• pfSense 2.7.2 loss of WAN connection shortly after IP assignment.

    0 Votes
    12 Posts
    841 Views

    So it's been a while, but I got an update. It was Telstra, which today is still unresolved. The lack of internal dashboard tools for their tech support makes it extremely difficult to identify any issues on their network; for something as simple as viewing the MAC address of the device currently connected to the NTD, they have to elevate it to NBNCo.

    I switched over to Aussie Broadband and was set up in seconds with no issues. I even have a framed route set up and have a pool of static IP addresses I can use for online services. Not to mention the amount of tools at your disposal on the user dashboard portal.

  • Potential issues with hardware?

    0 Votes
    3 Posts
    311 Views

    WOW. I didn't even think about Suricata blocking it! Thanks mate

  • Turn on MDS Mitigation

    0 Votes
    9 Posts
    754 Views
    stephenw10

    Yes, they are really only of much value in a shared environment like if you are running as a VM or hosting VM in pfSense (don't do that!).

  • ALL MY NETWORK GOES DOWN!

    0 Votes
    8 Posts
    401 Views
    stephenw10

    When you tried to ping what error was shown?

  • shutdown -r now does not reboot

    Moved
    0 Votes
    5 Posts
    307 Views
    provels

    @hebein What if you just type

    reboot

    and hit Enter?

  • SG1100 update to 24.03_1 fails

    0 Votes
    4 Posts
    295 Views
    stephenw10

    Yup it should give up more if it does fail. It will show more at the console anyway if the script fails.

  • 24.03 causes sustained rise in processes count and memory usage.

    0 Votes
    42 Posts
    3k Views
    keyser

    @stephenw10 It does, so it’s only an annoying inconvenience. I was just trying to gauge how it would react if I didn’t, and how long it would take.

  • Change radius Protocol from PAP to MS-CHAPv2

    0 Votes
    3 Posts
    290 Views
    keyser

    @markdudov I don't think FreeRADIUS on pfSense supports CHAPv2 unless it's EAP encapsulated.

  • pfSense route table

    0 Votes
    4 Posts
    502 Views
  • Can't access GUI after install

    0 Votes
    13 Posts
    507 Views
    stephenw10

    It might. I can't comment on those devices specifically but many mesh wifi devices only support those features when the main device is in router mode.

  • Analyze / solve "erros in" on interface and "errors out" on vlan

    0 Votes
    21 Posts
    2k Views

    @johnpoz said in Analyze / solve "erros in" on interface and "errors out" on vlan:

    @sysadminfromhell while I personally wouldn't be too concerned with such minor amount of errors - unless there was something actually not working how it should and tracked it down to these sorts of errors.

    But I would be interested in what you find, etc. Sometimes such little minor things can be fun to track down, but they can also be huge time sucks - hehehe

    I can not tell you the amount of time I spent trying to figure out why plex will send out ssdp every freaking 10 seconds, when all the things are disabled for why it might or could have use for doing such a thing.

    Posted over on the plex forums - got back crickets.. Couple of users posted that they noticed it too.. But no solution, in the long run I just ended blocking such traffic at the switch port.. Plex can send them out every 10 seconds, it goes no farther than switch port at the end of its wire... Stupid shit!! hehehe

    So yeah would be very interested in what you find.. You never know might run into such a thing sometime down the road and what you find could be the solution there.. So good luck! Hope you track it down..

    I recall something sim as well, on some cheap smart switch.. It would mark RxBadPkt, and the counter would constantly go up - even though everything was working fine.. It was just a cosmetic error, any packets marked with tags got marked as RxBadPkt, So native untagged wouldn't trigger the stat, but all tags coming in would.. All the vlans actually worked, etc. but they would just increase that counter.. That was a time suck for sure.. Finally just had to let it go ;)

    So I reduced the errors by disabling flow control completely; now we still have errors, but a lot fewer than before:

    Uptime 7 Days 03 Hours 18 Minutes 15 Seconds

    4e0aabd5-909a-4b66-8438-342142fbec3e-image.png

    So I guess this was one source of the problem. Even if I cannot find all of them, this looked at least like a good start, even though the VLAN interfaces still have errors out (a minor few packets).

  • pfSense Plus Lab Evaluation KEY

    0 Votes
    31 Posts
    2k Views
    stephenw10

    You would need to reinstall to move from Plus to CE as the versioning sees it as a downgrade.

  • Hide thermal sensor

    0 Votes
    4 Posts
    216 Views
    stephenw10

    Add the line: debug.acpi.disabled="thermal" to the file /boot/loader.conf.local

    That disables the full ACPI thermal system though.

    My advice would be, just ignore it!

  • Pfsense Plus+ Certification

    0 Votes
    3 Posts
    317 Views

    @JKnott
    Thanks so much for the insight!!

  • PFBlockerng Filtering Issues

    0 Votes
    3 Posts
    428 Views
    Gertjan

    @PnetG

    To fact-check this:

    @stephenw10 said in PFBlockerng Filtering Issues:

    pfBlocker-ng by itself does not do anything.

    do this:

    fea78bd9-9465-4d14-96c1-9c9489dafffa-image.png

    and Save.
    Then go to the pfSense package de-install, and remove it.
    Just for the fun, reboot pfSense.

    First check: no more issues? Right? If wrong, the issue wasn't pfBlockerng, as it isn't there.

    Now, install pfBlockerng. Just install - do not activate it.
    ( I can't remember if it is activated by default, though )

    But test now again: no issues whatsoever, right?

    Now, start adding changes, add a feed (one at a time / one per day!) to pfBlockerng.
    As soon as you have issues, you'll know what to undo: your last step.

  • AT&T Gateway bypass/true bridge using new authbridge

    0 Votes
    43 Posts
    7k Views
    GPz1100

    @matthewgcampbell I have never experienced a scenario where it passes traffic for a short amount of time then stops, at least not in the context of eapol auth related. It either passes or it doesn't. Then again I've never done any proxy bypasses either, can't really comment on odd behavior as a result.

    I assume you're following this - https://docs.netgate.com/pfsense/en/latest/recipes/authbridge.html ?

    You might want to give a try to one of the proxy scripts here - https://github.com/MonkWho/pfatt/tree/master . This is what we used before vlan0 compliant wpa_supplicant and dhclient.

    Edit, one other idea to try is the old dumb switch bypass method.

    I can't find a good write-up, but in essence you connect ethernet from the ONT and gateway to a dumb switch (preferably not Netgear). Wait until the lights on the modem are all green and stop flashing. Disconnect the gateway cable while leaving the ONT/switch connected. Connect the cable from the modem to your pfSense WAN port (again, you're not touching the ONT/switch cable). pfSense should be configured for DHCP on WAN.

    See if you experience the same disconnect issues after x amount of time. If you do, try a release/renew on the WAN. If it doesn't pull an IP, try rebooting pfSense only. This whole time, the link between the ONT and switch should remain connected and, as far as the ONT is concerned, remain authenticated.

  • Unknown reason: network became unaccessible

    0 Votes
    11 Posts
    597 Views
    stephenw10

    If that happened I'd expect a bunch of 'xxxx is using my IP address' logs in pfSense. It's possible they have simply been rotated out though.

  • FreeRADIUS issues after update to 23.09

    0 Votes
    6 Posts
    389 Views

    @michmoor It’s a package bug from a few pfSense versions ago so no real release notes. Anyone who saved (or changed and saved) the default settings is ok. But it was quite confusing. We changed several things but not that one page.

    Upgrading the package triggers it also as I recall.

  • 0 Votes
    44 Posts
    3k Views
    stephenw10

    Ah, well that's a much better solution. Adding NAT in there is always a workaround.

    That NAT looks like it should match and be applied though.

  • Firewall Rule Counters Max Size?

    0 Votes
    23 Posts
    2k Views
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.