  • PfSense - Cannot connect to Netflix and Hulu on Android devices / Smart TVs

    0 Votes
    43 Posts
    11k Views
    johnpoz
    @incith said in PfSense - Cannot connect to Netflix and Hulu on Android devices / Smart TVs: I disabled pfblocker and suricata. Did you read my post, where did I say it was pfblocker or suricata?? I just stated if it was pfblocker it wouldn't work be it you forward in unbound or resolve - so clearly it's not that, etc. You can not troubleshoot the problem if you do not know what is failing - period. So did you even look at the status of the resolver, do you see any high RTT or RTO domains? Timeouts? Sniff your client's IP when you try and go to netflix or hulu to login - what is failing in the dns queries it sends out? You will see the queries, and pretty easy to tell in the sniff what did and didn't get an answer.. Once you see something that doesn't get an answer, you can look to why you're not getting an answer... But until you know that, you can not figure out what the problem is.. If you're not going to do that, then you might as well just have unbound forward vs resolve.. My example above was showing how I determined what the problem was, there was a specific fqdn I couldn't resolve - so via a +trace with dig I could tell where it was failing in the resolve process, it wasn't a "unbound" issue.. It was a problem outside of my control in the resolve process. First step is to know what exactly is failing.. Which you do not - you just know netflix isn't logging in..
  • TCP-no-delay on pfSense VM

    0 Votes
    2 Posts
    428 Views
    stephenw10
    Mmm, I'm not sure that's possible. Not globally like that at least. TCP_NODELAY looks to be a build option that you would apply to the application when it's compiled that it then applies to TCP sockets as it opens them. I could be wrong though....
  • pfSense abruptly loses internet connection

    0 Votes
    8 Posts
    790 Views
    U
    Thanks Steve, will make those changes and observe. Ujjwal
  • 2.7.0 - Alias FQDN bug still present

    0 Votes
    6 Posts
    637 Views
    stephenw10
    Hmm, that's curious. I wonder if it could be a timing issue...
  • What's wrong with my setup? Running since early 2021

    0 Votes
    12 Posts
    988 Views
    stephenw10
    Ouch. Nice catch!
  • Problem with large transfers after update

    0 Votes
    4 Posts
    505 Views
    H
    I did solve this issue some time ago.. I solved it by checking the checkbox under System - Advanced - Networking - Disable hardware checksum offload. There was some issue there as I use a Realtek NIC.
  • pfsense + UPS + Synology NAS

    0 Votes
    11 Posts
    2k Views
    dennypage
    @fjmp24 Most welcome
  • 0 Votes
    8 Posts
    949 Views
    stephenw10
    Yeah this likely is the same thing: https://redmine.pfsense.org/issues/14531
  • New build: migrating from Sonicwall

    Moved
    0 Votes
    11 Posts
    980 Views
    stephenw10
    That would need to be done at the AP. Nothing beyond that sees the SSID.
  • 2.7 crashing daily

    0 Votes
    6 Posts
    635 Views
    T
    Snort is already in legacy mode. I just force updated the rules. Let's see..
  • pfSense 23.01 TAC Subscription expired

    0 Votes
    48 Posts
    9k Views
    stephenw10
    Send me your NDI in chat and I'll check it.
  • Will WireGuard be built back into the pfSense operating system?

    0 Votes
    6 Posts
    671 Views
    stephenw10
    To be clear the pkg is installed by default on a clean Plus install since 23.05. In the same way as the ipsec-profile-wizard and aws-wizard packages are. If you upgraded from CE then the same installed package list would be carried across which may or may not include wireguard.
  • Mirror VPN Traffic to External Interface

    0 Votes
    6 Posts
    665 Views
    stephenw10
    Yeah you could certainly ask in the WG sub. Someone has probably tried that.
  • 0 Votes
    4 Posts
    858 Views
    stephenw10
    @felipefonsecabh said in Access service in device connected via IPSEC through public IP: I have change local network to Any to carry traffic from any external IP? Yes, if you are using policy based IPSec and need to keep using that. The policy has to match that traffic and the source IP could be any IP. But if you do that it will match traffic at the other end for 'any' destination. All traffic from site1 will go over the IPSec tunnel. Which you probably don't want. A route based VPN tunnel of some sort would give you more options.
  • [Feature] Unbound Dns request.

    0 Votes
    29 Posts
    2k Views
    M
    @Gertjan yep. Couldn’t watch YouTube any other way.
  • Weird LAN/OPT1 blocks and default deny every second

    0 Votes
    4 Posts
    399 Views
    johnpoz
    @throttlenerd well you're not sniffing on the correct interface? If you're seeing it in the logs that it's blocked, then packet capture would capture it. [image: 1693054517446-capture.jpg] You sure the traffic is still being seen when you're doing the capture - ie are you still logging those denies?
  • 2.5Gbps NICs only getting 1.5Gbps

    0 Votes
    26 Posts
    3k Views
    S
    @Stewart The new BIOS fixed the issue so now all 5 ports run at 2.5GbE. It also sets much higher default PL1, PL2, and PL4 settings. The temps still stay in normal parameters but it isn't the most efficient. I've run 17 different combinations of PL1 and PL2 with the default PL4 of 33W to find the best speed and then started adjusting PL4 to fine tune. Maybe not the best way of doing it but that was my process. Overall I found the best combination of speed and power for iperf over OpenVPN is: PL1=9 PL2=10 PL4=30 Dropping PL1 to 8 impacts performance about 60Mbps but doesn't reduce heat or power. Dropping PL2 to 8 also reduces performance but doesn't reduce heat or power. PL4 default is now 33. Lowering it to 30 reduces temps from 69C to 61-62C and lowers speed from 575Mbps to 550Mbps. Lowering it to 29 reduces speed to 490 and keeps temp at 61C so no real change. Temp was determined by running iperf -P4 -t 300 and seeing what the temp was just before the end of the run. Everything seemed to idle the same no matter what the settings were at around 45C. Skin of the unit is always warm to the touch. I have a thermometer that I've set on top that generally reads 33C-34C (around 95F). It also doesn't seem to change much whether it is idle or under heavy load. The unit idles around 11W no matter the settings and, depending on PL settings, only goes up to 15-18W (most all settings showed 15W as the load limit for the iperf tests). For reference it does spike into the mid-20s in Windows. Speed was determined by the average of the last 10 seconds of the 5 minute test. I felt that I had to do this as the tests generally started out very high, in the 1.2Gbps-1.4Gbps range, and then fell over the course of the first minute to settle around the 5 minute average. Sometimes it would hold that for 5-10 seconds, sometimes for over 40 seconds. No idea unless it's some kind of TAU setting allowing the assigned core to spike for varying amounts of times.
  • Netgate XG-7100-DT No Response Issue

    0 Votes
    15 Posts
    1k Views
    P
    @stephenw10 Hi Steve, Thanks again! I quickly got the firmware from support! I was able to reinstall it to the appliance and am back up and running! Thanks, Patrick
  • 0 Votes
    21 Posts
    1k Views
    M
    With the patch, they should always be placed on the bottom when copying/moving to another interface.
  • Boot environment - Selections

    0 Votes
    2 Posts
    302 Views
    stephenw10
    See: https://docs.netgate.com/pfsense/en/latest/backup/zfsbe/status.html Yes the patch should have been applied against whatever BE you booted from. Which I assume was 'default'.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.