New hardware is in place. The backup - restore - reassign interfaces process was completely flawless and painless.

The new Broadcom-based ports are behaving where the previous hardware's Realtek ports were not.

The problem was solved with $200 in hardware. For those reading after 2025-01-20, the price from China may be higher.

Hmm, I'd assumed HAProxy or Reverse Squid if it's hitting that on the firewall. But I could be wrong.

Clearly the correct assumption! I guess I was stuck in my thinking from when I set up NextCloud and all the instructions using Nginx. Which kind of makes sense since it's independent of what firewall is being used...

Yeah, yeah. Hating on Realtek ;-)

Mmm pretty much.

They do seems to be improving though. Their 100M NIC was truly terrible. The 1G chips can be OK, but sometimes not so much! I've yet to see a confirmed issue with their 2.5G NIC.

Actually, I ordered replacement hardware the same day this started to happen. I'll endeavor to come back to this thread when I find what happened through the logs, and when I change the hardware platform.

But still with Realtek NICs in the system they are my prime suspect!

Which proxy are you using? Is anything logged there?

I'm guessing Nginx Proxy Manager in which case logs are under /some mountpoint/data/logs/. And there are logs per Proxy Host numbered in the order they appear in the UI.
Perhaps the error log cold uncover something, if there is anything misconfigured on the NC server for example.

Importantly with Realtek NICs check for watchdog timeout errors in the system log.

You could try split DNS to see if that makes any difference. I just tested it myself and it seems to work with NextCloud...
Go into Services / DNS Resolver (or forwarder if that's what you use) and almost at the bottom you add a new Host override. Enter the fqdn you use to access NextCloud (e.g. nextcloud.dns.org) split up into nextcloud and dns.org on rows 1 and 2. And then the IP for NextCloud without the port (which apparently isn't needed when doing it this way).
[EDIT] I guess since in the NC setup you have specified that it should listen to port 80/443 and it expects e.g. nextcloud.dns.org as host header or whatever it's called.
You will also get a certificate warning that you have to accept since it's no longer going through your proxy.

But you also need to test with an external client so that it doesn't lock up if you are accessing from the internet. You could run a VPN client on the PC that you are testing from to simulate that..

The IP and MAC are unique on the network.

As for checking logs, capturing packets, and analyzing the results, I have not yet explored those rooms of the pfSense mansion.

@stephenw10, I believe the traffic is traversing the firewall because I'm using the public URL - the server is reverse proxied.

Is that traffic going through pfSense?

Is anything logged in pfSense when that happens?

Also check IP and MAC just to make sure there is no conflict...
Check the logs in pfsense of course.. state table overflow?