@scotty562:

I don't ever want to be short again :).

I'm not really proposing a solution for your v4 problem, but, when you have some time, take a look what v6 /64 can do for you  ;D

Ok, thanks for your suggestion will give that a try.

@BLiNX:

Currently the internet served by a standard router with some UAPs, which doesn't have good firewall. As long as the internet connection fast & stable, security is not really important here. Mainly for entertainment/streaming purpose only.

@jahonix:

… Stay away from those cheap switches with "108E" in its name (TP-Link, Netgear).

I will avoid those SG105E & 108E, although they're support 802.1q. Just want to know why should I?

They leak traffic from the native LAN to the VLAN.  My TP-Link access point does the same thing, which makes it useless for having multiple SSIDs and VLANs.

In case anyone else has this problem the workaround is to run mc -u

https://forums.freebsd.org/threads/misc-mc-problem.55627/

Hi Clint,

Here are some helpful threads and resources on network tuning to get your started.  There are some other parameters you can tweak as well beyond the ones that you have already adjusted:

https://forum.pfsense.org/index.php?topic=113496.0
https://forum.pfsense.org/index.php?topic=132345

https://calomel.org/freebsd_network_tuning.html

For further troubleshooting, please also see the "Where is the bottleneck ?" section here:
https://bsdrp.net/documentation/technical_docs/performance

Hope this helps - please let us know if you have more questions.

@kfkehua:

Is that a general rule? 1 year after the release of the new version?

No

Only in this case because the 2.3.x branch is the last 32Bit version available. Netgate promised to maintain it for roughly a year after the 2.4 branch release.
Usually a version is deprecated with a new version released and users are urged to upgrade. I don't know of any pfSense LTS if that's what you're after.

@Gertjan:

Or check here https://forum.pfsense.org/index.php?board=14.0

Bookmarked.

pfblockerNG has a Sync tab for XMLRPC Sync between hosts

I can't give any better technical over what is applied above but I can give my experiences which, in and of themselves, show why you should do it right.

I use OpenHab and buy a lot of tat from China via AliExpress, BangGood etc - anyone who will post to the UK :)
For the most part I try flash my own or other Open Source firmware on it. There is more of a chance of prying eyes then. I have near-full automation from heating to all lights, presence and motion detection, wifi location tracking etc. All these features require one or many little things which I obtained from China / Ebay / AliExpress etc.

My setup is a VLAN - both on wired and wifi - for IoT stuff. This is blocked to the internet other than specific devices which I allow out. Said devices are the OH controller, Alexa and, urm, nothing else :)
Inter-VLAN routing is managed by pfSense and only specific clients can route between the two.

I bought a cheap tablet as a wall-mount-dashboard from China. £50 for a 10.1 inch Android jobbie recently.
I was looking at the logs a few days ago trying to work something out and noticed a large amount of hits on my deny-all rule. The tablet is constantly trying to phone-home. There are bursts of traffic to an IP in China. The traffic is over https so I cannot - for now - see what it is. I will try using ssl-strip one of these days when I get some time.
A few of the LED controllers also call home constantly.

All in all, you need to separate everything off from your main network.

Use a propper controller such as OpenHAB, HomeAssisant, Domotix etc to controll the smart home. Do not rely on each item because you cannot truly own them

Try, where possible, to use items which you can flash your own firmware on. Often this adds a large feature set and is maintained.

Do think Security-First

Of course, none of the above is as bad as having a Samsung Android table - they're the worse culprits :(

Is that a single firewall or an HA cluster?

Was it working OK and then suddenly stopped?

Is it reachable locally on LAN or a management interface, or completely disconnected?

You could try a completely fresh reinstall with pfSense 2.4.3 rather than 2.4.2. Even if you don't have a backup, the installer can recover the configuration from the hard drive using the recovery option on the first screen of the installer.

keep in mind it does not prefetch everything every queried.  It just renews a record that is queried if the ttl is 10% of life or left.

You prob want to turn on the serve ttl 0 option as well if your having delays with resolving.

Problem found!
The issue turned out to be with the upstream firewall.
It had the 12.x network with DHCP on a vlan that apparently these were aware of, and they were using WAN rules.
Removing the vlan and rebooting fixed it!
Thanks!

@Gertjan thanks for reply!

@Gertjan:

Now, the other part : what comes back ?

That's interesting and how would you check that ?

@Gertjan:

Start be removing things that tend to block things on the incoming side, like …. you have them both : Squid and Snort.

I tried that, wonder after disabling something, would you expect that to take immidiate effect or you need to do something else? (delete stats maybe?)

https://forum.pfsense.org/index.php?topic=145990

Set firewall max table entries to 400000

Here is an example of devd.conf: https://forum.pfsense.org/index.php?topic=86064.msg727823#msg727823

how to automatically run usb_modeswitch either on boot

That was explained in the last example I referred to!
look for "shellcmd" in the post I mentioned earlier: https://forum.pfsense.org/index.php?topic=111787.msg622688#msg622688

Yeah if both sides say full-duplex that should not be an issue.

What happens is the full-duplex side transmits and the half-duplex side logs an error because it can't receive while transmitting. You end up with very low throughput in one direction - from the full- to the half-duplex port. The other way generally works fine because the full-duplex side can always receive without issue. It's possible to drop ACKs but in general it appears to be a one-way problem.

This is generally only an issue when one side is hard-set and the other side is set to autonegotiate.

I think it's "180 no scope". Memories.