  • iperf3 server on wan, and client on lan : but how?

    0 Votes | 17 Posts | 3k Views
    C
    @johnpoz said in iperf3 server on wan, and client on lan : but how?: @cabledude possible you had enabled shaping/limiting of some sort? Nope, I did look for something like that, but no traffic shaping in pfSense and none in UniFi, at least not for the VLAN my laptop is in. Will investigate some more. Thanks, Pete
  • pfSense AWS Ipsec tunnel phase 2 show 0 bytes of data

    0 Votes | 5 Posts | 749 Views
    stephenw10
    See for example: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck Steve
  • New to pfsense. Hardware and setup

    0 Votes | 24 Posts | 2k Views
    F
    @stephenw10 said in New to pfsense. Hardware and setup: There are a lot of variables so I couldn't tell you the exact speed you'll see. Steve Ya that's a given. I know once I get it together it will be time to test, reconfigure, rinse and repeat.
  • PFsense continuously beeping when trying to re log in to Web Gui?

    0 Votes | 17 Posts | 988 Views
    B
    @stephenw10 yes, so when it's continuously beeping I hit the reset button on my console and it resets/reboots or whatever and then boots up normally with the boot up jingle.
  • RFC1918 Block private networks and loopback addresses

    0 Votes | 2 Posts | 903 Views
    stephenw10
    You should only usually have that checked on an external interface. You should never see traffic coming from a private IP on an interface that has a public IP. The only exception to that is if you are double NATed and need to access the pfSense device from a box in the WAN subnet and that is public. Steve
  • Very basic interface question

    0 Votes | 15 Posts | 1k Views
    stephenw10
    @bugman said in Very basic interface question: When I try to assign a VLAN to a specific port in Interface Assignment I get the error: This Switch port is already in used by another interface. That setting in the main interface config does not configure the switch. Instead that is used to have the VLAN interface status reflect the port status. So for example if you have a VLAN assigned as OPT1 and the switch is configured to have port 4 as an access port for that VLAN, you can set port 4 there so that OPT1 shows as DOWN when port 4 is disconnected. What you need to do to trunk a VLAN to a port is set that in the switch config. Like: [image: 1637192181011-screenshot-from-2021-11-17-23-36-11.png] That will make a VLAN created in LAN, mvneta1.100, available tagged on port 4. You need to be sure to set the internal port, 5, also tagged as shown there for all VLANs you need. Steve
  • pfSense down hard after adding NIC

    0 Votes | 12 Posts | 1k Views
    N
    @stephenw10 I was using GNU/Linux for 15 years. Last year I finally switched to FreeBSD as my daily driver and I never looked back. The Linux kernel has become a bloated mess. And unlike the modular GNU/Linux nightmare, FreeBSD is a complete operating system in every sense of the word. And I really love their strict RTFM community. And the fact that pfSense is based on FreeBSD makes me very happy.
  • Migration of Local Users To Active Directory Possible?

    0 Votes | 5 Posts | 605 Views
    M
    @bmeeks Appreciate the info, I've already got things going and pretty much completed.
  • Multiple VPN configuration help

    0 Votes | 12 Posts | 1k Views
    J
    @stephenw10 Thanks for your help here. I actually had created a second P2 but had created it backwards. Fixed that up and now all works. Thanks again, James
  • I can’t believe how bad this software is.

    Moved | 0 Votes | 24 Posts | 2k Views
    NollipfSense
    @ppal Troll...
  • How to get faster internet throughput from PFsense?

    0 Votes | 6 Posts | 1k Views
    stephenw10
    Running pciconf -lv at the command line will show you what NICs you have and which drivers they are using. If they are any Intel NIC though I'd expect to see at least close to 1G with that CPU. Check the top output while testing. Steve
  • Best way to limit WAN pipe bandwidth

    0 Votes | 2 Posts | 345 Views
    bmeeks
    I don't use it, so not an expert on traffic shaping. But what you want to do should be possible. There is a dedicated Traffic Shaping Sub-Forum here: https://forum.netgate.com/category/26/traffic-shaping. You might get better answers to your question in there as those folks are generally active users of that feature.
  • Help Understanding a Crash [kernel panic]

    Tags: crash, kernel panic, pfsense, help, log
    0 Votes | 31 Posts | 6k Views
    N
    Hello, Just to update about the crashes: they didn't happen again. Also, I've been using the Suricata 6.0.3 release since then, and no netmap issues. So, I changed my RAM, and tested the old ones: 24H of MemTest86+ and at least 5hrs of GoldMemory (not the best tests, but still) resulted in not a single red flag for them (tested individually), AND I'm using them on other Win machines without BSOD or anything in the logs. I already saw RAM tests failing to detect problems, so based on what you explained, I'm assuming that both 1 - the issue with Suricata's multithreading ring access, and 2 - darkstat, were hitting some intermittent problem, that I could not with tests and other OS. Anyway, thank you for helping me out solving this. Really appreciate @stephenw10 and @bmeeks !
  • Multiple OpenVPN on the same server

    0 Votes | 10 Posts | 7k Views
    S
    @raffi_ not usually needed for your end users. But for say IT or Helpdesk. For example I sometimes need to VPN into more than one remote office to move data from remote site to remote site. Handy to be able to copy from one to the other (need to be able to connect to both VPN servers at the same time). But without this checked, can only connect to one at a time. End users don't usually need to do this, so fine to leave unchecked.
  • AWS VPN BGP - Routing

    Tags: vpn, ipsec, virtualip, desperate, bgp
    0 Votes | 23 Posts | 6k Views
    M
    P.S. I take it back - you may need firewall rules for IPSec to allow BGP traffic. You can create them from the firewall logs if you see blocked BGP traffic on IPSec.
  • 0 Votes | 4 Posts | 1k Views
    Sergei_Shablovsky
    @stephenw10 said in Properly Prometheus (with alertmanager & exporters) + Grafana installation on CE DEV version: Not on pfSense directly. Why? Exactly pfSense has an exporter for Prometheus. So the question about the version is still actual. There are quite a few tutorials on how to do exactly this by exporting the data to another host. And that's the correct way to do it IMO. Of course, I read it. But I am asking about the new version, which is only on the official Prometheus web, while a quite old version is in the FreeBSD repo.
  • (Solved) DHCP not working

    Tags: dhcp
    0 Votes | 18 Posts | 3k Views
    stephenw10
    Ah, nice result. Thanks for persisting!
  • Confusion About Log Entry

    0 Votes | 11 Posts | 1k Views
    D
    @johnpoz said in Confusion About Log Entry: So anything someone or something running on that device could be doing the queries.. Say in a remote desktop session.. Thanks for your feedback. I guess that might be technically possible but I think there would be a whole bunch of hoops that would have to be jumped through. First of all the server is part of a MS domain. So only an authenticated user that can provide proper login credentials could connect to it (of which there are only two) and then the only things that they could access are the remote apps installed in Remote Desktop Services. And those connections can only happen from a LAN address, nothing is open to the WAN or other internal vlans. Secondly, the server has Microsoft Server 2012 as its operating system and does not have the dns role installed on it so I don't think it could respond to a dns request from another machine. And thirdly, if that server itself did have a dns request via its own ethernet adapter it would be routed first to the domain controller at 192.168.163.10 which would then forward to pfsense at 192.168.163.1. In that case I would expect to see the domain controller's ip address (192.168.163.10) as the source of the query. It really seems more likely to me that I must have missed something in my pfsense setup. @johnpoz said in Confusion About Log Entry: Might be helpful.. I would for sure actually sniff on that device that it's sending the specific queries you're seeing, and this would also allow you to see if anything is asking that IP for this which is somehow being sent on.. I'll run a sniff and post back my findings. Would you run it with the Host address as that of the server (192.168.163.25) or scribe.logs.roku.com? @johnpoz said in Confusion About Log Entry: I see queries for that scribe.roku.com on my network all the time - but they all come from my rokus - but there could be some sort of software that also does queries for that?? There is some sort of roku app that can run on windows 10 for example, not sure if just a remote - but something like that could be doing the queries. The weird part is that I have no blocked queries whatsoever in pfblocker reports on the roku vlan (192.168.168.xxx) for scribe.logs.roku.com. All dns requests on my system for scribe.logs.roku.com are showing as coming from the server. Resolver is listening for queries on All networks, so I would think if the roku was sending them out they would be blocked too. There is a roku app installed on a tablet but that is on a completely different vlan (192.168.160.1/24) than what we have discussed and which is also isolated from the LAN and the roku vlan. I would find it hard to believe that the server has a rogue app on it as the only things installed on it are Word, Excel, a pdf reader and a CRM. It's running a pretty stripped down Microsoft Server 2012 and not a bloated OS like Windows 10 Home. Thanks again for your help! I'll work on sniffing around tomorrow and will let you know what I find.
  • Can't access webGUI

    0 Votes | 12 Posts | 3k Views
    stephenw10
    Ah, that would do it!
  • 0 Votes | 28 Posts | 3k Views
    johnpoz
    @sergei_shablovsky What exactly are the rule(s) they enabled? Because I still do not get what the issue is here. When asked if they also disabled the anti-lockout you stated no. It is not possible to block your lan network from accessing the gui with the anti-lockout rule there - that is the whole point of it!! Sure you can block internet access, and you could block dns doing that - but access to the pfsense lan IP on the gui or ssh port would still be allowed by the anti-lockout.. [image: 1636982261256-firstrule.jpg]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.