Starting pfsense for New Users

TanKianW (Supremacy Member)
Got Wireguard test? :o

On my pfsense VM with 4 cores allocated(i7 4770), I get about 380Mbps up and 470Mbps down over wireguard.

Seem to be limited by my connection speed, at least for the upload since my limiter tops out at 470Mbps.


Test ran on my 5900X machine over LAN.


xiaofan (High Supremacy Member)
1) Try untag VLAN10, "not member" VLAN30, PVID 10,
Assumption: you want to achieve AP with VLAN10 IP address, client connect also with VLAN10 IP address

2) Try "not member" VLAN10 and 30, PVID 1.
Assumption: you want to achieve AP in default VLAN, client connect also on default VLAN.

3) Try tag VLAN10, "not member" VLAN30, try PVID 10 or 1? This one I am unsure coz I have no idea how the router mode work. Only trial and error.

Not sure if it will work since I am clueless with the ST Mesh router. Worth a try.

Thanks for the help. Now the second point is clear. I am still fuzzy about Points 1 and 3. For Point 3 I think I need to understand more about PVID. For Point 1 I have no idea why I got inconsistent results with the Singtel Mesh Router.

1) That is the setting of Port 2/3 now and it sometimes gives inconsistent results for the Singtel Mesh Router, as mentioned before. This is strange. The Huawei AX3 quad core router works as expected, as mentioned before.
Port 2/3 -- untag VLAN 10, not a member of VLAN30, PVID 10

2) Thanks, this is good. I have changed Port 6/7 to these settings and it works fine. The Singtel Mesh Router will get a 192.168.28.x default LAN segment IP address, same for the wireless clients. It also works fine with the Huawei AX3 Quad Core router with no VLAN settings.

3) I changed Port 2/3 to the one you suggested.
Port 2 -- tag VLAN 10, not a member of VLAN30, PVID 10
Port 3 -- tag VLAN 10, not a member of VLAN30, PVID 1

3a) Port 2 test result -- Sometimes it is working in router mode and it can get a 192.168.10.x IP address (for VLAN10) from pfSense. Wireless clients get a 192.168.1.x address from the Singtel Mesh router. Sometimes the Singtel Mesh router is working in router mode but cannot get an IP address from pfSense.

I was thinking the Huawei AX3 quad core router should not work if connected to Port 2, but it actually works and gets a WAN IP address of 192.168.10.x, and strangely the wireless clients get 192.168.28.x IP addresses. This is strange.

3b) Port 3 test result -- This one seems to be consistently working. The Singtel Mesh router is working in router mode and it can get a 192.168.10.x IP address (for VLAN10) from pfSense. Wireless clients get a 192.168.1.x address from the Singtel Mesh router.

I was also thinking the Huawei AX3 quad core router should not work in this case, but it actually works and gets a WAN IP address of 192.168.28.x, and the wireless clients also get 192.168.28.x IP addresses. This is a bit less strange than 3a) though.

4. The settings for the Point 2 and 3 testing are as follows. I think Port 3/4/5/6 are now working as expected. The testing results of Port 1/2 are still strange to me.


xiaofan (High Supremacy Member)
Now that the behavior of VLAN 30 is clear and the results are consistent, I have removed VLAN 30 and just tried all 4 combinations of VLAN 10 tagged/untagged and PVID 10/1 for Port 2/3/4/5. I have set the static IP address of the TL-SG108E to 192.168.28.2 in the LAN segment so I can easily access it from my laptop.

pfSense (with public IP) -- TP-Link TL-SG105E smart switch -- wireless APs
pfSense LAN (vtnet1) -- 192.168.28.1
pfSense VLAN10 (vtnet1.10) -- 192.168.10.1

Port 2: Untagged VLAN ID 10, PVID =10
Port 3: Untagged VLAN ID 10, PVID =1
Port 4: tagged VLAN ID 10, PVID =10
Port 5: tagged VLAN ID 10, PVID =1


xiaofan (High Supremacy Member)
Huawei AX3 Quad Core (AP mode, no VLAN settings) Test Results. It seems to work as expected.

1) Port 2: Untagged VLAN ID 10, PVID =10
Expected: 192.168.10.x IP address for both the router and wireless client
Results -- as expected

2) Port 3: Untagged VLAN ID 10, PVID =1
Expected: 192.168.28.x IP address for both the router and wireless client, because of the PVID 1.
Results -- as expected

3) Port 4: tagged VLAN ID 10, PVID =10
Expected: no internet access for the wireless client
Results -- wireless clients cannot reach the internet, as expected. They are not able to get an IP address from pfSense.
The router itself gets a 192.168.10.x IP address and seems to have internet access (green LED)

4) Port 5: tagged VLAN ID 10, PVID =1
Expected: 192.168.28.x IP address for both the router and wireless client, because of the PVID 1.
Results -- as expected

xiaofan (High Supremacy Member)
Singtel Mesh Router Test Results -- no power cycle of the router this time, to see how it goes. The client side will disconnect and then reconnect to the Wifi to refresh the DHCP process.

Testing sequence: initially connect to Port 6, working as expected. Then move to the next 4 tests in sequence.

1) Port 2: Untagged VLAN ID 10, PVID =10
Expected: 192.168.10.x IP address for both the router and wireless client
Results -- initially RED LED but later recovered and works as expected.

2) Port 3: Untagged VLAN ID 10, PVID =1
Expected: 192.168.28.x IP address for both the router and wireless client
Results -- as expected

3) Port 4: tagged VLAN ID 10, PVID =10
Expected: no internet access for the wireless client
Results -- initially as expected, RED LED on the router and the client cannot connect to the network, but later recovered. It is working in router mode and it can get a 192.168.10.x IP address (for VLAN10) from pfSense. Wireless clients get a 192.168.1.x address from the Singtel Mesh router.

4) Port 5: tagged VLAN ID 10, PVID =1
Expected: working in router mode and WAN address of 192.168.10.x IP, wireless clients will get 192.168.1.x address from the router.
Results -- as expected

5) Going back to Port 6 -- I need to power cycle to get it working again: AP mode, 192.168.28.x IP address for both the router and wireless client.

I will try the next test -- power cycle the router after changing the port connection, to see if the results are different or not.

TanKianW (Supremacy Member)
Singtel Mesh Router Test Results -- no power cycle of the router this time, to see how it goes. The client side will disconnect and then reconnect to the Wifi to refresh the DHCP process.

Testing sequence: initially connect to Port 6, working as expected. Then move to the next 4 tests in sequence.

1) Port 2: Untagged VLAN ID 10, PVID =10
Expected: 192.168.10.x IP address for both the router and wireless client
Results -- initially RED LED but later recovered and works as expected.

2) Port 3: Untagged VLAN ID 10, PVID =1
Expected: 192.168.28.x IP address for both the router and wireless client
Results -- as expected

3) Port 4: tagged VLAN ID 10, PVID =10
Expected: no internet access for the wireless client
Results -- initially as expected, RED LED on the router and the client cannot connect to the network, but later recovered. It is working in router mode and it can get a 192.168.10.x IP address (for VLAN10) from pfSense. Wireless clients get a 192.168.1.x address from the Singtel Mesh router.

4) Port 5: tagged VLAN ID 10, PVID =1
Expected: working in router mode and WAN address of 192.168.10.x IP, wireless clients will get 192.168.1.x address from the router.
Results -- as expected

5) Going back to Port 6 -- I need to power cycle to get it working again: AP mode, 192.168.28.x IP address for both the router and wireless client.

I will try the next test -- power cycle the router after changing the port connection, to see if the results are different or not.

Between (3) and (4), you should use (3).

(4) is applicable in situations where you have an AP with VLAN management capability: when you set the PVID to the default [1], the AP admin page (on DHCP) will stay on the default [1] VLAN, but the devices connecting to that AP can be tagged onto another VLAN.

A working example:
Ruckus AP 1 & 2: Tag VLAN20, both PVID1.


Under Ruckus VLAN setting, I set Ruckus5G SSID as VLAN 20.


So now my APs will be on the Admin VLAN (default), but connecting wireless on SSID Ruckus5G will be on VLAN20. In this way, I can segregate the mobile devices from my admin infrastructure VLAN.
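The switch-port behaviour behind these results, as an added example that is not part of the thread and not any vendor's code: a small Python model of 802.1Q ingress and egress on the TL-SG108E, run over the four "dumb AP" port settings tested with the Huawei AX3 above and over the Ruckus "tag VLAN 20, PVID 1" setup from the post above. It assumes ingress filtering (a frame in a VLAN the port is not a member of is dropped), that the AP-facing ports kept their factory untagged VLAN 1 membership (which the PVID 1 results imply), that pfSense answers DHCP on the interface the request arrived on, and it uses a placeholder for the VLAN 20 subnet, which the post does not give.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    """One switch port in a simplified 802.1Q model of the TL-SG108E VLAN page."""
    pvid: int             # VLAN assigned to frames that arrive without a tag
    untagged: frozenset   # VLANs this port sends out without a tag
    tagged: frozenset     # VLANs this port sends out with an 802.1Q tag

    def member(self, vid: int) -> bool:
        return vid in self.untagged or vid in self.tagged


UPLINK = 1  # port facing pfSense: untagged LAN (VLAN 1) plus tagged VLAN 10 and 20

# Assumed switch table. AP-facing ports keep the factory untagged VLAN 1 membership,
# which is what the "PVID 1 -> 192.168.28.x" results in the thread imply.
SWITCH = {
    1: Port(pvid=1,  untagged=frozenset({1}),     tagged=frozenset({10, 20})),
    2: Port(pvid=10, untagged=frozenset({1, 10}), tagged=frozenset()),      # Untagged VLAN 10, PVID 10
    3: Port(pvid=1,  untagged=frozenset({1, 10}), tagged=frozenset()),      # Untagged VLAN 10, PVID 1
    4: Port(pvid=10, untagged=frozenset({1}),     tagged=frozenset({10})),  # tagged VLAN 10, PVID 10
    5: Port(pvid=1,  untagged=frozenset({1}),     tagged=frozenset({10})),  # tagged VLAN 10, PVID 1
    6: Port(pvid=1,  untagged=frozenset({1}),     tagged=frozenset({20})),  # Ruckus AP: tag VLAN 20, PVID 1
}

# Subnet pfSense serves on each VLAN (LAN and VLAN10 from the thread; VLAN 20 is a placeholder).
SUBNETS = {1: "192.168.28.x (LAN)", 10: "192.168.10.x (VLAN10)", 20: "VLAN20 subnet (assumed)"}


def forward(switch, src: int, wire_vid: Optional[int], dst: int):
    """Carry one frame from port `src` to port `dst`.

    `wire_vid` is the 802.1Q tag on the incoming frame, or None if it is untagged.
    Returns (vlan, outgoing_tag), with outgoing_tag None for an untagged frame,
    or None if the switch drops the frame (non-member VLAN on ingress or egress).
    """
    sport, dport = switch[src], switch[dst]
    vlan = sport.pvid if wire_vid is None else wire_vid  # untagged ingress takes the PVID
    if not sport.member(vlan):
        return None                                       # assumed ingress filtering
    if vlan in dport.untagged:
        return (vlan, None)
    if vlan in dport.tagged:
        return (vlan, vlan)
    return None


def dhcp_result(switch, ap_port: int, ap_tag: Optional[int], vlan_aware: bool):
    """Round-trip a DHCP exchange AP -> uplink -> pfSense -> uplink -> AP.

    Returns the subnet the requester lands in, or None if it gets no lease.
    `ap_tag` is the tag the AP puts on its request (None for a plain/dumb AP).
    A VLAN-unaware AP discards a tagged reply, which is the "no IP address" case.
    """
    up = forward(switch, ap_port, ap_tag, UPLINK)
    if up is None:
        return None
    vlan, uplink_tag = up
    # pfSense answers on the interface the request arrived on (vtnet1 or vtnet1.10),
    # so the reply re-enters the uplink with the same tag state.
    back = forward(switch, UPLINK, uplink_tag, ap_port)
    if back is None:
        return None
    _, reply_tag = back
    if reply_tag is not None and not vlan_aware:
        return None
    return SUBNETS[vlan]


def thread_matrix():
    """The four dumb-AP tests from the thread plus the Ruckus tagged-SSID case."""
    return {
        "port2 untagged10 pvid10": dhcp_result(SWITCH, 2, None, False),
        "port3 untagged10 pvid1":  dhcp_result(SWITCH, 3, None, False),
        "port4 tagged10 pvid10":   dhcp_result(SWITCH, 4, None, False),
        "port5 tagged10 pvid1":    dhcp_result(SWITCH, 5, None, False),
        "ruckus mgmt (untagged)":  dhcp_result(SWITCH, 6, None, True),
        "ruckus SSID (tag 20)":    dhcp_result(SWITCH, 6, 20, True),
    }


if __name__ == "__main__":
    for case, result in thread_matrix().items():
        print(f"{case:26s} -> {result or 'no lease'}")
```

The dumb-AP rows reproduce the thread's expectations: only "tagged VLAN 10, PVID 10" leaves the wireless client without a lease, because the DHCP reply comes back to the AP port carrying a tag the AP cannot read. The Ruckus rows show why PVID 1 plus a tagged VLAN 20 keeps the AP's management traffic on the admin VLAN while the SSID traffic lands in VLAN 20, and a frame tagged with a VLAN the port is not a member of is dropped at ingress.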

xiaofan (High Supremacy Member)
Between (3) and (4), you should use (3).

(4) is applicable in situation where you have an AP which has VLAN management capability, when you set the PVID at default [1], the AP admin page (on DHCP) will stay in on the default [1] VLAN but you could connect your devices on that AP tag to another VLAN.

Thanks for the advice.

Actually you can consider the Singtel Mesh Router to be a Router/AP with VLAN management capability (but as a black box which you cannot change). I think this becomes more of an exercise in reverse engineering the VLAN behavior of the Singtel Mesh router.

Probably I should concentrate more on the testing with the Huawei AX3 Quad Core version in AP mode to understand better the usage of VLAN ID and PVID. Huawei AX3 Quad Core global version also has VLAN settings for both router mode and AP mode (VLAN ID and PVID). I will test it as well. It is a surprise to me that this cheap AX router has this capability. The China version Huawei AX3 Pro (more expensive) does not have this capability.

Then I have the MikroTik hAP ac2, which has VLAN management capability as well.

I have also OpenWRT capable wireless APs like the Linksys EA7500 v2 and WRT1900AC V1. They also have VLAN capability.

You can see I have a lot of "cheap" networking stuff and I am trying to utilize it for my learning of networking related subjects. :D

But I guess this TP-Link is a good one to start before I move to higher end stuff. I am still hoping to use the MikroTik hAP ac2 as a managed switch. I do not care too much about performance as of now.

TanKianW (Supremacy Member)
Thanks for the advice.

Actually you can consider the Singtel Mesh Router to be a Router/AP with VLAN management capability (but as a black box which you cannot change). I think this becomes more of an exercise in reverse engineering the VLAN behavior of the Singtel Mesh router.

Probably I should concentrate more on the testing with the Huawei AX3 Quad Core version in AP mode to understand better the usage of VLAN ID and PVID. Huawei AX3 Quad Core global version also has VLAN settings for both router mode and AP mode (VLAN ID and PVID). I will test it as well. It is a surprise to me that this cheap AX router has this capability. The China version Huawei AX3 Pro (more expensive) does not have this capability.

Then I have the MikroTik hAP ac2, which has VLAN management capability as well.

I have also OpenWRT capable wireless APs like the Linksys EA7500 v2 and WRT1900AC V1. They also have VLAN capability.

You can see I have a lot of "cheap" networking stuff and I am trying to utilize it for my learning of networking related subjects. :D

Or maybe I should buy a proper managed switch like those from Unifi or MikroTik (budget is below S$200). But I guess this TP-Link is a good one to start before I move to higher end stuff. I am still hoping to use the MikroTik hAP ac2 as a managed switch. I do not care too much about performance as of now.

For VLAN functions, you do not need a complicated managed switch (like MikroTik RouterOS); the TP-Link switch should suffice, without diving into the nitty-gritty. It will achieve what a home consumer needs 99% of the time, even for the application I described above.

Recently I also set up an 8 port TP-Link switch (connecting to 2x 2nd hand APs I got from TB) for one of my family member's new place. Managed to keep the cost low and it serves its purpose really well without hiccups.

xiaofan (High Supremacy Member)
For VLAN functions, you do not need a complicated managed switch (like MikroTik RouterOS); the TP-Link switch should suffice, without diving into the nitty-gritty. It will achieve what a home consumer needs 99% of the time, even for the application I described above.

Recently I also set up an 8 port TP-Link switch (connecting to 2x 2nd hand APs I got from TB) for one of my family member's new place. It serves its purpose really well without hiccups.

Thanks. I will stick to what I have now then.

xiaofan (High Supremacy Member)
Having read some articles about VLANs and PVID, I decided to treat the Singtel Mesh Router and the Huawei AX3 Quad Core version as dumb APs. In that case, I have moved to the following simpler settings, and both work as expected. The Singtel Mesh Router may know VLAN IDs 10, 20, 30 and 40, so I moved the VLAN IDs to 60 and 80, and use the simpler PVID = VLAN ID setting for the untagged ports.

When the APs connect to Port 2/3: 192.168.60.x IP address for VLAN60
When the APs connect to Port 4/5: 192.168.80.x IP address for VLAN80
When the APs connect to Port 6/7: 192.168.28.x IP address for LAN
When the APs connect to Port 8: 192.168.28.x IP address for LAN
TL-SG108E static IP: 192.168.28.2, so I can access the web GUI from wireless AP connected to Port 6/7/8.

I will learn more about firewall rules from these base settings.


xiaofan (High Supremacy Member)
Some data:
1) pve Speedtest is normal
2) pve to pfSense VM iperf3 degrades a bit (pfSense slower Rx)
3) pve to pfSense VM LAN client degrades further (pfSense slower Rx)

pve host -- 192.168.28.216
pfSense LAN -- 192.168.28.1 (iperf3 server)
Debian 11 pve VM -- 192.168.28.133
Windows laptop physical client -- 192.168.28.132

Tried a slightly different test and it seems to me only the WAN side is slow now. I cannot explain it any more using iperf3 (the LAN side is kind of normal) and can only see it from the Ookla Speedtest.

1) pve Speedtest is normal
2) pve to pfSense VM iperf3 is kind of normal
3) pve to pfSense VM LAN client is kind of normal as well
4) LAN client and pfSense VM Speedtest are slow

pve host -- 192.168.28.121, iperf3 server
pfSense LAN -- 192.168.28.1
Windows laptop physical client -- 192.168.28.132

Code:
root@pve:~# ./speedtest -s 25960

   Speedtest by Ookla

     Server: Singtel - Singapore (id = 25960)
        ISP: Singtel Fiber
    Latency:     1.11 ms   (0.12 ms jitter)
   Download:   945.10 Mbps (data used: 449.6 MB )
     Upload:   946.37 Mbps (data used: 1.1 GB )
Packet Loss:     0.0%
 Result URL: https://www.speedtest.net/result/c/1052bfe1-dfde-4df7-addc-9f2767be1cbe

[2.5.2-RELEASE][root@pfSense.home.arpa]/root: speedtest -s 25960

   Speedtest by Ookla

     Server: Singtel - Singapore (id = 25960)
        ISP: Singtel Fiber
    Latency:     1.41 ms   (0.08 ms jitter)
   Download:   751.51 Mbps (data used: 1.3 GB )
     Upload:   741.85 Mbps (data used: 739.9 MB )
Packet Loss:     0.0%
 Result URL: https://www.speedtest.net/result/c/0ed17548-b31a-4df6-9263-a0a7ebb34ce7
 
 
PS C:\work\speedtest\ookla-speedtest-1.1.1-win64> .\speedtest.exe -s 25960

   Speedtest by Ookla

     Server: Singtel - Singapore (id = 25960)
        ISP: Singtel Fiber
    Latency:     2.15 ms   (0.22 ms jitter)
   Download:   748.45 Mbps (data used: 526.2 MB )
     Upload:   858.19 Mbps (data used: 1.0 GB )
Packet Loss:     0.0%
 Result URL: https://www.speedtest.net/result/c/4dcc01f7-daea-4576-928d-b68dbd09ea4b

[2.5.2-RELEASE][root@pfSense.home.arpa]/root: iperf3 -c 192.168.28.121
Connecting to host 192.168.28.121, port 5201
[  5] local 192.168.28.1 port 21978 connected to 192.168.28.121 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   133 MBytes  1.12 Gbits/sec    5   3.00 MBytes
[  5]   1.00-2.00   sec   134 MBytes  1.13 Gbits/sec    0   3.00 MBytes
[  5]   2.00-3.00   sec   119 MBytes   994 Mbits/sec    0   3.00 MBytes
[  5]   3.00-4.00   sec  92.1 MBytes   772 Mbits/sec    5   3.00 MBytes
[  5]   4.00-5.00   sec   105 MBytes   883 Mbits/sec    1   3.00 MBytes
[  5]   5.00-6.00   sec   127 MBytes  1.06 Gbits/sec    1   3.00 MBytes
[  5]   6.00-7.00   sec   129 MBytes  1.08 Gbits/sec    0   3.00 MBytes
[  5]   7.00-8.00   sec   129 MBytes  1.09 Gbits/sec    0   3.00 MBytes
[  5]   8.00-9.00   sec   132 MBytes  1.11 Gbits/sec    0   3.00 MBytes
[  5]   9.00-10.00  sec   138 MBytes  1.16 Gbits/sec    1   3.00 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  1.21 GBytes  1.04 Gbits/sec   13             sender
[  5]   0.00-10.36  sec  1.21 GBytes  1.00 Gbits/sec                  receiver

iperf Done.

[2.5.2-RELEASE][root@pfSense.home.arpa]/root: iperf3 -c 192.168.28.121 -R
Connecting to host 192.168.28.121, port 5201
Reverse mode, remote host 192.168.28.121 is sending
[  5] local 192.168.28.1 port 58539 connected to 192.168.28.121 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   115 MBytes   961 Mbits/sec
[  5]   1.00-2.00   sec   120 MBytes  1.01 Gbits/sec
[  5]   2.00-3.00   sec   119 MBytes   999 Mbits/sec
[  5]   3.00-4.00   sec   125 MBytes  1.05 Gbits/sec
[  5]   4.00-5.00   sec   120 MBytes  1.00 Gbits/sec
[  5]   5.00-6.00   sec   125 MBytes  1.05 Gbits/sec
[  5]   6.00-7.00   sec   120 MBytes  1.01 Gbits/sec
[  5]   7.00-8.00   sec   120 MBytes  1.01 Gbits/sec
[  5]   8.00-9.00   sec   119 MBytes  1.00 Gbits/sec
[  5]   9.00-10.00  sec   117 MBytes   984 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.36  sec  1.17 GBytes   974 Mbits/sec   12             sender
[  5]   0.00-10.00  sec  1.17 GBytes  1.01 Gbits/sec                  receiver

iperf Done.

PS C:\work\speedtest\iperf3.10.1_64bit> .\iperf3.exe -c 192.168.28.121
Connecting to host 192.168.28.121, port 5201
[  5] local 192.168.28.132 port 53578 connected to 192.168.28.121 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   115 MBytes   965 Mbits/sec
[  5]   1.00-2.00   sec   113 MBytes   949 Mbits/sec
[  5]   2.00-3.00   sec   113 MBytes   949 Mbits/sec
[  5]   3.00-4.00   sec   113 MBytes   949 Mbits/sec
[  5]   4.00-5.00   sec   113 MBytes   949 Mbits/sec
[  5]   5.00-6.00   sec   113 MBytes   949 Mbits/sec
[  5]   6.00-7.00   sec   113 MBytes   949 Mbits/sec
[  5]   7.00-8.00   sec   113 MBytes   949 Mbits/sec
[  5]   8.00-9.00   sec   113 MBytes   949 Mbits/sec
[  5]   9.00-10.00  sec   113 MBytes   949 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec  1.11 GBytes   951 Mbits/sec                  sender
[  5]   0.00-10.05  sec  1.11 GBytes   946 Mbits/sec                  receiver

iperf Done.

PS C:\work\speedtest\iperf3.10.1_64bit> .\iperf3.exe -c 192.168.28.121 -R
Connecting to host 192.168.28.121, port 5201
Reverse mode, remote host 192.168.28.121 is sending
[  5] local 192.168.28.132 port 53583 connected to 192.168.28.121 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   113 MBytes   952 Mbits/sec
[  5]   1.00-2.00   sec   113 MBytes   949 Mbits/sec
[  5]   2.00-3.00   sec   113 MBytes   949 Mbits/sec
[  5]   3.00-4.00   sec   113 MBytes   949 Mbits/sec
[  5]   4.00-5.00   sec   113 MBytes   949 Mbits/sec
[  5]   5.00-6.00   sec   113 MBytes   949 Mbits/sec
[  5]   6.00-7.00   sec   113 MBytes   949 Mbits/sec
[  5]   7.00-8.00   sec   113 MBytes   949 Mbits/sec
[  5]   8.00-9.00   sec   113 MBytes   949 Mbits/sec
[  5]   9.00-10.00  sec   113 MBytes   949 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.05  sec  1.11 GBytes   946 Mbits/sec    0             sender
[  5]   0.00-10.00  sec  1.11 GBytes   950 Mbits/sec                  receiver

iperf Done.
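An added example, not from the post above and not part of the iperf3 project: a parser for iperf3's text summary lines that reports the client host's transmit and receive goodput separately, so a "slower Rx" pattern like the one described in the post can be checked by a script instead of read off by eye. The sample input is the summary portion of the two pfSense runs shown above with the per-second interval lines dropped; the direction convention (forward run measures this host's Tx at the server, `-R` run measures its Rx) follows how iperf3 reports a reverse test, and the 10% tolerance in `rx_degraded` is an arbitrary threshold chosen here.

```python
import re

# Constructed sample: the summary lines of the two iperf3 runs from pfSense in the post
# (per-second interval lines omitted; the parser only needs the lines kept here).
PFSENSE_RUNS = """\
[2.5.2-RELEASE][root@pfSense.home.arpa]/root: iperf3 -c 192.168.28.121
Connecting to host 192.168.28.121, port 5201
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  1.21 GBytes  1.04 Gbits/sec   13             sender
[  5]   0.00-10.36  sec  1.21 GBytes  1.00 Gbits/sec                  receiver

[2.5.2-RELEASE][root@pfSense.home.arpa]/root: iperf3 -c 192.168.28.121 -R
Connecting to host 192.168.28.121, port 5201
Reverse mode, remote host 192.168.28.121 is sending
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.36  sec  1.17 GBytes   974 Mbits/sec   12             sender
[  5]   0.00-10.00  sec  1.17 GBytes  1.01 Gbits/sec                  receiver
"""

# Matches the final "sender"/"receiver" summary line of an iperf3 run.
SUMMARY = re.compile(
    r"^\[\s*\d+\]\s+[\d.]+-[\d.]+\s+sec\s+[\d.]+\s+\w+\s+"
    r"([\d.]+)\s+([KMG])bits/sec(?:\s+(\d+))?\s+(sender|receiver)\s*$"
)
TO_MBPS = {"K": 0.001, "M": 1.0, "G": 1000.0}


def parse_iperf3(text: str):
    """Split iperf3 client output into runs; each run records its direction, the
    sender and receiver summary rates in Mbit/s, and the sender's retransmit count."""
    runs, current = [], None
    for line in text.splitlines():
        if line.startswith("Connecting to host"):
            current = {"direction": "forward", "retransmits": 0}
            runs.append(current)
        elif line.startswith("Reverse mode") and current is not None:
            current["direction"] = "reverse"   # -R: the server sends, this host receives
        elif current is not None:
            m = SUMMARY.match(line)
            if m:
                rate, unit, retr, role = m.groups()
                current[f"{role}_mbps"] = round(float(rate) * TO_MBPS[unit], 1)
                if retr is not None:
                    current["retransmits"] = int(retr)
    return runs


def client_rates(runs):
    """Throughput from the iperf3 client host's point of view.

    Tx is what the server actually received in the forward run; Rx is what this
    host received in the reverse run. The receiver figure is the honest goodput,
    since the sender figure includes bytes that had to be retransmitted.
    """
    fwd = next(r for r in runs if r["direction"] == "forward")
    rev = next(r for r in runs if r["direction"] == "reverse")
    return {
        "tx_mbps": fwd["receiver_mbps"], "tx_retransmits": fwd["retransmits"],
        "rx_mbps": rev["receiver_mbps"], "rx_retransmits": rev["retransmits"],
    }


def rx_degraded(rates, tolerance: float = 0.10) -> bool:
    """Flag the 'slower Rx' pattern: receive rate more than `tolerance` below transmit."""
    return rates["rx_mbps"] < rates["tx_mbps"] * (1.0 - tolerance)


if __name__ == "__main__":
    rates = client_rates(parse_iperf3(PFSENSE_RUNS))
    print(rates, "Rx degraded" if rx_degraded(rates) else "Rx ok")
```

On the sample above the pfSense host transmits about 1000 Mbit/s and receives about 1010 Mbit/s, so the LAN side is not flagged, which matches the post's conclusion that only the WAN path (visible through Speedtest, not iperf3) is slow.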

xiaofan (High Supremacy Member)
pfSense + Unifi switch + Unifi AP seem to be a popular combination.

Simple tutorial:


He actually moved from UDM Pro to pfSense.

firesong (Supremacy Member, Deluxe Member)
pfSense + Unifi switch + Unifi AP seem to be a popular combination.

Simple tutorial:


He actually moved from UDM Pro to pfSense.
Probably the most popular, since it's cheap enough, compared to Ruckus.

Says a lot about the Unifi gateways. ;)

Also says a lot about Omada, since many Americans are particular about their tech - and the adoption for Omada remains low despite being in the market long enough. My personal experience with it concurs - okay to try, but not stay with the platform. To be blunt, it might just work for the typical Singaporean who does not care for security and all; those who depend on ISP supplied hardware and then not bother about it once set up. I think it'll make a decent AP network to pair with the ONR.

Mach3.2 (Great Supremacy Member)
Probably the most popular, since it's cheap enough, compared to Ruckus.

Says a lot about the Unifi gateways. ;)

Also says a lot about Omada, since many Americans are particular about their tech - and the adoption for Omada remains low despite being in the market long enough. My personal experience with it concurs - okay to try, but not stay with the platform. To be blunt, it might just work for the typical Singaporean who does not care for security and all; those who depend on ISP supplied hardware and then not bother about it once set up. I think it'll make a decent AP network to pair with the ONR.
Unifi routing products are sorely lacking for what they charge...

Heck, as a power user I don't think I will buy their routing products even for $100 in its current state.

firesong (Supremacy Member, Deluxe Member)
Unifi routing products are sorely lacking for what they charge...

Heck, as a power user I don't think I will buy their routing products even for $100 in its current state.
That's true. But I'm comparing against consumer gear, the likes of Asus' top end models.

Objectively, in terms of overall performance and management of multiple APs/units, Unifi is still a decent step up from the top of the line Asus stuff, to say nothing about the rest like Dlink, TPlink, Huawei, etc...

xiaofan (High Supremacy Member)
Unifi routing products are sorely lacking for what they charge...
Heck, as a power user I don't think I will buy their routing products even for $100 in its current state.

Haha, I will be happy to pay double that amount for a UDM or UDM Pro.:ROFLMAO:

TanKianW (Supremacy Member)
**SHARING: Not just VLANs, but "VXLAN"**

I sometimes receive queries on VXLAN instead of VLAN during work/talks. Yes, you heard me right, not VLAN, but "VXLAN". I was kind of surprised when someone asked about this, since such encapsulation protocols are more applicable in a data-center to data-center (DC-to-DC) environment, which stretches L2 tunneling over an L3 network. Anyway, providing some basic reading for those who have an interest in it. If you want to practice or try out the concept, you could actually do it on your MikroTik hardware running the latest RouterOS (over CLI). Feel free to try it out. VXLAN your way to the DC world!

Introduction to VXLAN:
https://www.juniper.net/us/en/research-topics/what-is-vxlan.html

VXLAN interface configuration over Netgate TNSR:
https://docs.netgate.com/tnsr/en/latest/interfaces/types-vxlan.html

VXLAN configuration using MikroTik RouterOS tutorial:

**GOOD WATCH: Network Segmentation: VLANs and Subnetting**
For those considering network segmentation in their home network/lab, spend some time listening to tech/security gurus Tom and Jay. Feel free to check out their channel too.

"You will only be as good as you are, until you learn from others!"


fastcar (Member)
Does anyone face a memory leak issue? My J4125 has 8GB memory.
On booting up typically only 18% memory usage. After 4 days of usage, with lots of openVPN involved, memory usage has crept up to 65%!!!

xiaofan (High Supremacy Member)
Does anyone face a memory leak issue? My J4125 has 8GB memory.
On booting up typically only 18% memory usage. After 4 days of usage, with lots of openVPN involved, memory usage has crept up to 65%!!!

I do not see this myself but Reddit seems to say this is a known problem and you may have to apply a patch to disable pcscd (which is not used by OpenVPN but rather IPSec).

I can see that pcscd is running (I got two openvpn server instances running but no clients connected now) and it uses 1.1% of memory (4GB total).

https://redmine.pfsense.org/issues/11933

TanKianW (Supremacy Member)
Does anyone face a memory leak issue? My J4125 has 8GB memory.
On booting up typically only 18% memory usage. After 4 days of usage, with lots of openVPN involved, memory usage has crept up to 65%!!!

I did not encounter this on my pfSense. You can check under Diagnostics -> System Activity to verify.

Not sure if your case is due to pcscd service (stated above by xiaofan). You can try to stop the services if you are not using IPSec or smart card. I think this is an isolated case since my system is also not affected when pcscd was enabled.

Reports can also be found here: https://forums.lawrencesystems.com/t/pfsense-memory-leak/11306

Are you using ZFS? If you are, it is normal. If you are worried, you can reduce the memory cache too.