• Ping between subnets on separate NIC's on the same pfSense machine

    0 Votes
    14 Posts
    5k Views
    @johnpoz Got it. Changed the top rule, and voila ... it works. Thanks for your help! Much appreciated.
  • Strange wifi calling problem

    0 Votes
    14 Posts
    1k Views
    @teamits Thank you. If I come back to Suricata I will try what you suggest. Things seem to be working now with snort so I may resist the temptation of playing more and digging another bottomless hole for myself!
  • 0 Votes
    3 Posts
    423 Views
    stephenw10
    Indeed, much more! What type of tunnel is it? How is it configured? What is it connected to? Does traffic fail in both directions? Is it the same tunnel that fails each time? How long does it take to fail? Etc Steve
  • 0 Votes
    3 Posts
    449 Views
    @stephenw10 thanks a lot! For further reference the corresponding FreeBSD PR is found here.
  • How to setup aliases to stop networks talking to each other

    0 Votes
    14 Posts
    2k Views
    stephenw10
    There have not been for a while and I use invert rules myself. I try to use them only for single subnet aliases though. Can't find a bug report for that now but I know I have hit it in the past. Steve
  • Updates not respecting proxy in System- Advanced- Miscellaneous

    0 Votes
    7 Posts
    778 Views
    stephenw10
    Yup. That. https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html#pkg-pfsense-org-has-no-a-aaaa-record
  • 0 Votes
    15 Posts
    1k Views
    JKnott
    @hescominsoon said in Why Pfsense is free and who is mysterious benefactor we should be grateful ?: yes it could..but why? That would lead to it being more insecure by default. That was just to demonstrate my point that pfsense is just an interface on top of BSD and does nothing that couldn't be done by BSD alone. It would mean manually configuring all the various services, including pf, but it could be done. It's the same on Linux, where the configuration app (Yast) configures everything, including IPTables. Without that app, you could still make a good firewall, but it would take more work. BTW, I go back to the days when everything on computers was done from the command line (I was working with VAX/VMS long before I ever saw PC/MS-DOS and IBM mainframes before I bought my XT clone) and when I first heard about the Mac, I wondered why anyone would need a graphical interface. Putting Wireshark would take a lot more work than I'm prepared to do. I do use Packet Capture frequently and download the captures to examine with Wireshark. I can also put a managed switch, configured as a data tap in line with any connection to pfsense.
  • LDAP authentication for SSH for pfsense 2.4.5

    0 Votes
    5 Posts
    678 Views
    jimp
    It required binary changes/compile options, so no, not possible on 2.4.5.
  • Any ETA

    0 Votes
    4 Posts
    410 Views
    Qinn
    @stephenw10 Thx for pointing that one out to me
  • Strange performance problem

    0 Votes
    15 Posts
    812 Views
    @johnpoz said in Strange performance problem: What do you think of the odds of something like that happening are? ;) Zero. How many home networks are out there with old cheap crap "routers" that want you to believe that NAT is a firewall... So much stuff is going on. My ISP (Spectrum, formerly Time Warner) will give me a /56 prefix. Nice. But, this same ISP thinks that power cycling is the cure for all issues. Begging is required to access someone who knows their head from a hole in the ground. A lot needs to improve.
  • This topic is deleted!

    0 Votes
    1 Posts
    14 Views
    No one has replied
  • LAN has no carrier

    0 Votes
    4 Posts
    1k Views
    stephenw10
    What do you have limiting the bandwidth? How are you applying that? Can we see screenshots? Do you see blocked traffic in the firewall log? If you are able to connect at all through that port then it must no longer be showing as 'no carrier' I assume? Steve
  • Issue with Intel SpeedStep settings

    0 Votes
    15 Posts
    6k Views
    stephenw10
    Yup those later P4s were hungry hungry beasts!
  • sonewconn: pcb: Listen queue overflow messages in kernel log

    0 Votes
    10 Posts
    10k Views
    stephenw10
    Yes, those values you're seeing are small, 8 queued, 4 occurrences. Often if you hit a problem like that you will see far higher numbers there. If you are not seeing any actual connectivity issues you might choose to ignore it. You should not be seeing it though. Steve
  • Building my lan: do I need a managed switch for my VLANs?

    0 Votes
    51 Posts
    12k Views
    @valepe69 Have a look at the Netgear GS350 Series of Smart Managed Pro switches. I've used the GS308T, GS310TP and the GS324T. All solid. And the price is right. I have some spare GS308T's (I consolidated several switches) if that's all you need and are interested.
  • Removing interface - best practice?

    0 Votes
    2 Posts
    305 Views
    stephenw10
    Hmm, that absolutely shouldn't happen. As long as the assigned interfaces in the config are still present at boot pfSense should not care about other interfaces that may or may not exist on the firewall. Commonly an interface may be removed that changes the ordering of other interfaces, if they are all igb NICs for example. If you don't have any other 10G NICs in the system and have unassigned it I would not expect an issue. Steve
  • 502 Bad Gateway

    0 Votes
    2 Posts
    549 Views
    NollipfSense
    @dzmnetworks Swap a known good working cable and see whether you get the same response. Be sure to reboot the modem when you swap cable.
  • Lost access to web portal

    0 Votes
    3 Posts
    413 Views
    stephenw10
    Yes, or roll back that last config change. https://docs.netgate.com/pfsense/en/latest/config/console-menu.html#restore-recent-configuration Steve
  • Using pfSense with another Router just for OpenVPN Load Balancing

    0 Votes
    2 Posts
    311 Views
    stephenw10
    Yeah, you don't need any sort of bridge there. The pfSense router will connect out as an OpenVPN client to remote servers without needing anything special. Steve
  • DC Cluster for LDAP Authentication?

    0 Votes
    4 Posts
    575 Views
    @stephenw10 Good advice. I just used my generated pfsense LDAP CA to issue another cert for the second DC and imported the CA cert and generated server cert into the certificate store on that domain controller. Totally forgot you could choose more than one auth server in the OpenVPN server config. Thanks for reminding me!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.