Two possibilities come to mind. First I would verify that there are no speed/duplexity mismatches anywhere when the pfSense box is in the loop. For simplicity I would take out the switch for testing:
laptop –> pfSense --> Modem
Check Status: Interfaces under media to see what duplexity pfSense is using on it's interfaces. For the remaining devices (Modem, switch, and laptop) you may have to resort to their indicator lights to verify speed & duplexity.

If that all checks out, then I would watch the CPU during the download to see if it's at 100%. Status: RRD Graphs: System: Processor

If that all checks out, then I would probably trying a local test to what the pfSense does locally. Something like: laptop --> pfSense --> desktop

@Koenig:

@iamkrillin:

I ended up changing net.inet.ip.fastforwarding to 1, its under system tunables, this seemed to fix it right up.  no cron job required.

I'll give this a try.

Thank you!

Unfortunately it didn't work for me…

I have a TV-server (DVB-T2) on my LAN-side, wich streams TV to the clients on the LAN, and I want to be able to watch TV with clients connected through an OpenVPN-tunnel, but I can't get it to work for more than a few minutes.

Anyone who could be nice and patient enough to explain to me how I should set this up?

The only new thing I run now (compared to old versions) is Unbound.

My complete package list:

pfBlocker snort squid Unbound

Well, looks like both physical USB ports are in UHCI-mode (USB 1.1) that's why the 12Mbps up/down limit…..

Nope, it's connected to USB 2.0

ugen4.2: <huawei mobile="" huawei="" technologies=""> at usbus4, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON</huawei>

But still the speeds are about 12Mbps down / 15Mbps up

Hmm, not really sure here.
If you look in the main system logs do you see any apinger entries at the same time? It could be the gateway doesn't respond to pings causing apinger to mark it as down.

Steve

The information available via SNMP depends on what SNMP modules you have enabled and what they are capable of. You can get a list by checking out the SNMP service page on your pfsense. Below is what I currently have. I think probably some of the things you want via SNMP may not be monitored/available without something third party.

The traffic graph shows what IP the generated traffic is coming from. I am not sure where it is looking or with what at the moment but you could have a look at where its getting its data from. After  you can figure out how it could be piped via SNMP

SNMP Modules MibII Netgraph PF Host Resources (Requires MibII) UCD Regex

Where are you putting this rule - why would you not put the rule on the vlan interface?  And the source would be that vlans network.

Why do you think you need to create an alias to contain all your vlans?  To allow them to access the internet?

Can you post pictures of your rules.

Nothing to do with rc.conf gets touched, you can't manually configure lagg or anything else in rc.conf (with or without .local).

WAN can't be deleted. If you want to use its NIC for something else, assign WAN to a different NIC. Or make up a non-existent VLAN if you don't have a spare NIC.

You skipped the important part - what about the fxp sysctls Steve asked about?

Usually such timeouts are a bad NIC, or a poorly-seated NIC, or on occasion with some systems where the NIC is sharing an IRQ with something else and that something else somehow messes up the NIC.

Somehow using the php/develper shell? Or via similar commands? The issue maybe that the password is held as a hash in the config file so you can't operate on it directly like you can with other settings in the file.

https://doc.pfsense.org/index.php/Using_the_PHP_pfSense_Shell

Steve

@txadmin:

Regression 2.1 RC0 -> 2.1.3: Firewall logs don't show names of rules

That is an option in the system log settings. They can be configured to show as their own column, their own row, or not at all. Your old snapshot may have been before it was moved to its own option.

@txadmin:

Bug: Reject rules show up in the logs with the red "block" symbol

That's how pf logs them, nothing we can do about that.

@txadmin:

Feature request: Make the firewall log rule names consistent

We are doing this on 2.2 each rule is getting its own tracking ID that won't change. This is already done in 2.2 and should be working now.

Does this issue still exist?

If you don't use limiter due to the IPV6 issue, how do you ensure fair bandwidth use by users when only using HFSC traffic shaper?

First create an alias of the internal IP address in firewall aliases ie 192.168.1.10 -> Johns PC
Second create an alias of the website you want to allow / block

add a rule  [ABOVE the allow all to all rule] ,  to LAN or OPT1 or however your internal LAN config is in pfsense and you are done…

P.S i use aliases so i can have a clear view of what device goes where..

its easier to understand applied firewall rules if its 
"Allow Johns PC to Google" or "Block Johns PC to Google"  than
"Allow 192.168.1.10 to         
          173.194.113.39
          173.194.113.32
          173.194.113.38
          173.194.113.36
          173.194.113.35
          173.194.113.46
          173.194.113.41
          173.194.113.37
          173.194.113.40
          173.194.113.34

@Harvy66:

Few things

Sender attempts to resend seq 66773 5 times over 9 seconds

I do not see these resends on your WAN capture

Your receiver capture cuts off at 2.7sec and I can't see if any ACKs were actually sent, but from the the perspective of the other two captures, it doesn't look like it.

The sender eventually gave up because of no ACKs and timed-out the TCP connection with a RST, which the WAN capture did show, even though it didn't show the prior resends

Thanks again for your reply,

Sender attempts to resend seq 66773 5 times over 9 seconds I do not see these resends on your WAN capture

Yeah, the receiver has ACK'd up to seq 66773, so sender needs to send it again. But these packets are not reflected in the pfsense WAN capture so I guess pfsense is dropping these retransmission packets for some reason (which I don't really understand and that is the problem here). The second time I run the software it works fine! but after few seconds or rebooting the firewall the first time I ran the software fails.

Your receiver capture cuts off at 2.7sec and I can't see if any ACKs were actually sent, but from the the perspective of the other two captures, it doesn't look like it.

Yeah, the receiver image shows the last ACK message it sends. Because pfsense rejected to send more data to the receiver as is shown in the pfsense capture. After the 20 second the firewall will send the RST to receiver to quit the connection. (which is not reflected on the receiver image cos' I stop capturing before)

The sender eventually gave up because of no ACKs and timed-out the TCP connection with a RST, which the WAN capture did show, even though it didn't show the prior resends

Exactly, that is actually the expected behaviour of a TCP connection of a sender, "try to send few retransmissions but if no ACK release the connection". What is really weird is why pfsense if not accepting these retransmissions packets but it does accept the RST one. That is the key of the problem. I have tried different computers as sender and I always got the same behaviour.

Another thing to consider is the packet 72 from the pfsense capture which is 536 in length (the minimum MTU value I think) and that it takes 2 seconds to be forwarded from WAN to the LAN!!

thanks

Hit a couple snags but it's still coming soon.

You can use OpenVPN if you use a TLS auth key. Also if you update your clients, it's fine. Please read all of the text I quoted earlier in the thread.

Hmm, I'm not sure this is possible in the conventional manner.
This user did it by NATing between the subnets but that's not ideal:
https://forum.pfsense.org/index.php?topic=64700.0
I'm not sure it's necessary either. Check the system routing table, do you have route to both subnets via the LAN connection?
Which virtual IP type are you using?

This user seems to have acheived it using just floating rules which is probably more what you're looking for:
https://forum.pfsense.org/index.php?topic=58943.0

Steve

THANK YOU VERY MUCH!!!! Glad its work great and thanks heaps again mate!!!

More new lessons to learn :)

Cheers

Yes, it's not an issue with CF card space nor, normally, with space in /tmp or /var which are the same size across all Nano installs. That said I had to increase the size of /var on my home box to 80MB to avoid errors a few versions back. Can't remember the details now.  :-\ I have 512MB in the box, and could easily add more, so it's much less of an issue.
Edit: Yes here we go, anything in this thread look familiar:
https://forum.pfsense.org/index.php?topic=66588.0
I was running out of space in /var every time the RRD backup ran at midnight.

No, I'm not sure of anything really.  ;) I haven't investigated the code closely but I seem to remember something reported by one of the devs to that effect. Maybe it's more of an issue when the compressed data is extracted.

Like I said moving data onto a USB stick would be a last ditch solution.

Ah, I see what you're saying about the modem interface. If it doesn't have a gateway on it that there won't be an RRD quality file created for it though.

Steve