• Adding IPv4 address to pppoe0 failed

    11
    0 Votes
    11 Posts
    1k Views
    stephenw10
    The ISP is handing the gateway as a private IP and that's common for a PPPoE link and not normally an issue. I have that here. But, yeah, using a 192.168.x.x address is far more likely to conflict. However, exactly as I also see, that gateway does not respond to ping. You should set the monitor IP to something further upstream like 8.8.8.8 so you get real monitoring data for the link. Steve
  • Upload values in the speed test

    3
    0 Votes
    3 Posts
    577 Views
    L
    @steveits hi thanks for the reply. I tried what you suggested but unfortunately nothing
  • "The following CA/Certificate entries are expiring" message again

    4
    0 Votes
    4 Posts
    1k Views
    M
    @jimp your description fits my case exactly. Thank you very much, this solved my issue. Have a great day, Mauro
  • Is APU1c good for latest versions of pfSense?

    Moved
    6
    0 Votes
    6 Posts
    610 Views
    J
    @rcoleman-netgate said in Is APU1c good for latest versions of pfSense?: @joea IIRC this is what I did on mine last year. . . . Thanks. Just one more step required.
  • Can't get internet from LAN

    Moved
    10
    0 Votes
    10 Posts
    900 Views
    G
    @stephenw10 Thank you, I was not aware of the « Use non-local gateway » option but setting the gateway using the cli instead of the web interface seems to automatically detect whether it’s local or not and now it’s working as expected. Thank you all for your time and the explanations.
  • Slow download, fast upload over internet

    9
    0 Votes
    9 Posts
    945 Views
    stephenw10
    Yep, you would think. Except errors maybe. But worth checking, we've seen weird things like that before.
  • Specifying System ID on non-Netgate Hardware?

    19
    0 Votes
    19 Posts
    2k Views
    stephenw10
    Yeah, it returns 'pfSense' there intentionally. Anything else would be uncontrolled if it's not hardware we know about.
  • Anyone know what this error could mean.

    32
    0 Votes
    32 Posts
    4k Views
    stephenw10
    You can read through the thread where this was initially diagnosed here: https://forum.netgate.com/topic/173923/strange-error-there-were-error-s-loading-the-rules-pfctl-pfctl_rules I doubt anything can be learned at this point since the reported errors from there will always be 'device busy'. As shown there we need to see the truss output leading up to the point where it gets stuck which is the first time pfctl is run for this that were hitting it consistently. Steve
  • [solved] Broken Pipe Error - now running

    7
    0 Votes
    7 Posts
    757 Views
    stephenw10
    Not really unfortunately. None that I'm aware of at least.
  • Blocking certain websites To Certain IPs/Mac address on internal network

    4
    0 Votes
    4 Posts
    652 Views
    stephenw10
    You would probably want to use the DNS blacklist feature in pfBlocker to filter requests made against the resolver in pfSense. By default pfSense will pass its own interface IP to use for DNS via DHCP to clients. You can also force clients to use that rather than something hardcoded: https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html You would then add clients you want to be unfiltered as static dhcp leases and set a different DNS server for them to use. Steve
  • Performance on Hyper-V broken by Microsoft Dec 13 patches?

    19
    0 Votes
    19 Posts
    2k Views
    stephenw10
    @bob-dig said in Performance on Hyper-V broken by Microsoft Dec 13 patches?: @stephenw10 Is this sysctl. in the pfSense GUI in System-Advanced-System Tunables present? I don't see it in 22.05. Not by default but you could add it. It shouldn't be needed because the default values there should be to disable the RSC behaviour. It doesn't appear to be here for some reason. Steve
  • No audio on VOIP calls after calls transferring

    54
    0 Votes
    54 Posts
    10k Views
    M
    @wintok Hi wintok, I have another option for you that may assist you with overcoming your problem. I have just noticed that FreePBX has OpenVPN available. pfSense also has OpenVPN available. Set up a VPN tunnel between FreePBX and pfSense then let your phones communicate with FreePBX over the VPN tunnel. It should then be a matter of traffic rules to get it all working. Here is a link with some instructions. https://wiki.freepbx.org/display/FDT/%5BHow-to%5D+Setup+VPN+between+pfsense+and+FreePBX Cheers
  • pfSense Plus token after reinstall / hard disk error

    3
    0 Votes
    3 Posts
    654 Views
    stephenw10
    Yup re-installing on a new hard drive should not be a problem. As long as the NDI doesn't change you will be able to see the upgrade repo and re-upgrade to Plus. Steve
  • Configure SSHD to use HostCertificate in pfsense?

    4
    0 Votes
    4 Posts
    875 Views
    stephenw10
    Nice! I think I've used it one time previously. It's not a commonly known feature! Steve
  • Help with homelab setup?

    17
    0 Votes
    17 Posts
    2k Views
    J
    @travelmore Technically, but they do share a cable going from switch to pfSense. Other than that cable, it's a completely separate network. I bet it's enabled on that laptop. Yes. That's what I thought you wanted to do from the start. Won't need a new piHole though, you can just use the existing one but if you want another, go for it. So that's why I said to make that network a /30. A /30 gives you 4 addresses, the network address (in your case 192.168.20.0), 2 usable addresses (.1 and .2) and a broadcast address (.3). If you go into the vlan20 interface, change the name, then change the IPv4 Address from a /24 to a /30. Disable the dhcp server. Then set the WAN on the lab pfSense to 192.168.20.2/30 as a static address. That will give you a lab network with its own router. You can keep it at /24 until you're ready to connect the router, or keep it that way forever but there's no need since once the router is connected you'll never use more than 2 addresses.
  • Creating Separate Network for VOIP Traffic

    routing firewall voip
    10
    0 Votes
    10 Posts
    2k Views
    stephenw10
    Yes, you could certainly route between the firewalls. But you need to use a separate transport subnet between the two firewall interfaces and then add gateways and static routes between them. That way you avoid asymmetric routing and can properly filter traffic at both ends. If they have separate ISP uplinks you can also set up each as a failover for the other. Steve
  • pfSense and IPSEC lan to lan: a big doubt about the correct implementation

    83
    0 Votes
    83 Posts
    8k Views
    stephenw10
    Then I would use a Limiter outbound on the IPSec interface at either end. https://docs.netgate.com/pfsense/en/latest/trafficshaper/limiters.html You could also apply that inbound on the source interface if that's known at both ends. Either way it's better to limit at the sending end than receiving. Steve
  • L2TP Server only allowing one VPN at a time

    21
    0 Votes
    21 Posts
    2k Views
    stephenw10
    Is this an L2TP problem? Open a thread in General pfSense Questions if you're unsure. We can always move it. Give as much detail about the problem as you can. Steve
  • openvpn connections block and allow specific rule

    9
    0 Votes
    9 Posts
    958 Views
    R
    @stephenw10 Now it worked, thanks to everyone. The rule was like this, blocking only the origin of the virtual network to which the guy will connect, in this case 40.40.20.0/24. The other OpenVPN server of the company's employees accesses everything normally via VPN. Thanks! [image: 1671070101417-capturar.png]
  • UPS question, not sure where to post this one.

    5
    0 Votes
    5 Posts
    727 Views
    S
    @jbohbot Hmm, yeah, the APC Windows Personal software has like two settings, and the Business software has 700 settings and a bunch of fancy charts to help you figure out the hole you've just dug for yourself. :) After 20 years I still have to look at it to explain it and I always seem to end up ignoring half of what they show to find out what it's actually going to do. I guess we make the best of it with this free package. :) The Business program also has power on delays for runtime and/or % battery charge. The one I was looking at had Kill on Power Fail unchecked so I'll have to check that other places. What does "on powerfail" mean anyway? Right away, after shutdown, etc. Seems like it could have been explained in detail. Eh, I'll stop whining now.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.