• Cannot Achieve 10g pfsense bottleneck

    General pfSense Questions
    0 Votes
    55 Posts
    2k Views
    Laxarus
    @pwood999 said in Cannot Achieve 10g pfsense bottleneck: Maybe share your PfSense config, with any public IPs, Certs, etc. obfuscated? Or just screenshots of the VLAN firewall rules & any Limiter/Shaper queue settings? Check this post or an XML Redactor that might be helpful. link redactor

    I will check what I can do about sharing the config. I think I saw some github repo for anonymizing the config. Edit: Yep found it Github pfsense-redactor

    @Averlon said in Cannot Achieve 10g pfsense bottleneck: Did you configure the NIC queues down to 4 as well and tested SpeedShift at Package Level? The hwpstate_intel driver works quite well with Broadwell CPUs and does show improvements (according to your post) towards 6Gbps on your Skylake CPUs. Compared to your previous posted results, this is an improvement of almost 1Gbps.

    Yeah, I did all that. But 6G is not consistent, I am still getting mostly 5G. I still think some configuration issue on the pfsense side of things. I am considering making a fresh install and testing things out then reloading my config.

    @Averlon said in Cannot Achieve 10g pfsense bottleneck: What about the interface counter on that Ubiquiti switch, especially the ones for the 25gbps Uplinks - are there any error counter / drops shown?

    I see no errors.

    @louis2 said in Cannot Achieve 10g pfsense bottleneck: I am almost sure the PC is the speed limiting factor. The PC performance when transferring small files is 'dramatic' Intel i5 6600K system (kaby lake Q1 2017). 4 core

    Not similar to my case since I can achieve 10g on L2 with the same devices I test so I've ruled out the clients as the limiting factor. I will try to adjust my settings as close to defaults as possible to see if it makes any difference.
  • Update Intel i210 firmware

    Official Netgate® Hardware
    0 Votes
    2 Posts
    160 Views
    stephenw10
    Is there any good reason to do so?
  • wireguard / protonvpn MSS/MTU config issues.

    OpenVPN
    0 Votes
    3 Posts
    184 Views
    4
    I set MTU 1472 and MSS to 1432 on both links. I have tried a range of mtu-tun for wireguard down to 1320. Everything causes an SSL error:

    An error occurred during a connection to thermalright.com. PR_END_OF_FILE_ERROR
    Error code: PR_END_OF_FILE_ERROR
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

    Just started about 2 weeks ago. Have tried switching to configs from different countries, routing through different wans. Nothing works.
  • DNS Resolver not working

    DHCP and DNS
    0 Votes
    6 Posts
    160 Views
    A
    @ayansaari Check your ACL configuration to see what IP Ranges are allowed to use the resolver service
  • 0 Votes
    2 Posts
    172 Views
    M
    It will be fixed in the next public build.
  • Unable to purchase license

    Multi-Instance Management
    0 Votes
    5 Posts
    94 Views
    M
    It will be available when the product is launched (including the correct link in the docs).
  • 0 Votes
    2 Posts
    52 Views
    S
    @shellbr I know the docs say "It does not care about bandwidth on interfaces, only the priority" but in my experience the limits on WAN and LAN are enforced.
  • pfSense Slow Inter-Subnet Traffic: 1Gb LAN to 10Gb TrueNAS

    Firewalling
    0 Votes
    6 Posts
    495 Views
    J
    I'm facing a similar problem; after authenticating on the captive portal, the user is redirected to another gateway, and after that, the upload speed drops to 0.5. The download works normally, but the upload doesn't.
  • VERY BAD UPLOAD PFSENSE 2.7.2

    Firewalling
    0 Votes
    1 Posts
    25 Views
    No one has replied
  • 4 Votes
    1 Posts
    287 Views
    No one has replied
  • IPsec VTI tunnel problem with multiple subnets

    IPsec
    0 Votes
    5 Posts
    70 Views
    keyser
    @HyperactiveSloth Hmm, my VTI tunnels status shows 0.0.0.0/0 as the network in both ends in order for me to assign what traffic goes down the tunnel (by assigning routes to the VTI Gateway created when the IPsec interface is assigned). Your IPsec status looks like a tunnelmode Phase 2, where the local/remote subnets are assigned in the Phase 2 settings. Strange…. If it was tunnelmode I’m quite sure your issue is the “missing” split connections setting…. Guess I’m out of ideas :-(
  • ipv6 compatible checkip service?

    DHCP and DNS
    0 Votes
    9 Posts
    132 Views
    W
    @mcfly9 said in ipv6 compatible checkip service?: I traced the code further, then I found the problem: dyndnsCheckIP returns false if the gateway is marked as down. My gateways don't respond to pings, hence pfsense marked them as down. As soon as I disabled gateway monitoring, it all started working. @Gertjan, @WN1X, thanks for the help!

    Change your gateway monitoring to something further upstream that pfSense can ping. Problem solved!
  • IPSEC VTI mesh automation

    Multi-Instance Management
    0 Votes
    3 Posts
    78 Views
    D
    @marcosm Thanks. What licenses would I need if I want to test this in a lab?
  • SG-1100 - Failed pfsense upgrade

    Official Netgate® Hardware
    0 Votes
    28 Posts
    2k Views
    stephenw10
    You might try a different PSU. If that has a fault it could have killed that diode and be causing issues during high load.
  • 0 Votes
    8 Posts
    196 Views
    S
    I hadn't heard of uptime kuma so I'm glad I read this thread. I installed it on Home Assistant in just a couple of minutes and have it running. Seems to be a nice add-on.
  • Can pfSense's DHCP server update Microsoft DNS?

    DHCP and DNS
    0 Votes
    21 Posts
    8k Views
    Gertjan
    @helviojr said in Can pfSense's DHCP server update Microsoft DNS?: I miss the custom DHCP options that would be very helpful. I could do it hard-coded in the config generation script, but I'm sure it will be available in GUI soon enough.

    Which DHCP option? Read again the page where ISC announced they stopped the famous 'dhcp' project, and restarted from scratch, rebuilding the DHCP server again. On the non-official page you'll find the reason: over the years, options were added. Thousands of them. Some were written, debugged, and stable since. Some were changing all the time. Hardware vendors didn't stop adding and modifying them .... It had become a software-maintenance hell. (A bit like the openvpn project, or have a look at the absolute champion: postfix - or the black angel, freeradius: that one is just frightening.)

    So, they created a framework and a manual, and left it up to 'us' the user (a very special user: it's us, the admin users, so we need to admin stuff once in a while, and this includes type in stuff) to know what option data is needed, and place it in a nice JSON format (yet another text file format with a very precise syntax, probably more strict than XML), test it ... and forget it. Believe me: it isn't that hard ....

    A (pfSense) GUI facility for every option would be best, of course, but I don't think Netgate will fall in this rabbit hole. Writing a GUI (pfSense or not) that handles all the DHCP options? (And does all the verification and checking of consistency etc ..) ... you might be waiting a long time.

    Right now, imho, the kea v4 and v6 pfSense implementation is rock solid. Some support for DNS registration, static leases and even HA is possible. The options I needed were - surprise - asked in pfSense redmine, and examples were proposed. From there on, as I saw working examples, I made some of my own.

    Anyway, I know, I'm rambling a bit. Just saying: you can do it ^^
  • 0 Votes
    8 Posts
    165 Views
    stephenw10
    How did you complete the initial setup on this box? Via the WAN?
  • LLDP Package disappeared

    pfSense Packages
    0 Votes
    6 Posts
    350 Views
    AMG A35
    @dennypage Tried first option, did not fix. Then tried second which has fixed the problem, thanks for your help. I have a second unit on 25.07.1 found that had identical problem, again option two fixed.
  • IPsec Multiple Phase 2s Not Showing in Status

    IPsec
    0 Votes
    5 Posts
    140 Views
    R
    The widget shows that all three tunnels are up. However the Sophos side still says that there is no connection on the third tunnel. Also cannot ping across.
  • 1 Votes
    24 Posts
    2k Views
    P
    Agree. That bug really does make alias much less useful. Two examples I currently use aliases for which will fail with this bug:

    White list for remote access to work server from peripheral sites. The laptops will roam between sites:
        Peripheral site DDNS FQDN
        Peripheral site relatively static IPv4 addresses
        Laptop 1 DDNS FQDN
        Laptop 1 DDNS FQDN

    White list from a VoIP supplier with redundant servers in multiple cities. During fault conditions the supplier redirects traffic to better functioning servers in another city:
        city1.Voipsuppler.com
        city2.Voipsuppler.com
        city3.Voipsuppler.com
        city4.Voipsuppler.com
        city5.Voipsuppler.com
        city6.Voipsuppler.com
        city7.Voipsuppler.com
        city8.Voipsuppler.com

    Imo the variable FQDN component of an alias should be completely recalculated from scratch then combined with the constant (explicitly specified) IPs each time. After which only changes from the current IP addresses written to filterdns to update the firewall filtering.