• Poor performance over IPsec but not Internet

    15
    0 Votes
    15 Posts
    2k Views
    stephenw10S
@michmoor said in Poor performance over IPsec but not Internet:
        I can only assume home residential broadband providers do this
    I wish I could say it's limited to that. You might find it's not at either ISP directly but in some device that happens to be in the route between them. It's not that uncommon to find routers that don't pass ESP at all or, worse, only pass it in one direction! The tunnel establishes using udp/500 traffic but cannot pass data at Phase2. Those are always fun. Steve
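    An added example (not from the thread or from pfSense) of turning the symptom Steve describes, IKE completing on udp/500 while ESP never makes it back, into a check you can run against a traffic tally. The flow tuples are constructed by hand in the shape (src, dst, ip_proto, sport, dport, packets); in practice you would fill them from `tcpdump -ni <wan> 'esp or udp port 500 or udp port 4500'` or from pf state output. Nothing here touches a live interface.

```python
"""Spot a one-way (or missing) ESP path from a flow summary.

Added example, not code from the original post. Input is a constructed list
of flow tuples (src, dst, ip_proto, sport, dport, packets); nothing here
reads a live interface or a real pcap.
"""
UDP, ESP = 17, 50
IKE_PORTS = {500, 4500}   # IKE, and NAT-T (UDP-encapsulated ESP) on 4500


def classify(flows, local, peer):
    """Return (verdict, ike_counts, esp_counts) for traffic between local and peer."""
    ike = {"out": 0, "in": 0}
    esp = {"out": 0, "in": 0}
    for src, dst, proto, sport, dport, pkts in flows:
        if src == local and dst == peer:
            direction = "out"
        elif src == peer and dst == local:
            direction = "in"
        else:
            continue  # unrelated traffic, ignore
        if proto == UDP and (sport in IKE_PORTS or dport in IKE_PORTS):
            ike[direction] += pkts
        elif proto == ESP:
            esp[direction] += pkts

    if not (ike["out"] and ike["in"]):
        verdict = "ike-not-exchanged"       # tunnel never negotiates at all
    elif esp["out"] and esp["in"]:
        verdict = "esp-both-ways"           # Phase 2 data flows normally
    elif esp["out"]:
        verdict = "esp-outbound-only"       # we send ESP, nothing comes back
    elif esp["in"]:
        verdict = "esp-inbound-only"        # peer's ESP arrives, ours is dropped on the path
    else:
        verdict = "esp-none"                # IKE fine, ESP blocked in both directions
    return verdict, ike, esp


# Constructed sample: IKE completes in both directions, our ESP leaves,
# but no ESP from the peer ever arrives (the case described in the thread).
LOCAL, PEER = "203.0.113.10", "198.51.100.20"
SAMPLE_FLOWS = [
    (LOCAL, PEER, UDP, 500, 500, 6),
    (PEER, LOCAL, UDP, 500, 500, 6),
    (LOCAL, PEER, ESP, None, None, 1420),
    ("192.0.2.99", LOCAL, UDP, 53, 53, 3),   # unrelated, must be ignored
]

# Constructed healthy sample for comparison.
HEALTHY_FLOWS = SAMPLE_FLOWS + [(PEER, LOCAL, ESP, None, None, 1390)]

if __name__ == "__main__":
    print(classify(SAMPLE_FLOWS, LOCAL, PEER))
    print(classify(HEALTHY_FLOWS, LOCAL, PEER))
```

    An "esp-outbound-only" or "esp-inbound-only" verdict with IKE counts in both directions is the fingerprint of a router on the path that passes protocol 50 in one direction only; the IKE exchange succeeding is what makes it look like the tunnel is up.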
  • PHP Error Backup

    3
    0 Votes
    3 Posts
    584 Views
    stephenw10S
512MiB (536870912B) is the total allowed size PHP can use. It exhausted that when it tried to allocate an extra 928636928 bytes (885MiB). So something is doing something it should not there, because that can never succeed. The Backup package trying to back up something far too large, I would suggest. Steve
  • SWAP USAGE 100%

    10
    0 Votes
    10 Posts
    3k Views
    P
@viragomann Thank you, after applying the new version it works fine.
  • CE 2.6.0 boot stuck at Synchronizing user settings...

    8
    1 Votes
    8 Posts
    1k Views
    GertjanG
@capitanblack said in CE 2.6.0 boot stuck at Synchronizing user settings...:
        besides fixing the LDAP server asap.
    "unstuck" is the same as "no access" in this case. That's the next best situation, as this is related to security. See it as a credit card: if you lose your PIN, there is no 'plan B'.
  • 0 Votes
    5 Posts
    1k Views
    beerguzzleB
    While this system of keeping an active list of a company's netblocks works great -- beware. It can suck up memory and result in "cannot allocate memory" errors. Example: building a list for Apple (AS6185) will give you a large list of small netblocks in 17.x.x.x. However, "whois 17.0.0.0" shows that 17.0.0.0/8 is a direct allocation to Apple, so specifying a network alias with a /8 takes a lot less memory. Google is even worse with 7400+ IPv4 netblocks from the whois ASN output.
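    An added example (not the poster's tooling, and it does not query whois or BGP data) of the reduction beerguzzle describes: collapse an ASN-derived prefix list, and if a single direct allocation covers all of it, load just that one prefix into the alias. PREFIXES is a constructed list standing in for the output of an ASN lookup, and PARENT stands in for the /8 a "whois 17.0.0.0" lookup would show.

```python
"""Shrink an ASN-derived netblock list before it becomes a firewall alias.

Added example for the post above, not the poster's own code. PREFIXES and
PARENT are constructed inputs; nothing here queries whois.
"""
import ipaddress


def aggregate(prefixes):
    """Merge duplicates and adjacent blocks; returns sorted CIDR strings.

    IPv4 and IPv6 are collapsed separately because collapse_addresses()
    refuses a mixed-family list.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    out = []
    for version in (4, 6):
        family = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(family))
    return out


def split_by_parent(prefixes, parent):
    """Return (inside, outside): blocks covered by parent, and the rest."""
    parent = ipaddress.ip_network(parent)
    inside, outside = [], []
    for p in prefixes:
        n = ipaddress.ip_network(p, strict=False)
        if n.version == parent.version and n.subnet_of(parent):
            inside.append(str(n))
        else:
            outside.append(str(n))
    return inside, outside


def alias_entries(prefixes, parent=None):
    """Smallest entry list that still covers everything in prefixes.

    With a parent allocation that covers every block, one table entry
    replaces the whole list; anything outside the parent is kept, and
    everything is aggregated so adjacent blocks merge.
    """
    if parent is None:
        return aggregate(prefixes)
    inside, outside = split_by_parent(prefixes, parent)
    if not outside:
        return [str(ipaddress.ip_network(parent))]
    return aggregate([parent] + outside)


# Constructed sample: small, partly adjacent, partly duplicated blocks
# inside one direct /8 allocation.
PREFIXES = [
    "17.0.0.0/21", "17.0.8.0/21", "17.0.0.0/21",
    "17.16.0.0/16", "17.17.0.0/16",
    "17.128.0.0/9",
]
PARENT = "17.0.0.0/8"

if __name__ == "__main__":
    print(len(PREFIXES), "raw ->", len(aggregate(PREFIXES)), "aggregated ->",
          len(alias_entries(PREFIXES, PARENT)), "with parent")
    print(alias_entries(PREFIXES, PARENT))
```

    The check before trusting the parent is the one the post implies: confirm with whois that the parent really is a direct allocation to the organisation, since a /8 that also contains someone else's space would over-match.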
  • pfSense Email notification

    17
    0 Votes
    17 Posts
    5k Views
    P
    @steveits You are correct that my original post was referring to Google's May 30, 2022 deadline turning off third party app support. I think perhaps I read more into this than I should - but we'll know for sure in about 6 weeks. In the meantime - I have set up 2FA and set up an App password for pfSense. Notification is all working well for now. Thanks to all for their advice. I do wish pfSense provided a little more control of which notifications to send, but that is a different topic.
  • VMware Log Insight Content Pack

    1
    0 Votes
    1 Posts
    282 Views
    No one has replied
  • Not your average "internet speed" problem...

    33
    0 Votes
    33 Posts
    3k Views
    GertjanG
@panja said in Not your average "internet speed" problem...:
        options do I have...
    One: you deal with what you have, and you make it work for you!! To rephrase what I said above: it might work, as it was sold to you with the idea that it would work. I've been using Realteks half my life and wasn't really bothered with them. I did have several NICs in advance, as they just don't 'live' very long. These days, I always disable built-in NICs, and add a quad-port Intel-branded NIC in systems. When I buy material, I always check what the used hardware is. The price, shape and colour details come next.
  • Scripted method to install/update certificate

    3
    0 Votes
    3 Posts
    491 Views
    D
@stephenw10 you're right. I've checked this plugin deeper and it seems it supports additional DNS plugins, which work perfectly! Thanks.
  • cannot access pfsense 2.6.0 web interface

    13
    0 Votes
    13 Posts
    2k Views
    VioletDragonV
@gertjan Only thing in the error.log under /var/log/nginx is from 2020:
    2020/07/31 12:48:14 [crit] 4493#100471: *102827 SSL_write() failed (13: Permission denied) while processing HTTP/2 connection, client: 192.168.1.9, server: 0.0.0.0:4430
    2020/08/26 15:32:03 [crit] 8968#100454: *25803 SSL_write() failed (13: Permission denied) while processing HTTP/2 connection, client: 192.168.1.9, server: 0.0.0.0:10443
    2020/09/08 04:19:59 [error] 4127#100429: *20842 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.1.9, server: , request: "POST /acme/acme_certificates.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "violetdragon.ddns.net:10443", referrer: "https://violetdragon.ddns.net:10443/acme/acme_certificates.php"
  • Help connecting a second pfsense router From switch to WAN

    10
    0 Votes
    10 Posts
    918 Views
    D
@stephenw10 Oh for sure, haha. I'll be doing a ton of stuff as I learn more. Love it. Thanks again!
  • Alias by mac address?

    8
    0 Votes
    8 Posts
    6k Views
    stephenw10S
    Just block everything coming via the same router.
  • e6000sw tick kproc

    4
    0 Votes
    4 Posts
    674 Views
    stephenw10S
Yes, ~5% is typical usage:
    [22.01-RELEASE][admin@7100.stevew.lan]/root: top -aSH
    last pid: 66887;  load averages:  0.16,  0.16,  0.08    up 0+00:03:03  12:54:54
    579 threads:   5 running, 547 sleeping, 27 waiting
    CPU:  0.0% user,  0.0% nice,  1.8% system,  0.0% interrupt, 98.2% idle
    Mem: 99M Active, 62M Inact, 398M Wired, 7302M Free
    ARC: 175M Total, 30M MFU, 142M MRU, 32K Anon, 597K Header, 2248K Other
         48M Compressed, 125M Uncompressed, 2.61:1 Ratio
    Swap: 1024M Total, 1024M Free

      PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
       11 root        155 ki31     0B    64K CPU0     0   2:53  99.77% [idle{idle: cpu0}]
       11 root        155 ki31     0B    64K CPU2     2   2:54  99.73% [idle{idle: cpu2}]
       11 root        155 ki31     0B    64K CPU3     3   3:00  98.26% [idle{idle: cpu3}]
       11 root        155 ki31     0B    64K RUN      1   3:04  93.52% [idle{idle: cpu1}]
        8 root        -16    -     0B    16K e6000s   1   0:11   6.37% [e6000sw tick kproc]
    65687 root         20    0    14M  4668K CPU1     1   0:00   0.16% top -aSH
    The process polls the switch IC for the port status once a second. It does so using the MDIO bus via ix2 but that process is slow in the ix driver so it ends up using significant CPU time. The same process in the 2100 or 3100 is faster via the mvneta driver so it appears to use less CPU time there. Steve
  • This topic is deleted!

    1
    0 Votes
    1 Posts
    12 Views
    No one has replied
  • Unable to save smtp password if tested first

    2
    0 Votes
    2 Posts
    364 Views
    stephenw10S
Mmm, this is not a regression, it's always behaved like that, as noted here: https://forum.netgate.com/post/111569 As it says there: 'The last SAVED values will be used, not necessarily the values entered here.' After you test, the values shown are not those you just tested with, so saving afterwards can replace them with bad values. I agree though it could be clearer. Steve
  • Reconfigure of pfSense upstream appliance

    4
    0 Votes
    4 Posts
    582 Views
    stephenw10S
That looks like you have a VPN from pfSense to the AWS VPC? AWS uses APIPA addresses for the VPN tunnel subnet to route across, so that may be expected. If you can make connections from AWS to the local DB server then it probably has a route back in order to reply. Unless the outbound NAT you added was on the internal pfSense interface. In that case the traffic from AWS appears to be local so it can reply, but it can never open connections the other way. If you need to do that then you need to fix the routing issue rather than masking it with OBN. Almost certainly the DB server has a bad or missing default route. Steve
  • 2.6.0 clean install & config restore fails <SOLVED>

    Moved
    6
    1 Votes
    6 Posts
    958 Views
    E
@jimp not just to @manicmoose, it happened to me today when reinstalling a 2.6 box in order to get the new ZFS layout.
    Steps to reproduce:
    1. a 2.6 box (VM on ESXi) with older ZFS layout, upgraded since 2.4 series
    2. install 2.6 over it, choose to recover the old config (note there are no keys in /etc/ssh after the installer finishes)
    3. after first and subsequent boots, the sshd keys are not regenerating, and clicking "Start" on the SSH service yields nothing. Only starting from CLI reveals the issue (missing keys).
    Regen via CLI (almost instant):
    cd /etc/ssh
    ssh-keygen -N '' -t rsa -f ssh_host_rsa_key
    ssh-keygen -N '' -t ed25519 -f ssh_host_ed25519_key
    adapted from here fixes it.
  • Block all site except exchange online mail

    4
    0 Votes
    4 Posts
    520 Views
    stephenw10S
    See: https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#exchange-online You can just use the json list directly in pfBlocker-ng to get a list of IPs for office365, including Exchange, and it will be auto updated. It doesn't include IPv6 yet. [image: 1649853872141-screenshot-from-2022-04-13-13-43-37.png] Steve
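    An added example (not the page's, Microsoft's or pfBlocker-ng's code) of what "use the json list directly" amounts to when you do it yourself: parse the Microsoft 365 endpoints feed, keep only the Exchange entries, and emit one prefix per line for an alias or list file, IPv4 and IPv6 separately. SAMPLE_JSON is a constructed document in the shape of the published feed (a list of objects with serviceArea, urls, ips, tcpPorts, category, required); the real feed is fetched from Microsoft's endpoint web service, which this script does not call. URL-only entries, which have no "ips" key, are skipped rather than crashing the run.

```python
"""Turn the Microsoft 365 endpoints JSON into per-family alias lists.

Added example, not the page's or pfBlocker-ng's own code. SAMPLE_JSON is a
constructed document in the documented shape of the feed; no network access.
"""
import ipaddress
import json

SAMPLE_JSON = """[
  {"id": 1, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
   "urls": ["outlook.office.com", "outlook.office365.com"],
   "ips": ["13.107.6.152/31", "13.107.18.10/31", "40.96.0.0/13", "2603:1006::/40"],
   "tcpPorts": "80,443", "expressRoute": true, "category": "Optimize", "required": true},
  {"id": 2, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
   "urls": ["*.outlook.office.com"],
   "ips": ["40.104.0.0/15", "40.96.0.0/13"],
   "tcpPorts": "443", "expressRoute": true, "category": "Allow", "required": true},
  {"id": 3, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
   "urls": ["*.protection.outlook.com"],
   "tcpPorts": "443", "expressRoute": false, "category": "Default", "required": true},
  {"id": 4, "serviceArea": "SharePoint", "serviceAreaDisplayName": "SharePoint Online and OneDrive",
   "urls": ["*.sharepoint.com"], "ips": ["13.107.136.0/22"],
   "tcpPorts": "80,443", "expressRoute": true, "category": "Optimize", "required": true}
]"""


def extract_ranges(doc, service_area="Exchange", required_only=True):
    """Return (ipv4, ipv6) lists of collapsed CIDR strings for one service area.

    Duplicates across entries (40.96.0.0/13 appears twice above) are merged,
    and entries without an "ips" key (URL-only endpoints) are skipped.
    """
    v4, v6 = [], []
    for entry in json.loads(doc):
        if entry.get("serviceArea") != service_area:
            continue
        if required_only and not entry.get("required", False):
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            (v4 if net.version == 4 else v6).append(net)
    return ([str(n) for n in ipaddress.collapse_addresses(v4)],
            [str(n) for n in ipaddress.collapse_addresses(v6)])


def alias_text(nets):
    """One prefix per line: the format a file-backed alias or list takes."""
    return "".join(n + "\n" for n in nets)


if __name__ == "__main__":
    ipv4, ipv6 = extract_ranges(SAMPLE_JSON)
    print(alias_text(ipv4))
    print(alias_text(ipv6))
```

    Keeping the two families in separate lists matches the point made above that the IPv6 side is not picked up yet: you can load the IPv4 file now and decide separately what to do with the v6 prefixes.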
  • 2009 MacMini - occasional crashes after logging in

    2
    0 Votes
    2 Posts
    274 Views
    stephenw10S
@pfnuevo said in 2009 MacMini - occasional crashes after logging in:
        I suspect the 70Mbps throughput is enough to max the 2 core CPU?
    Very unlikely, 70Mbps is nothing for anything remotely recent. What CPU is in that? USB Ethernet devices are notoriously unreliable in FreeBSD/pfSense. It should never disconnect like that. I would use VLANs on the nfe NIC instead if you can. As long as your WAN connection is <1G you likely won't see any speed reduction and it will be waaaaay more reliable. Steve
  • ZenArmor(Sensei) on PFSENSE?

    1
    0 Votes
    1 Posts
    498 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.