@argonaut how would that be? Why would a tunnel to a docker running behind pfsense access pfsense gui?

When you resolve say something.domain.tld that is hosted on clouldflare, and then pushed down the tunnel when you access it, that would not access your pfsense wan IP and then gui port.

Now sure if something.domain.tld resolved to your pfsense wan IP, and you were running the gui on pfsense wan port, and you had that open sure they would hit your gui. But why would the gui port (443? or 80?) be open on your wan in the first place?

But none of that would have anything to do with a tunnel between a docker and clouldflare.

If your gui is exposed on your wan, they don't have to "guess" any domain, they could just hit your IP with random scan.. You understand there is going to be countless things scanning the internet, and sure on 443 and 80.. And lots of other ports - you shouldn't really ever expose pfsense gui to the public internet. If you want to access your pfsense gui while remote, it would be best to vpn to pfsense, and access the gui over the vpn.

@diyhouse I've tried the 4.2.7_MDM6 firmware with my Vigor 166. The connection has been up for ~10 hours without dropping so I'll stick with it and see how it goes. I would have expected the *_BT firmware to have dropped a few times already based on what's happened in the past.

@ahole4sure said in ATT Internet AIr:

The current trouble I am having is that my identical ATT device, when connected to port 2 of the switch, is not passing through the IP address when I created or setup the interface as DHCP -- the other ATT device when connected directly to one of the pfsense interfaces pushed through ATT static publc IP address. And if I try to set the IP address manually it doesn't behave correctly- says offline

Looking at your picture, I see WAN, LAN and WAN2. So what is it that you are trying to do with the ATT modem now, connecting it to the fourth port? Are you trying to add a third WAN?

I don't understand the direction... If your VLAN is set up on pfsense, you make port 1 a TRUNK port as you said, but that means TAGGED 10. And the ports for any devices that should only belong to VLAN 10 need to be untagged and only members of VLAN 10. Currently all ports are also members of VLAN 1...

If you are trying to get an IP on port 4 on pfsense (igb3) from the ATT modem, you can simply make both ports 1 and 2 VLAN 10 UNTAGGED on the switch. Remove them from any other VLAN memberships.
This way you have created a "switch within the switch", where port 1 and 2 are connected but separate from the other ports. Pfsense doesn't need to know of any VLAN on igb3 for this to work...

I really think you're wasting your time with it... It can probably be made to work, but why? I don't think any time will be saved that way and the result will certainly not be any better (maybe not different at all).

A fresh build in the new system and a restore of the config from pfSense is all that's needed.

All packages are reinstalled with the config if you select that in the backup (which you should take right before the cutover).

There are a few small things that can be missing on the new side depending on the packages you have and how old they are/how they go there, but while you still have access to the old VM, those can be had easily.

@Antibiotic get rid of that torrent client eventually it’s gonna break stuff if you keep using it. Trust me. Stop using it, think about how many ports you need open. It just takes one bad download

@stephenw10 I'm also noticing this behavior. I'm on pfSense version 24.03-RELEASE.

We've worked it out, root cause identified and a fix proposed. Unsure yet how this will impact the 24.11-RELEASE.

If you are impacted by this, make sure to uninstall any packages that you are not actively using.

@stephenw10

Both really.

My infrastructure segment is inaccessible unless you can either get on that vlan through a physical port on the switch, or via a VPN that the FW originates as the server to get on an administrative network.

There are also client mode VPN connections to a commercial provider.

Regardless of if the traffic is coming in via the admin VPN and then out WAN, or on the local segment and then routed over the client VPN out to the web it takes a big hit to throughput. It would be difficult to pin down if it affects traffic both ways given the huge imbalance in the down/up speeds.

It does seem to be limited to traffic routed externally that has the issue though. Running a speed test from the admin net to a local server works as expected despite going through a vpn tunnel to get to that network. But anything either from the admin vpn or going over the external commercial vpn to an external site is heavily limited.

Hmm, so like some process uses all the CPU cycles until it's rebooted. Yet nothing is logged.... 🤔

Thank you very much for your help. It works now! I have just reinstalled the pfsense.

Mmm, I'm not sure we can anything about that. The webgui handles that formatting fine.

I believe that's actually the syslog version, which i9s part of the expected format.

If you created the VM in ESXi 8.0 then it's probably OK. But the VM version is separate to the ESXi version.

Yes it should do that anyway. If you renew the cert for example.

Are you able to trigger this reliably at all?

The biggest issue we have fixing it is that we haven't been able to replicate it locally and users who are seeing it do so only sporadically. So getting data is difficult.

@jriofrio
Just to corroborate your statement about (in my case) not need it to disable the hardware checksum with the intel x540.

You are correct, I enable it back and reboot the firewall, tested the connection of OPT1 (2nd LAN) and all works good, no problems accessing websites.
Also, I deleted the DoT rule for the 2nd LAN.

All good.. I'm please with the results.

PS: couldn't sleep , so i decided to do the changes now that no one is using the internet....

@kprovost Though my eye is untrained, I would agree that mine looks very similar. It has happened only once, so I will keep an eye on it and watch for when 24.11 goes GA. Thanks.

--Larry

They will not give you even a carrier grade NAT IPv4 address?

You should be able to access IPv6 sites from LAN OK as long as the ISP are sending you a fix delegation to use on internal interfaces?

Are LAN clients receiving a routable IPv6 address?

Steve