• pfSense: Attack from internal IP on service SSH with danger 10.

    0 Votes
    9 Posts
    2k Views
    GertjanG

    @mauro-tridici

    Easiest known solution: only accept really trusted devices on your pfSense LAN.
    From this LAN network, you could connect your own device - that you should trust - and access pfSense. You can even lock down access to just one LAN IP: the one your device will get when it is connected.

    All other users: use another LAN called OPT2. From this OPT2, devices can do what they want, but they should only be able to contact pfSense over port 53, UDP and TCP. Block the rest with destination the pfSense LAN2 IP.
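The OPT2 lockdown described above, written out as an added example (this is not GertjanG's text or pfSense's own generated ruleset). It shows the three rules in pf syntax so the first-match order is visible: pass DNS to the firewall, drop everything else addressed to any firewall address, pass the rest. On pfSense these are entered in the GUI under Firewall > Rules > OPT2, where the alias "This Firewall (self)" stands in for pf's `(self)`; the script only emits the text and syntax-checks it with `pfctl -nf` where that binary exists, because pfSense regenerates the live ruleset on every filter reload. The interface name `igb2` for OPT2 is an assumption. Two caveats a practitioner should know: `(self)` covers the LAN and WAN addresses of pfSense as well, which OPT2 hosts can otherwise route to, and pfSense inserts its own DHCP-server pass rules ahead of user rules, so the block rule does not break DHCP on OPT2 (NTP or ICMP to the firewall would need their own pass rule, if wanted).

```shell
#!/bin/sh
# Added example, not from the forum post: the OPT2 rule set in pf syntax.
# OPT2_IF=igb2 is an assumption; override it for your box.
OPT2_IF="${OPT2_IF:-igb2}"

# Emit the rules in evaluation order (pfSense rules are first match wins).
opt2_rules() {
    cat <<EOF
# 1. The only thing OPT2 hosts may ask of pfSense itself: DNS (the resolver).
pass in quick on $OPT2_IF proto { tcp, udp } from $OPT2_IF:network to (self) port 53
# 2. Anything else addressed to ANY pfSense address is dropped: GUI, SSH,
#    and the LAN/WAN-side addresses of the firewall too.
block in quick on $OPT2_IF from any to (self)
# 3. Whatever remains (internet, other networks) is passed.
pass in quick on $OPT2_IF from $OPT2_IF:network to any
EOF
}

# Syntax-check the emitted text with pfctl when it is present (FreeBSD/pfSense);
# on other systems just confirm the text was produced.
check_rules() {
    tmp=$(mktemp) || return 1
    opt2_rules > "$tmp"
    if command -v pfctl >/dev/null 2>&1; then
        if pfctl -nf "$tmp"; then rc=0; else rc=$?; fi
    else
        rc=0
    fi
    rm -f "$tmp"
    return $rc
}

opt2_rules
check_rules
```

Run it on the firewall to see the text and the `pfctl -nf` verdict; the line order is the whole point, since swapping rules 1 and 2 silently kills DNS for OPT2.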

  • 10 GBit questions

    0 Votes
    25 Posts
    2k Views
    stephenw10S

    Ooo, that's fun.

  • Why go proprietary?

    0 Votes
    13 Posts
    1k Views
    Dobby_D

    @somethig
    Many others will do it in the same way, or am I wrong with that?

    RouterOS, Untangle, ClearOS, Endian, Sophos

  • Restore 2.6.0 config on pfsense+

    Moved
    0 Votes
    5 Posts
    704 Views
    S

    @steveits Logs, but I don't think I checked that particular logfile. I can check my backup for those double entries to see if that were the case.

    In any case, I'm back up and running and about to start the upgrade to + 😬

  • Ghost-like firewall tab (OpenVpn) and how to delete it

    0 Votes
    6 Posts
    669 Views
    L

    Ah I see. Perhaps in my previous setup, the OpenVPN server wasn't assigned to an interface!

    Thanks everyone for the explanation!

  • Configuring IP addresses and subnets

    Moved
    0 Votes
    1 Posts
    186 Views
    No one has replied
  • NTP server running on pfsense is rejecting some peers (NTP clients)

    0 Votes
    11 Posts
    2k Views
    M

    Hello @dobby_,

    thank you for your reply.
    I was able to fix the NTP sync problem detected on some particular "NTP client" devices.
    It was an issue related to the NTP client software. The device vendor's support suggested uninstalling the ntp client and installing chrony.

    Now, everything is working as expected.
    Anyway, I wasn't able to increase the verbosity of the NTP server logs on pfSense 2.6 and I wasn't able to detect the reason for the "reject" issue.

    Have a great day,
    Mauro

  • 0 Votes
    9 Posts
    989 Views
    Dobby_D

    @consistent_plum3631 said:

    I haven't stopped to look at travel routers since I don't have enough budget to buy several devices for this project

    GL-SFT1200 (Opal) secure WLAN router for travelers – AC1200 dual-band Gigabit wireless internet router | IPv6 | USB 2.0 | MU-MIMO | 128 MB RAM | repeater bridge | access point mode

    45 € router
    20 € bag

    As an AP, as a repeater, connects and can be powered from a power bank over USB-C, 3 WAN/LAN ports, WiFi AC, small and able to be carried inside your backpack or a larger pocket!

    @consistent_plum3631 said:

    and the Protectli seemed to me a very good idea because of its versatility,

    It cannot be powered from a power bank, and it is not something I would prefer to carry around the whole day wherever I go! You sit on a lawn in a park and the GL router is able to connect you via WiFi, a USB LTE modem or your smartphone, and can be powered from the laptop or a small power bank. Try this with the Protectli, please.

    @consistent_plum3631 said:

    since I can always end up reusing it for something else,

    You can also reuse that router again. The Protectli is for home use and the GL ones are for travelers or traveling.

    @consistent_plum3631 said:

    besides instead of a proprietary firmware with a simplistic GUI,

    OpenWRT is fine.

    @consistent_plum3631 said:

    I want this project to help me learn about pfSense, VPNs and networks in general.

    You could do more by using pfSense at home and OpenWRT in the wild or outside.

  • 2.6.0 crashdump, possibly wireguard, new DMZ on a USB ethernet

    0 Votes
    5 Posts
    382 Views
    stephenw10S

    Hmm, the fact it saved a crashlog at all shows that the drive didn't fail entirely.

    Using ram disks can be problematic with larger packages like that.

  • Low speed download on Fiber internet

    0 Votes
    11 Posts
    1k Views
    stephenw10S

    You have an internal switch too though I assume? Is that showing 10G?

    Yeah, I would go to Intel NICs if you can.

  • "Corrupt XML" kills 2.60

    0 Votes
    9 Posts
    566 Views
    stephenw10S

    You can search the config for sshdata tags.

  • initial config; won't act like a router

    0 Votes
    7 Posts
    772 Views
    johnpozJ

    @nollipfsense said in initial config; won't act like a router:

    knowing that doesn't make sense.

    Not sure I would say that - it's quite possible to use pfSense as just a router without any firewall. You can either turn off the firewall completely, or just use any/any rules as another method.

    If you're going to use pfSense as just a router downstream of another router, be that your own or the ISP's, you still need to understand that you're not going to talk to the internet via an RFC1918 address. If you don't want pfSense NATing RFC1918 to its WAN address, you would need to make sure that the upstream router that has a public IP does the NATing of your downstream RFC1918 networks if they want to talk to something on the internet.

    internet - routerA - 192.168.1.0/24 - routerB - 192.168.2.0/24

    Let's say you had a transit network of 192.168.1/24 and your downstream routerB had, say, 192.168.2 behind it. In this case, if your downstream router is not going to NAT the 192.168.2.x addresses to whatever IP it has on the 192.168.1 network, then the router connected to the internet would need to NAT both 192.168.1 and 192.168.2 addresses. If pfSense was being used as this edge router, and you set up a downstream network and the routing for these downstream network(s), then it would auto-NAT them to the public internet interface IP, etc., if you had not turned off automatic outbound NAT. Once you create the route to the downstream network(s) and the gateway to get to them, etc., the automatic outbound NAT would add those downstream network(s) to its NATing.

    Normally if you were going to use a downstream router in your network, no, it wouldn't be NATing from RFC1918 to RFC1918, but the edge would need to handle the NATing of RFC1918 to public IP space if you want your RFC1918 networks to talk to the internet.
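What routerA (the edge) needs in johnpoz's topology when routerB does not NAT, as an added example that is not part of the post: the return route to 192.168.2.0/24 and an outbound NAT rule for both RFC1918 networks, written as the FreeBSD `route` command and the pf `nat` rules that pfSense's GUI generates from System > Routing > Static Routes and Firewall > NAT > Outbound. The two addresses beyond the post's diagram are assumptions: routerB's transit-side address 192.168.1.2 and routerA's WAN interface `igb0`. The `needs_edge_nat` check at the end does a real CIDR membership test in POSIX sh, so you can ask "would a packet from this source be translated by the edge, or leak out un-NATed and be dropped upstream?" for any address.

```shell
#!/bin/sh
# Added example, not from the forum post. Assumed values: routerB's transit
# address 192.168.1.2 and routerA's WAN interface igb0.
WAN_IF="${WAN_IF:-igb0}"
TRANSIT_NET="192.168.1.0/24"
DOWNSTREAM_NET="192.168.2.0/24"
ROUTERB_TRANSIT_IP="192.168.1.2"

# Return path: without this route, replies for 192.168.2.x leave routerA via its
# default gateway (the internet) instead of going back to routerB.
edge_static_route() {
    echo "route -n add -net $DOWNSTREAM_NET $ROUTERB_TRANSIT_IP"
}

# Outbound NAT on the edge must cover BOTH private networks. pfSense's automatic
# outbound NAT adds the downstream net by itself once the route/gateway exists;
# this is the equivalent hand-written (hybrid mode) rule pair.
edge_nat_rules() {
    cat <<EOF
nat on $WAN_IF from $TRANSIT_NET to any -> ($WAN_IF)
nat on $WAN_IF from $DOWNSTREAM_NET to any -> ($WAN_IF)
EOF
}

# dotted quad -> 32-bit integer, plain POSIX sh arithmetic
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_net IP CIDR: exit 0 when IP lies inside CIDR
in_net() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# needs_edge_nat IP: is this source covered by the edge's outbound NAT?
needs_edge_nat() {
    for n in $TRANSIT_NET $DOWNSTREAM_NET; do
        in_net "$1" "$n" && return 0
    done
    return 1
}

edge_static_route
edge_nat_rules
for ip in 192.168.2.10 192.168.1.50 10.0.0.5; do
    if needs_edge_nat "$ip"; then
        echo "$ip: translated by the edge"
    else
        echo "$ip: NOT covered, would leave un-NATed"
    fi
done
```

The third sample address, 10.0.0.5, is the case the post warns about: a network that nobody NATs reaches the ISP with a private source and never gets a reply.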

  • LDAPS connection without CA

    0 Votes
    12 Posts
    1k Views
    maxxerM

    @heper thanks for testing. Shame on me, I was running the commands on macOS and not on Linux. Trying on the latter worked, indeed! Damn mac, how much wasted time on this!! Thanks again

  • Importing DHCP config before interface Enabled?

    0 Votes
    4 Posts
    532 Views
    stephenw10S

    Yes, you can certainly break things that way. 😉

    But enabling an interface is a fairly small change and you can copy/paste the line from another interface so the risk is low.

  • APU2 uses 100% CPU while Gigabit Down/Up causing various issues

    0 Votes
    4 Posts
    655 Views
    Dobby_D

    @epiclper

    There are perhaps three things you could try out to gain a bit more throughput. But with 870 MBit/s plus TCP overhead you will normally be reaching the range of 900-something MBit/s, and this with an older 4-core CPU!!!

    First point:
    Install the latest firmware 4.19.0.1 according to this HowTo:
    APU Bios upgrade
    PC Engines APU BIOS depot

    Set up in /boot/loader.conf.local the following entries:

        hint.p4tcc.0.disabled=1
        hint.acpi_throttle.0.disabled=1
        hint.acpi_perf.0.disabled=1

    Now your CPU will no longer be running between 600 MHz and 1000 MHz; it is able to "run" from 1000 MHz to 1400 MHz. You should watch the overall CPU temperature too, please!

    Second point:
    Since pfSense version 2.6 the entire WAN load will be pulled over several queues; if you are not nailed to 1 CPU core usage by using PPPoE, you will benefit from 1 queue = 1 CPU core. That means, in theory, more queues = more throughput. There are three different numbers for the queues as I know it:

        queue amount
        queue length
        queue size

    Third point:
    The mbuf size can be tuned also; not even needed, but also nice to know. If you size them up you could get a gain, from the point of view of throughput.

    A tip from me: if you are installing a fresh pfSense 2.6, please install it and then test it out without any packages installed and configured. Your rules should be in place for sure, but no packages installed, please. So you will see the entire throughput, and you will then also see which packages narrow down the entire speed later! I set up at installation using ZFS and sized up the swap partition to 4 GB; since then I am not using 60%-90% of my onboard soldered RAM, I am using 39% RAM and ~35% swap, so it frees me a bit of RAM for more headspace.

    A side note: each available tuning can solve the problem on its own, but often it is a matter of them working together, and to find out the best option you must perhaps do some more tests in different configurations to get the most out of it for you.
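Applying the three loader hints from the post without ever duplicating a key, as an added example (this is not Dobby_D's text and not a Netgate tool). pfSense regenerates /boot/loader.conf on upgrade but leaves /boot/loader.conf.local alone, so that file accumulates whatever you put in it; a second copy-paste of the same hints leaves two lines per key and makes later edits ambiguous. The `set_loader_hint`/`get_loader_hint`/`apply_apu2_hints` function names and the `LOADER_LOCAL` override are this example's own; the file path is pfSense's real one, and it is only written when you call `apply_apu2_hints` yourself.

```shell
#!/bin/sh
# Added example, not from the forum post. LOADER_LOCAL defaults to the real
# pfSense path; point it at a scratch file to try the functions safely.
LOADER_LOCAL="${LOADER_LOCAL:-/boot/loader.conf.local}"

# regex-escape the dots in a loader key so grep/sed match it literally
esc_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# set_loader_hint KEY VALUE [FILE]: replace an existing KEY=... line or append one.
set_loader_hint() {
    key=$1; val=$2; file=${3:-$LOADER_LOCAL}
    esc=$(esc_key "$key")
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    # drop any existing line for this key (quoted or unquoted value), keep the rest
    grep -v "^$esc=" "$file" > "$tmp" || true
    echo "$key=\"$val\"" >> "$tmp"
    mv "$tmp" "$file"
}

# get_loader_hint KEY [FILE]: print the stored value without quotes (empty if unset).
get_loader_hint() {
    key=$1; file=${2:-$LOADER_LOCAL}
    esc=$(esc_key "$key")
    [ -f "$file" ] || return 1
    sed -n "s/^$esc=\"\{0,1\}\([^\"]*\)\"\{0,1\}$/\1/p" "$file" | tail -n 1
}

# The three hints from the post: stop the APU2's P4TCC/ACPI throttling so the
# cores stay in the 1000-1400 MHz range instead of dropping to 600 MHz.
apply_apu2_hints() {
    file=${1:-$LOADER_LOCAL}
    for h in hint.p4tcc.0.disabled hint.acpi_throttle.0.disabled hint.acpi_perf.0.disabled; do
        set_loader_hint "$h" 1 "$file"
    done
}

# After the reboot: confirm the frequency range the CPU is now allowed to use
# (FreeBSD sysctls; not called here because it only makes sense on the APU itself).
show_cpu_freq() {
    sysctl dev.cpu.0.freq dev.cpu.0.freq_levels
}
```

Usage on the box: source the file, run `apply_apu2_hints`, reboot, then `show_cpu_freq`; running `apply_apu2_hints` again is harmless, which is the property a plain `echo >>` lacks.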

  • hoping for 10Gbps, getting sub 1Gbps speed Xeon E3-1270 v5 3.6GHz

    0 Votes
    37 Posts
    5k Views
    S

    update to this thread:

    I've moved to an Intel X520-DA2 dual port NIC and I'm getting much better performance. I had to do some tuning. But I'm now getting about 7-8Gbps to my ISP's iperf3 server which seems reasonable for 3 hops away.

    I get about the same routing across subnets (VLANs) through pfSense.

    I'm also not processor or thread limited any more.

    At this point, I'll consider that a 'mostly win' - seems like a massive improvement from where I was. Assuming this box stays stable, I'll purchase support from Netgate since this will be my first time not running on Netgate hardware (outside of some VMs).

    Thanks everyone who chimed in here.

  • My Pfsense has crashed

    0 Votes
    12 Posts
    1k Views
    stephenw10S

    Unlikely IMO. Hardware errors are usually more random.

  • pfSense unable to see the internet after restart

    0 Votes
    2 Posts
    283 Views
    stephenw10S

    Did you restart the Starlink box? Is the 2100 pulling an IP address on its WAN?

  • Some times with updates I have to power off….

    0 Votes
    2 Posts
    320 Views
    stephenw10S

    The Realtek driver and loader values should survive across a minor upgrade like that.

    The fact the Intel NICs are lost certainly isn't expected. It sounds like something low level if a power cycle brings them back. When they are lost do you see any errors in the boot log when the driver tries to attach? If they are not detected at all that seems like a PCIe error somewhere.

    Steve

  • TP-Link Deco X60 as AP mode WiFi connections to Internet don't work

    0 Votes
    9 Posts
    2k Views
    stephenw10S

    Hmm, setting that to WAN would have reset the default route. It may have lost its default route somehow. But that would have broken the connection for everything.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.