  • pfSense incoming wan to lan (public ip)

    Moved
    11
    0 Votes
    11 Posts
    856 Views
    @johnpoz I think this is the best way.. tq sir
  • pfSense + Catalyst 3750G

    15
    0 Votes
    15 Posts
    1k Views
    johnpoz
    @Manguu said in pfSense + Catalyst 3750G:
    > Now I need to figure out how to NAT on pfSense all my vlans behind the 3750G
    If you're using auto outbound nat, it will auto do it for you once you create the gateway and the routes to the downstream router (your 3750).. All you will have to do is make sure the rules on your transit interface (the interface that gets to the 3750) allow the downstream networks in its rules.
  • pfSense reboot - kernel panic bpf_mcopy V2.4.4-p3

    4
    0 Votes
    4 Posts
    607 Views
    stephenw10
    You can see the mbuf usage on the dashboard in the sys info widget or from the command line:
    [2.5.0-DEVELOPMENT][root@apu.stevew.lan]/root: netstat -m
      4983/1092/6075 mbufs in use (current/cache/total)
      4501/565/5066/1000000 mbuf clusters in use (current/cache/total/max)
      4501/559 mbuf+clusters out of packet secondary zone in use (current/cache)
      0/6/6/524288 4k (page size) jumbo clusters in use (current/cache/total/max)
      0/0/0/524288 9k jumbo clusters in use (current/cache/total/max)
      0/0/0/20840 16k jumbo clusters in use (current/cache/total/max)
      10247K/1427K/11674K bytes allocated to network (current/cache/total)
      0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
      0/0/0 requests for mbufs delayed (mbufs/clusters/mbuf+clusters)
      0/0/0 requests for jumbo clusters delayed (4k/9k/16k)
      0/0/0 requests for jumbo clusters denied (4k/9k/16k)
      0 sendfile syscalls
      0 sendfile syscalls completed without I/O request
      0 requests for I/O initiated by sendfile
      0 pages read by sendfile as part of a request
      0 pages were valid at time of a sendfile request
      0 pages were valid and substituted to bogus page
      0 pages were requested for read ahead by applications
      0 pages were read ahead by sendfile
      0 times sendfile encountered an already busy page
      0 requests for sfbufs denied
      0 requests for sfbufs delayed
    You can also check the mbuf usage history in Status > Monitoring.
    Steve
  • Web Interface Lag - When GW goes Down

    4
    1 Votes
    4 Posts
    396 Views
    kiokoman
    https://redmine.pfsense.org/issues/8987 https://redmine.pfsense.org/issues/9677
  • Avahi & Synology Shares (AFP)

    5
    0 Votes
    5 Posts
    1k Views
    johnpoz
    Why would you not just use the fqdn for your time machine? What needs to talk to the sonos devices - just put them on the same L2.
  • Can't access machine connected on my isp router from pfsense LAN

    4
    1 Votes
    4 Posts
    653 Views
    stephenw10
    @xenicle said in Can't access machine connected on my isp router from pfsense LAN:
    > from it I can ping the WAN network IP 192.168.1.1
    Do you mean the LAN IP there? Because then you said the WAN subnet is 192.168.2.0/24. I would not expect a client in the WAN subnet to be able to ping a client in the LAN subnet unless you have added firewall rules to allow it and a static route to the WAN side client. Without that it will just send traffic to its gateway rather than via pfSense.
    Steve
  • pfsense - /Monitoring graphs

    5
    0 Votes
    5 Posts
    878 Views
    stephenw10
    Confirmed. https://redmine.pfsense.org/issues/9807
  • internet is not stable

    6
    0 Votes
    6 Posts
    596 Views
    stephenw10
    Yeah, you might consider using gateway groups there instead so that if you do get a failure, clients using that gateway fail over to another one.
    Steve
  • Pfsense memory Usage Part 2

    3
    0 Votes
    3 Posts
    691 Views
    @stephenw10 Gmail limit is something around 500 emails a day. I was using single email accounts for all my sites. Service Watchdog was also monitoring dpinger for sites having multiple WAN. Due to heavy rains WAN connections were quite unstable. So it generated a lot of mails. Anyway the real issue is neither Service Watchdog nor FreeRadius, the problem seems to be created by squid (as pointed out by @stephenw10 in previous thread). I am using transparent https filtering. Read about it:
    https://forum.netgate.com/topic/112247/squid-use-all-memory-ram/43
    https://forum.netgate.com/topic/136907/problem-with-squid-https-ssl-interception-consuming-all-memory/8
    When I manually restart squid it stabilises. As a workaround, I am planning to use the php script provided by @remzej, till something better comes up.
    Regards, Ashima
  • HELP! After some days of downtime, suddenly I can't get an IP via DHCP

    10
    0 Votes
    10 Posts
    815 Views
    stephenw10
    A lot of ISPs do that. Usually the modem locks to one MAC address and resetting it will allow a new MAC to be used. Some ISPs log that upstream though and you have to call and get it reset. Check the dhcp and system logs when that is happening. Something will be logged there. Steve
  • Need help with time limit (not time based) internet access

    6
    0 Votes
    6 Posts
    2k Views
    stephenw10
    Erm no, that won't do a time limit. That's just time based rules. You need to use Captive Portal and radius accounting to achieve this sort of setup. Steve
  • Home network project : opinions request

    sizing project home ftth suricata
    19
    0 Votes
    19 Posts
    2k Views
    johnpoz
    10$ dif for 200 vs gig - yeah that is a no brainer.. What I would go for gig as well at that sort of price point and difference.. What I really want is the up.. But if I went gig from my 500/50 it only goes to 1000/100 - and it's like 20+ more a month.. And I really can not justify the download side.. I have no real use for it, and the up is only for my friends and family to share my plex.. And 50 is handling the current load without any issues. But if I could get 1000/1000 I would jump on it for sure if only 20 more, for 10 = no brainer.. So if you're going to do gig/gig - 1100 prob bit under powered.. 3100 would be what you would want. Just ordered 4th 3100 for work ;) pretty happy.. Just wish they would let me use them for some other devices with more umph... It's been a slow process.. But out of the blue my team lead said today - hey order another one of those firewalls ;)
  • Kernel Panic when applying setting

    12
    0 Votes
    12 Posts
    2k Views
    stephenw10
    Can you test in a 2.5 snapshot? Or against a more recent FreeBSD directly? Steve
  • How to configure? (Fritz.Box - Proxmox - Pfsense)

    7
    0 Votes
    7 Posts
    3k Views
    @inHell said in How to configure? (Fritz.Box - Proxmox - Pfsense):
    > Do I understand it correctly that the default Gateway is for using Internet and talking to the "main"
    Almost. pfSense sends any traffic which has a destination address outside of the subnets defined on its own interfaces to the default gateway. So yes, packets to the internet are sent to the default gateway, however, packets to any other subnet which are not known by pfSense as well.
    @inHell said in How to configure? (Fritz.Box - Proxmox - Pfsense):
    > Another Gateway would be the 30.1 for the internal LAN connections in the Lab-Network?
    You must not set a gateway on the LAN interface. You have to remove this again. Additionally you have to set the "FritzBoxGateway" as default to get upstream traffic to work.
    @inHell said in How to configure? (Fritz.Box - Proxmox - Pfsense):
    > And the static route i can just delete in the FB?
    As stated above, you have to decide if you want to set up a routing or a NAT network environment. If you prefer routing you have to add NAT rules for incoming traffic for the 30.0 subnet on the FB directly by using the device IP addresses out of 30.0. In this environment you will still need that route on the FB and you should turn off NAT on the pfSense. If you use NAT you don't need that route, you have to forward any traffic for the 30.0 subnet to pfSense and on pfSense you have to add further NAT rules to forward the traffic to the destination devices. However, all that is not necessary to get internet access to work.
  • not sure if its a bug or just so you know when renaming interfaces

    7
    0 Votes
    7 Posts
    767 Views
    Is that "changing the name on a Gateway is not allowed" the same as me renaming "Interfaces/assignments" but I guess so as that's where the internet for what you want is going.. as I'm allowed to change it.. but thank you jimp for your input too (:
  • in/out packets in Interfaces status page mismatch netstat,systat,tcpdump

    6
    0 Votes
    6 Posts
    558 Views
    @stephenw10 Yes, bce1 statistics are not correct with pfctl (interfaces status page). Other statistics for bce0 (LAN) or bce2 (WAN 200Mb/s) are correct.
    pfctl -vvsI -i bce1
      bce1
        Cleared: Mon Sep 30 17:39:08 2019
        References: 83
        In4/Pass: [ Packets: 1580 Bytes: 451707 ]
        In4/Block: [ Packets: 331 Bytes: 23142 ]
        Out4/Pass: [ Packets: 37376681 Bytes: 6059122661 ]
        Out4/Block: [ Packets: 0 Bytes: 0 ]
        In6/Pass: [ Packets: 0 Bytes: 0 ]
        In6/Block: [ Packets: 0 Bytes: 0 ]
        Out6/Pass: [ Packets: 0 Bytes: 0 ]
        Out6/Block: [ Packets: 1 Bytes: 116 ]
    netstat -bh -I bce1
      Name Mtu Network Address Ipkts Ierrs Idrop Ibytes Opkts Oerrs Obytes Coll
      bce1 1.5K <Link#2> XXX 2.0k 0 0 492K 3.0k 0 326K 0
      bce1 - XXbce1/6 XX 0 - - 0 0 - 0 -
      bce1 - XX XX 1.6k - - 441K 0 - 0 -
    sysctl dev.bce.1
      dev.bce.1.com_no_buffers: 0
      dev.bce.1.stat_CatchupInRuleCheckerP4Hit: 0
      dev.bce.1.stat_CatchupInMBUFDiscards: 0
      dev.bce.1.stat_CatchupInFTQDiscards: 0
      dev.bce.1.stat_CatchupInRuleCheckerDiscards: 0
      dev.bce.1.stat_IfInRuleCheckerP4Hit: 1
      dev.bce.1.stat_IfInMBUFDiscards: 0
      dev.bce.1.stat_IfInFTQDiscards: 0
      dev.bce.1.stat_IfInRuleCheckerDiscards: 0
      dev.bce.1.stat_IfInFramesL2FilterDiscards: 0
      dev.bce.1.stat_XoffStateEntered: 0
      dev.bce.1.stat_MacControlFramesReceived: 0
      dev.bce.1.stat_FlowControlDone: 0
      dev.bce.1.stat_OutXoffSent: 0
      dev.bce.1.stat_OutXonSent: 0
      dev.bce.1.stat_XoffPauseFramesReceived: 0
      dev.bce.1.stat_XonPauseFramesReceived: 0
      dev.bce.1.stat_EtherStatsPktsTx1523Octetsto9022Octets: 0
      dev.bce.1.stat_EtherStatsPktsTx1024Octetsto1522Octets: 2
      dev.bce.1.stat_EtherStatsPktsTx512Octetsto1023Octets: 23
      dev.bce.1.stat_EtherStatsPktsTx256Octetsto511Octets: 5
      dev.bce.1.stat_EtherStatsPktsTx128Octetsto255Octets: 1347
      dev.bce.1.stat_EtherStatsPktsTx65Octetsto127Octets: 1624
      dev.bce.1.stat_EtherStatsPktsTx64Octets: 43
      dev.bce.1.stat_EtherStatsPktsRx1523Octetsto9022Octets: 0
      dev.bce.1.stat_EtherStatsPktsRx1024Octetsto1522Octets: 226
      dev.bce.1.stat_EtherStatsPktsRx512Octetsto1023Octets: 16
      dev.bce.1.stat_EtherStatsPktsRx256Octetsto511Octets: 1
      dev.bce.1.stat_EtherStatsPktsRx128Octetsto255Octets: 21
      dev.bce.1.stat_EtherStatsPktsRx65Octetsto127Octets: 1630
      dev.bce.1.stat_EtherStatsPktsRx64Octets: 60
      dev.bce.1.stat_EtherStatsOversizePkts: 0
      dev.bce.1.stat_EtherStatsUndersizePkts: 0
      dev.bce.1.stat_EtherStatsJabbers: 0
      dev.bce.1.stat_EtherStatsFragments: 0
      dev.bce.1.stat_EtherStatsCollisions: 0
      dev.bce.1.stat_Dot3StatsLateCollisions: 0
      dev.bce.1.stat_Dot3StatsExcessiveCollisions: 0
      dev.bce.1.stat_Dot3StatsDeferredTransmissions: 0
      dev.bce.1.stat_Dot3StatsMultipleCollisionFrames: 0
      dev.bce.1.stat_Dot3StatsSingleCollisionFrames: 0
      dev.bce.1.stat_Dot3StatsAlignmentErrors: 0
      dev.bce.1.stat_Dot3StatsFCSErrors: 0
      dev.bce.1.stat_Dot3StatsCarrierSenseErrors: 0
      dev.bce.1.stat_emac_tx_stat_dot3statsinternalmactransmiterrors: 0
      dev.bce.1.stat_IfHCOutBroadcastPkts: 43
      dev.bce.1.stat_IfHCOutMulticastPkts: 2
      dev.bce.1.stat_IfHCOutUcastPkts: 2999
      dev.bce.1.stat_IfHCInBroadcastPkts: 1
      dev.bce.1.stat_IfHCInMulticastPkts: 0
      dev.bce.1.stat_IfHCInUcastPkts: 1953
      dev.bce.1.stat_IfHCOutBadOctets: 0
      dev.bce.1.stat_IfHCOutOctets: 346999
      dev.bce.1.stat_IfHCInBadOctets: 0
      dev.bce.1.stat_IfHcInOctets: 512099
      dev.bce.1.unexpected_attention_count: 0
      dev.bce.1.dma_map_addr_tx_failed_count: 0
      dev.bce.1.dma_map_addr_rx_failed_count: 0
      dev.bce.1.mbuf_frag_count: 0
      dev.bce.1.mbuf_alloc_failed_count: 0
      dev.bce.1.l2fhdr_error_count: 0
      dev.bce.1.%parent: pci1
      dev.bce.1.%pnpinfo: vendor=0x14e4 device=0x1639 subvendor=0x1028 subdevice=0x0235 class=0x020000
      dev.bce.1.%location: slot=0 function=1 dbsf=pci0:1:0:1
      dev.bce.1.%driver: bce
      dev.bce.1.%desc: QLogic NetXtreme II BCM5709 1000Base-T (C0)
    pfctl -vvsI -i bce0
      bce0
        Cleared: Mon Sep 30 17:39:08 2019
        References: 30
        In4/Pass: [ Packets: 11072294 Bytes: 2460981815 ]
        In4/Block: [ Packets: 8457 Bytes: 160657 ]
        Out4/Pass: [ Packets: 13905940 Bytes: 9512430255 ]
        Out4/Block: [ Packets: 0 Bytes: 0 ]
        In6/Pass: [ Packets: 0 Bytes: 0 ]
        In6/Block: [ Packets: 124349 Bytes: 16424984 ]
        Out6/Pass: [ Packets: 0 Bytes: 0 ]
        Out6/Block: [ Packets: 3 Bytes: 268 ]
    netstat -bh -I bce0
      Name Mtu Network Address Ipkts Ierrs Idrop Ibytes Opkts Oerrs Obytes Coll
      bce0 1.5K <Link#1> XXX 12M 0 0 2.5G 15M 0 9.1G 0
      bce0 - XX%bce0/6 XXX 0 - - 0 0 - 0 -
      bce0 - XX XX 296k - - 18M 261k - 15M -
    Thanks
  • pfSense drops Internet ?

    27
    0 Votes
    27 Posts
    3k Views
    stephenw10
    That is their reply packets being dropped because the TCP state outbound to them had already been closed. That's quite common and usually nothing to be concerned about: https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html Steve
  • Multiple Gateways + squid proxy

    5
    0 Votes
    5 Posts
    676 Views
    stephenw10
    In the Custom Options Before Auth field in the Squid general settings. [image: 1569848769553-selection_700.png] You can only specify an IP there, you can't use a gateway group. If you need Squid to use a gateway group you can leave it as default where it will use the system default route and then set that as gateway group in System > Routing. Steve
  • No internet trafic from LAN side under Pfsense, OVH and Proxmox

    10
    0 Votes
    10 Posts
    2k Views
    stephenw10
    OVH do weird things. Like that might be the actual gateway they are using completely outside the WAN subnet. If pfSense can connect out, ping arbitrary fqdns, but clients behind it cannot it's probably a NAT problem. The default outbound NAT setting, auto, should work though. The default dhcp settings should give reasonable values to clients. The default LAN subnet should also work. If any of that has been changed from the defaults the clients might have bad subnet or route. Check that. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.