• Short lockdowns of pfSense protected servers

    1
    0 Votes
    1 Posts
    378 Views
    No one has replied
  • 0 Votes
    5 Posts
    2k Views
    ?
    However, the upgraded node (when running as master), shows a clear network performance degradation: While node-1 (the one still running v2.2.3) can easily forward traffic at +250Mb/s, the alternate node (the one running v2.3) tops at +-80Mb/s. Well, how to say it and being friendly any more? If I buy a MS Windows Server 2008 together with hardware and now I want to install MS Server 2012 R2 on it, I will perhaps find out that this hardware is not really good matching the newer software version. But there in MS Windows based fields we know this and live with this. Why not also with FreeBSD and pfSense? As a customer and user of pfSense I can't say I would be loving to see even newer things, such as Intel QuickAssist, AES-NI support and DPDK or netmap-fwd, but I am not really willing to buy new hardware or plain upgrading this hardware to the nearly latest or an actual stand. Not really nice said, but the truth from my point of view on this. While diagnosing the issue we've found node running pfSense v2.3 to have a high load under such a 'low' traffic (ie. 80Mb/s), and high CPU usage by network drivers, as shown below: Perhaps, only perhaps I mean, they are working on newer drivers or make older drivers better matching with the actual new hardware, but then often compared to older hardware it is then not really a gain and playing well together. Perhaps you could think about a newer board, stronger CPU or SoC and/or more or faster RAM? I really don't know it and I am not a professional like cmb and others, but often new hardware does the trick for many years, let us say the next 5 or 6 years. Any suggestion? I will be truthful with you, I would stay with the 64Bit version 2.2.6, but even this is related to all circumstances and seen effects in each pfSense system. Some are really hard like your 250Mbs/80Mbs, but also other strange points would let me say wait since pfSense let us say 2.4 or higher.
And if this would be not really better going then for you and your company I would really urgently think about a hardware upgrade.
  • When GRE tunnel is down, affect other interface connections

    1
    0 Votes
    1 Posts
    405 Views
    No one has replied
  • Routing OpenVPN to LAN with only LAN port and no WAN port?

    8
    0 Votes
    8 Posts
    3k Views
    D
    I don't know why but after clicking around some more the hybrid outbound nat automatically created the correct rules. Now there is a source 10.0.8.0/24 destination lan address entry and I'm able to access my lan :) Going to set up a fresh VM tonight on my htpc if I got time. Thanks.
  • Weird issue

    9
    0 Votes
    9 Posts
    1k Views
    johnpozJ
    "Interesting, is there no way to move this around between ports?" Huh?? Yes there is.. Just assign your interface to the mac you want. You can do it via the console cli or even in the gui.. But if you're doing it from the web gui you're prob going to knock yourself off.. You need to know the mac of what port you want to assign the interface to. As you can see with mine the mac are made up since my pfsense is virtual. I did that on purpose so I know exactly which interface is which in my vm setup. But it's the same thing for a multiple port nic, each port on the nic will have its own mac, they normally increment by 1.. As to which port is which.. Normally going to go from 1 side or the other so like eth0 might be the top as you look at it or might be the bottom, but the port next to it should be eth1 and then eth2, etc.. [image: assignports_.jpg]
  • 0 Votes
    9 Posts
    4k Views
    C
    Root cause of that is this: https://redmine.pfsense.org/issues/6499. If you're in a situation where you're hitting that routinely, the latest 2.3.2 snapshots are stable and include the fix to properly expire those states. System>Update, Update Settings, switch to Development and click Save. Then back to the System Update tab and upgrade there. Upping the max fragment entries will prolong how long it takes to reach the maximum and may suffice for some people.
  • I need a better network. Opinions please!

    17
    0 Votes
    17 Posts
    2k Views
    K
    Can't go wrong with that.
  • WAN goes offline intermittently due to Android phone running Tor Orbot

    9
    0 Votes
    9 Posts
    1k Views
    J
    Thanks everyone. I have successfully blocked the device using a MAC address filter on my wireless APs so that the phone can't even connect to the wifi network. This keeps the network stable when the employee comes in to the office and forgets to turn off the wifi or Tor Orbot app on his phone. The only other options I can think of are to A.) change the IP configuration on the Orbot app or B.) change my pfSense IP. I will continue looking on Android and Tor forums for more info.
  • MOVED: Status / Monitoring

    Locked
    1
    0 Votes
    1 Posts
    394 Views
    No one has replied
  • MOVED: Monitoring Graph: Anyway to include these in "set as default"

    Locked
    1
    0 Votes
    1 Posts
    317 Views
    No one has replied
  • Errors In

    2
    0 Votes
    2 Posts
    558 Views
    H
    If it has 100Mb ports, maybe it's running half-duplex. Old 100Mb port to new 1Gb ports duplex mismatch is a common reason for errors.
  • LDAP + AD fail-over auth

    12
    0 Votes
    12 Posts
    3k Views
    S
    Managed to test this already - with great success! Thanks for your help.
  • A lot of crash since 2.3.1 upgrade

    4
    0 Votes
    4 Posts
    767 Views
    C
    You had the update URL hard coded to the wrong thing in your config in that case. Yes that's also why your RRD data is gone. Reinstall and restore config is the best thing. It's no longer possible to switch architectures even if you force it, so that can't happen again in the future.
  • HTTPS and HTTP with EICAR site?

    4
    0 Votes
    4 Posts
    903 Views
    A
    I checked and it is passing decrypted traffic. Has anyone tried to perform SSL break and inspect with pfsense without using the native SSL MITM capability? Do I need to configure it with ICAP?
  • Question about Syslog configuration

    3
    0 Votes
    3 Posts
    1k Views
    S
    Well, there is syslog-ng package, at least in 2.3, so you can try to use it. "syslog-ng  1.1.2_3  Syslog-ng syslog server. This service is not intended to replace the default pfSense syslog server but rather acts as an independent syslog server. Package Dependencies:  logrotate-3.9.2    syslog-ng-3.7.3_1   "
  • High cpu usage on 2.3.x

    5
    0 Votes
    5 Posts
    2k Views
    C
    Guessing that's probably while you have something continually loading the dashboard? The dashboard is significantly more CPU-intensive than it used to be especially if you have a lot of widgets, as more things dynamically update.
  • PfSense and SSDs

    4
    0 Votes
    4 Posts
    1k Views
    H
    Some modern SSDs have the same or more writes than mechanical drives. The only difference is the SSD is faster which allows it to reach its limit faster. That said, don't get cheap crap. Look at reviews. If you're concerned about reliability, don't get the latest greatest, look at something that has been out for a year. Or use GEOM RAID1 and get two different types of SSDs, so they shouldn't fail at the same time for the same reason.
  • Stalled connections after update to 2.3.1_X

    1
    0 Votes
    1 Posts
    320 Views
    No one has replied
  • [RESOLVED] LDAP users unable to modify settings

    3
    0 Votes
    3 Posts
    606 Views
    S
    @xBlue: I'm having the same issue. How did you solve it? There is a privilege that prevents users from writing changes to the config file…make sure that isn't added. That's how I fixed mine...I guess CTRL+A is the work of the devil just like copy and paste. [image: priv.PNG]
  • MOVED: Status queue graph doesn't add up

    Locked
    1
    0 Votes
    1 Posts
    374 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.