• pf ipv4 syslog-ng parser available

    1 Votes
    1 Posts
    189 Views
    No one has replied
  • DHCP renew on WAN not working

    0 Votes
    4 Posts
    605 Views
    keyser

    @mtis This issue might also be caused by the ISP requiring DHCP renew requests to be QoS marked or VLAN Priority tagged. I have a French ISP that requires all DHCP frames to be Priority 6 VLAN tagged - otherwise they just don’t reply to the frames.
    Do you have any chance of doing a packet capture of the ISP’s CPE doing DHCP discover and renew? Then you could see what they might be doing (if not just requiring renews to be broadcasted).

  • 0 Votes
    2 Posts
    124 Views
    stephenw10

    That's not a wireless problem. It sounds like you have misconfiguration in the VLANs somewhere. Probably in the switch.

    Steve

  • Boosting IPsec and VPN Performance in pfSense Software with IIMB

    0 Votes
    4 Posts
    289 Views
    stephenw10

    Sorry typo'd that; it shouldn't be under TNSR!

    Also IIMB is already present in 23.09. You can just enable it.

  • how to boot from the zfs mirror when 1 disk failed?

    0 Votes
    6 Posts
    1k Views
    stephenw10

    Great. Yes there are a bunch of improvements there coming in 24.03.

  • 0 Votes
    4 Posts
    414 Views
    stephenw10

    Edit the entry then you will see that.

  • Intel i226 LAN connects at 1Gig only

    0 Votes
    8 Posts
    780 Views
    H

    @stephenw10 Thanks for those suggestions. I will give it a shot.

  • Having to restart pfsense every few hours - drops all connections

    0 Votes
    9 Posts
    837 Views
    P

    @stephenw10 @Gertjan around 24 hours after switching off all of the power saving modes, and everything is chugging along perfectly with zero errors or logs on the console.
    I thought I had configured something wrong and would have to do a fresh reinstall and reconfig. Thank you so much!

  • (More) dumb network questions

    0 Votes
    3 Posts
    314 Views
    T

    @MakOwner
    I concur with @stephenw10 's recommendation to set up an IP-alias VIP (under Firewall/Virtual IPs) for each additional public IP address. I got my multi-address configuration set up in an hour or two using that approach, despite being a complete newbie with pfSense. Once the VIPs are in place you can either use 1:1 NAT to map one of those addresses to an internal server, or use individual port forward rules. If you do 1:1 NAT you'll still want firewall rules to block all server ports you don't want exposed, so it ends up about the same number of firewall rules either way --- which way you do it depends on how you'd rather think about the setup.

  • nginx errors with Moodle

    0 Votes
    2 Posts
    354 Views
    stephenw10

    Probably because internal users are trying to use an FQDN to access it that resolves to the pfSense public IP address.

    See: https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html

    Steve

  • 0 Votes
    4 Posts
    477 Views
    stephenw10

    Branch naming issue. The beta should be available to anyone who wants to test but should only show on the System > Updates screen when you navigate to it.

    Steve

  • PHP errors

    0 Votes
    38 Posts
    3k Views
    S

    @bmeeks Thank you sir, should allow for much more streamlined upgrades for anyone running Suricata, especially remote updating. An hour away, leaving the gas station, it took seconds from a cell phone to update and load 90,773 signatures/rules successfully without the need to be logged into the console ready on standby. pfSense updates for me at least should now be just as streamlined and fast from this one update alone. Gracias!!!

  • 10gigabit routing performance, jumbo frames, intel x710 observations

    0 Votes
    15 Posts
    2k Views
    P

    @JKnott

    @JKnott said in 10gigabit routing performance, jumbo frames, intel x710 observations:

    @PixieDust said in 10gigabit routing performance, jumbo frames, intel x710 observations:

    As another tidbit, it looks like loop interface can be built with 131072 MTU support, but other parts of the network stack don't allow that to work. (MTU 49152 doesn't exceed 10Gb/sec either).

    Everything on the LAN has to support the same MTU. You can't use different MTU unless there's a router in between.

    I'm not referring to different network elements having incompatible MTU values.

    I'll expand the loopback scenario listed above:

    Loopback test
    on pfSense node, run test at 48K MTU:
    ifconfig lo0 127.0.0.1 netmask 255.0.0.0 mtu 49152
    iperf3 -s -D -B 127.0.0.1
    iperf3 -c 127.0.0.1 -B 127.0.0.1
    Performance appears capped at about 9Gb/sec. Expected?
    Same test on Ubuntu 22.04, I see > 30Gb/sec.

    on pfSense node, run test at 1500B MTU
    ifconfig lo0 127.0.0.1 netmask 255.0.0.0 mtu 1500
    iperf3 -s -D -B 127.0.0.1
    iperf3 -c 127.0.0.1 -B 127.0.0.1
    Performance is about 3Gb/sec, expected?
    Same test on Ubuntu 22.04, I see > 30Gb/sec.

    You cannot set the loopback (lo0) mtu to 131072, nor 65536.

  • pfSense not working properly? Cant assign IP by mac addy. vlans dont work

    0 Votes
    8 Posts
    593 Views
    stephenw10

    I assume your LAN is using the 192.168.1.X subnet?

    That config all looks good. But make sure the native VLAN is also a non-member on ports 2-4. Most switches will prevent you setting more than one VLAN untagged (including native) on one port. But not all!

    If that is the case make sure your switch doesn't have a separate PVID setting. If it does that would need to be set to 20 on ports 2-4.

  • No Available Packages - Package Manager

    0 Votes
    4 Posts
    524 Views
    M

    @stephenw10 Not sure I missed it. Updated to 2.7.2. Packages are showing now. Thanks!

  • System Logs - OpenVPN

    0 Votes
    10 Posts
    958 Views
    stephenw10

    Ok, I'll wait to hear. This could be a confusing error caused by trying to access something that doesn't exist in DCO mode. Though I don't see that here on any instances so it would probably have to be some combination of settings.

  • which update method to trust?

    0 Votes
    4 Posts
    365 Views
    H

    Thank you both very much.

  • Newbie questions

    0 Votes
    28 Posts
    2k Views
    G

    @ldl said in Newbie questions:

    @Gblenn Replacing my asus router with something newer, as the Asus one is outdated (the main reason), sure still works but yeah.

    Another reason as to why I want to replace it, is that if I'm going to use my own router, then other people in my house will obviously be on the same line, so I want to accommodate them as well, because currently, they're not on my router as that's in another room, they're on the ISP router,

    I get that it's outdated, and of course you should try to do 2.5G on the WAN. That all makes sense, but you should only have one router in use.
    And it seems to me like you are using your routers as a way to connect people's devices so they can get out on the internet. But that's what switches are for, and they are way cheaper per port.

    I will be considering upgrading the NICs and switches in the future however if I feel the need for more than 1Gb

    What's the cost of these routers you are looking at?
    I'm guessing you could get a 2.5Gbit dual NIC card (to upgrade pfsense with) plus one or two managed Netgear or TPLink switches for the same price.

    And if you want to segment your network to separate users from each other, use VLANs. You have your Cisco switch, and if you add more VLAN capable switches you have full control. And your dumb Netgear can still be used for extra ports towards users or devices that all belong to the same VLAN.

    But you do all of this having pfsense as your one and only router, connected to the ISP ONT. And you can still use the Asus and even the old ISP router as wifi AP's. But then they are no longer routers they are just semi smart switches with wifi.

  • Intel NIC I-226V

    0 Votes
    78 Posts
    12k Views
    stephenw10

    Either can work though if you want to address buffer bloat specifically I would use Limiters as shown here:
    https://docs.netgate.com/pfsense/en/latest/recipes/codel-limiters.html

  • WAN2 high latency, slower speeds

    0 Votes
    9 Posts
    723 Views
    stephenw10

    I doubt this is a config issue. However, if you back it up you can easily restore it, so testing a default config would at least rule that out.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.