After creating the nat rule,  you do not need a firewall rules to wan on high port.

You can also listen only on loopback and then nat it from wan 80 .

@BBcan177:

If you are only using the country blocking features of pfBlocker then those lists do not require conversion as they are already in cidr format.

I would disable pfBlocker. Then confirm if /var/db/aliastables is clear of all pfBlocker files. If not, delete any remaining files.

Then enable pfBlocker and reboot to see if it's still slow.

I have developed a new package called pfBlockerNG which is currently being reviewed by the devs.

BBcan177 - Any timeline from the devs on pfBlockerNG making it into the packages?  I have been waiting for this to hit mainstream since last year when talking to you.  Looks as if it may be the best fix for us PFblocker user folks. Thanks again for your hard work on it.

Ash,

@Accounts:

Traffic Shaper: Limiter…I had both an In and Out set under this. I had them both set via a Firewall rule. I had no traffic going via that rule after the upgrade to 2.2. I removed the In limiter and just set the Out and it started passing traffic and limiting correct.

Hmm.  The UI doesn't seem to allow an Out limiter without an In limiter set …

See some interesting behavior with the Queues however… after the primary crashed and restarted, it appears traffic shaping isn't either being reported correctly or it's not working. Normally about 50% of our traffic is VOIP:


Is this a full install to a HD or Nano? Is it 64bit?

Steve

WTF.  Someone should seriously disable the http version of that page, especially when it has anything to do with entering a password - always enforce/encourage good security practices guys!  Despite the fact of it simply being a mailing list, people (sadly) tend to reuse legit passwords and usernames all the time.

https://lists.pfsense.org/mailman/listinfo/announce

Answering my own post here…

It seems that the synchronization of limiter rules are causing the problem in version 2.2. I haven't tested it yet but it sounds reasonable. The topic has also been discussed here:

https://forum.pfsense.org/index.php?topic=87541.0

…and a bug report has been filed here:

https://redmine.pfsense.org/issues/4310

Please note i am using transparent proxy

It only occurred initially after installation.  After enabling it through the web gui it then showed up in the console correctly as an option to disable.  Didn't try it but believe it would probably work now.

The web gui would give the standard message about creating keys and delaying ssh start up.  But never did get the success message until enable ssh in via the web gui.

Think it was probably some part of the system seeing it as enable and another as disabled.  So out of sync.

No not really concerned about it.

@lowprofile:

Are you running raid? Software or hardware?

RAID mirror : why ?

The root issue is what I added to the 2.2 upgrade guide here.

Either enable active LACP on your switch, or disable strict mode as noted there. We'll change the default back to its previous setting for 2.2.1.
https://redmine.pfsense.org/issues/4308

Steve - thanks for saving me some time searching by finding that first. :)

Yeah having a broken manually-edited config will do that. :) Glad you found the issue, thanks for the follow up.

"give 3 cores and 12gb to pfsense and 1 core and 4gb to the cloud."

You have that switched I think..  What is the speed of the connection??  How many vpn connections?  Pfsense sure and the hell does not need 3 cores and 12GG of ram ;)

From my limited experience with playing with custom options with 2.2 and the integrated unbound you have to add

server:
option
option

to get them to work, or unbound fails to start without that server: at first line.

Hmm, I believe the correct type is ufs2. However the fact that it seems to be reporting a filesystem that's bigger than the drive isn't good. Re-flashing and restoring the config was the way to go.  :)

Steve