  • Get internet on one LAN interface

    29
    0 Votes
    29 Posts
    3k Views

    @johnpoz I only need internet on the WAN (that I have) and Management subnet (don't have), nothing else.

    The rest of the VLANs will only connect to interfaces on the same subnet. They should not connect to other VLANs (that is the point of me using pfsense, and having more VLANs and DHCP per subnet on my network).

  • Switching to pfSense from Sophos UTM

    Moved
    9
    0 Votes
    9 Posts
    1k Views

    I got it working. The system was locking to a MAC. Once I spoofed the old UTM firewall everything just started working. Monitoring is still failing, but I can live with that. What I don't understand is why it refused to allow the new MAC from the pfSense, when I was able to plug in a laptop and a Linksys WRT without needing to spoof the MAC.

    Thanks to everyone here for the quick responses.

  • Select a container not working

    Moved
    1
    0 Votes
    1 Posts
    127 Views
    No one has replied
  • Outbound NAT not working

    2
    0 Votes
    2 Posts
    327 Views

    @tobornimda said in Outbound NAT not working:

    Internet provider gave me a list of IPs from a different pool that will route out of my original gateway. I created a Virtual IP / Other / WAN / Network. Put the IP pool in with /27.

    If these additional IPs are not routed to your primary WAN IP by the ISP, you have to add each single IP out of the /27 subnet as a virtual IP to use it on pfSense.

  • Integrate Memtest86+ v6 into boot

    4
    0 Votes
    4 Posts
    500 Views

    @jknott that's right, but it comes with some Linux distros as a boot menu option, which is rather handy

  • /usr/lib/sys/rcu_bj /usr/lib/sys/rcu_udev

    7
    0 Votes
    7 Posts
    1k Views
    jimp

    In addition to a fresh install, I would consider any secret that touched that firewall to be compromised, including the admin password.

    Make sure you change everything on there. Passwords, VPN keys, anything considered private/secret.

    See this recipe for ideas:

    https://docs.netgate.com/pfsense/en/latest/recipes/changing-credentials.html

  • HAProxy default rule when nothing matches?

    1
    0 Votes
    1 Posts
    117 Views
    No one has replied
  • wpa Enterprise without certificates

    1
    0 Votes
    1 Posts
    188 Views
    No one has replied
  • Optimize MS Teams calls

    7
    1 Votes
    7 Posts
    2k Views

    @steveits
    Thanks! I did some more testing and the CoDel rule seems to work fine. Bufferbloat still gives nice scores.

    So I'll keep it like this and see next week for some real-world tests. Thanks for the fix!

  • Gigabit devices slow over 10GB firewall

    3
    0 Votes
    3 Posts
    613 Views

    @stephenw10

    Thanks for the reply. I forgot to mention I did iPerf tests between 10GB > 1GB nodes and the router - all got full speed. That being said, I think I've found the issue. The MikroTik switch is the problem. I am running it in SwitchOS mode, but when I change to RouterOS everything works as expected. So I'll open a ticket with them. I appreciate the help!

  • Smart TV using pfSense

    20
    0 Votes
    20 Posts
    2k Views
    stephenw10

    If some client was hard coded to use DoH then any local filtering/redirecting would not apply to it. However it would still be routed the same as any other traffic from that host so it should work OK.

    Steve

  • ERROR WHILE UPLOADING ENCRYPTED CONFIGURATION

    1
    0 Votes
    1 Posts
    214 Views
    No one has replied
  • WAN does not renew after reboot

    51
    0 Votes
    51 Posts
    12k Views
    stephenw10

    Please leave feedback on that bug report if it works for you.

  • Slow Speed between subnets in one direction only

    8
    0 Votes
    8 Posts
    1k Views
    johnpoz

    @dstacey147 said in Slow Speed between subnets in one direction only:

    I know that explaining an issue to someone else often makes you realize yourself what you haven't checked

    QFT!!! That is quite often the case for sure!! I see it all the time on troubleshooting calls..

    Laying out the details, and having to go through what you have done - quite often pops something into your head, oh shit I didn't check that or this..

    Glad you got it sorted..

  • Unable to check for updates 22.05 Pls Summarize fix

    2
    0 Votes
    2 Posts
    311 Views
    stephenw10

    Directly replacing that file should only be necessary if you're unable to see any repo branch.

    In most cases you should be able to switch to one of the other branches, an updated pfSense-repos pkg will be pulled, which you will see logged, and that would repopulate the files.

    Steve

  • Gateway not switching back after failover

    13
    0 Votes
    13 Posts
    1k Views
    stephenw10

    As long as the main gateway has come back up any new states would be created via that. So, yes, I would expect it to failback.

  • How to configure pfSense Radius Service as frontend to external LDAP

    2
    0 Votes
    2 Posts
    314 Views
    stephenw10

    I'm not sure we have any specific documentation for that but it should be as simple as configuring the LDAP module, which is included.

    Steve

  • Hourly CPU spikes

    6
    0 Votes
    6 Posts
    715 Views

    @stephenw10 thanks, seems ntopng was heavily spiking a minute ago. I have removed it and will monitor what happens in the next hours.

  • Status / Services page and Service Status widget not real time?

    14
    0 Votes
    14 Posts
    1k Views
    stephenw10

    @cloudless-smart-home said in Status / Services page and Service Status widget not real time?:

    Feature requests / bug reports should be done on redmine?

    It's usually better to ask on the forum first and then open an issue on redmine once you have proven a bug or that a feature doesn't exist.
    Way too many people open bugs on redmine without any real troubleshooting first.

    Steve

  • CGNAT UPnP Issue Advice

    18
    0 Votes
    18 Posts
    2k Views

    @stephenw10 said in CGNAT UPnP Issue Advice:

    Part of what UPnP does is return the external IP to internal hosts that request it. If it doesn't have a valid external IP it can't do that. And if it returned the private IP a lot of services using it would fail.

    But it was an upstream design decision. See: https://redmine.pfsense.org/issues/10398

    Steve

    I'm thinking UPnP is mostly used in home environments, and the largest use case by far, is gaming.

    A setup with an upstream router (ISP provided or not) does in fact work for gaming with other solutions also involving UPnP, like Ubiquiti and most or all consumer wifi-routers etc.
    As I mentioned, it works fine with pfsense as well, IF the upstream router hands out an IP which pfsense recognizes as something from a public IP range.
    Why then can it not simply accept whatever IP is given, as an override alternative? The "old fashioned way" with Hybrid mode (static IP) and port forward of the required ports works fine of course...

    I did some testing with my public IP as an override WAN. Not sure I did it the right way though, just put the IP directly in the field, no alias etc. But games like MW2 (2009) and MW3 can't even log in to Infinity Ward servers, don't even get Strict NAT.
    The UPnP status page shows me the requested ports though, (like 28960 or 3074).

    I also tested with Stun but all I get is STUN: ext interface vtnet0 with IP address 192.168.3.15 is now behind restrictive NAT with public IP address NN.NN.NNN.NN: Port forwarding is now impossible
    That is quite an assumption isn't it, considering that it's a DMZ and clearly works also for pfsense...

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.