You are going to need some sort of tunnel to do that I would thing. Unless everything is using public routable IPs. It probably should be a VPN tunnel. Steve

@jimp in my opinion, this issue warrants an advisory sent to users, and also a note in Known issues. As an idea, I'd also love if advisories could be checked by internet facing boxes (those that can talk to the Netgate servers) and shown in the GUI and pushed via alerts to whatever is configured as alert system (Telegram for example).

@stephenw10 I use Zabbix , and like it. Note The zabbix DB loves to be on a SSD, especially when doing "cleanup tasks". My install (Debian VM) with around 100 monitor points - takes up 20GB diskspace including OS. Here's linux install guide(s) https://www.tecmint.com/install-and-configure-zabbix-monitoring-on-debian-centos-rhel/ https://www.tecmint.com/configure-zabbix-to-send-email-alerts-to-gmail/ https://www.tecmint.com/install-and-configure-zabbix-agents-on-centos-redhat-and-debian/ https://www.tecmint.com/install-zabbix-agent-and-add-windows-host-to-zabbix-monioring/ I used this one , back in time. https://www.tecmint.com/install-zabbix-on-debian-10/

@stephenw10 Yes those to NICs are in a lag configuration, have been for several years at least. I will try your suggestions and see what I can find.

When you only have one interface defined in pfSense (Appliance Mode) the default allow rule and anti-lockout rules apply on that interface. Those allow you access to the webgui. If you add another interface pfSense go to full routing mode where it drops all traffic on WAN and allows traffic on LAN by default. So if you still need to access the webgui via the WAN after doing that be sure to add a manual pass rule on the WAN before adding the second interface. Steve

@magikmark said in pfSense 2.5.2 periodic HUGE lag spikes: https://forum.netgate.com/topic/112527/playing-with-fq_codel-in-2-4/770 Ah, OK. That's not a bug it's a feature. I've never hit that but it looks like you would only ever hit it if trying to re-configure an existing pipe that is actively in use. Steve

@stephenw10 Thank you Steve. I will apply the patch.

Do the packet captures show the traffic following the expected rules? Is there any reason you're still running 2.4.5? Not that I'm aware of anything in 2.5 that would make any difference though. Steve

@stephenw10 Thank you for clearing things up!

Nice result!

@elmo1943 said in vpn router on 2.5.2 pfsense: The modem (pppoe provided) and both pfsense (192.168.20.1) and wrt3200 (192.168.132.1) are connected to tp108 switch (dumb switch) that allows pfsense and wrt3200 to 'share' connection. Ok those are different subnets (probably) so are those the LAN side subnets of each device? What is the pfSense WAN IP address? What is the WRT3200 WAN IP address? I expect those to be in the same subnet and it will be a private subnet because I do not expect your ISP to allow 2 PPPoE connections. Can we see a diagram? Steve

@cxcmax said in Openreach GPON, BT Infinty FTTP moden: will try and not break it now :) Ha. Don't do that. Backup your config that works then try to break it. Learn what breaks it and what works. (and how to restore your config!) Steve

I always used separate interfaces in the past, I'm not sure why I didn't think of doing that with pfsense and that's what I'll be doing. Then I can allow only the ports I want and if someone ever gets in via wifi, they won't get access to much.

Oh, sorry I should have seen that. Yeah .0 is the network address in that subnet, you can't use it directly. Steve

What exactly is the cronjob you see? Is it: 0,15,30,45 * * * * root /etc/rc.filter_configure_sync That is added by have firewall rules with a schedule configured. If it's killing connections every time it loads it may be doing exactly what it's configured to do. Steve

If it's really a hot spare you could configure HA sync to copy the config across whenever there are changes. It would be better to use a fully configured HA pair to avoid any downtime. The SG-1100 is not well suited to that however because of it's switched interfaces. It could still be done though and it would failover in some situations, including manually failing over. Steve

Just did mine (SG-1100). Zero issues, fast restart.

Indeed. Check the rules on LAN for a rule named that. Also check the floating rules tab for anything that might apply to LAN. Steve