@stephenw10 said in Footprint of Old Box in New Box?: I would also remove the MAC spoofing since that is doing nothing. Okay, will do that also, thanks.

i already was thinking of the SD card... but there was a little hope ;) the new msata ssd is already ordered. and now i'm hopping the SD give its best for the next 2 weeks. these pfsense is over 4h away from my home and i have no time to go there... thanks to all

I updated again without the traffic shaping and all is working ok! I really like the TS to manage my bandwidth! I don't see any improvement on the issues! Will this be solved? Tks

I assume you actually mean how many connections? That depends on the hardware and available WAN bandwidth. There is no artificially imposed limit though. Steve

@captncrypto941 Never set this up. So you don't need any authentication? If not, I think, it should work by selecting DHCP type. Simply give it a try.

Ah, nice! I guess there was some remnant of the static route you added somewhere. I don't see it in the table though. Weird. Everything there looks good to me otherwise. Steve

End-to-end encryption is most definitely diminishing the importance of IDS/IPS. And encrypted payloads can be the source of many false positives. The random encrypted data will occasionally match up with the tested bytes in a rule. There is also the issue of some admins misunderstanding the intent of some rules. For example, there are categories in both Snort and Suricata where the rules are designed to simply detect malformed network traffic. Not all malformed traffic is nefarious. It may just be the result of bad or inexperienced programming on the part of a developer. Some is the result of asymmetrical routing. So rules that detect this type of traffic are really for "information" purposes and do not necessarily belong in the block or drop action list. They usually should be left at ALERT and not elevated to DROP (or block if using Legacy Mode). False positives are the biggest pain with an IDS/IPS. Tracking those down can take a lot of work. In the old days, IDS/IPS was extremely useful. This was especially true when it could peer into the packet payloads. Also, back then, raw traffic rates were typically lower (granted so was CPU horsepower, but you still generally had more CPU power than Internet bandwidth back then). But now looking into payloads is usually not possible unless you use MITM. And 10G Internet traffic can cause even a powerful CPU to sweat bullets when trying to inspect that traffic against several thousand IDS rules.

@nollipfsense After installing NUT and then configuring NUT it all worked after Pfsense was rebooted. The key was to reboot Pfsense. Thanks for the help!!

@zwiebelspaetzle Mobile could be IPv6, could be a different web server entirely as they have multiple IPv4s. https://www.ssllabs.com/ssltest/analyze.html?d=www.podtrac.com&s=44.239.236.149&hideResults=on&latest looks pretty good but does show "Chain issues Incorrect order, Contains anchor". If the client had an issue with that, I would expect it to be a problem regardless of connection...but again could be different web servers.

@nollipfsense great - glad you got it sorted!

@idiotzoo said in Wan failover doesn’t work and bigger problems: Just the WAN failover to do some more testing with. Hello! All of my multi wan failover configs running on 21.05.2 cratered due to this: https://redmine.pfsense.org/issues/11570 I manually reverted this code change from this issue to get it working again. John

In a single WAN setup disabling the monitoring action is an acceptable solution. The gateway monitoring allows you to tune the latency and loss levels to match your WAN though. You should should be able to set levels that are not triggered in normal use but still do trigger if it actually goes down. The ISP supplied gateway does not have to respond to ping at all. And it if does it doesn't have to prioritise it. It's not that unusual to see the gateway drop pings when it's under load but still route traffic just fine. A lot of devices like that would have separate control and data planes and it's the control plane which would usually have to respond to pings to it's own IP. Setting a monitoring IP as some external site also gives you a much better idea of the actual state of your connectivity. Monitoring the gateway wouldn't show an outage at the ISP but upstream of the gateway for example. Steve

Thanks for your answers, very informative.

Thank you! smooth as silk, before restoring config I verified that the order of em0 em4 was associated in the same way and everithing is perfecly working. I only had do install some packages Nicola

polkit is not a part of pfSense, nor is it available in our package repository, either directly or as a dependency. Given that polkit is usually a part of a graphical console environment (think: X.org and similar) that is unlikely to have been installed on a firewall anyhow. That said, similar to the situation with log4j, we can't always control what people pull in manually from third party repositories, so maybe if someone did something really bizarre they might have to manually track down and install an update, but since it didn't come from Netgate, there isn't anything we can do.

You're welcome, glad to be of help.

The method is the same for any PCI-device you want to pass through. In the documentation, which I now suddenly understand, they have command line examples using a graphics card with sound chipset on it. They may show up as separate devices (IOMMU groups) but you might want to pass them both together... hence "All functionality"... Anyway, as you say, now I have a much better solution than renaming devices. Which is actually the way I tried to set it up a long time ago...

It's possible to do that. You have to use policy routing with a load-balanced gateway group setup with both remote side IPs as gateways. However that only works for multiple connections between the sites. For a single file transfer for example it will only use one tunnel. Steve

Yes open a ticket to get the latest reinstall image if you do bot have 21.05.2 already: https://www.netgate.com/tac-support-request We did put in place measure to prevent installing incorrect packages. I know that works in 2.4.5p1 from a clean install since I recently tested trying to break it. If you came from an older version that than though it may be possible. Steve

@stephenw10 Only when saturated. Yes for now, I figured I'd give it some time to see if the issue persists or was a coincidence. ok. If this works, its a decent temporary fix, but in the future I may have multiple IPs that could saturate the upstream.