yes, now you have an idea of what you need to do, maybe wait for someone with a Draytek that can tell you how to configure it. internet---pppoe ----| ............... modem --- pfsense ---lan

@leadwolf31 , Assalamu alaikum, Shalom, Namaste. Yes you can. I use Pfsense CE (free) with IBM Qradar CE (free). I can even tracked the apps that intruders used. IBM QRadar [image: qradarce-dashboard.png] [image: pfsense-logactivity.png]

Normally very difficult to have any unsolicited inbound traffic. Unless your ISP has setup ports to be sent to your 100.64.x.x IP, or allows for you to request them. Its pretty much the same as your IPs behind your nat router not seeing inbound traffic unless you create a port forward on your router. If you have no need for inbound traffic - say you running a plex server, or hosting httpd, or whatever then not you prob won't have any problems. But if your wanting to say host some online games or something... Then yeah it can be a problem. if you would like to say vpn into your home while your on the road with your phone or laptop or something - then yeah problematic for sure. Do you also have IPv6? If you have IPv6 you could leverage that for the services you want to host off your connection. Problem there is not everyone has IPv6, nor all locations.. Say your on some hotspot at a coffee shop or something and want to vpn to your home - the coffee shop might not have ipv6 for you to use. edit: upon looking I do see you connecting a few times with IPv6 to the forum.. So I would assume you have it - but that could of been off your phone (not using wifi) or something? For example t-mobile, atleast in my region has gone full ipv6 on their data connections. Your phone never gets an IPv4 address other than via wifi. When you want to talk to an IPv4 address you use a NAT64 gateway they have setup.

So you're basically saying Chrome is auto-filling hidden password fields creating the input validation error? That should be fixed in 2.4.5p1 by this: https://redmine.pfsense.org/issues/9864 So, yeah, upgrade! Steve

There is a reason that bridging all your interfaces is not a one check-box type setup in pfSense. Doing that is generally a bad idea! Bridging interfaces makes it behave somewhat like a switch but it is not a switch and if what you want there is a switch then you should just use a switch. Most SOHO routers that use that type of setup are in fact using switch internally. Some of our own appliances have an internal switch and can also be used like that. That aside..... if you are going to the dhcp server setup and there is no tab for br0 it's because br0 isn't assigned with a static IPv4 subnet a dhcp server can be added to. I note also that guide does not mention chnaging the sysctls to filter on the bridge interface rather than it's members which most people would want for this sort of setup. See: https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html Steve

Mmm, weird. Thanks for following up though. Yeah it would be good to know what it was but that's probably not possible at this point. Steve

@user2 , I think you are overly worried, but then again that's your right. Anyway the IP address that you mentioned is related to these IP addresses: IPV4 24.227.211.0/24 64.17.0.0/20 64.20.224.0/19 64.20.224.0/20 66.219.32.0/19 96.47.208.0/20 96.47.209.0/24 192.188.253.0/24 198.252.182.0/24 208.67.240.0/21 208.123.64.0/19 208.123.73.0/24 216.1.112.0/22 IPV6 2610:160::/32

Here this should help https://docs.netgate.com/pfsense/en/latest/nat/process-order.html Outbound nats are evaluated after the firewall rule... I think the confusion comes up when users think nat is evaluated first before firewall rules. -- which is true in the case of port forwards or 1:1 nats, etc. If you have a firewall rule that forces traffic out a gateway.. The nat will be evaluated after that - top down looking for the nat to apply to that traffic.. But the decision for what interface to send it out of has already been made.. So no outbound nat could not change what gateway that traffic would use.

@gregHANSford , I forgot to mention third step turn off your ISP modem for 10 sec. You will get a new ip gateway. Also you can always changing your server host as Steve mentioned. VPN > Openvpn > Clients > Edit > Server host or Address Change it to different host from your VPN provider, with Nordvpn is a bit easier. Just change the digits ch 167 to ch 134. This way you don't have to change your TLS key. [image: recommended-server@2x.webp] @Steve, it's true but I did notice this trick worked, 6 out of 10 connections will use the same ip as monitoring ip.

I'd love a solution to this - see it constantly on my lab SG-3100 - have even pruned it back in terms of packages and still does it :( Same scenario - usually I can SSH in and restart PHP-FPM but other times i have to hard reboot the device. Not the result i was hoping for testing an SG3100 for use at clients :/

So it was traffic shaping after all. What looked like defaults to me must have been the wizard’s work from ages ago when I was trying to do QoS for one specific machine. Thanks for your responses!

@DGCupit One thing I did years ago, when I had an intermittent problem with my ISP is I wrote a script that would periodically ping my ISP's gateway and log failures. You could have it restart DHCP instead. Here's my script: #! /bin/sh while [ 1 ] do ping <address> -4 -c 1 || date >> ~/log;sleep 50 done

Yup, that^. Just use two interfaces in pfSense and that will be the default behaviour. Otherwise reply-to uses the gateway defined on the interface. Steve

OK I think I found the way. For all the time I spent trying to figure it out, it's embarrasingly simple, but I took longer because I did not understand that: it needs powershell 7 (or maybe 6+, but I didn't test that) it needs to NOT run in ISE. Running in ISE screws up the type used for the file in the final hash table, even if you try to run PS 7 with enter-pssession. You've been warned! :-) Anyway, this sample code worked for me - hope it helps someone else: $Timeout = 15 $restorearea='aliases' $conffile='c:\path\aliasestest.xml' $CsrfToken = $null; $PW = 'pfsense' $Uri = 'https://192.168.1.1' $LoginPage = Invoke-WebRequest -TimeoutSec $Timeout -Uri $Uri -SessionVariable Session $CsrfToken = $LoginPage.InputFields.FindByName('__csrf_magic').Value $Credential = New-Object System.Management.Automation.PSCredential -ArgumentList 'admin', (ConvertTo-SecureString -AsPlainText -Force ($PW)) $Creds = @{ __csrf_magic=$CsrfToken; usernamefld=$Credential.GetNetworkCredential().UserName; passwordfld=$Credential.GetNetworkCredential().Password; login='Login' } # Login to web portal $Result = Invoke-WebRequest -TimeoutSec $Timeout -WebSession $Session -Uri $uri -Method Post -Body $Creds $CsrfToken = $Result.InputFields.FindByName('__csrf_magic').Value # Get backup pagethat $Result = Invoke-WebRequest -TimeoutSec $Timeout -WebSession $Session -Uri "$uri/diag_backup.php" $CsrfToken = $Result.InputFields.FindByName('__csrf_magic').Value $RestoreArguments = @{ __csrf_magic=$CsrfToken donotbackuprrd='yes' encrypt_password='' conffile=get-item -path $conffile decrypt_password='' restorearea=$RestoreArea backuparea='' restore='Restore Configuration' } $Result = Invoke-WebRequest -TimeoutSec $Timeout -WebSession $Session -Uri "$uri/diag_backup.php" -Method 'POST' -form $RestoreArguments

@AKEGEC Thanks for the suggestion. I tried a managed switch but still saw the same issues. I think I must of somehow run the poe into the Pfsense box.

@Rico Thank you

@Rico @bingo600 In other words, if it is on "bytes", the max I get is 2mb/s if you mouse over the live graph. If I change to "Bits", the max I get is 16mb/s. But it should be 2MB/s for the bytes...right? The "b" isn't changing.

These should get you started https://docs.netgate.com/pfsense/en/latest/packages/freeradius.html https://www.slideshare.net/NetgateUSA/radius-and-ldap-on-pfsense-24-pfsense-hangout-february-2018

@OverrRyde said in Gigabit speed help: @Cool_Corona what's limiting? The onboard nic? Cpu? Thanks CPU

[image: 1603962208316-screenshot-from-2020-10-29-12-03-16.png] WARNING: If the remote server requires both a username and a password, but only one is filled in, the system will hang on reboot prompting for OpenVPN Client credentials unless Authentication Retry is checked.