• pfSense, Active Directory and SSH

    0 Votes
    1 Posts
    417 Views
    No one has replied
  • pfSense APU3C4, Gigabit and PPPoE

    pfsense pppoe
    0 Votes
    11 Posts
    1k Views
    24unix2
    @stephenw10 After some further reading, I enabled software flow offloading and hardware flow offloading. Now I will wait a while and see what Zabbix measures …
  • LAN access lost when pfSense WAN interface down

    0 Votes
    10 Posts
    1k Views
    stephenw10
    Oh, you mean you can't even connect to LAN hosts from other LAN hosts? Yeah that never goes through pfSense so definitely a problem at a lower layer somewhere. Steve
  • Share your setups! How are you keeping yourself safe online?

    1 Votes
    5 Posts
    841 Views
    keyser
    @deanfourie Good idea. 1: SG-6100 with BiDi SFP for direct Fiber to the Home attach. 2: Two VLANs - Home network and Guest network. 3: Aruba CX-6100 switch and Aruba IAP-315 APs with detailed per-device IPv4/IPv6 L2/L3 access lists enabled - based on client MAC address (too much hassle with 802.1x for wired home networking). One SSID and all wired ports are “colorless”. MAC address defines which VLAN and role (access rights) is assigned to you. Five network roles defined in switch/AP: ADMIN, CLIENT, IOT, SECURE IOT and GUEST. Role gets assigned from RADIUS based on client MAC address. 4: FreeRADIUS on pfSense with all well-known MAC addresses defined and assigned their appropriate role. Unknown MAC addresses get assigned the Guest role. The trick here is that different device types (not guests) are still in the same VLAN/IP subnet and can find each other (broadcast/ARP) if allowed by the ACL role assigned in the switch/AP. 5: pfBlockerNG for Geo-based aliases blocking inbound sessions to whitelisted countries. Russia, Belarus, China and North Korea blocked completely inbound/outbound. 6: pfBlockerNG for IP-based blocklists and well-known offending IPs. 7: pfBlockerNG DNSBL with about 12 feeds active to block tracking, ads and phishing - including DoH blocking. 8: Occasionally NTopNG active to spy and monitor traffic, but for unknown reasons, NTopNG adds a 20 - 200 ms latency to occasional packets once in a while (noticeable), so it’s not running permanently. 9: Destination NAT on ANY outbound DNS, NTP requests from internal interfaces. Rerouted to pfSense NTP and DNS server.
  • Upgrade 2.5.2 to 2.6.0, upgrade success, Limiters not passing

    Moved
    1 Votes
    129 Posts
    47k Views
    stephenw10
    That's correct, there is no run-time patch for the issue. https://redmine.pfsense.org/issues/12954 Steve
  • Notification error

    0 Votes
    6 Posts
    995 Views
    Z
    @jimp Thanks ... 2FA and App Password solved the problem
  • Basic 2 interface LAGG help

    0 Votes
    4 Posts
    552 Views
    stephenw10
    Only ports 23 and 24 should be in the LAGG on the switch. Check the output of ifconfig lagg0 in pfSense. If LACP is correctly set up it will show '<ACTIVE,COLLECTING,DISTRIBUTING>' on each port. You are not using a VLAN for the captive portal interface in pfSense, so you shouldn't have any VLAN config in the switch for the lagg or port 7, including VLAN trunk enable. Steve
  • Increase in RAM usage

    0 Votes
    2 Posts
    534 Views
    fireodo
    @enesas It's probably in the context of this: Memory Leak Memory Usage As far as I read it should be fixed for CE 2.7.0 and PF+ 22.05 ...
  • Disk Full - but not seeing how

    0 Votes
    9 Posts
    1k Views
    B
    @derelict I had lost webui access entirely... so I didn't have the opportunity to see the capture process still running. I had forgotten about it. Likely because the file being removed is still open by the capture process. Is there a command to see what files have open file descriptors?
  • Newbie question, just want to use VPN function not as router.

    0 Votes
    8 Posts
    950 Views
    stephenw10
    Yup, that^. You just need to change the pfSense LAN subnet to something other than what the ISP router is using. The default 192.168.1.1/24 for LAN will work if it's not already in use somewhere on your network. But I suggest you don't use that, especially for a VPN server, because it can easily conflict with remote VPN clients. Use something obscure instead like, for example, 10.100.10.1/24. Steve
  • IPv6 - set static address on tracking interface

    0 Votes
    3 Posts
    662 Views
    C
    @jknott it looks like - thank you.
  • New pfSense install runs at only 610Mb/s on a gigabit fibre connection

    0 Votes
    16 Posts
    3k Views
    M
    I have CAT5e jacks throughout the house and get gig speeds on every device. Possibilities I can see... misbehaving NIC on the endpoint, damaged cabling, bent pins (or corrosion) on the jack, bad termination on the jack (or patch panel), misbehaving switchport, misconfigured NIC, could also be running CAT5 instead of CAT5e, amongst other things. You can actually get up to 5 Gbit over CAT5e using mGig ports, so there shouldn't be any issues getting 1 Gbit speeds under normal circumstances. If you're not getting 1 Gbit over CAT5e, then there's an issue with something... somewhere... however subtle it may be. I feel like the CAT6 cable may be masking the underlying issue... but glad it's working.
  • NETGATE 3100 drops connection on downloading large files

    0 Votes
    5 Posts
    625 Views
    stephenw10
    Mmm, odd. I know of nothing that would do that without a deliberate config to make it do it. Like using Squid with ClamAV perhaps. But the 2GB RAM in the 3100 would restrict that. Steve
  • ZFS Boot Environments and old pool name

    0 Votes
    4 Posts
    544 Views
    stephenw10
    Mmm, the name itself should not be an issue but, yeah, I would definitely re-install.
  • /boot/loader.conf.local replaced during Upgrade to 2.6

    0 Votes
    12 Posts
    1k Views
    stephenw10
    It wasn't that it's unstable in 2.6; it's that the drivers stopped building in our build infrastructure for some reason and the errors were preventing snapshots from being built. Since the only thing we've ever sold that has Realtek NICs (apu1) runs just fine with the default driver, the easiest thing was to remove it at that point. I can ask about adding it back. Steve
  • Can't reach access point on other interface/subnet to configure it.

    0 Votes
    5 Posts
    709 Views
    S
    @indiegamesfan said in "Can't reach access point on other interface/subnet to configure it.": "and block the web interface on the guest network" I doubt that would be possible with most AP devices, but probably the best chance is to use an outbound NAT rule as mentioned and on the AP allow access only from that IP (the IP of that NAT rule).
  • Unplugged 1 NIC causes pfSense to not work

    0 Votes
    10 Posts
    959 Views
    stephenw10
    Yeah, the chances of a NIC failing so that it's not seen on the PCI bus is extremely low. It's far more likely to fail on the other side. If hardware failures like that are a concern you should be using an HA pair. Steve
  • ntpd Server Log Level

    0 Votes
    4 Posts
    873 Views
    B
    @johnpoz Thanks, yeah, I was aware I can see it in real time; I was looking for logging. Firewall rules with logging enabled work too, but IMO the service itself should do it.
  • Windows clients can only ping gateway

    0 Votes
    20 Posts
    3k Views
    E
    OK, so I solved the problem... idk why I didn't do this earlier, but I checked the ARP table of the computers that were not working and the MAC didn't match my router. Turns out that my brother's switch killed itself and decided to statically give itself the same IP as the router, ARP poisoning the network so the computers could only access devices in the same subnet. idk why this affected only Windows devices.
  • Certificates expiring

    0 Votes
    9 Posts
    1k Views
    JKnott
    @bob-dig Found it and it expired 120 days ago. I have renewed and it will expire on Dec 3, 2027. tnx
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.