Yeah, that's exactly what those Range Extenders do; hide all the connected clients behind their own MAC address. The first time I saw that I could hardly believe it was real. It's ugly as hell and best avoided if at all possible! Steve

@jsingh04 said in Static wan IP stops working after a power cycle: it shows a name resolution error Then you have a DNS problem. When you set the WAN as DHCP it probably pulls some external DNS servers that the firewall itself can use if it's own DNS resolver is not working. When you look at you system log you will note that initially the date/time is wrong. The boot log shows there is an RTC present but it seems to be incorrect. Probably the battery needs replacing. When you boot it with a static IP set after a power cycle the clock will be wrong and that leads to a scenario where Unbound fails to start because it's cert is invalid or it see results as invalid because DNSsec is enabled (by default). That means ntpd cannot resolve any external servers and the time cannot be updated. So do one (or more) of: Fix the RTC battery. Add at least one external DNS server when you use a static WAN. Disable DNSSec in Unbound. Add a local NTP server that can be reached by IP address. Steve

@bmeeks rgr that and thank you for the info. I did go ahead with the full reinstall just to be sure, but being able to reset is good option and thank you for the reply.

@bmeeks pfSense is showing me it's using igb (igb0, igb1, igb7). Here is the offloading: [image: 1658444243197-offloading.png] Is there a specific Intel based NIC card that you would recommend that doesn't have any issues with pfSense? Just wondering.

Yeah, since the re-write of many drivers to use the iflib framework the loading appears differently. So 2.6 and higher. That loading level is not necessarily any sort of issue. It depends how much traffic it was passing at that point and when the CPU is. Steve

The webgui listens on all the firewall IPs. How do you have the host override configured? Steve

Ah, no sorry, not for a block!

@sergei_shablovsky I agree with Sergei, I hope we see pfs on freebsd 13 soon. I use frontier fiber and freebsd 13 resolves the issue of the wan interface not being able to grab an ip from dhcp because frontier and all the other telco's tag their transmission with vlan 0.

Just an update on this, I purchased a new intel NIC and the connection has been solid ever since, no dropped packets, no wan down. For anyone else reading, the updated realtek drivers helped a little, but it took a day before the dropouts slowed (no idea why). It also helped when I moved my realtek nic from WAN to LAN. The ultimate fix appears to be as @bmeeks suggested "change out the Realtek NIC for an Intel variety"

[image: 1658399452499-c83e9ff0-9081-4795-bb5b-00682d637599-image.png]

@johnpoz Thanks for helping

@viragomann thanks so much and sorry for missing that previous post.

@creation2 https://search.brave.com/search?q=Freescale+T1042+CPU No. See above - it's the same family.

@droidus said in Snort Inline IPS Speeds: @bmeeks It is the Protectli FW4B - 4 Port Intel J3160. I have 8 GB RAM total. That hardware should easily do much better than the 10/10 you said you are seeing. I can already guess your next question, but sorry, "no, I have no idea why you are not seeing better performance" ... . That slow throughput is certainly not the case with many other users here on similar types of hardware in terms of capability. You will likely never get line-rate Gigabit traffic inspection with Snort unless you have a screaming fast CPU, but you should get better than 200 Mbps with most hardware.

@marcosm They are not totally separate. It is physically impossible to turn off the the VPN service in the OpenVPN area unless you delete the VPN interface in the interface area. I was told this was done to prevent unwanted behavior but I was suggesting that it be changed to where disabling the interface is all that is needed to be able to turn off the OpenVPN.

@stephenw10 The problem seems to have disappeared, only change done was is pfBlockerNG set the DNSBL Mode to Python Mod. After the change no more errors with Autoconfig Backup. Thanks for you support.

@deanfourie Yes.

@stephenw10 If I can apply further information, I'd be happy to help

@treestomp said in Monitor Outbound DNS requests: does DoH/DoT still have an effect or it's encrypted to the VPN anyway? Nearly all traffic is already TLS these days, so VPN "to protect your data" is not needed. The exception is of course classic DNS traffic. DoH is more a DNS generated by the end user client's application : even your router, pfSense, can't "see" it. pfBlockerNG can only block it, if it's a known DoH endpoint server.