@Grimson I have been stuck with this problem for long time. You make my day. Thanks for the solution.

Ah, sorry, yes I thought you meant a complete re-install of pfSense.

That is probably the fastest way to resolve this.

Steve

Ok got their router and tried it and it wouldn't connect, so they did something on their end to get it to connect. After that and confirming the speed looked good there, switched back to pfsense box and speeds are where they are supposed to be. So looks like it was actually an ISP issue...

Thanks for all the suggestions!

Possibly because Squid is using the IPs directly to open connections to the servers and those certs don't have the internal IPs as SANs. Just a guess really, I've never dug too deep into that.

Steve

Yes pfSense works fine in most hypervisors. There are a number of guides here:
https://docs.netgate.com/pfsense/en/latest/virtualization/index.html

Steve

I am so glad I found this post. I have a very similar setup and could not wrap my head around why my gaming devices were going out through the VPN gateway even though all of my firewall rules looked like the connection should be going through WAN. This fixed the problem right away!

As for DNS leaks, I actually have rules set up so that the only port 53 connection that is allowed are to pfSense and all other requests sent out on port 53 are forwarded to pfSense. It's interesting to see the number of IOT devices with hard coded DNS servers.

@stephenw10

Got it. Will try that, once I get the other stuff sorted.

Yup, the only way I can see loss like that happening just be booting a VM is if it's trying to use the same IP pfSense is.

If that is happening the system log will be full of warnings.

Steve

@stephenw10 Understood. Thanks

@stephenw10

Thanks for the suggestion, I think the ping from the console fails but it's been a while since I tried that. Next time this happens I will definitely give it a try and update the post. Thanks again

@stephenw10
I will do that, thanks for your help :)

@stephenw10

Wow Ok.

Well I never saw those kinds of speeds with the VPN on. I saw them on my WIFI with the VPN off. But via ethernet with the VPN on is new for me. I like though. I would very much like to replicate and make it the standard.

Yes the Tier 1 I created as a proof of Concept to see if it would give me access to some stuff, I am not able to access on my Tier 2. Hence why I want to make it my Tier 1. The only issue is that I suspect I may be limited by the internet speed available to the VPS. I have to contact the vendor to see what speeds should be expected on the VPS. So I don't know if I will get the same speeds as my Tier 2. However, 20Mbps is the minimum of my heaviest bandwidth services so if I can at least get double that at 40Mbps as a standard, I will be content.

I am new to creating your own VPN server, so I will now have to look into things such as throughput etc.

as it relates to the high latency, yes both gateways are over 2,000 Miles from me give or take.

Hmm, that seems more like something on the cable side.

You could try setting at the command line:
sysctl net.link.lagg.lacp.debug=1

That will give you a lot more LACP logs on the pfSense side which might show something.

Steve

^^^^ ---- DERP

i think i just found it...

Diagnostics/Packet Capture
-_-

If you increase the probe interval want to increase the other intervals shown there in proportion. Otherwise they start to be meaningless. The Alert interval must be more than the probe interval for example.

If you're using DNS server as monitoring targets those servers MUST be set to the same gateways in System > General setup. Each of those things sets a static route to that IP and they must agree.

You can check the Status > Monitoring Quality graphs to see what each link has been doing historically.

Steve

Did you get past this?

Seems like an actual DNS based on this and your other post. Are you using the default DNS settings?

Steve

This should already be solved on your other thread. Once you've added the gateways you can route one group via one public IP and the other via the other IP. Then OpenDNS can respond differently to each group if you need that.

But if one groups can be unfiltered you don't even need that. Just pass the OpenDNS IPs as DNS via DCP to the filtered group and allow everyone else to use pfSense (or some other DNS server) to get unfiltered results.

Steve

Oh and by the way, @jimp did a great hangout: https://www.netgate.com/resources/videos/server-load-balancing-on-pfsense-24.html :-)

-Rico