@mer I imagine it could depend on the brand of modem, but it's be a fixed IP in the Netgears and Motorolas I've had. Or if the modem even offers DHCP in the first place.

@ezhawk out of curiosity have you checked with ecobee ? "ecobee has determined that a very small percentage of Smart Thermostats may experience difficulty connecting to our servers, leading to disconnection issues. If your thermostat has exhibited this problem, please use the serial number checker below to see if your device qualifies for our Connectivity Support Program." maybe you have and I just missed the reference or mention in this thread here is the link to check your serial number https://support.ecobee.com/s/esp/smart-thermostat-connectivity-issues

@marchand.guy what we need is a better understanding of what pfsense actually means when it gives a reason of "short" - I assume it has to do with the scrubbing functionality.. Is something not working? You could try disable scrub to see if those log messages go away. [image: 1756567524421-scrub.jpg] I don't recall ever seeing such a block ever.. Since that is udp to 443, I would assume a quic connection.. That IP is a china telecom IP.. inetnum: 101.224.0.0 - 101.231.255.255 netname: CHINANET-SH descr: CHINANET SHANGHAI PROVINCE NETWORK descr: China Telecom what is trying to talk to that IP? I would look in your state table to see what client is talking to that.. I don't see you ever connecting to the forums with a IPv4 address, only IPv6 and not a china telecom IPv6 address

@stephenw10 Sorry for the delayed reply - I have just got back from a business trip. Anyway, this is the output from the CLI [2.8.1-RC][root@pfSense.mymain.local]/root: ls /var/run check_reload_status cron.pid daemon_sshguard.pid devd.pid devd.pipe devd.seqpacket.pipe dhclient.igb0.pid dmesg.boot dnsbl.pid dpinger_VPNUNLIMITED_L2TP~10.240.0.2~10.240.0.1.pid dpinger_VPNUNLIMITED_L2TP~10.240.0.2~10.240.0.1.sock dpinger_WANV6_TUNNELV6~2001:470:1f08:84a::2~2001:470:1f08:84a::1.pid dpinger_WANV6_TUNNELV6~2001:470:1f08:84a::2~2001:470:1f08:84a::1.sock dpinger_WAN_DHCP~82.13.203.142~82.13.202.1.pid dpinger_WAN_DHCP~82.13.203.142~82.13.202.1.sock dpinger_wg1GW~10.102.1.114~10.102.1.114.pid dpinger_wg1GW~10.102.1.114~10.102.1.114.sock dpinger_wg2GW~10.102.100.206~10.102.100.206.pid dpinger_wg2GW~10.102.100.206~10.102.100.206.sock expire_accounts.pid filter_reload_status filterlog.pid ipsec_keepalive.pid kea kea2fib6.cache kea4-ctrl-socket kea4-ctrl-socket.lock kea6-ctrl-socket kea6-ctrl-socket.lock l2tp_opt9.pid ld-elf.so.hints ld-elf32.so.hints log logpriv mdns-bridge.pid miniupnpd.pid nginx-webConfigurator.pid ntpd.pid pfSense_version pfSense_version.rc php-fpm.pid php-fpm.socket ping_hosts.pid radvd.pid sshd.pid sshguard.pid syslog.pid unbound.pid update_alias_url_data.pid updaterrd.sh.pid utmp utx.active wireguardd.pid [2.8.1-RC][root@pfSense.mymain.local]/root: [2.8.1-RC][root@pfSense.mymain.local]/root: ls /var/run kea4-ctrl-socket.lock kea6-ctrl-socket kea6-ctrl-socket.lock l2tp_opt9.pid [2.8.1-RC][root@pfSense.mymain.local]/root:: Too many arguments. [2.8.1-RC][root@pfSense.mymain.local]/root: check_reload_status ld-elf.so.hints ld-elf32.so.hints log logpriv mdns-bridge.pid miniupnpd.pid nginx-webConfigurator.pid ntpd.pid pfSense_version pfSense_version.rc php-fpm.pid php-fpm.socket ping_hosts.pid radvd.pid sshd.pid sshguard.pid syslog.pid unbound.pid update_alias_url_data.pid updaterrd.sh.pid utmp utx.active wireguardd.pid

ZFS is also a lot more resilient to filesystem issues than UFS. So if you see frequent power outages it's a much better choice. But, yes, it does write more to the drive. Though the default values in 25.07 reduce that significantly. You can mitigate it almost entirely by running RAM disks too.

Yup so check the routing and arp table on a client when it's unable to browse.

@ChrisJenk said in Netgate 6100 / 25.07 - any recipes / guidelines for optimising high speed LAN and WAN connections?: Speedtest program on the router itself No, I ran it on a Windows computer connected at 2.5Gb. I got full line speed up and down. I have since changed my internet to 1Gb so I only get 1.2Gb up and down now. A while back a friend and I were building and testing a VPN tunnel between us, a 7100 and a 6100, we found a noticeable speed difference if we used iperf on pfSense vs a computer on each end. We only get in the 700Mb/s range and still iperf on pfSense really added a load and skewed the results at least 10%.

guess back to testing... after a reboot of pfsense i can search again on the HD site with that disabled.. will test more to see if it comes back.. havent solved how the isp dns or cloudflare dns show up on the vpn side as it says you maybe leaking i gave up trying for now jsut working on this pfblocker

If it's a paid subscription and you had to replace the hardware you should open a TAC ticket. We are not completely inflexible. Yes, it's tied to the hardware but if you are forced to change that we have options.

^^ yes - this. - and the syslogd fix in the works should resolve this.

@chudak said in Why do we need to pay for pfS + ????: How do you connect monitor to it? See for example https://docs.netgate.com/pfsense/en/latest/solutions/netgate-4200/#how-to-guides In general Netgate makes sure new releases work on old Netgate hardware until it can’t.

@johnpoz Yep, that's the setup I've got in place. It's been working for quite a few years for me when I was on a cable modem. @Bob.Dig My SG2100 does get a public IP, it is pingable from the outside world but still get no tunnel. In the Gateways widget the tunnel just shows "Offline, Packetloss"

@stephenw10 thanks for the feedback!

Mmm, you'll probably have to wait for it to fail and check what states are still there. I'd expect it to just re-connect if the states timed out and start to fail.

Sounds like they are getting redirected locally if they see a cert error. Check what cert they are being offered. The details there may indicate what is intercepting the traffic.

@akhuyna It's like I already said that. :)