I created a boot usb drive. Once I turned the 5100 on with that in, I was able to re-install with zfs and eventually apply my config xml.

Thanks again!

@gertjan yes, it was pfblockerng-devel v3.1.0_6.

I have blocklists set to prevent traffic coming from "non friendly countries", basically, asia region, russia, some northern countries + africa.

But I agree, it is quite weird.
I've now made several tests with pfblocker-ng enabled/disabled, etc.. and always see the BW drop when pfblocker-ng is enabled.

5c64470f-6054-465d-8153-9428ad13ba7a-image.png

I contacted Netgate support and got the install image, reinstalled the firmware and for now everything looks fine.

Thank you very much for your help and advice on using the program and equipment.

Turns out I need to "sudo" with my dedicated user for the command to work. Like this

sudo easyrule block lan 192.168.1.21

@rj said in Traffic Shaping on SG-5100:

Couldn't all the traffic shaping be done on the WAN interface since that is where the real bottleneck is

Shaping happens when packets leave an interface. (https://docs.netgate.com/pfsense/en/latest/trafficshaper/index.html#traffic-shaping-basics)

You can recover the config from the pfSense install image as long as the partition is not completely destroyed, it gives you option before you install:
https://docs.netgate.com/pfsense/en/latest/backup/restore-during-install.html#recover-config-xml-from-existing-installation

Worst case you can cat the recovered config to the console from there and copy it out into a file.

Steve

The OpenVPN option text should probably be renamed. The engine command in OpenVPN isn't required. When it's unset then it automatically selects a device which supports accelerating whatever cipher it's trying to use.

When it's set to a specific engine, it's supposed to prefer that engine but I don't believe it's restricted to only using that engine. Since most things only have 0-1 available usable engine types, that's not so easy to test.

So really the No Hardware Crypto Acceleration line should be Use any available cryptographic hardware device or something along those lines.

File System Check (fsck) fixed the issue.
We hand-edited the .XML and it imported and updated perfectly.
Now backed-up and happy customer. ☺
Thanks for your help!