• PFSense Behind BW320 with Static IPs

    0 Votes
    12 Posts
    2k Views
    NollipfSense
    @pkeogan said in PFSense Behind BW320 with Static IPs: I would like to use my PFSense server to hand out the public IPs, @pkeogan May I suggest that you take a look at the HaProxy package...
  • How to make an IP address use a different gateway? Help

    0 Votes
    23 Posts
    3k Views
    stephenw10
    Not really if you don't have any traffic shaping. 200Mbps is above what you would see if there was a link speed/duplex mismatch. You should check Status > Interfaces for errors though. Steve
  • Wireguard poor throughput.

    0 Votes
    20 Posts
    3k Views
    stephenw10
    Run top -HaSP on it during the test and see what's actually happening. I'm betting one core will be pegged at 100%.
  • Newbie - can't get two subnets to access each other

    0 Votes
    13 Posts
    2k Views
    D
    @stephenw10 Hi stephenw10 and johnpoz, I changed the NAT mapping protocol to "any", and now I can access the Wifi router from LAN net. Yay, it's working. Thanks so much!
  • DNS forwarding per VLAN

    0 Votes
    6 Posts
    815 Views
    johnpoz
    @michmoor I have not had time to test lately - but if unbound uses a shared cache you cannot do this. Now it might be possible with views to do something like this - but last I checked you could not specifically do view forwarders, and I don't think it creates a different cache per view. Now pretty sure bind can do this, as it creates different caches per view if not mistaken. If you want to do something like this your local dns has to create separate caches, or you run into a problem with an unfiltered client looking up host.xyz.com and it getting locally cached, and then a filtered client asking for host.xyz.com and getting returned the cached value vs it looking up via some filtering forwarded dns that would return blocked. And the reverse happening where blocked gets cached, and then someone that is supposed to be unfiltered getting back the blocked cache. The most reliable way to do this would be to use 2 different dns, that both have the same local data.. Where ns1 you run is unfiltered and ns2 you run is filtered. And you point your clients to the specific ns depending on if you want them filtered or not filtered. Now you might be able to do something new in unbound; there have been some changes of late and they did add rpz policies, etc. I just do not have any need or desire to do this currently.. And of the mindset if worth filtering - worth filtering for all. So haven't played with if this is now possible in an easy to do way. edit: Looks like steve mentioned using unbound and dnsmasq on pfsense - yeah that could work for sure.
  • Hetzner Root Server > ESXi > PFSense > /29 Subnet

    0 Votes
    15 Posts
    3k Views
    B
    @ashton324 Yes, just like you said. I'm sending you a picture. 64.96/29 is my subnet.
  • pfsense site-to-site vti tunnel with 1:1 NAT for conflicting subnets

    0 Votes
    2 Posts
    555 Views
    stephenw10
    NATing on the VTI tunnels is one of the noted restrictions: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routed-vti.html#vpn-ipsec-vti-firewall You can only do that by applying it to the assigned interfaces and you can only do that by switching the IPSec filter mode which means you can no longer use policy based IPSec tunnels. You could just add an OpenVPN server at site2 and connect to it directly? Steve
  • Interfaces left over after playing with LAGGs

    0 Votes
    5 Posts
    673 Views
    NogBadTheBad
    Ah:- https://docs.netgate.com/pfsense/en/latest/recipes/migrate-assigned-lan-to-lagg.html "Do not edit the existing tags and change the parent interface, it will cause problems with the interface assignments. Always create new tags, switch the assignments, then remove the old tags."
  • Sharevdi Mini PC - transfers between VLANs

    0 Votes
    5 Posts
    996 Views
    O
    Without ntopng, darkstat and bandwidthd is much better. See the screenshot below. I'll run a few more tests. Thank you for your help!
  • DHCP Pool IPs Left

    0 Votes
    5 Posts
    771 Views
    johnpoz
    @penguinpages well just bump up this mask to something larger so you can have more IPs on this network. Normally going from say /24 to /23 or /22 is really low impact. Only statics set on the devices would have to be touched. Only issue might be if you have other vlans that bump up right next to the ip range. Yeah if you're only allowing for 50 ips in the pool that could be limiting. That number at the bottom would be leases in the pool; static reservations are set outside the pool so those shouldn't be listed. It shows you the active pool size you have set there as well with the start and end of the pool address.
  • Internet Speed

    0 Votes
    2 Posts
    340 Views
    R
    @haidymikhail There are many causes (bad cables, failing NICs, WiFi testing, bad switch configs) that are outside of the software and then a few inside (proxies, intrusion detection). What are the drivers for the NICs? Model of NIC? Are you connecting through switching hardware? The more detail you have to provide the more likely someone can help point you in the right direction.
  • NTP Serial GPS not working in 2.6.0-RELEASE

    0 Votes
    8 Posts
    970 Views
    stephenw10
    It might be 9600bps. Or it might have reverted to defaults causing the problem? The port is a real serial port so it will be cuau0 or cuau1. The upper case U implies a USB connected serial port. Steve
  • Automatic Configuration Backup, overwriting 'manual backups'

    0 Votes
    1 Posts
    212 Views
    No one has replied
  • The best way to get news on new stable releases

    0 Votes
    5 Posts
    1k Views
    luckman212
    @dominikhoffmann I'm late to the thread but you could use my script to have your pfSense notify you when updates are available to the base as well as any installed packages. https://forum.netgate.com/topic/137707/auto-update-check-checks-for-updates-to-base-system-packages-and-sends-email-alerts
  • pfSense Sporadic unable to get to internet.

    0 Votes
    16 Posts
    2k Views
    P
    Thanks all for your help. I just wanted to come back and things seem to now be resolved due to the above steps. Fingers crossed it stays that way. Hopefully some other newb will find this useful in the future.
  • Stupid Freshports question...

    0 Votes
    3 Posts
    723 Views
    stephenw10
    Yup, see: https://docs.netgate.com/pfsense/en/latest/recipes/freebsd-pkg-repo.html pkg uses the pfSense repo by default. Be aware of the issues that can happen by installing FreeBSD packages but using individual packages directly is generally safer as it won't pull in incompatible dependencies. Steve
  • [Zone : Pf frag entries] PF frag entries limit reached

    0 Votes
    4 Posts
    1k Views
    Derelict
    It not only indicates lots of fragments, it indicates lots of fragments that were not fully reassembled and disposed of in a timely manner, so they continued to occupy a fragmentation entry slot until there were no more available. As has been said, the best course of action is to find the reason for the excessive/faulty fragmentation and fix it.
  • OpenVPN - Network Segment - Firewall Rule

    0 Votes
    3 Posts
    618 Views
    stephenw10
    You need a firewall rule to pass traffic from VPN clients coming in over the tunnel. That either has to be on the OpenVPN tab on the firewall rules page or the assigned interface tab if you have assigned the OpenVPN server as an interface. Be aware that the OpenVPN tab acts as an interface group that includes all OpenVPN servers and clients. If you have assigned an OpenVPN interface you usually want the rules on the assigned interface tab and not on the group openvpn tab. Steve
  • Picture widget is not working

    0 Votes
    15 Posts
    1k Views
    johnpoz
    @dmytrokoren glad you got it sorted.. You would almost never have to do a fresh install - unless something is crazy wrong that you can not even get to pfsense or something. Or other times it can be a time saver vs tracking down the actual issue causing the problem.
  • ssl issue - no gui

    0 Votes
    4 Posts
    606 Views
    johnpoz
    @koby-peleg-hen well you do you - but I never got why anyone would ever do this.. Did you get it free - if so I could attempt to use one of their certs. Looks like not, single domain 78$ for six years. For starters I don't ever see using an actual public domain on my pfsense gui. I own multiple domains, don't use any of them internally.. Pointless to do so.. I use local.lan - but at some point will switch over to home.arpa for local domain. But if you did want to use public - why not just use a free ACME cert? So did you create the CSR and have them sign it? How exactly did you go about getting the cert and key.. Without some actual details, it's going to be impossible to help figure out what is wrong. What does the log say? You can setup pfsense to allow both http and https access - so even if the gui doesn't like the cert for some reason, the gui should be available just over http so you can see the log, etc.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.