Looks like buffer bloat. I would recommend the Traffic Shaping forum. You could try enabling FairQ on your WAN interface and check the box on the child queue to enable Codel. This works well enough for most people. For now it gets more complicated quickly beyond this, but soon™ it may be as easy as a few check boxes to fix buffer bloat.

i would at least unplug the cable modem for a few minutes or so.  You might need to call your ISP to make sure it is in bridge mode, sometimes they need to flag your account that it is in bridge mode.  You have to make sure your internet is working correctly before you go any further or you are just wasting your time.

You can just save (backup) the config. Then you can play/test changes and restore the saved config afterwards if your changes do not work out/are not required. The rules (and all other settings) are stored there.

What are you wanting to achieve?

I reset your last name to "99" (sans quotes). Try it now.

Yeah I do not think there is a RFC stating you can not sign certs long - there are scenarios when you would for sure need to be able to do that..

Lets say you need to issue certs for 3 years, but your CA expires in 2.. so now you have to redo your CA 2 years before it expires.. That would suck ;)  So you just make sure that you create your NEW ca with the same private key before the 2 year expires.

Thanks, I appreciate it. If I get time to dig into it further, I'll do so.

I actually solved it!

I did plenty of steps, but in the end it worked out, I order them by relevance to this topic:

Added a static routing into my TP LINK archer c7, for others http://forum.tp-link.com/showthread.php?79872-Can-t-ping-access-TL-WDR4300-from-other-subnet

Changed the Proxmox bridges to be Intel E1000 instead of Virtio

Changed the start up order of the pfSense VM

Passed the CPU as host to the pfSense VM

Now I will start playing around with the Firewalls  :)

that appears to have done it, awesome!  THank you so much!  I would have never looked at that.

Thanks @Marvosa…

I am going to try this idea.

Your switch is causing slow traffic?  Yeah never seen such a thing other than duplex mismatch or lower speed..  You sure your not limiting traffic on the switch?  That is something you could do.. But then say iperf between pfsense and client through the switch gives you 850?

Did you do that iperf test udp or tcp?

I have been working with cisco switches and routers for years and years and years… Never seen such a thing.. What is the config you have on the ports?  Just post show run interface.. Then again we don't use EOL hardware that got off ebay ;)  But if your saying you are seeing full speed between the devices across the switch, but not to the internet that makes zero sense.

Hi,

I am revisiting this post as I am back to my home location after being away for nearly 2 months.  ok, so I have swapped the draytek 2860 for the PFsense box again (with the draytek 130 vdsl modem).

Again, draytek 2860 works fine, but pfsense has the same errors even with IPv6 disabled.

I will contact the ISP again to see if I can make them work

Odd. Perhaps now would be a good time for you to take a full backup, and reinstall from scratch, then restore from your backup. Cos something sounds a little messed up..!

Pulse Secure is a proprietary ssl based vpn, no pfsense would not connect to it…

@jimp:

It looks in the PPP log and finds the connect time and then calculates.

https://github.com/pfsense/pfsense/blob/master/src/etc/inc/pfsense-utils.inc#L1472

That's a clever way to do it!
Thanks for the pointer.