• pfSense older versions for regression testing / bug hunting

    4
    0 Votes
    4 Posts
    422 Views
    G
    Thanks for the responses. Taking to search I found this http://linorg.usp.br/pfsense/downloads/ Hopefully not spyware-ransomware embedded, but I am only using it in a closed off lab so should be OK. Now that I think about it - not providing older versions (for sake of regression testing like I'm doing) really puts users at more risk if they are forced to go elsewhere for older versions. It's a bit of an own goal if you ask me, but is what it is. I'll take my chances, and try and remember to offline store the installation ISOs and checksums from now on. I never expected I'd be regression testing this product, but then again, I didn't expect pfSense to have such a dire FRR OSPF bug (which OPNsense doesn't have... but it has other issues so not keen to turf all my config out the window just yet!).
  • How do I stop pfSense's SSH identity from changing?

    5
    0 Votes
    5 Posts
    654 Views
    senseivitaS
    Ugh! If only I had checked back my email. I found that only until today, well… I found that the system is mounted read-only, fixable (not that is broken) with mount -uw /. I thought it was like a FreeBSD jail thing. It's never not amazing the simplicity with which UNIX-like systems solve problems while others just pile bloat on top. On other hand though, attempting to break my system, 'cause that's what I'll do, I ran into another of these: [image: 1600251379167-screen_shot_2020-09-16_at_03_55_18.png] Another disappeared key. Does it mean I have to install it through the GUI too? I guess we'll see; I just pushed another copy and I'll let proof here even if I'm only talking to myself to come back to it later. [image: 1600252842844-screen-shot-2020-09-16-at-04.19.54.png] 🧩
  • I need some help with pfSense and dual WAN set-up

    18
    0 Votes
    18 Posts
    1k Views
    N
    @enigma27 You can just disable it at your workstation. You won't have any issues until you are either behind cgn or not assigned an ipv4 address
  • Speed issues with Pfsense.

    2
    0 Votes
    2 Posts
    319 Views
    stephenw10S
    Running the speedtest CLI test on pfSense itself is not an accurate test. What throughput do you see from the laptop connected to the pfSense LAN? An i5-4570 should have no problems at all passing 1Gbps. Steve
  • 2.45_p1 Upgrade - Kernel panic on boot when 2nd WAN plugged in

    11
    0 Votes
    11 Posts
    858 Views
    stephenw10S
    Hmm, odd. And it does that with the same crash when you boot with WAN2 connected? What if you boot with the NIC connected but not actually connected to the WAN2 modem? That might determine if it's a hardware/driver issue or a network stack problem. I could see pfsync being either. Steve
  • Pfsense pop3 connection fail

    2
    0 Votes
    2 Posts
    473 Views
    stephenw10S
    So you are connecting from a client behind the firewall to a public pop3 server and sometimes it fails? Are you running any packages that might be blocking it like Snort/Suricata? Do you see anything blocked in the logs? Check the state table when it fails for traffic to the server. Ultimately run a packet capture for that traffic to check it's leaving the WAN and what's coming back. Steve
  • Pfsense slowing down WAN connection

    15
    0 Votes
    15 Posts
    4k Views
    O
    Go to Interfaces > WAN, General Configuration, Speed and Duplex: Autoselect, and that solves the problem.
  • pfSense connecting to wifi acting as a repeater.

    4
    0 Votes
    4 Posts
    578 Views
    stephenw10S
    Indeed I can't imagine a way to do it in pfSense unless they have some method of connecting devices that cannot easily enter a password. Like WPS maybe. It's unlikely. Steve
  • 0 Votes
    8 Posts
    925 Views
    stephenw10S
    WAN is usually DHCP when that happens. Conflicting static subnets would not be allowed. Steve
  • server certificate problem

    5
    0 Votes
    5 Posts
    675 Views
    А
    @stephenw10, thank you very much for the direction to the necessary information. According to the documentation on the link, I configured the DNS forwarder properly and rechecked the settings of all hosts. Oh, miracle!!! Some had a DNS server of 8.8.8.8. I fixed it and it worked. Thank you very much for your support!
  • Conditionally poor throughput to linux client behind pfSense

    3
    0 Votes
    3 Posts
    369 Views
    JKnottJ
    @qsystems said in Conditionally poor throughput to linux client behind pfSense: It seems like an issue with the combination of pfSense/Spectrum/and that linux system. How are the cables? Defective cables can cause that sort of problem.
  • Deploying pfsense behind ISP router with double nat

    26
    0 Votes
    26 Posts
    15k Views
    H
    Not necessarily a problem. I would expect the portforwarding rule to only be on inbound traffic , hitting the ISP router. Meaning if you portforward ie. port 80 , it will still allow users on the "inside lan" to browse to the outside internet. It's highly unlikely that they would get a source port of 80 or 443 assigned as outbound port on the ISP router. You are correct here - but I should add the following caveat. I believe most things (like web browsers) assign random ports in the range of 1024 to 65536 or whatever the maximum port number is. (16 bit integer, I don't remember exactly?) So, what I meant to say was this... Surely just directing all traffic with destination port in the range of > 1024 would break other users connections? Consider this example: A computer with address 192.168.0.35 connects to a webserver with return port of 1024. If port 1024 is always forwarded to IP 192.168.0.200 (for example) then the response from the webserver requested from IP 192.168.0.35 will never reach that address... because it will be forwarded to 192.168.0.200. Unless there's a caveat I don't understand here?
  • Tips to manage multiple pfSense installs

    3
    0 Votes
    3 Posts
    1k Views
    bingo600B
    @stephenw10 Thanx Steve I see the use for URL Table aliases, in blocklists etc. But i won't build "core" firewall rules that depends on a web service, on each load. Then i'd rather do the web clicking. But a nice feature i overlooked, if i ever need a huuuge "dynamic" blocklist. /Bingo
  • configure PfSense ftp

    5
    0 Votes
    5 Posts
    717 Views
    T
    @Gertjan said in configure PfSense ftp: @tafovizo said in configure PfSense ftp: Hello. How to configure an exit from the local network (client) to an ftp server on the Internet on PfSense? The default LAN rule handles outgoing FTP just fine, that is a device on LAN using an FTP client, accessing an FTP server on the net. Edit: that is, most FTP servers are hosted on the Internet using a NON RFC1918 IP, and the visiting clients are mostly behind a router like pfSense. Read something like https://www.deskshare.com/resources/articles/ftp-how-to.aspx why you really want to ditch FTP where it belongs: the national museum of ancient technologies. Thank you ;)
  • 10min to boot gui screen on J1900 - how can it be

    12
    0 Votes
    12 Posts
    1k Views
    stephenw10S
    Mmm, I see what you mean. If you disable a static route during run-time then you might expect problems since that route is then removed and would not be re-added until OpenVPN is re-started. But if it's disabled at boot I would not expect it to do anything. Re-opened it to discuss. Steve
  • OpenVPN with UPNP = Double NAT/Strict NAT?

    2
    1 Votes
    2 Posts
    670 Views
    stephenw10S
    You will always see double NAT through OpenVPN unless you have paid to get a public IP which some services offer I believe. UPNP does not pass requests upstream so you cannot open ports on the VPN, it will never appear as open. You need to set static outbound NAT for the xbox both out the WAN and over the VPN. Steve
  • Is this still valid

    3
    0 Votes
    3 Posts
    508 Views
    stephenw10S
    [2.4.5-RELEASE][admin@244dev.stevew.lan]/root: pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/arp-scan-1.9.7.txz
    Fetching arp-scan-1.9.7.txz: 100%  333 KiB 340.8kB/s    00:01
    Installing arp-scan-1.9.7...
    Extracting arp-scan-1.9.7: 100%
    [2.4.5-RELEASE][admin@244dev.stevew.lan]/root: rehash
    [2.4.5-RELEASE][admin@244dev.stevew.lan]/root: arp-scan
    Interface: vtnet0, type: EN10MB, MAC: 9z:86:v8:d6:7b:52, IPv4: 172.21.16.180
    Usage: arp-scan [options] [hosts...]

    Target hosts must be specified on the command line unless the --file option is given, in which case the targets are read from the specified file instead, or the --localnet option is used, in which case the targets are generated from the network interface IP address and netmask.

    You will need to be root, or arp-scan must be SUID root, in order to run arp-scan, because the functions that it uses to read and write packets require root privilege.

    The target hosts can be specified as IP addresses or hostnames. You can also specify the target as IPnetwork/bits (e.g. 192.168.1.0/24) to specify all hosts in the given network (network and broadcast addresses included), or IPstart-IPend (e.g. 192.168.1.3-192.168.1.27) to specify all hosts in the inclusive range, or IPnetwork:NetMask (e.g. 192.168.1.0:255.255.255.0) to specify all hosts in the given network and mask.

    These different options for specifying target hosts may be used both on the command line, and also in the file specified with the --file option.

    use "arp-scan --help" for detailed information on the available options.

    Report bugs or send suggestions at https://github.com/royhills/arp-scan
    See the arp-scan homepage at https://github.com/royhills/arp-scan
  • Last config change in shell

    9
    0 Votes
    9 Posts
    367 Views
    E
    Well this got out of hand pretty fast, haha. At least it was a good learning experience. It's not easy to get memory stats out of this thing! I have not finished editing to make sure everything is perfect and portable but for now this works well on an sg-1100 which is the target system(s). On to the next project!

    #!/usr/bin/env sh
    #The purpose of this script is to collect system information for use with mailreport package.
    #TODO: See notes in comments - rounding memory calculations with bc

    #Variables for searching logs
    datesearchclog="`date '+%b %e'`"
    datesearchpfb="`date '+%m/%d/%y'`"

    #Basic system summary
    cat /etc/platform /etc/version
    echo -n "Last config change: " ; date -r `awk -F '[;:]' '{print $4}' /cf/conf/backup/backup.cache` && awk -F '["]' '{print $4}' /cf/conf/backup/backup.cache
    echo
    echo "SUMMARY - See load avg last 1, 5, and 15 minutes" ; w

    #CPU utilization checking
    #cpuload holds the three load averages; cpuload5 is the integer part of the 5 minute value
    cpuload="`uptime | /usr/bin/sed 's/^.*: //'`"
    cpuload5="`echo $cpuload | awk -F '[. ]' '{print $3}'`"
    if [ "$cpuload5" -gt "1" ]; then
        echo "WARNING! 5 MIN CPU LOAD HIGH:" $cpuload5
        echo "Top CPU"
        ps -auxw | head -1 && ps -auxw | sort -nr -k 3 | head -5
        echo "Top TIME"
        ps -auxw | head -1 && ps -auxw | sort -nr -k 10 | head -5
    fi
    echo

    #MEM information and utilization checking
    #vmstat -ah
    top | head -4 | tail -1
    totalmem="`sysctl -n vm.stats.vm.v_page_count`"
    if [ "$totalmem" -gt "0" ]; then
        inactivemem="`sysctl -n vm.stats.vm.v_inactive_count`"
        cachedmem="`sysctl -n vm.stats.vm.v_cache_count`"
        freemem="`sysctl -n vm.stats.vm.v_free_count`"
        #used pages = total minus (inactive + cached + free); all values are page counts
        usedmem=`echo "$totalmem - ($inactivemem + $cachedmem + $freemem)" | bc`
        memusage=`echo "($usedmem * 100) / $totalmem" | bc` #round with bc?
        physmem=`sysctl -n hw.physmem`
        physmemh=`echo "$physmem / (1024*1024)" | bc` #round with bc?
        echo "Mem:" $memusage"% of" $physmemh"M used."
        if [ "$memusage" -gt "60" ]; then
            echo "WARNING! MEMORY USED HIGH:" $memusage"%"
            echo "Top MEM"
            ps -auxw | head -1 && ps -auxw | sort -nr -k 4 | head -5
        fi
    else
        echo "ERROR READING MEM PAGE COUNT!"
    fi
    echo

    #DISK information and utilization checking
    df -hl / /var/run
    diskused="`df -h / | /usr/bin/tail -n 1 | /usr/bin/awk '{ print $5 }' | /usr/bin/cut -d '%' -f 1`"
    if [ "$diskused" -gt "60" ]; then
        echo "WARNING! PERCENT DISK USED HIGH on /:" $diskused"%"
    fi
    echo

    #LOGS - provides more detail and filtering than mailreport package offers
    echo "Filtered Log Output"
    #tail reads the grep output through the pipe (a bare "&& tail -n 20" would block on stdin)
    [ -f /var/log/pfblockerng/error.log ] && echo "Log output: pfblockerng Errors (pfblockerng/error.log)" && grep -e "$datesearchpfb" /var/log/pfblockerng/error.log | tail -n 20
    echo
    [ -f /var/log/filter.log ] && echo "Log output: Firewall (raw) - Admin Interfaces GUEST (filter.log)" && clog /var/log/filter.log | grep -e "$datesearchclog" | egrep "1566350082" | tail -n 20
    echo
    [ -f /var/log/filter.log ] && echo "Log output: Firewall (raw) - Combined Blocklist (filter.log)" && clog /var/log/filter.log | grep -e "$datesearchclog" | egrep "1597881531|1597881664" | tail -n 20
    echo
    [ -f /var/log/filter.log ] && echo "Log output: Firewall (raw) - GeoIP Regions (filter.log)" && clog /var/log/filter.log | grep -e "$datesearchclog" | egrep "1599316667|1599316737" | tail -n 20
    echo
    [ -f /var/log/gateways.log ] && echo "Log output: Gateway Events (gateways.log)" && clog /var/log/gateways.log | grep -e "$datesearchclog" | tail -n 20
    echo
    [ -f /var/log/ntpd.log ] && echo "Log output: NTP (ntpd.log)" && clog /var/log/ntpd.log | grep -e "$datesearchclog" | tail -n 20
    echo
    [ -f /var/log/routing.log ] && echo "Log output: Routing (routing.log)" && clog /var/log/routing.log | grep -e "$datesearchclog" | tail -n 20
    echo
    [ -f /var/log/system.log ] && echo "Log output: System (system.log)" && clog /var/log/system.log | grep -e "$datesearchclog" | egrep "fail|emerg|alert|crit|err|warn" | tail -n 20
    echo
    [ -f /var/log/watchdogd.log ] && echo "Log output: watchdogd (watchdogd.log)" && clog /var/log/watchdogd.log | grep -e "$datesearchclog" | tail -n 20
    echo
  • Weird Traffic in Status > Monitoring

    8
    0 Votes
    8 Posts
    804 Views
    RicoR
    Yes seeing this in 2.4.5-p1, already tested with 2.5.0.a.20200911.0650 yesterday and it's the exact same. -Rico
  • pFsense - Easyrule

    4
    0 Votes
    4 Posts
    819 Views
    stephenw10S
    Do you mean alias or firewall rule? Using Easyrule like that would normally add a new block firewall rule on LAN. What exactly are you trying to do by doing that? If it's the same IP you should just enable or disable the rule from the GUI. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.