• Use of bridge and span interface for traffic analysis

    9
    0 Votes
    9 Posts
    1k Views
    D
    @stephenw10 said in Use of bridge and span interface for traffic analysis: You might be better off spanning the ports in Proxmox though. I've never tried that. You wouldn't see the traffic inside PPPoE of course. I can see it on the PVE host with tcpdump -i vmbr1 -U -s0 -w - pppoes. But whether it's straightforward to see it with an attached network analysis guest, I have not tried yet.
  • Hetzner /29 Ip Routing

    4
    0 Votes
    4 Posts
    641 Views
    stephenw10
    Cool. Maybe note it in the other ticket for others to read if it's fixed. Steve
  • pfSense kicking off LAN device for trying to download from usenet.

    6
    0 Votes
    6 Posts
    878 Views
    stephenw10
    @ssmsti said in pfSense kicking off LAN device for trying to download from usenet.: I can't get an IP address assigned to the server after that and the server says that the network cable is unplugged. Any chance you have a loop on the bridge and stp is disconnecting it? If that port is in a bridge how is the bridge configured? The bridge interface is assigned as LAN? Check the output at the command line of ifconfig -vma. Does pfSense also show the link as down? If so that will be logged and may include a reason for it. Steve
  • WAN data for VLAN after firewall

    2
    0 Votes
    2 Posts
    413 Views
    stephenw10
    If you add logging to the pass rule(s) on the VLAN then you can see the states opened in the firewall logs by filtering on that interface. Steve
  • pfSense 22.1 ZFS - Boot Environment not showing

    Moved
    3
    0 Votes
    3 Posts
    448 Views
    C
    @bigsy Thanks; I completely missed that! thank you.
  • PFSense Behind BW320 with Static IPs

    12
    0 Votes
    12 Posts
    2k Views
    NollipfSense
    @pkeogan said in PFSense Behind BW320 with Static IPs: I would like to use my PFSense server to handout the public IPs, @pkeogan May I suggest that you take a look at the HaProxy package...
  • How to make a Ip address use a different gateway? Help

    23
    0 Votes
    23 Posts
    3k Views
    stephenw10
    Not really if you don't have any traffic shaping. 200Mbps is above what you would see if there was a link speed/duplex mismatch. You should check Status > Interfaces for errors though. Steve
  • Wireguard poor throughput.

    20
    0 Votes
    20 Posts
    3k Views
    stephenw10
    Run top -HaSP on it during the test and see what's actually happening. I'm betting one core will be pegged at 100%.
  • Newbie - can't get two subnets to access each other

    13
    0 Votes
    13 Posts
    2k Views
    D
    @stephenw10 Hi stephenw10 and johnpoz, I changed the NAT mapping protocol to "any", and now I can access the Wifi router from LAN net. Yay, it's working. Thanks so much!
  • DNS forwarding per VLAN

    6
    0 Votes
    6 Posts
    817 Views
    johnpoz
    @michmoor I have not had time to test lately - but if unbound uses a shared cache you cannot do this. Now it might be possible with views to do something like this - but last I checked you could not specifically do view forwarders, and I don't think it creates a different cache per view. Now pretty sure bind can do this, as it creates different caches if not mistaken per view. If you want to do something like this your local dns has to create separate caches, or you run into a problem with unfiltered looking up host.xyz.com and it getting locally cached, and then filtered client asking for host.xyz.com and get returned the cached value vs it looking up via some filtering forwarded dns that would return blocked. And the reverse happening where blocked gets cached, and then someone that is supposed to be unfiltered getting back the blocked cache. The most reliable way to do this would be to use 2 different dns, that both have same local data. Where ns1 you run is unfiltered and ns2 you run is filtered. And you point your clients to the specific ns depending if you want them filtered or not filtered. Now you might be able to do something new in unbound there have been some changes of late and they did add rpz policies, etc. I just do not have any need or desire to do this currently. And of the mindset if worth filtering - worth filtering for all. So haven't played with if this is now possible in an easy to do way. edit: Looks like Steve mentioned using unbound and dnsmasq on pfsense - yeah that could work for sure.
  • Hetzner Root Server > ESXi > PFSense > /29 Subnet

    15
    0 Votes
    15 Posts
    3k Views
    B
    @ashton324 Yes, just like you said. I'm sending you a picture. 64.96/29 is my subnet. [image: ouymqyq.jpg] [image: fvi3uus.jpg]
  • pfsense site-to-site vti tunnel with 1:1 NAT for conflicting subnets

    2
    0 Votes
    2 Posts
    556 Views
    stephenw10
    NATing on the VTI tunnels is one of the noted restrictions: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routed-vti.html#vpn-ipsec-vti-firewall You can only do that by applying it to the assigned interfaces and you can only do that by switching the IPSec filter mode which means you can no longer use policy based IPSec tunnels. You could just add an OpenVPN server at site2 and connect to it directly? Steve
  • Interfaces left over after playing with LAGGs

    5
    0 Votes
    5 Posts
    674 Views
    NogBadTheBad
    Ah:- https://docs.netgate.com/pfsense/en/latest/recipes/migrate-assigned-lan-to-lagg.html "Do not edit the existing tags and change the parent interface, it will cause problems with the interface assignments. Always create new tags, switch the assignments, then remove the old tags."
  • Sharevdi Mini PC - transfers between VLANs

    5
    0 Votes
    5 Posts
    998 Views
    O
    Without topng, darkstat and bandwidthd is much better. See the screenshot below. I'll run a few more tests. Thank you for your help! [image: 1654060805787-02.png]
  • DHCP Pool IPs Left

    5
    0 Votes
    5 Posts
    775 Views
    johnpoz
    @penguinpages well just bump up this mask to something larger so you can have more IPs on this network. Normally going from, say, /24 to /23 or /22 is really low impact. Only static set on the devices would have to be touched. Only issue might be if you have other vlans that bump up right next to the ip range. Yeah if you're only allowing for 50 ips in the pool that could be limiting. That number at the bottom would be leases in the pool, static reservations are set outside the pool so those shouldn't be listed. It shows you the active pool size you have set there as well with the start and end of the pool address.
  • Internet Speed

    2
    0 Votes
    2 Posts
    340 Views
    R
    @haidymikhail There are many causes (bad cables, failing NICs, WiFi testing, bad switch configs) that are outside of the software and then a few inside (proxies, intrusion detection). What are the drivers for the NICs? Model of NIC? Are you connecting through switching hardware? The more detail you have to provide the more likely someone can help point you in the right direction.
  • NTP Serial GPS not working in 2.6.0-RELEASE

    8
    0 Votes
    8 Posts
    971 Views
    stephenw10
    It might be 9600bps. Or it might have reverted to defaults causing the problem? The port is a real serial port so it will be cuau0 or cuau1. The upper case U implies a USB connected serial port. Steve
  • Automatic Configuration Backup, overwriting 'manual backups'

    1
    0 Votes
    1 Posts
    212 Views
    No one has replied
  • The best way to get news on new stabile releases

    5
    0 Votes
    5 Posts
    1k Views
    luckman212
    @dominikhoffmann I'm late to the thread but you could use my script to have your pfSense notify you when updates are available to the base as well as any installed packages. https://forum.netgate.com/topic/137707/auto-update-check-checks-for-updates-to-base-system-packages-and-sends-email-alerts
  • pfSense Sporadic unable to get to internet.

    16
    0 Votes
    16 Posts
    2k Views
    P
    Thanks all for your help. I just wanted to come back and things seem to now be resolved due to the above steps. Fingers crossed it stays that way. Hopefully some other newb will find this useful in the future.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.