Thank you for your response. I will try and keep notes on when it occurs throughout the day tomorrow and see if anything odd is in the system logs.

@viragomann:

ping and traceroute maybe do well. ICMP is a stateless protocol. The problems with that come if you establish a stateful connection.

So I'd try one of the suggestions.

OK, thanks for bearing with me! That one got through, I can just about picture how that makes a difference with how things are flying around.

@muppet:

I would check with your ISP and see if they have hard-set your port to 100/Full
Maybe the pfSense is trying auto and, seeing nothing, not bringing up the port.
And the switch, not seeing auto frame either, might be defaulting to 100M half-duplex, thus causing all the frame drops/problems.

This really sounds like an Ethrnet problem, nothing to do with pfsense itself.

PfSense works just fine, so it's not the problem.  The problem will be your Ethernet card, the drivers or similar.
Try and do some diagnosis to see what speed and duplex the port is coming up at, especially when connected to your laptop (is auto-neg being used or not?)

Thank you!
It really was something wrong with ISP's port. It was set to auto, but still didn't work correctly, so my connection was regularly jumping through different modes-speeds and getting big error rate. They just changed the port, and now everyhing is perfect.

They would never do anything if I said them it's pfSense or any incompatible router, but they couldn't reject the issue with just switch.

@stephenw10:

At layer 3, yes (probably). At layer 2, maybe. At layer 1, nope.

The reason it's a good test to put an unmanaged switch between your WAN interface and modem is because it can show up issues exactly like this.

If your modem is set to 100Mb full duplex rather than auto the switch will likely connect to that fine and will also connect to the WAN interface that is set top auto negotiation fine. But without it you get a default connection which is often 10Mb half duplex, horrible speeds and huge error rate.

Ethernet hardware should all conform to the specs and be compatible but that is not 100% true. Some cards will refuse to establish a link or continually flap up and down for no good reason. I have a Realtek card here that behaves exactly like that but only when connected to one switch I have.  ::)

What is the NIC in the Win7 PC?

Can you see the link speed/duplex on the switch in each of these cases?

Steve

Thanks for the info. Yes, they seem to implement things a bit differently. My Realtek NIC refused to see that broken connection at all, while Broadcom's one somehow worked fine on that… Also that Realtek only accepts it's hw mac, while Broadcom don't care.

Can't be done. There is no way to obtain a list of IP addresses for a wildcard domain. You would have to resolve every possible hostname which would be infeasible if not impossible.

One of the other packages, such as pfblockerng might have a pre-compiled list you can use. Not sure.

Yes, but it would send everything to the NAS.  I use that hostname with other ports to do other things…....  :-\

(edit) If NAT Reflection doesn't work, might have to get another hostname just for the calendars.

@viragomann:

Have you also added the vpn tunnel networks to the site-to-site settings as suggested?

This was the key. Users are able to access all branch offices now through the Remote Access VPN.

Thank you for the help!

with mssfix 1400, 20MB/sec was stable. A few errors but no loss of connection.

22MB/sec gave a couple of errors but did not disconnect me

Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #10253565 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

24MB/sec started to spam errors and I lowered speed before it broke.

I guess it must just be latancy related when at high speeds over UDP, but my connection to the server and ping are solid outside of the tunnel from what I can tell.

Solved by… cheated really
Anyway, switched to TCP and reached 36MB/sec which isn't to far from my max without VPN.

The other issue with the routing table and the pppoe connection that shouldnt of been caused by openvpn failing shouldnt happen now as openvpn is stable.

Hi,

Start to collect easy facts :
Stop using a VM, use a dedicated device.
Swap LAN and WAN.
What kind of brands, your NIC's ?
When you put in place another router/firewall, the problem disappears  ?

ESXI 4.1?

Why?  Dude freebsd 10.x not support until esxi 6.0u2 at min..

Also where is your lan side of psfsense.. You running vlan top of the vnic you installed in pfsense?  Why add another vnic on your pfsense vm and connect to proper vswitch or portgroup on vswitch to connect it to your lan network?

There are zero legal problems with what you're doing now, the objections from the seasoned users here are only practical in nature. It is counterproductive to produce yet another set of documentation that is going to be riddled with errors and inconsistencies and will lag behind the existing better quality official documentation.

No probably not. The overhead from running virtual should not be that large if the hypervisor is setup correctly. And on your hardware you shouldn't be getting even close to any limit at 180Mbps. Assuming you meant bps.

Steve

It is only 5 devices :D

As impossible as it should be, I've seen 2 NICs with the same MAC.

While supposedly unique, some manufactures have been known to recycle MAC addresses.  There's also the possibility of locally assigned MACs and many consumer routers can clone a MAC.  However, as long as they're not on the same local network, duplicate MACs are not a problem.

Though, for the home user, the time spent installing, configuring, tuning, and maintaining snort would probably be better spent educating the family on what not to do. That will benefit them for life on every network they encounter.

Thanks everyone this now works  :) :) :)

http://forums.kali.org/