• Consistently stuck at "Updating CPU Microcode" during bootup

    11
    0 Votes
    11 Posts
    1k Views
    stephenw10S

    Hmm, I was going to recommend disabling the audio hardware in the BIOS:

    hdacc0: <Realtek ALC897 HDA CODEC> at cad 0 on hdac0
    hdaa0: <Realtek ALC897 Audio Function Group> at nid 1 on hdacc0
    pcm0: <Realtek ALC897 (Right Analog)> at nid 20 and 24 on hdaa0
    hdacc1: <Intel Kaby Lake HDA CODEC> at cad 2 on hdac0
    hdaa1: <Intel Kaby Lake Audio Function Group> at nid 1 on hdacc1
    pcm1: <Intel Kaby Lake (HDMI/DP 8ch)> at nid 3 on hdaa1

    But you probably can't do that in Coreboot.

    You can see in your output though that it is booting with Video as the primary console:
    Dual Console: Video Primary, Serial Secondary

    If you have a serial connection I recommend setting serial as the primary console if only because it's much easier to log and copy output from a serial terminal.

  • 0 Votes
    2 Posts
    240 Views
    bmeeksB

    Since you changed nothing on pfSense (at least directly), I would go looking for the root cause in the Nutanix Cluster update process. My first guess would be during the move from node to node the Nutanix process changed something about the VNICs (could have been a MAC address, could have been something related to VLAN IDs if used, etc.). Changes to the VNIC could leave pfSense "confused" about which interface is LAN and which is WAN, for example.

  • Wan periodic reset causes system reboot.

    152
    0 Votes
    152 Posts
    41k Views
    RobbieTTR

    @stephenw10
    It is too early to tell but my internet fell-over today so multiple disconnects and re-connection attempts...

    ...and the router didn't crash.

    There is hope.

    ☕️

  • Using 2 gateways with different subnets on a single WAN interface

    20
    0 Votes
    20 Posts
    1k Views
    E

    @stephenw10

    Hey there, sorry for the late reply, had some personal issues and I wasn't available. I'm gonna try again and update as soon as I can. ISP is sadly still pretty unresponsive...

    Thanks again.

  • [SOLVED] NTP not answering on 2-nd uplink WAN

    47
    0 Votes
    47 Posts
    8k Views
    stephenw10S

    Ah you actually have an interface group for the WANs with the rule on it?

    Yes, if you do that reply-to tags cannot work because the rule applies to multiple interfaces. It cannot know which interface (gateway) to reply to.
    For reply-to tagging to work incoming traffic must be passed on the interface itself. It's the same reason that OpenVPN traffic must be passed on an assigned interface for reply-to to work. The group openvpn interface will not tag it.

    @Sergei_Shablovsky said in [SOLVED] NTP not answering on 2-nd uplink WAN:

    And in System / Routing / Gateways this BALANCED group set as “Default Gateway IPv4”

    That's still invalid. The system default gateway should only be a specific gateway or a failover group. You cannot load-balance traffic like that.

    Steve

  • Connecting to CloudFlare, surely its possible.

    25
    0 Votes
    25 Posts
    10k Views
    Sergei_ShablovskyS

    @NollipfSense said in Connecting to CloudFlare, surely its possible.:

    @deanfourie I think a better question would be what about REST API that was promised for pfSense 2.6 but didn't make it? Has pfSense moved away from implementing that strategy? With REST API, it would be very easy to run containers and other micro-services...

    Besides the Netgate promises, the idea of running micro-services and especially containers inside pfSense is a very bad idea.

    I prefer to look on pfSense as a solid system with a fraction of 3rd-party packages (but VERY WELL TESTED and bug-free!).

  • No longer a lurker.

    5
    0 Votes
    5 Posts
    543 Views
    hydnH

    @stephenw10 Thanks sir!

  • Package list is empty

    12
    0 Votes
    12 Posts
    1k Views
    G

    @Gertjan said in Package list is empty:

    @Gblenn said in Package list is empty:

    Still don't understand why the package list is empty?

    The pfSense Plus without license : you need the license to connect to package update system. No license means : no connection, and that can explain the empty package list.
    Please take note : I presume it works like this (I'm just a pfSense user like you), and what I make of it while reading this.

    The CE 2.7.2 is not the same product, and is free.

    I've found "Issue with going from 2.7.0 to 2.7.2" which has probably a solution for you.

    You may be right that there is no connection to the package update system without a license. But then I think it needs to be added to the current statement which says: "the ability to get timely updates with bug fixes and improved features may be limited".
    I don't really see that it would be necessary to remove the packages in order to limit updates?

    BTW, the solution provided by SteveITS was also in the thread you found... so thanks for finding the link.

  • Speedtest (Ookla) on device? What’s the latest?

    14
    0 Votes
    14 Posts
    2k Views
    JKnottJ

    @Sergei_Shablovsky said in Speedtest (Ookla) on device? What’s the latest?:

    BTW, does anyone actually get 1 Gb on a 1 Gb connection? Seems to me there should be some overhead accounted for. I also get around 920 with iperf over my LAN.

    Please read (or look on YouTube) basic of networking, what is tcp/ip, ICMP, VPNs and other protocols, what is levels, datagrams, what is routers/switches, how ISP works etc. ;)

    I guess you haven't noticed me on this forum for years providing advice to others. My comment was to point out that if you have a 1 Gb connection, you will not see 1 Gb because of the various overheads. We're also running into hardware limits that we didn't see before, because the bandwidth we received was less than what our hardware was capable of. In my own example, my account is supposed to be 1.5 Gb, but my firewall, switch and computers are only capable of 1 Gb. I also did a comparison on my network, with Speedtest from my computer to my ISP's server and also from my computer to firewall with iperf3 and got similar results, which showed I was being hardware limited, not Internet limited to the Speedtest server.

    BTW, I have long worked in the telecom industry, mostly as a technician, going back to 1972, have worked with computers since 1977, first LAN experience in 1978, Cisco CCNA and more. I also had TCP/IP courses at a local college and IBM. I also spent almost 4 years at IBM Canada, providing software support (mostly 3rd level). So, I do have some idea about what happens with networks & the Internet.

  • Why "Blocking Bogons" breaks DHCPv6 on WAN

    21
    0 Votes
    21 Posts
    3k Views
    stephenw10S

    You can see the rules in the rules.debug file, for example:

    # allow our DHCPv6 client out to the BT
    pass in quick on $BT proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 ridentifier 1000005711 label "allow dhcpv6 client in BT"
    pass in quick on $BT proto udp from any port = 547 to any port = 546 ridentifier 1000005712 label "allow dhcpv6 client in BT"
    # Add Priority to dhcp6c packets if enabled
    pass out quick on $BT proto udp from any port = 546 to any port = 547 ridentifier 1000005713 label "allow dhcpv6 client out BT"

    That is above the block bogons rule:

    # block bogon networks (IPv6)
    # https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
    block in log quick on $BT from <bogonsv6> to any ridentifier 11004 label "block bogon IPv6 networks from BT"

    Steve

  • Not Getting Wan Address

    Moved
    14
    0 Votes
    14 Posts
    1k Views
    G

    @Malvazar Well, who cares, the important thing is that it works now!

  • Speed Test Panel Under Pfsense 2.7.0 Free BSD14

    16
    0 Votes
    16 Posts
    7k Views
    Sergei_ShablovskyS

    @johnpoz said in Speed Test Panel Under Pfsense 2.7.0 Free BSD14:

    @Unoptanio as to your values - I have been saying for years - depending on your hardware (pfsense) which isn't meant as a client running speed tests directly on it or to it can show varying results..

    But this gives an understanding of the whole ISP uplink bandwidth. (Of course this measurement must be done WITHOUT any other “everyday normal work” net flow.)
    Better to measure at 10-11am, and 4:30-5:30pm daytime and 7:30-10:00pm (when ISP appliances are maximum loaded) WITHOUT any other “normal work” net activity.

    While it's fine for say a benchmark, he pfsense shows 100, and now it's 50 - then something prob not right.. But when you route through pfsense you see your full say 200 speed.

    If you're going to run speedtest like this or iperf directly on pfsense - you need to understand that. The test of a firewall/router function for routing and firewalling - is through it, not to or from it..

    You are right but 8 of 10 questions here on the forum are ABOUT UPLINK BANDWIDTH!!! People are not interested in “testing pfSense router”, but interested in “how fast my internet”.

    Look at this not from router developer position (I understand clearly, pfSense are like Your child), but FROM ORDINARY USERS PERSPECTIVE.

    Only 10-15% interested in measuring VPN connect, or how shaping/limiting working well. (And yes traffic generators and iperf3 are kings here).

    I wouldn't put much stock in the values don't meet your expectations.. Test from a client through pfsense to see if you're getting what you should be getting, etc.

  • Technical problem

    8
    0 Votes
    8 Posts
    769 Views
    P

    @johnpoz Ok I will try give a second NIC
    many thanks

  • Only getting half speed

    11
    0 Votes
    11 Posts
    1k Views
    Sergei_ShablovskyS

    @johnpoz said in Only getting half speed:

    @swemattias that is not a valid test to be honest.. Pfsense not meant to be a client/server sending data - it's firewall/router - it routes traffic..

    Because of this:

    - in official docs directly point that Speedtest/Fast/Librespeed/iperf3 test need to be done ON SETUP PHASE, not on the top of normal workloads;
    - in official docs put step-by-step instructions how to test with each of above instruments;
    - provide pre-installed tools (in pfSense’s terms “Services” or “Diagnostic tools”) to testing bandwidth of uplinks and site-site connection, VPN connection;

    There have been countless threads about this ;)

    Not saying such a test might not have some value - but it's not a good test for throughput.. Test through pfsense, not from pfsense.

    Only knows what is uplink bandwidth, possible to go forward to measure “through pfSense”.
    That’s RIGHT logic !

    Why fighting with a hundreds of thousands of users?
    Much better to give them instruments and instructions and questions about this “why my speed is so slow” on this forum decrease on 30-40%.

  • link-local addresses flooding logs - Plex on Synology

    11
    0 Votes
    11 Posts
    1k Views
    M

    @johnpoz said in link-local addresses flooding logs - Plex on Synology:

    setup a rule not to log it..

    That is what I did.. I have a dummy switch between NAS and pfSense, so that is the only way to go.


  • Using firewall aliases outside of firewall rules?

    4
    0 Votes
    4 Posts
    438 Views
  • Monitoring PFsense services using Prometheus and Grafana

    5
    0 Votes
    5 Posts
    2k Views
    A

    @santheerdas yes, Prometheus Node Exporter will be the service you need for all machine related stats, including running services etc.

  • pfSense router and Adguard Home ( DNS based ad block server) mini box

    12
    0 Votes
    12 Posts
    1k Views
    A

    Ok, thanks to all for answering

  • Backup Fails

    2
    0 Votes
    2 Posts
    380 Views
    stephenw10S

    That sounds like something in the browser or some browser plugin. It's not something pfSense would show.

  • Crash report / programming bug

    5
    0 Votes
    5 Posts
    504 Views
    stephenw10S

    Yup I see it. Unfortunately the backtrace isn't particularly revealing:

    db:0:kdb.enter.default> bt
    Tracing pid 1 tid 100002 td 0xfffffe0012117ac0
    kdb_enter() at kdb_enter+0x32/frame 0xfffffe00109b4820
    vpanic() at vpanic+0x163/frame 0xfffffe00109b4950
    panic() at panic+0x43/frame 0xfffffe00109b49b0
    vm_fault() at vm_fault+0x15c5/frame 0xfffffe00109b4ac0
    vm_fault_trap() at vm_fault_trap+0xb0/frame 0xfffffe00109b4b10
    trap_pfault() at trap_pfault+0x1d9/frame 0xfffffe00109b4b70
    calltrap() at calltrap+0x8/frame 0xfffffe00109b4b70
    --- trap 0xc, rip = 0xffffffff836cd170, rsp = 0xfffffe00109b4c48, rbp = 0xfffffe00109b4db0 ---
    _end() at 0xffffffff836cd170/frame 0xfffffe00109b4db0
    sys_reboot() at sys_reboot+0x29c/frame 0xfffffe00109b4e00
    amd64_syscall() at amd64_syscall+0x109/frame 0xfffffe00109b4f30
    fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00109b4f30
    --- syscall (55, FreeBSD ELF64, reboot), rip = 0x27291a, rsp = 0x820ec2408, rbp = 0x820ec2830 ---

    However it looks like it panicked when it tried to make some change after shutdown was initiated:

    <118>pfSense is now shutting down ...
    <118>
    <118>net.inet.carp.allow: 0 -> 0
    <6>pflog0: promiscuous mode disabled
    Trying to mount root from ufs:/dev/ufsid/65b7583531b4716a [rw,noatime]...
    panic: vm_fault_lookup: fault on nofault entry, addr: 0xffffffff836cd000
    cpuid = 2
    time = 1706519642
    KDB: enter: panic

    Unclear why it did that but if you clear the crash report and reboot and it doesn't do that every time it's likely a quirk of having just run the initial setup.

    You are still running 2.7.1. You should upgrade to 2.7.2 when you can.

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.