@inHell said in How to configure? (Fritz.Box - Proxmox - Pfsense): Do I understand it correctly that the default Gateway is for using Internet and talking to the "main" Almost. pfSense sends any traffic which has a destination address outside of the subnets defined on its own interfaces to the default gateway. So yes, packets to the internet are sent to the default gateway, however, packets to any other subnet which are not known by pfSense as well. @inHell said in How to configure? (Fritz.Box - Proxmox - Pfsense): Another Gateway would be the 30.1 for the internal LAN connections in the Lab-Network? You must not set a gateway on the LAN interface. You have to remove this again. Additionally you have to set the "FritzBoxGateway" as default to get upstream traffic work. @inHell said in How to configure? (Fritz.Box - Proxmox - Pfsense): And the static route i can just delete in the FB? As stated above, you have to decide if you want to set up a routing a NAT network environment. If you prefer routing you have to add NAT rules for incoming traffic for the 30.0 subnet on the FB directly by using the device IP addresses out of 30.0. In this environment you will still need that route on the FB and you should turn off NAT on the pfSense. If you use NAT you don't need that route, you have to forward any traffic for the 30.0 subnet to pfSense and on pfSense you have to add further NAT rules to forward the traffic to the destination devices. However, all that is not necessary to get internet access to work.

is that "changing the name on a Gateway is not allowed" the same as me renaming "Interfaces/assignments" but I guess so as that's where the internet for what you want is going.. as im allowed to change it.. but thank you jimp for your input too (:

@stephenw10 Yes, bce1 statistics are not correct with pfctl (interfaces status page). Others statistics for bce0 (LAN) or bce2 (WAN 200Mb/s) are correct. pfctl -vvsI -i bce1 bce1 Cleared: Mon Sep 30 17:39:08 2019 References: 83 In4/Pass: [ Packets: 1580 Bytes: 451707 ] In4/Block: [ Packets: 331 Bytes: 23142 ] Out4/Pass: [ Packets: 37376681 Bytes: 6059122661 ] Out4/Block: [ Packets: 0 Bytes: 0 ] In6/Pass: [ Packets: 0 Bytes: 0 ] In6/Block: [ Packets: 0 Bytes: 0 ] Out6/Pass: [ Packets: 0 Bytes: 0 ] Out6/Block: [ Packets: 1 Bytes: 116 ] netstat -bh -I bce1 Name Mtu Network Address Ipkts Ierrs Idrop Ibytes Opkts Oerrs Obytes Coll bce1 1.5K <Link#2> XXX 2.0k 0 0 492K 3.0k 0 326K 0 bce1 - XXbce1/6 XX 0 - - 0 0 - 0 - bce1 - XX XX 1.6k - - 441K 0 - 0 - sysctl dev.bce.1 dev.bce.1.com_no_buffers: 0 dev.bce.1.stat_CatchupInRuleCheckerP4Hit: 0 dev.bce.1.stat_CatchupInMBUFDiscards: 0 dev.bce.1.stat_CatchupInFTQDiscards: 0 dev.bce.1.stat_CatchupInRuleCheckerDiscards: 0 dev.bce.1.stat_IfInRuleCheckerP4Hit: 1 dev.bce.1.stat_IfInMBUFDiscards: 0 dev.bce.1.stat_IfInFTQDiscards: 0 dev.bce.1.stat_IfInRuleCheckerDiscards: 0 dev.bce.1.stat_IfInFramesL2FilterDiscards: 0 dev.bce.1.stat_XoffStateEntered: 0 dev.bce.1.stat_MacControlFramesReceived: 0 dev.bce.1.stat_FlowControlDone: 0 dev.bce.1.stat_OutXoffSent: 0 dev.bce.1.stat_OutXonSent: 0 dev.bce.1.stat_XoffPauseFramesReceived: 0 dev.bce.1.stat_XonPauseFramesReceived: 0 dev.bce.1.stat_EtherStatsPktsTx1523Octetsto9022Octets: 0 dev.bce.1.stat_EtherStatsPktsTx1024Octetsto1522Octets: 2 dev.bce.1.stat_EtherStatsPktsTx512Octetsto1023Octets: 23 dev.bce.1.stat_EtherStatsPktsTx256Octetsto511Octets: 5 dev.bce.1.stat_EtherStatsPktsTx128Octetsto255Octets: 1347 dev.bce.1.stat_EtherStatsPktsTx65Octetsto127Octets: 1624 dev.bce.1.stat_EtherStatsPktsTx64Octets: 43 dev.bce.1.stat_EtherStatsPktsRx1523Octetsto9022Octets: 0 dev.bce.1.stat_EtherStatsPktsRx1024Octetsto1522Octets: 226 dev.bce.1.stat_EtherStatsPktsRx512Octetsto1023Octets: 16 dev.bce.1.stat_EtherStatsPktsRx256Octetsto511Octets: 1 dev.bce.1.stat_EtherStatsPktsRx128Octetsto255Octets: 21 dev.bce.1.stat_EtherStatsPktsRx65Octetsto127Octets: 1630 dev.bce.1.stat_EtherStatsPktsRx64Octets: 60 dev.bce.1.stat_EtherStatsOversizePkts: 0 dev.bce.1.stat_EtherStatsUndersizePkts: 0 dev.bce.1.stat_EtherStatsJabbers: 0 dev.bce.1.stat_EtherStatsFragments: 0 dev.bce.1.stat_EtherStatsCollisions: 0 dev.bce.1.stat_Dot3StatsLateCollisions: 0 dev.bce.1.stat_Dot3StatsExcessiveCollisions: 0 dev.bce.1.stat_Dot3StatsDeferredTransmissions: 0 dev.bce.1.stat_Dot3StatsMultipleCollisionFrames: 0 dev.bce.1.stat_Dot3StatsSingleCollisionFrames: 0 dev.bce.1.stat_Dot3StatsAlignmentErrors: 0 dev.bce.1.stat_Dot3StatsFCSErrors: 0 dev.bce.1.stat_Dot3StatsCarrierSenseErrors: 0 dev.bce.1.stat_emac_tx_stat_dot3statsinternalmactransmiterrors: 0 dev.bce.1.stat_IfHCOutBroadcastPkts: 43 dev.bce.1.stat_IfHCOutMulticastPkts: 2 dev.bce.1.stat_IfHCOutUcastPkts: 2999 dev.bce.1.stat_IfHCInBroadcastPkts: 1 dev.bce.1.stat_IfHCInMulticastPkts: 0 dev.bce.1.stat_IfHCInUcastPkts: 1953 dev.bce.1.stat_IfHCOutBadOctets: 0 dev.bce.1.stat_IfHCOutOctets: 346999 dev.bce.1.stat_IfHCInBadOctets: 0 dev.bce.1.stat_IfHcInOctets: 512099 dev.bce.1.unexpected_attention_count: 0 dev.bce.1.dma_map_addr_tx_failed_count: 0 dev.bce.1.dma_map_addr_rx_failed_count: 0 dev.bce.1.mbuf_frag_count: 0 dev.bce.1.mbuf_alloc_failed_count: 0 dev.bce.1.l2fhdr_error_count: 0 dev.bce.1.%parent: pci1 dev.bce.1.%pnpinfo: vendor=0x14e4 device=0x1639 subvendor=0x1028 subdevice=0x0235 class=0x020000 dev.bce.1.%location: slot=0 function=1 dbsf=pci0:1:0:1 dev.bce.1.%driver: bce dev.bce.1.%desc: QLogic NetXtreme II BCM5709 1000Base-T (C0) pfctl -vvsI -i bce0 bce0 Cleared: Mon Sep 30 17:39:08 2019 References: 30 In4/Pass: [ Packets: 11072294 Bytes: 2460981815 ] In4/Block: [ Packets: 8457 Bytes: 160657 ] Out4/Pass: [ Packets: 13905940 Bytes: 9512430255 ] Out4/Block: [ Packets: 0 Bytes: 0 ] In6/Pass: [ Packets: 0 Bytes: 0 ] In6/Block: [ Packets: 124349 Bytes: 16424984 ] Out6/Pass: [ Packets: 0 Bytes: 0 ] Out6/Block: [ Packets: 3 Bytes: 268 ] netstat -bh -I bce0 Name Mtu Network Address Ipkts Ierrs Idrop Ibytes Opkts Oerrs Obytes Coll bce0 1.5K <Link#1> XXX 12M 0 0 2.5G 15M 0 9.1G 0 bce0 - XX%bce0/6 XXX 0 - - 0 0 - 0 - bce0 - XX XX 296k - - 18M 261k - 15M - Thanks

That is their reply packets being dropped because the TCP state outbound to them had already been closed. That's quite common and usually nothing to be concerned about: https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html Steve

In the Custom Options Before Auth field in the Squid general settings. [image: 1569848769553-selection_700.png] You can only specify an IP there, you can't use a gateway group. If you need Squid to use a gateway group you can leave it as default where it will use the system default route and then set that as gateway group in System > Routing. Steve

OVH do weird things. Like that might be the actual gateway they are using completely outside the WAN subnet. If pfSense can connect out, ping arbitrary fqdns, but clients behind it cannot it's probably a NAT problem. The default outbound NAT setting, auto, should work though. The default dhcp settings should give reasonable values to clients. The default LAN subnet should also work. If any of that has been changed from the defaults the clients might have bad subnet or route. Check that. Steve

Most likely: The LAN subnet or the DHCP server MAC address changed and now Windows sees it as an untrusted public network so is blocking requests from other clients. Steve

ARP movements are usually either some sort of load-balancing, like an actual load-balancer or teamed NICs in a server sharing one IP, or Apple's Bonjour sleep proxy. Check the OUI to see if it's Apple. However it can also be an IP address conflict if two hosts are set to the same static IP. Check what those MAC addresses are on your network. https://docs.netgate.com/pfsense/en/latest/monitoring/arp-moved-log-messages.html Steve

If you're using swap at all you have a problem. pfSense should not use swap in normal operation and if it does performance can be very degraded. Work out what is actually using your RAM and tune that out. Steve

Thanks. Curently I am runnig it from within my network to play a bit and tweak it. Regarding lan2 interface. I am going to configure managed switch to mirror traffic to sniffer port (hopefully this conf will cope with all the traffic). This is for mapping all the traffic within local net, including traffic that does not go thro router. If this will not work I will just use normal config. HD

You might need to open a bug against the package if that update touched it. The patch corrects it for everything we have seen in base but maybe not for packages. Steve

If it's mulitwan and one is still up you should be able to resolve over that. As long as you have setup servers on both WANs or you a gateway group set as the default gateway you should still have DNS.

Thanks. I've got a computer here which I'll shove in my server room with pfSense running 24/7

It's probably a lower sync speed. That may increase over a few days. The SG-2220 is capable of far more that that. Try establishing a PPPoE session from a laptop connected directly to the modem. What speed do you see there? Steve

[2.5.0-DEVELOPMENT][root@pfSense.localdomain]/root: pfSense-upgrade -h > > Usage: pfSense-upgrade [-46bdfhnRUy] [-l logfile] [-p socket] [-c|-u|[-i|-d] pkg_name] > -4 - Force IPv4 > -6 - Force IPv6 > -b - Platform is booting > -d - Turn on debug > -f - Force package installation > -h - Show this usage help > -l logfile - Logfile path (defaults to /cf/conf/upgrade_log.txt) > -n - Dry run > -p socket - Write pkg progress to socket > -R - Do not reboot (this can be dangerous) > -U - Do not update repository information > -y - Assume yes as the answer to any possible interaction > > The following parameters are mutually exclusive: > -c - Check if upgrade is necessary > -i pkg_name - Install package PKG_NAME > -r pkg_name - Remove package PKG_NAME > -u - Update repository information > how about pfSense-upgrade -d -y ?

@Gertjan @stephenw10 The discussion is getting interesting. I am starting a new thread, https://forum.netgate.com/topic/146882/pfsense-memory-usage-part-2 Regards, Ashima

Glad you found it.. :)

Or maybe he thought he was helping things by hard setting the speed and duplex where not supported? Auto-neg is my friend...

@stephenw10 probably not, it's a matter of habit. I'll probably disable ARP altogether and see what happens.

Yes usually there is the public IP. I do have a DHCP for my LAN but i doubt that this is the issue here. Either way i entered the DHCP server ip, will see if this changes anything.