• Intervlan performance slow on my C2758 atom 8 core.

    27
    0 Votes
    27 Posts
    6k Views
    ?
    But basically the LAGG algorithm is sending/receiving the file transfer on the same port on pfSense, so it's doing full duplex transfer. I am not really sure but all depends on the configuration you made! You can also configure that one LAN port is "doing" RX and the other is "doing" the TX part! And then you will be getting out; 1 GBit/s > TX 1 GBit/s > RX And this might be then even 1 GBit/s and not 2 GBit/s! But for sure the entire LAG (LACP) is building an aggregated 2 GBit/s fat pipe! Now theoretically, the gigabit ethernet can handle 2000mbps total. That is exactly the point where you are failing or made a so called thinking false in my eyes! 1 GBit/s line (cable) is able to send and receive 1 GBit/s over 4 adders of the cable in each direction and this is then 1 GBit/s in each direction and not 2 GBit/s in one direction. But I ran iperf between 2 machines using the simultaneous option, and the max I was able to get was about 450mbps both ways the same time. So not sure why? If the technical and theoretical max throughput of a 1 GBit/s line is 125 MBit/s and with your LAG (LACP) you will get out then in normal and as a max. 500 MBit/s (4 x 125 MBit/s) but you got 450 MBit/s + the TCP/IP overhead that must be counted on top of this, you will also be getting nearly the maximum, or am I wrong with this? Anyhow when I transfer a file the other direction, the algorithm uses 2 ports on pfSense, so then I'm getting closer to 1Gb in that direction. Then perhaps the network load you were producing with iPerf was not high enough perhaps I mean? Either way, I think I will upgrade to 10Gbe with the Chelsio card, that should solve any Gb bottlenecks. It is the best option as today in my eyes!!! The Chelsio card is fully offloading tasks such as VLANs based on using an ASIC/FPGA on its NIC and it is better driver supported in pfSense!
So you will be able to fully unload from your pfSense box many TCP/IP based tasks and on top you will be saving ports and getting more throughput than now.
  • How to add OpenVPN to interfaces in the dashboard for traffic graphs?

    2
    0 Votes
    2 Posts
    1k Views
    C
    Do what you did, just keep in mind you need to restart that OpenVPN instance after assigning it.
  • NAT-question - Script-question from newbie

    3
    0 Votes
    3 Posts
    835 Views
    B
    @BlueKobold: Create one or more rules pending on this. Or make the Servers be a member of the allowed other VLANs. I'm feeling like an idiot, I don't understand how to do that. :( You are able to store each config from the lowest bottom (easy) to the highest top (difficult) and then you might be swapping over the config to another pfSense firewall by using this xml file Thanks! My thought was to have a batch file to run and then type in DNS, password, ip-address etc after given questions. Maybe I've to reconsider that. Thanks for your answers!
  • Menu wrapping so the System options are inaccessible

    3
    0 Votes
    3 Posts
    589 Views
    3
    CNTRL F5 did the trick.  Thanks so much!
  • Saving config.xml from crashed USB stick

    7
    0 Votes
    7 Posts
    1k Views
    C
    Thank you so much for your help. I tried with a live CD running FSCK on the drive but it ended up being beyond help. It'll be way more easy to redo the settings than actually put way too much energy in saving broken data. I've learned something.
  • Web site incompatibility with changing IP addresses in load balancing

    2
    0 Votes
    2 Posts
    589 Views
    H
    please don't double post. https://forum.pfsense.org/index.php?topic=108336.0
  • Packet loss on LAN interface

    9
    0 Votes
    9 Posts
    2k Views
    R
    Still got packet loss despite all software tweaking so this morning I replaced the LAN card. So far so good - 0 packets lost during a few hours so hardware problem was the diagnosis for this one. Thanks for all your input!
  • Storage timeout before pfsense reboots

    1
    0 Votes
    1 Posts
    507 Views
    No one has replied
  • Very odd question about cat5 distance and router vs switch?

    7
    0 Votes
    7 Posts
    2k Views
    DerelictD
    Yup +1. If there's line-of-sight Ubiquiti can probably do this for US$500 including ready spares for each end on the shelf. Likely won't be gigabit, or 10G as if the right fiber and optics were employed, but probably good enough.
  • Feature request to support OpenFlow protocol

    2
    0 Votes
    2 Posts
    1k Views
    ?
    NetFlowd was the only thing what I was finding its way into pfSense as today. ADI Engineering is assembling and building the hardware for the Netgate and pfSense store and they are now selling one Switch that will be called Pica8 P-3297 TCAM 48 x 1G OpenFlow Switch and is for sale. That must be meaning anything in any direction or could be a hidden statement to the point you are right for. But, and this should also be said, it could be a try out, a start and/or a point where pfSense will be jumping in at one day.
  • Overview on configuring pfSense Firewall/NAT for VOIP SIP phones?

    9
    0 Votes
    9 Posts
    22k Views
    D
    +2 on leave everything at default. I run more than one Asterisk box behind pfSense and normally let the SIP protocol deal with the behind NAT issues. Haven't needed sipproxd yet. Things have definitely progressed from the "bad-ol" days of needing to open ports willy nilly and still having flakey conx. More important to see what your Voip provider is expecting/can handle.
  • Feature suggestion

    1
    0 Votes
    1 Posts
    710 Views
    No one has replied
  • Traffic that occurred in the past.

    5
    0 Votes
    5 Posts
    2k Views
    ?
    is it possible to look at the logs in pfsense that show me which connections were made at an earlier time? From the WLAN & LAN to the WAN I would imagine you could install Squid with user authentication and SARG for reporting then. It all depends on the traffic itself and the amount of log files that will be produced. But if all is going through the Squid proxy w/ user authentication you will know exactly who was doing what and at which time. for example, i am looking at the rrd graphs and see that my connection was heavily used between 4-5am, but i don't know how i can see who was using the connection at that time. That is more than a real time monitoring but you were asking for a longer time ago usage first. What do you want exactly now? Or both? i am not looking for it to tell me someone was streaming youtube (although, that would be nice), i would want to see the LAN IP and what IP it was connected to, or something along those lines. It would be able to realize but then the WLAN should be secured by a radius server and for guests over a Captive Portal otherwise or if this be an open WLAN as a HotSpot you will never be able to see who was it, if the whole street is surfing over your AP or pfSense. do i need to implement a syslog server and log everything to that? A small Raspberry Pi 2.0 with the new WD 314 GB HDD one will be sufficient to realize many more things together with; syslog-ng, MRTG & CACTI ELK (ElasticSearch, Logstash, Kibana) on pfSense directly w/ Squid & SquidGuard & SARG is there a place to set how much storage can be used by ntop? will it recycle storage when it needs more space? i want to make sure i don't crash my box by letting the hard drive pfsense runs on fill up. Then add a bigger HDD/SSD or set up a small Intel NUC connected to a monitor where you can install or run the following things. PRTG Network Monitor Scrutinizer WireShark F.l.a.v.i.o.
Splunk I would more have a look for the following two things Squid & SquidGuard + SARG plus PRTG on an Intel NUC or ELK syslog-ng & MRTG & CACTI on a RAPI
  • Problem with swap_pager_getswapspace

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C
    You're running out of RAM and swap (if you have any). Why, no telling from that description. How much RAM in the system? Full install or nanobsd?
  • Laptop card Need Help

    4
    0 Votes
    4 Posts
    1k Views
    X
    I've been thinking about OpenVPN but isn't this going to slow down my speed? After all, the hotspot's speed is low enough. Yes BlueKobold I am using Kali linux but it came the time that I am sorry that I never got deep into Linux, this stupid windows each year becomes more and more of a privacy nightmare, especially now windows 10. I will probably keep using Kali for the time being, I just wanted to see if it is a good idea to setup virtual box with PFSENSE. Thanks to all
  • A Big Problem:QinQ interfaces between two PFSense

    2
    0 Votes
    2 Posts
    933 Views
    ?
    That something can be technically done might be not even the best to realize it really. So if I had to be true fully to you I would aware of such a set up like yours. In service networks from TIER1,2,3 or smaller or locally homed ISPs this could be done and is often offered as a service but based on totally other hardware devices and on top of this surely based on faster and more stable connections or uplinks. You as a company are using a customer network but this named above carriers or ISPs are driving this through their service network and then it is more stable and on this stage it makes sense. I want when the QinQ connection is established, computer2 get the ip from the DHCP Pool on PF1. How can i do this? QinQ VLANs are Layer2 based and the entire WAN through the Internet will be a routed way so it could really be, that you will be having success with a L2TP/IPSec VPN connection or a BGP connection between this two points, but I personally would recommend the following. Let the QinQ VLANs end at their WAN end point that might be the border firewall, border router or a gateway at a network edge or node and then connect the both networks over one or more VPN or BGP connections and that's it.
  • Connecting Problem

    1
    0 Votes
    1 Posts
    525 Views
    No one has replied
  • FTP issue in Ver. 2.2 or later

    7
    0 Votes
    7 Posts
    2k Views
    johnpozJ
    Why could you not just fire up a 2nd instance of vsftp have it listen on the IP you're sending your WAN/internet users to with the passive setup to use your public ip. And a second instance listen on different rfc1918 address where your local clients go. Or as hinted upon just use a secure method of file transfer like sftp that only uses 1 port and there you go no issues, and now you're secure!! And all you have to do is forward 1 port on pfsense. ftp has been antiquated for YEARS, anyone still using it is just nuts or lazy… There are FREE sftp clients for any user of any OS to use, there are FREE servers, shit any linux distro out there comes with it. You can do it on windows now for free as well. So what could be the excuse of still trying to use an unsecure antiquated protocol like ftp?
  • Packet Capture Destination IP with OpenVPN Question

    1
    0 Votes
    1 Posts
    558 Views
    No one has replied
  • Unifi AP and PFSense Failures

    7
    0 Votes
    7 Posts
    3k Views
    R
    I had the same problem before, but I solved it, here's how I solved it. make sure you're on the same network with all of your unifi AP then run the unifi controller try to adopt all of the AP if it does not work, hard reset all your AP and try to adopt them again if it still does not work, try unifi discover (you can download it from ubnt.com) to adopt it if some of your AP is isolated, use the wireless uplink from the nearest/strongest signal
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.