• Configure PFSense two LAN different private IPs

    0 Votes
    6 Posts
    1k Views
    T
    @jarhead Thanks, missed that.
  • Creating My Own IP4 Deny List Within PFB

    0 Votes
    24 Posts
    2k Views
    johnpoz
    @lpd7 said in Creating My Own IP4 Deny List Within PFB: "find all the numbers associated with a domain?" Can entail some detective work to be sure. For example you have www.domain.com, while easy enough to look up that IP.. And from that IP get the ASN that IP is part of, so any other IPs in that ASN. But what if this company using domain.com also hosts their backend stuff for their services of CDNnetwork, or OtherCompany, etc. etc.. So while you might be able to block some of their front end stuff they host on ASN1, they could be providing their whole software or system using ASN2, and ASNX, etc. The more global and complex a system might be, the harder it can be to block or find all the possible IP blocks being used to host that system on a global scale. Don't forget IPv6 as well - that would be completely different ASNs. And don't forget if you start blocking CDNnetworkX's ASN, you could end up blocking other stuff hosted there that you didn't want to block. If it was me, I would just block on DNS - don't allow clients to use external DNS. Blocking DoH can come with its own headaches, but easier than trying to block a huge list of IPs a service might use, and some of these IP ranges these days are quite often shared with other services you might not want to block.. Most everything these days is hosted on very large CDNs (content delivery networks).. Blocking those can be very problematic when it comes to stuff you want to work now not working. Prob easier to just find the FQDN the client is trying to access to get to said service, and block those via DNS.
  • 22.05 Net problems after upgrading (SG3100)

    Moved
    0 Votes
    12 Posts
    1k Views
    stephenw10
    @michael_samer said in 22.05 Net problems after upgrading (SG3100): "In the 'drop packet/Connection loss' case I get a new IP every time the connection is lost which is very dubious in itself." Hmm, yeah that seems very odd. Like it sees a new MAC. Hard to see how that could be the case though. The NIC link status is logged in the main system log only. So DynFi, in your setup, just runs commands over SSH remotely? Not that then. Steve
  • Suggestion: 6100 and a UDM-SE

    Moved
    0 Votes
    5 Posts
    1k Views
    DefenderLLC
    @keyser The videos I have seen show connecting two pfSense interfaces to the UDM. One to the UDM's WAN port and one to a UDM LAN port to carry the trunked VLANs. It's an interesting concept, but you lose all the netflow data - at least on the UniFi network controller dashboard. Thanks for your suggestion. I'll experiment with it when the 6100 gets here today. I can always run them independently with their own public IPs assigned via DHCP from the AT&T gateway until I figure it out. I am mainly curious to see what others are doing with their UDMs. Thanks again.
  • Gateway Offline -

    0 Votes
    12 Posts
    1k Views
    D
    @stephenw10 Yep, I saw your posts in other questions and I knew the ARP was working, the gateway was working too, but the problem for me was my ISP gave the IP they gave me to someone else and didn't update their sheet of IPs. Everything has been working fine for the past few hours. They are giving me till Friday to verify it works properly.
  • Uptime

    0 Votes
    12 Posts
    1k Views
    johnpoz
    @psp 28 Days 22 Hours 38 Minutes 45 Seconds. Freaking power company had a planned outage that was scheduled for like 4 hours, which is well beyond what my UPS can handle, so had to do a shutdown :( It only ended up being like 2 hours, maybe could have made it through - but didn't want to risk a hard down.. But yeah that killed my uptime, before that it was up since updating to 22.05 when it came out.
  • Enabling wol on a pfsense machine

    0 Votes
    3 Posts
    447 Views
    W
    Thanks for the quick reply, Steve. I will give it a test as soon as the other users have left for the day. William
  • Gateway offline, Packetloss

    0 Votes
    90 Posts
    30k Views
    A
    @stephenw10 I will talk to them about it. Thank you, Sir! Apaar
  • Missing IPv4 Configuration Types

    0 Votes
    8 Posts
    890 Views
    stephenw10
    Yes, but not in the same way. Depending on how the 'modem' is set up you may be able to access it without doing anything since it's now in the traffic path (no PPP encapsulation). However you may need to add an IP Alias VIP in the modem subnet to WAN and add an outbound NAT rule on WAN to catch the specific traffic for the modem and translate it to that VIP. That way the modem has a way to respond to queries coming from inside the firewall. Steve
  • DNS resolver + DNS_PROBE_FINISHED_NXDOMAIN

    0 Votes
    3 Posts
    751 Views
    Gertjan
    @saggittarius [image: 1662969376849-c9b53244-f0ab-4931-8b76-7891a29f30ef-image.png] Who is 10.0.10.1? Is this your pfSense LAN interface? Unbound listens on the LAN interface? It does so by default. LAN interface firewall rules do not block port 53 TCP & UDP?
  • Complete Novice with Netgate 2100

    Moved
    0 Votes
    7 Posts
    828 Views
    V
    Hi Steve, thank you again. The Netgate support have been brilliant and very quick. I set up the Draytek 130, and the Netgate 2100 was set up as PPPoE, and it was very straightforward. Now adding pfBlockerNG to block ads and types of categories.
  • Support of packages

    0 Votes
    13 Posts
    1k Views
    M
    @stephenw10 that's great to hear. Once again thanks for providing good info. Appreciate yah!
  • Pfsense Restore Results in Black Window Upon Boot

    Moved
    0 Votes
    13 Posts
    2k Views
    R
    @stephenw10 Correct, I have seen this multiple times. I had to rebuild the unit, and re-configure OpenVPN on all users. Very annoying. It literally just loads pfsense and text very quickly, then flashes to the black screen. I get it on some 11th Gen and 12th Gen CPU setups. Even if it does work, the interface is laggy like crazy. I will try to video it tomorrow. Thank you.
  • pppoe Server + freeRadius

    0 Votes
    3 Posts
    605 Views
    stephenw10
    Hmm, that's an unusual use case! Can you see the Radius server responding as expected when the quota is exceeded? Steve
  • TRIGKEY G1 mini pc

    0 Votes
    3 Posts
    663 Views
    B
    Thanks! I have pfSense running under a VM on TrueNAS Scale, and it works great. Not the ideal setup. It has plenty of horsepower, disk, & memory on the Scale server (probably WAY overkill). For the price of that little guy I might as well try it out. If it doesn't work out, it goes back. I did find out the NICs are Realtek, and I'll beat it up to see how it performs.
  • RTL8125, Is there a way to enable this option?

    0 Votes
    8 Posts
    3k Views
    stephenw10
    It looks like it's mentioned in two places. One where it's disabled for a list of MAC types:

        if (sc->re_type == MACFG_68 || sc->re_type == MACFG_69 || sc->re_type == MACFG_70 ||
            sc->re_type == MACFG_71 || sc->re_type == MACFG_72 || sc->re_type == MACFG_73 ||
            sc->re_type == MACFG_74) {
                //Disable Giga Lite
                MP_WritePhyUshort(sc, 0x1F, 0x0A42);
                ClearEthPhyBit(sc, 0x14, BIT_9);

    And the other where it's disabled unconditionally in the setup function for the 8125:

        static int
        re_ifmedia_upd_8125(struct ifnet *ifp)
        {
                struct re_softc *sc = ifp->if_softc;
                struct ifmedia *ifm = &sc->media;
                int anar;
                int gbcr;
                int cr2500 = 0;

                if (IFM_TYPE(ifm->ifm_media) != IFM_ETHER)
                        return(EINVAL);

                //Disable Giga Lite
                ClearEthPhyOcpBit(sc, 0xA428, BIT_9);
                ClearEthPhyOcpBit(sc, 0xA5EA, BIT_0);

                cr2500 = MP_RealReadPhyOcpRegWord(sc, 0xA5D4);
                cr2500 &= ~RTK_ADVERTISE_2500FULL;

    Neither has any sort of external config dependency so it doesn't look like you can choose. And it looks like it's always disabled in the 8125. Steve
  • google ldap connection issue

    0 Votes
    7 Posts
    855 Views
    D
    @stephenw10 Oh my God, you're right, I just couldn't see it. On Monday I'll change the port to 636 and I'll update you. Thanks so much for your help. Greetings, Domenico
  • I don't think PLEX is connecting to plex.tv

    0 Votes
    25 Posts
    4k Views
    J
    @johnpoz said in I don't think PLEX is connecting to plex.tv: "If it's in AP mode why would your client be trying to ask it for DNS? You should be asking pfSense for DNS, 10.0.0.2" Well, when you put it that way, it's obvious what's wrong. HA! HA! I feel like I should have caught that. I changed the DNS server setting in Proxmox to the correct IP and everything works as it should. It was a setting that was left from the old router. I actually tried to have those two IPs the other way around when installing pfSense, but ran into issues. I still don't know why this caused playback errors for transcoding, but it all works now. Thanks so much for all the help.
  • Slow PPPoE on WAN

    0 Votes
    2 Posts
    442 Views
    stephenw10
    PPPoE is effectively single threaded so it's probably hitting a single core limit: https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#pppoe-with-multi-queue-nics Though at 5% total that would have to be a lot of cores! What CPU is it? What NICs are you using? Setting net.isr.dispatch to deferred as shown in that doc will help though. Steve
  • Bandwidth problems between sites

    0 Votes
    39 Posts
    5k Views
    stephenw10
    Well, if you can do a test first to make sure it will actually solve the problem, that may be worth it then.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.