Categories


    Hi @Tyronejackson839,
    Thanks for the awesome advice! Your ACL tips worked perfectly—enabling fragment-checking and lean rules secured my nginx webserver without sacrificing performance. Really appreciate your detailed help!

    Best,
    David James | Founder of The Yes No Button!


    @stephenw10
    I have a nearly step-by-step, from a fresh install, how I duplicated the issue in my original post. I wiped out my lab, I recreated from that post (hopefully accurately). The testing & results should be pretty close. LMK if you're looking for something different.

    2.7.2
    Rules:

        # User-defined rules follow
        anchor "userrules/*"
        pass out quick on { vtnet0 } $GWWAN_DHCP inet from <WAN IP> to any ridentifier 1752945005 keep state dnqueue( 1,2) label "USER_RULE: Bufferbloat" label "id:1752945005" label "gw:WAN_DHCP"
        pass in quick on $LAN inet from $LAN__NETWORK to any ridentifier 0100000101 keep state dnpipe ( 3,4) label "USER_RULE: Default allow LAN to any rule" label "id:0100000101"
        #

    Limiter Info:

        Limiters:
        00001: 20.000 Mbit/s 0 ms burst 0
        q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 AQM CoDel target 1us interval 1us ECN
         sched 65537 type FIFO flags 0x0 0 buckets 0 active
        00002: 100.000 Mbit/s 0 ms burst 0
        q131074 50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 AQM CoDel target 1us interval 1us ECN
         sched 65538 type FIFO flags 0x0 0 buckets 0 active
        00003: 2.000 Mbit/s 0 ms burst 0
        q131075 50 sl. 0 flows (1 buckets) sched 65539 weight 0 lmax 0 pri 0 droptail
         sched 65539 type FIFO flags 0x0 0 buckets 0 active
        00004: 5.000 Mbit/s 0 ms burst 0
        q131076 50 sl. 0 flows (1 buckets) sched 65540 weight 0 lmax 0 pri 0 droptail
         sched 65540 type FIFO flags 0x0 0 buckets 0 active
        Schedulers:
        00001: 20.000 Mbit/s 0 ms burst 0
        q65537 50 sl. 0 flows (1 buckets) sched 1 weight 0 lmax 0 pri 0 droptail
         sched 1 type FQ_CODEL flags 0x0 0 buckets 0 active
         FQ_CODEL target 1us interval 1us quantum 1514 limit 10240 flows 1024 ECN
         Children flowsets: 1
        00002: 100.000 Mbit/s 0 ms burst 0
        q65538 50 sl. 0 flows (1 buckets) sched 2 weight 0 lmax 0 pri 0 droptail
         sched 2 type FQ_CODEL flags 0x0 0 buckets 0 active
         FQ_CODEL target 1us interval 1us quantum 1514 limit 10240 flows 1024 ECN
         Children flowsets: 2
        00003: 2.000 Mbit/s 0 ms burst 0
        q65539 50 sl. 0 flows (1 buckets) sched 3 weight 0 lmax 0 pri 0 droptail
         sched 3 type FIFO flags 0x0 0 buckets 0 active
        00004: 5.000 Mbit/s 0 ms burst 0
        q65540 50 sl. 0 flows (1 buckets) sched 4 weight 0 lmax 0 pri 0 droptail
         sched 4 type FIFO flags 0x0 0 buckets 0 active
        Queues:
        q00001 50 sl. 0 flows (1 buckets) sched 1 weight 0 lmax 0 pri 0 AQM CoDel target 1us interval 1us ECN
        q00002 50 sl. 0 flows (1 buckets) sched 2 weight 0 lmax 0 pri 0 AQM CoDel target 1us interval 1us ECN

    Interpreted Rules:

        @84 anchor "userrules/*" all
          [ Evaluations: 73 Packets: 0 Bytes: 0 States: 0 ]
          [ Inserted: uid 0 pid 9606 State Creations: 0 ]
          [ Last Active Time: N/A ]
        @85 pass out quick on vtnet0 route-to (vtnet0 <WAN Gateway>) inet from <WAN IP> to any flags S/SA keep state label "USER_RULE: Bufferbloat" label "id:1752945005" label "gw:WAN_DHCP" ridentifier 1752945005 dnqueue(1, 2)
          [ Evaluations: 73 Packets: 14677 Bytes: 15410930 States: 20 ]
          [ Inserted: uid 0 pid 9606 State Creations: 51 ]
          [ Last Active Time: Sat Jul 19 18:14:14 2025 ]
        @86 pass in quick on vtnet1 inet from <LAN__NETWORK:1> to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" label "id:0100000101" ridentifier 100000101 dnpipe(3, 4)
          [ Evaluations: 22 Packets: 14738 Bytes: 15555983 States: 15 ]
          [ Inserted: uid 0 pid 9606 State Creations: 22 ]
          [ Last Active Time: Sat Jul 19 18:14:14 2025 ]

    Example states:

        all tcp 23.239.29.5:443 <- 192.168.1.100:41090 ESTABLISHED:ESTABLISHED [3531538492 + 2147156224] wscale 7 [440337916 + 2147025152] wscale 7 age 00:00:34, expires in 23:59:27, 15:18 pkts, 2254:10378 bytes, rule 86, dummynet pipe (3 4), log id: 09f07b6800000000 creatorid: ae2f1b15 origif: vtnet1
        all tcp <WAN IP>:1291 (192.168.1.100:41090) -> 23.239.29.5:443 ESTABLISHED:ESTABLISHED [440337916 + 2147025152] wscale 7 [3531538492 + 2147156224] wscale 7 age 00:00:34, expires in 23:59:27, 15:18 pkts, 2254:10378 bytes, rule 85, log id: 0af07b6800000000 creatorid: ae2f1b15 route-to: <WAN Gateway>@vtnet0 origif: vtnet0

    2.8.0
    Rules:

        # User-defined rules follow
        anchor "userrules/*"
        pass out quick on { vtnet0 } $GWWAN_DHCP inet from <WAN IP> to any ridentifier 1752945012 keep state dnqueue( 1,2) label "USER_RULE: Bufferbloat" label "id:1752945012" label "gw:WAN_DHCP"
        pass in quick on $LAN inet from $LAN__NETWORK to any ridentifier 0100000101 keep state dnpipe ( 3,4) label "USER_RULE: Default allow LAN to any rule" label "id:0100000101"
        #

    Limiter Info:

        Limiters:
        00001: 20.000 Mbit/s 0 ms burst 0
        q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 AQM CoDel target 1us interval 1us ECN
         sched 65537 type FIFO flags 0x0 0 buckets 0 active
        00002: 100.000 Mbit/s 0 ms burst 0
        q131074 50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 AQM CoDel target 1us interval 1us ECN
         sched 65538 type FIFO flags 0x0 0 buckets 0 active
        00003: 2.000 Mbit/s 0 ms burst 0
        q131075 50 sl. 0 flows (1 buckets) sched 65539 weight 0 lmax 0 pri 0 droptail
         sched 65539 type FIFO flags 0x0 0 buckets 0 active
        00004: 5.000 Mbit/s 0 ms burst 0
        q131076 50 sl. 0 flows (1 buckets) sched 65540 weight 0 lmax 0 pri 0 droptail
         sched 65540 type FIFO flags 0x0 0 buckets 0 active
        Schedulers:
        00001: 20.000 Mbit/s 0 ms burst 0
        q65537 50 sl. 0 flows (1 buckets) sched 1 weight 0 lmax 0 pri 0 droptail
         sched 1 type FQ_CODEL flags 0x0 0 buckets 0 active
         FQ_CODEL target 1us interval 1us quantum 1514 limit 10240 flows 1024 ECN
         Children flowsets: 1
        00002: 100.000 Mbit/s 0 ms burst 0
        q65538 50 sl. 0 flows (1 buckets) sched 2 weight 0 lmax 0 pri 0 droptail
         sched 2 type FQ_CODEL flags 0x0 0 buckets 0 active
         FQ_CODEL target 1us interval 1us quantum 1514 limit 10240 flows 1024 ECN
         Children flowsets: 2
        00003: 2.000 Mbit/s 0 ms burst 0
        q65539 50 sl. 0 flows (1 buckets) sched 3 weight 0 lmax 0 pri 0 droptail
         sched 3 type FIFO flags 0x0 0 buckets 0 active
        00004: 5.000 Mbit/s 0 ms burst 0
        q65540 50 sl. 0 flows (1 buckets) sched 4 weight 0 lmax 0 pri 0 droptail
         sched 4 type FIFO flags 0x0 0 buckets 0 active
        Queues:
        q00001 50 sl. 0 flows (1 buckets) sched 1 weight 0 lmax 0 pri 0 AQM CoDel target 1us interval 1us ECN
        q00002 50 sl. 0 flows (1 buckets) sched 2 weight 0 lmax 0 pri 0 AQM CoDel target 1us interval 1us ECN

    Interpreted Rules:

        @85 anchor "userrules/*" all
          [ Evaluations: 66 Packets: 0 Bytes: 0 States: 0 ]
          [ Inserted: uid 0 pid 0 State Creations: 0 ]
          [ Last Active Time: N/A ]
        @86 pass out quick on vtnet0 route-to (vtnet0 <WAN Gateway>) inet from <WAN IP> to any flags S/SA keep state (if-bound) label "USER_RULE: Bufferbloat" label "id:1752945012" label "gw:WAN_DHCP" ridentifier 1752945012 dnqueue(1, 2)
          [ Evaluations: 66 Packets: 163790 Bytes: 206160499 States: 21 ]
          [ Inserted: uid 0 pid 0 State Creations: 41 ]
          [ Last Active Time: Sat Jul 19 18:15:26 2025 ]
        @87 pass in quick on vtnet1 inet from <LAN__NETWORK:1> to any flags S/SA keep state (if-bound) label "USER_RULE: Default allow LAN to any rule" label "id:0100000101" ridentifier 100000101 dnpipe(3, 4)
          [ Evaluations: 25 Packets: 154598 Bytes: 192395490 States: 14 ]
          [ Inserted: uid 0 pid 0 State Creations: 23 ]
          [ Last Active Time: Sat Jul 19 18:15:26 2025 ]

    Example states:

        vtnet1 tcp 23.239.29.5:443 <- 192.168.1.100:41256 ESTABLISHED:ESTABLISHED [4281932605 + 64128] wscale 7 [3565815079 + 63872] wscale 7 age 00:00:34, expires in 23:59:27, 15:18 pkts, 2255:10378 bytes, rule 87, dummynet pipe (3 4) id: d9f57b6800000000 creatorid: 9d03805d
        vtnet0 tcp <WAN IP>:42673 (192.168.1.100:41256) -> 23.239.29.5:443 ESTABLISHED:ESTABLISHED [3565815079 + 63872] wscale 7 [4281932605 + 64128] wscale 7 age 00:00:34, expires in 23:59:27, 15:18 pkts, 2255:10378 bytes, rule 86 id: daf57b6800000000 creatorid: 9d03805d route-to: <WAN Gateway>@vtnet0


    I used the Lawrence forum video example to set up a WG site-to-site VPN from Site A to Site B (both with pfSense running WG) [of note: both are also running Tailscale so I can have full access to 4 different sites at the same time basically from anywhere -- mentioned in case it might be affecting routing]

    With my site-to-site WG I can access Site B from Site A (ping, web interface, NAS, etc.), BUT if I try to access a camera on one of Site B's networks it hits the webpage but then just hangs (I can even ping the web address of the camera).

    However if I make a direct client (laptop on Site A network) to server (Site B) WG vpn connection the camera connects just fine.

    Any suggestions on what to troubleshoot or look for that prevents the site-to-site from allowing full functionality? If I had to guess, the problem is that Site A can reach Site B but something is affecting the return traffic from Site B's camera.


    @werter
    Thanks for the links!
    The flood of negativity about the netinstaller has already started.
    Looks like they're going to strangle pf CE...

    JonathanLeeJ

    @tariqali I have some Kingspecs they have taken a beating on my system and keep working.

    AriKellyA

    It looks like unified web management could be coming soon. It would be great if it means easier control and management of all web services in one place. Let's see if any companies announce more details about it!


    @Gertjan I think your point was that pfSense is not a complete FreeBSD implementation, so not all FreeBSD apps will work in it. If so, it's a good one. After that I got a little confused with your explanation.

    I'm nowhere near skilled enough to build a fork of pfSense. Figuring out the DNS interactions between pfSense and Adguard Home was my limit.

    Adguard Home works fine in FreeBSD because they offer a FreeBSD implementation, and I possibly lucked out when it worked in pfSense. Although the internet said it would work because others were successful in loading it.

    Adguard Home doesn't need a GUI. It uses HTML like Pi-hole does when Pi-hole is installed in Ubuntu Server, my old ad blocker.

    Windows made Hyper-V / Ubuntu Server / Pi-hole unstable when Microsoft was still pushing upgrades to Windows 11. Unattended restarts on my home servers would halt for an ad before Hyper-V loaded, and having no DNS brought down my whole network. I went back to pfBlockerNG after that but found the interface too difficult to work with when I'm on the hunt to block or unblock a new site. Adguard Home on OPNsense works well, but I disliked learning a new router. They put everything in different places. Hence my efforts with pfSense and Adguard Home.

    I was thinking along the lines of apps that also did not need a GUI. Sorry to be unclear about that.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.