@billy_c

Thanks for the additional information Billy! It's all helpful.

@johnpoz said in PfSense pretty slow GUI opening FW rule:

@operations said in PfSense pretty slow GUI opening FW rule:

I don't even use PfBlocker

So you don't have any large aliases setup like with all of the internet IP ranges in them?

Nope, couple of aliasses with one to max 6 or 7 IP's.

Other options here might be simpler but Home Assistant cloud is pretty cheap and since there is an pfsense integration that makes all the stats accessible from anywhere without “exposing” direct access to pfsense to the internet. There are other security risks involved with this approach. Just wanted to throw in some other options.

@operations said in Fine tuning PfSense for network with AD:

@stephenw10 yes i have my AD DNS as a forwarder pointed at PfSense atm. Just wanted to check this part.

Then setting the override will allow pfSense to resolve names in AD DNS (e.g. local SMTP).

Private is not necessary.

You can also override the reverse DNS if you have AD DNS set to use/hold the reverse zone. Then it can look up LAN IPs.

@stephenw10 Solved by set in firewall rule( Lan traffic to ExpressVpn) default gateway to ExpressVpn. Thank you for your assistance. Have a good weekend!
Screenshot 2023-03-25 022907.png

Are you trying to connect to the IP address(es) directly? Or using fqdns, which would go via Cloudflare?

Do you see the connections coming in if you run a packet capture or check the state table?

Steve

It's probably possible. You'd need to arrange VLANs shared between the physical and virtual pfSense instances such that all interfaces share a layer 2 connection with each other.

Steve

Hmm, the last thing shown there is a zfs command. If it was unable to write to the drive whatever is accepting connections there could also be unable and eventually fill the buffers causing that queue overflow.
However usually that would also prevent writing the crash report.

Are you able to reproduce this?

Steve

You could also check this by fitering for the public IP you're testing from in the state table (Diag > States). You should see the incoming state on WAN with the NAT applied and an outgoing state on the internal interface the DVR is connected to.

Steve

Thanks: https://redmine.pfsense.org/issues/14176

Mmm, that could be clearer. You might open a docs request with a suggestion: https://redmine.pfsense.org/

You can add a boot delay in /boot/loader.conf.local (create that file) like: autoboot_delay="120"
But you shouldn't have to. That's really only used for problematic WAN side modems.

If the firewall can connect out to remote sites from the cli but LAN clients connot it's probably a firewall rule or NAT issue at that point.

If the firewall can only reach the gateway and nothing beyond it's probably a missing default route. Make the sure the WAN gateway is set as default and not automatic in System > Routing > Gateways.

What do you do to restore access from the LAN when this happens?

Steve

@stephenw10

Yes widget is there and all was working fine.

I rebooted for good measure.

I will add my error to the redmine issue

@jegr

researcher: you have security issue
admin: how so
researcher: when I log in with root and the root password
admin: yes?
researcher: I can run any code I want.
admin: you don't say <rolleyes>

@stephenw10 it shows up as USB adapter with 10/100/1000 speed options.

Anyway i have figure it out. So as I said, I used intergrated NIC for WAN interface and USB to ethernet adapter for LAN interface. First I tried plugging in ethernet cable to my intergrated NIC Intel(r) ethernet connection i219-lm adapter on wich I had 100mbps speed.

I went testing that interface and noticed that intergrated NIC on my laptop was always the same speed (even if I pluged ethernet cable to professional switch - Juniper or just dummy switch). But if I added another USB to Ethernet adapter and pluged this one to my laptop it worked with 1Gbps.
So I went and reinstalled drivers for my laptop NIC, installed all updates and nothing changed.

I went testing on another laptop - same story. I couldnt get 1Gbps speed on integrated NIC and it worked only if I used USB to ethernet adapter for laptop.

Then the last thing that came on my mind was that i changed ethernet cable to 6a category and ... it started working on 1Gbps.

I'll do some more testing and reasearch but for now its working with 1Gbps.

Thanks for help!

I expect to see the WAN set as 81.x.x.115 with gateway 81.x.x.114.

Then you can use 217.x.x.112/29 on an internal interface directly. That could be the LAN but if you want to use one of those public IPs on a server directly you would need to use the /29 on the interface the server is on. If you only have two NICs that could be a VLAN interface.

Steve

@stephenw10 That fixed it. Thank you.

I solved the problem by reinstalling the firewall with version 2.6.0 and reloading an old backup.
But I realized that the package reinstall solution ( pkg upgrade -fy ) solved the log problem but blocked me from accessing the web page.
Thanks.