I'm aware there is no way to have OpenSSL use the existing QAT driver. It's currently IPSec only. Steve
  • pfSense NTP server is very unstable.

    13
    0 Votes
    13 Posts
    2k Views
    bingo600
    https://www.ntp.org/ntpfaq/NTP-s-trbl-general.htm#AEN5162 NTP will reject a peer that is roughly 20 or more minutes off. http://www.ntp.org/ntpfaq/NTP-s-algo.htm And it will consider a 128ms diff enough to be "unsync'ed" @einsdisp said in pfSense NTP server is very unstable.: How to force pfSense to believe remote time of a single server, in case the offset is very large? ntpdate will "step the time", but requires the ntp daemon to have released its binding to the UDP 123 port ... AKA "usually" not running. /Bingo
  • Is Purely Internal Traffic Limited by pfSense Box?

    3
    0 Votes
    3 Posts
    406 Views
    R
    @areckethennu By "upgrade things to 10GB Ethernet", you mean 10GB internet connection, or running a 10GB intranet? If the latter, then you just need a 10GB switch connected to your pfSense and 10GB NICs in the PC/Servers you want to be connected to it. The switch is a convenience, as you can always direct-connect computers through static IPs as long as they have a proper NIC. Or, as @AndyRH just said: only routed traffic passes through pfSense.
  • 22.01 - Released or not released?

    13
    0 Votes
    13 Posts
    1k Views
    keyser
    @stephenw10 said in 22.01 - Released or not released?: Mmm, it looks like the Next repo package might be showing that incorrectly. We are looking at it. Ohh no - please don't let this be yet another delay in the 22.01 release... :-( I have a bunch of boxes waiting on my desk I would love to start off in a ZFS based install before they are deployed. If 22.01 is delayed yet again, I guess I'll have to go UFS on them and suffer the risk of consequences whenever the power goes.
  • pfSense running slow?

    3
    0 Votes
    3 Posts
    581 Views
    F
    @stephenw10 said in pfSense running slow?: It really depends what change you're making. Some things might seem simple but actually trigger a number of other processes. Fair enough, that is true. One example I find peculiar is just changing the descriptive text of a firewall rule. This is sometimes quick, and at times can take up to 5s to save. I have noticed it is producing really much logs for blocked stuff, in particular for IPv6 which I don't use, perhaps that is what uses the CPU the times I find it a bit slow?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.