• Incorporating 3100 into network

    16
    0 Votes
    16 Posts
    2k Views
    ipeetables

    Nice, enjoy!

  • PPPOE(ISP) with pfsense setup

    3
    0 Votes
    3 Posts
    622 Views
    E

    @NollipfSense thanks for the reply. Based on the link, does it mean that we use the pfsense as our ISP router for PPPOE?

    from: ISP modem/router(PPPOE w/ own public IP) >> Pfsense(WAN) >> LAN.
    #as far as I know, they just provide a local IP generated from the ISP router for pfsense to use, if I'm not mistaken.

    to: ISP(physical LAN) >> Pfsense "configured with PPPOE"(WAN) >> LAN.
    #bypassing the ISP modem/router (with PPPOE config) and configure it directly to pfsense

  • circuit bouncing and DNS

    24
    0 Votes
    24 Posts
    3k Views
    R

    @Gertjan Fantastic sir. Looks a lot better, I have my second circuit being installed tomorrow and might put a Velo for a 3rd WAN link to be safe.

  • pfSense rebooting randomly?

    3
    0 Votes
    3 Posts
    961 Views
    RyanMR

    @Gertjan yeah, I think the issue was the ping_check.sh script. I was having issues a while ago with my WAN interface not renewing my IP. Someone suggested this script to address that. I have removed that cron job.

    As for 192.168.1.148, this is my iPhone. What will typically happen is we will be watching our Roku and the video will pause. I will then use my phone or tablet to login to pfSense to see what is happening. Sometimes I can login and then pfSense becomes unresponsive (because it is rebooting), other times it is already in the reboot process and I need to wait 1-2 minutes for it to come back.

    Anyways, I will see what happens after removing the ping_check.sh script.

  • (Somewhat) High Availability setup? CARP not an option!

    7
    0 Votes
    7 Posts
    1k Views
    T

    So just to update what I settled on, I have gone with a pair of OpenWRT virtual machines running in a high availability setup with Keepalived and VRRP.

    Keepalived works fine without any special settings on the Hypervisor switch/VM - some connections will drop when you power off the active instance, but they come back within five seconds or so - I did a test where I RDP'd from outside the routers to a device on the inside, loaded up a live TV stream on the machine inside the routers, powered off the active router and neither the RDP stream nor the live tv stream were interrupted.

    Shame that this isn't available within FreeBSD/PFSense (I understand keepalived on freebsd hasn't been updated since 2011) - or that CARP has the option of running without changing MAC addresses.

    Have to say OpenWRT also boots up quicker (in about 10 seconds) and routing performance was better - was getting nearly 5 gigabits in my Iperf3 tests where PFSense under identical conditions would do a smidge over 2 gigabits.

  • HA Failover without NAT on pfSense

    1
    0 Votes
    1 Posts
    186 Views
    No one has replied
  • Surprise notification

    7
    0 Votes
    7 Posts
    785 Views
    jimp

    We can't speculate as to what you were doing then -- only you or other admins on that firewall would know.

    A guess would be that you've used an accented or other international character in a client-specific override description or common name.

  • Ruckus Access Points Heartbeat lost in LAN

    27
    0 Votes
    27 Posts
    5k Views
    W

    Many thanks for your continued help on this, much appreciated and glad we got to the bottom of it!

    It's been running fine for the last few days, which is great news!

    They're both running the latest firmware, but, I'm going to provide the feedback to the manufacturer to get their feedback as to why it's happening in the first place.

    Many thanks once again!

  • Enable internet access from LAN

    50
    0 Votes
    50 Posts
    12k Views
    Gertjan

    a self signed cert on an imap 143 port?
    imap 143 is the 'clear text' version. If you want to use TLS for IMAP you would be using 993.
    pop and TLS: 995
    Mail clients that send mail should use 587 (TLS possible but now needed) or even better: 465.

    Port 25: should be used only for inter mail server communication. This port was never intended to be used by mail clients. It's so wrong to do so.

    Very soon, ports like 80, 110, 143 (21) etc will be out of business for good.
    Remember: you have a web site on port 80? Google won't index you any more.

    Btw: Modern 'fat' mail clients like Outlook don't even accept self signed certs any more. Maybe, if you imported the CA and stamped it as 'trusted' you might get away with it.

  • Pipe the content from an SMTP Mail to a text file

    1
    0 Votes
    1 Posts
    125 Views
    No one has replied
  • Intentional Asymmetric Routing to a VLAN.

    28
    0 Votes
    28 Posts
    3k Views
    Phizix

    @johnpoz

    I have an Asus RT-AC88U as my non-Guest WiFi AP - 1G link to the backbone. Next year I am going to go to an AX router in AP mode for non-Guest.

    My Synology NAS is on a 2x1G LAGG. And my two older NetGear NAS boxes (for backup) are on 1G links.

    Cheers!

    Phizix

  • IGB Ports - LAN configs for VLANS

    10
    0 Votes
    10 Posts
    2k Views
    V

    @stephenw10

    They are Juniper ex2200 24 port GbE switches. They are all rack mounted within the same network closet.
    They are not stacked as of yet. Juniper uses Virtual Chassis to stack switches, but that has not been configured yet. I am also working on that in tandem with this.

  • NTP server issues

    45
    0 Votes
    45 Posts
    7k Views
    johnpoz

    So the problem was I thought you were not natting.. Which prob has something to do with manual nats and all your vpn interfaces...

  • PFSense server blocking ProxMox server

    2
    0 Votes
    2 Posts
    533 Views
    V

    Provide a network map of your setup and give more details about the pfSense interface settings and rule.

  • Cryptographic Hardware setup for Intel RDRAND

    3
    0 Votes
    3 Posts
    1k Views
    noplan

    thanks ... !
    brNP

  • pfSense and Hyper-Threading in 2020

    3
    0 Votes
    3 Posts
    2k Views
    ?

    That’s what I was thinking. Thanks so much for your answer, Steve!

  • Network suddenly slow

    9
    0 Votes
    9 Posts
    1k Views
    TangoOversway

    @Gertjan Thank you! I'll use that for testing the LAN issues. Much appreciated!

  • Help troubleshooting loss of connection

    6
    0 Votes
    6 Posts
    658 Views
    stephenw10

    The irq entries in top are the queues on the network cards as the OS services them to route traffic. That is also where the actual pf load is shown so that is completely expected.

    Yeah with several gateway entries I imagine the system selected a bogus default route. I'd be confident that was the cause here.

    The only other thing, potentially, that might behave like that would be Suricata in in-line mode if you were running that on the WAN only.

    Steve

  • Getting very low speed from pfsense

    5
    0 Votes
    5 Posts
    572 Views
    chpalmer

    Have you tried an actual speed test on a local machine?

    http://myspeed.etisalat.ae/

    See if you get better results.

    I would also ask if your graphs are set for "bits" or "bytes"?

  • 0 Votes
    2 Posts
    278 Views
    D

    So it ended up being Chrome. I can access it on Edge and IE, which is odd.

    Cookies and Cache did not resolve it so I guess there is something else going on with Chrome but I can access it now, which is what I needed, thanks!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.