Have tried disabling every offload feature (or variations of) "ifconfig ixl0 -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso -vlanhwtag" via shellcmd (either as shellcmd or earlyshellcmd). No difference whatsoever. If I reroot the firewall (rather than reboot), the errors do not appear when everything comes back up. No idea if that's helpful to know. It seems the same thing happens irrespective of what switch is on the other end - MikroTik and Ubiquiti both do the same. It looks purely cosmetic though so not too bothered. I do have another X710-DA4 somewhere which I'll play around with and see if I can figure out what's causing this. Can't keep screwing with the actual firewall as it takes every internet connected thing down if I do!

Ah, OK. acpi_call is not included in pfSense or the default repo. You can try adding it directly from FreeBSD like: [22.01-RELEASE][admin@5100.stevew.lan]/root: pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/acpi_call-1.0.1_1.txz Fetching acpi_call-1.0.1_1.txz: 100% 6 KiB 6.3kB/s 00:01 Installing acpi_call-1.0.1_1... Extracting acpi_call-1.0.1_1: 100% [22.01-RELEASE][admin@5100.stevew.lan]/root: rehash [22.01-RELEASE][admin@5100.stevew.lan]/root: acpi_call Please specify path to method with -p flag But you need to understand the possible consequences of doing that: https://docs.netgate.com/pfsense/en/latest/recipes/freebsd-pkg-repo.html#concerns-warnings Steve

Great, thanks!

I didn't see the use case for that machine... maybe I missed it. I had gone down this road twice, a mini ITX box. No, scratch that, 3 times. The first was real budget, an AMD AM1 setup with the 5350 chip and MSI AM1M board. 300watt PSU (way overkill) 4 port intel server pull NIC from Amazon, 8 gigs ram. old laptop hard drive. Worked fine, but a bit slow saving changes in the GUI- anything actually that wrote to disk because of the disk. An SSD fixed that. Should have stopped there. But I ditched the little AMD that could, for a Kaby Lake I3 and Gigabyte board (H270N WIFI). It was snappier in the GUI but network wise, no difference. Not stopping there, I made that computer into my little kitchen computer as an excuse for a Pentium G 6400/Asrock B460M-ITX. Well, my mother's computer died so I repurposed that Asrock to her new desktop, and made a smart move. I got one of those Qotom-Q555G6, i5 7200, added 8 gigs ram and a 64 gig MSATA. Probably cheaper than what you are thinking about, would work as well, and with the money saved, buy a real WAP like a Ubiquity. In the end, you have a better setup- between the better WIFI and the low power silent mini PC with a very capable i5. They even have an i7 one if you need to service a small office full of people or have symmetrical gigabit that you will be maxing out constantly. So I had fallen down the rabbit hole, managed to recover, and am now in recovery and resisting the urge to waste money. Oh, put that NIC in your gaming rig or server in the home lab. Mine is in a box; I have a better one in my ESXI host... and that is another story...

@stephenw10 Yes it is indeed. I hate to do something like double NAT with static routes. The next time a provider tries to force me to use a FritzBox I won't sign a contract with them :-)

@p-dang Thank you it worked!

You shouldn't need to. You might try connecting it thought a powered hub a test.

@stephenw10 Had to put this to the side for a bit, but I'll return to troubleshooting at a later date.

If you are connecting to 1G devices you may well have to set the link speed manually. That is done in the interface config in pfSense. It's common to need to do that on any 10G NIC. You can't have more than one interface in the same subnet, it would break routing between them. If you really need them in the same subnet you would need to bridge them: https://docs.netgate.com/pfsense/en/latest/bridges/index.html Steve

@stephenw10 Nice!! i look later tonight Regards

@ck42 No, not PPPOE. Was just intending to show the relative single-thread performance of a low-end desktop processor vs an embedded one, since that directly affects PPPOE performance. The Geekbench browser will let you compare scores of different processors if you don't already have one to test.

@rcoleman-netgate Thank you but i see that there are still problems, it happens to me too.

@pete Yes it works very well now.

Ah, good result then! Yeah you almost certainly don't need all those rules. Also those are rulesets and you probably don't have all the rules in them loaded because that would be a lot of rules! Steve

@stephenw10 Bingo! I rebooted just to see, and you are correct, it now shows AES-NI as available but inactive. Thanks..

@p-dang That's good news. I didn't see it in their release notes. I happened to come across what I read here on the "can I use my own hardware" https://www.netgate.com/support/frequently-asked-questions-pfsense-plus

I'm on 2100. I'll try to reboot it again. It was pulsing before the upgrade. cheers, M. Edit: it needs one more boot after the upgrade. I have a pulsar again! thanks

Per forum user @w0w, you can download a newer Realtek driver package from freebsd.org per the commands below. I've gone ahead and done this "newer" driver version for my current 2.5.2 install, and it worked well...it is a "test" for me prior to upgrading to 2.6.0 to make sure the drivers worked under load. You still have to edit the /boot.loader.conf.local file after installation, and it will say so on install of the package. (well, it will say to edit /boot/loader.conf, but you may want to do the /boot/loader.conf.local so these settings will persist on doing a future upgrade, per the instructions from @stephenw10 ) fetch -v https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/realtek-re-kmod-196.04.txz pkg install -f -y realtek-re-kmod-196.04.txz

Ok, that's fair. You won't see 1Gbps OpenVPN through the 7100. Not yet at least. Steve

@stephenw10 So, moved back to the Intel card and I am seeing the results I expect to see now. So, the major issue was that I had a hard gateway defined for the LAN interface, which started asymmetric routing issues. While supported, the bce based card was the second issue. I'm seeing ~230/~110 on a 250/125 circuit, which matches the old firewall almost perfectly, so I think I can put this one to bed. Now, to get BGP and all the other stuff moved to the new firewall, probably gonna setup HA between the old and new and use that to make the switch between the firewalls. Thanks everyone for the input, it got me in the right direction and hopefully it will help others who come across it.