• HAProxy default rule when nothing matches?

    1
    0 Votes
    1 Posts
    117 Views
    No one has replied
  • wpa Enterprise without certificates

    1
    0 Votes
    1 Posts
    188 Views
    No one has replied
  • Optimize MS Teams calls

    7
    1 Votes
    7 Posts
    2k Views
    @steveits Thanks! I did some more testing and the CoDel rule seems to work fine. Bufferbloat still gives nice scores. So I'll keep it like this and see next week for some real-world tests. Thanks for the fix!
  • Gigabit devices slow over 10GB firewall

    3
    0 Votes
    3 Posts
    617 Views
    @stephenw10 Thanks for the reply. I forgot to mention I did iPerf tests between 10GB > 1GB nodes and the router - all got full speed. That being said, I think I've found the issue. The MikroTik switch is the problem. I am running it in SwitchOS mode, but when I change to RouterOS everything works as expected. So I'll open a ticket with them. I appreciate the help!
  • Smart TV using pfSense

    20
    0 Votes
    20 Posts
    2k Views
    stephenw10
    If some client was hard coded to use DoH then any local filtering/redirecting would not apply to it. However it would still be routed the same as any other traffic from that host so it should work OK. Steve
  • ERROR WHILE UPLOADING ENCRYPTED CONFIGURATION

    1
    0 Votes
    1 Posts
    214 Views
    No one has replied
  • WAN does not renew after reboot

    51
    0 Votes
    51 Posts
    12k Views
    stephenw10
    Please leave feedback on that bug report if it works for you.
  • Slow Speed between subnets in one direction only

    slow
    8
    0 Votes
    8 Posts
    1k Views
    johnpoz
    @dstacey147 said in Slow Speed between subnets in one direction only: I know that explaining an issue to someone else often makes you realize yourself what you haven't checked QFT!!! That is quite often the case for sure!! I see it all the time on troubleshooting calls.. Laying out the details, and having to go through what you have done - quite often pops something into your head, oh shit I didn't check that or this.. Glad you got it sorted..
  • Unable to check for updates 22.05 Pls Summarize fix

    2
    0 Votes
    2 Posts
    315 Views
    stephenw10
    Directly replacing that file should only be necessary if you're unable to see any repo branch. In most cases you should be able to switch to one of the other branches, an updated pfSense-repos pkg will be pulled, which you will see logged, and that would repopulate the files. Steve
  • Gateway not switching back after failover

    13
    0 Votes
    13 Posts
    1k Views
    stephenw10
    As long as the main gateway has come back up any new states would be created via that. So, yes, I would expect it to failback.
  • How to configure pfSense Radius Service as frontend to external LDAP

    2
    0 Votes
    2 Posts
    316 Views
    stephenw10
    I'm not sure we have any specific documentation for that but it should be as simple as configuring the LDAP module, which is included. Steve
  • Hourly CPU spikes

    6
    0 Votes
    6 Posts
    719 Views
    @stephenw10 thanks, seems ntopng was heavily spiking a minute ago. I have removed it and will monitor what happens in the next hours.
  • Status / Services page and Service Status widget not real time?

    14
    0 Votes
    14 Posts
    1k Views
    stephenw10
    @cloudless-smart-home said in Status / Services page and Service Status widget not real time?: Feature requests / bug reports should be done on redmine? It's usually better to ask on the forum first and then open an issue on redmine once you have proven a bug or that a feature doesn't exist. Way too many people open bugs on redmine without any real troubleshooting first. Steve
  • CGNAT UPnP Issue Advice

    18
    0 Votes
    18 Posts
    2k Views
    @stephenw10 said in CGNAT UPnP Issue Advice: Part of what UPnP does is return the external IP to internal hosts that request it. If it doesn't have a valid external IP it can't do that. And if it returned the private IP a lot of services using it would fail. But it was an upstream design decision. See: https://redmine.pfsense.org/issues/10398 Steve I'm thinking UPnP is mostly used in home environments, and the largest use case by far, is gaming. A setup with an upstream router (ISP provided or not) does in fact work for gaming with other solutions also involving UPnP, like Ubiquiti and most or all consumer wifi-routers etc. As I mentioned, it works fine with pfsense as well, IF the upstream router hands out an IP which pfsense recognizes as something from a public IP range. Why then can it not simply accept whatever IP is given, as an override alternative? The "old fashioned way" with Hybrid mode (static IP) and port forward of the required ports work fine of course... I made some testing with my public IP as an override WAN. Not sure I did it the right way though, just put the IP directly in the field, no alias etc. But games like MW2 (2009) and MW3 can't even login to Infinity Ward servers, don't even get Strict NAT. The UPnP status page shows me the requested ports though, (like 28960 or 3074). I also tested with Stun but all I get is STUN: ext interface vtnet0 with IP address 192.168.3.15 is now behind restrictive NAT with public IP address NN.NN.NNN.NN: Port forwarding is now impossible That is quite an assumption isn't it, considering that it's a DMZ and clearly works also for pfsense...
  • Netflix/Prime not being able to login/connect after sometime

    18
    0 Votes
    18 Posts
    1k Views
    Hi, after I removed everything related to the vpn in my settings, both Netflix and Prime Video had been working for the last few days...
  • Special sort

    3
    0 Votes
    3 Posts
    473 Views
    jimp
    It's just a basic string sort on the column. I don't think that JS sortable code is smart enough to parse the dates there and sort it like a date. If it bugs you, go to Status > System Logs, Settings tab and change the Log Message Format to RFC 5424. That uses ISO date style timestamps that naturally string sort.
    2023-01-16 14:42:44.988784-05:00 unbound 65443 [65443:0] info: start of service (unbound 1.17.1).
    2023-01-17 08:00:45.787897-05:00 unbound 65443 [65443:0] info: service stopped (unbound 1.17.1).
  • Tackling migration config from mini PC to SG-1100

    Moved
    2
    0 Votes
    2 Posts
    393 Views
    stephenw10
    If you open a ticket with us we can convert your config so it imports to the 1100 directly: https://www.netgate.com/tac-support-request The config needs to include both the VLAN and switch sections required for the 1100. Steve
  • kern.ipc.maxsockets limit reached

    20
    0 Votes
    20 Posts
    2k Views
    @stephenw10 I think it can have something to do with traffic. When I enable CP, it might run 15 min, but it can also be days or a week before the router crashes. I am 100% sure the problem is with multiple selected VLANs in one CP interface. Also I have bandwidth limitation set there
  • Dynamic DNS update extremely slow (Cloudflare)

    5
    0 Votes
    5 Posts
    829 Views
    Bob.Dig
    @flobernd I just did a test but not with pfSense and it was normal, so no problem on CFs side.
  • 1 Votes
    3 Posts
    404 Views
    keyser
    @cloudless-smart-home Funny little project :-) It’s always useful to learn about tech by testing various ideas like that. However, the security gains by disabling the service are not really there as it will be available in large parts of the day. Also: it will cost slightly more battery on your phone because it wakes the wifi every minute when you are home. I think your next project should be pfBlockerNG and retrieving the AS number of your cell service provider. That way you can create a rule so only IPs belonging to your provider are able to reach the OpenVPN server. That will have a MUCH more relevant impact on security than turning it on and off.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.