Persistence FTW! 👍

@michmoor said in Duplicate tracking ID:

Help me understand why igc0 or igc1 comes up in the logs but its called 'LAN' in the or IOT in the config. Why is it using the physical name of the interface instead of the description?

Maybe because you don't have igc1 assigned as an interface dircetly? Only VLANs on it?
Because the rule is for 'not igc0' that includes all interfaces that pf can see including untagged on igc1. The switch is leaking it there.

I still would not expect the same rules ID there though.

Ok, 550 x 2Mbps pipes is greater than the total available bandwidth. So it's possible you're simply seeing an upstream limitation dropping packets at which point pfSense has no control over it.
You might be better off setting a bandwith sharing dynamic Limiter on the interface rather than a hard 2Mb limit per user.

You mean the cron pfSense package?

You can install that from the CLI like:

[23.01-BETA][root@plusdev-3.stevew.lan]/root: pkg install pfSense-pkg-Cron Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. The following 1 package(s) will be affected (of 0 checked): New packages to be INSTALLED: pfSense-pkg-Cron: 0.3.8_3 [pfSense] Number of packages to be installed: 1 8 KiB to be downloaded. Proceed with this action? [y/N]: y [1/1] Fetching pfSense-pkg-Cron-0.3.8_3.pkg: 100% 8 KiB 8.4kB/s 00:01 Checking integrity... done (0 conflicting) [1/1] Installing pfSense-pkg-Cron-0.3.8_3... [1/1] Extracting pfSense-pkg-Cron-0.3.8_3: 100% Saving updated package information... done. Loading package configuration... done. Configuring package components... Loading package instructions... Custom commands... Executing custom_php_resync_config_command()...done. Menu items... done. Writing configuration... done.

Steve

@stephenw10

Oke great.
It is in the pipeline so to speak 👍

Thank you!

thank you for everyone's support

I had what appeared to be this exact issue yesterday. I switched from latest stable (pfSense 2.6) to DEVEL (2.7), and the new NIC seems to be working as expected. I just wanted to share that it is possible to get the I225-V single-port card working.

pfSense version info:
2.7.0-DEVELOPMENT (amd64)
built on Mon Jan 02 06:04:33 UTC 2023
FreeBSD 14.0-CURRENT

Relevant dmesg output:
igc0: <Intel(R) Ethernet Controller I225-V> mem 0xf7a00000-0xf7afffff,0xf7b00000-0xf7b03fff irq 16 at device 0.0 on pci3
igc0: Using 1024 TX descriptors and 1024 RX descriptors
igc0: Using 4 RX queues 4 TX queues
igc0: Using MSI-X interrupts with 5 vectors
igc0: Ethernet address: 88:c9:b3:xx:yy:zz
igc0: netmap queues/slots: TX 4/1024, RX 4/1024

OpenVPN with DCO can use QAT if the hardware is supported.

Really depends what the Fritzbox has enabled by default. Many SOHO style routers have a bunch of things enabled by default that can only make them less secure; UPnP, wifi, samba even!

@jdeloach

http://web.archive.org/web/20210502020725/http://www.shallalist.de/Downloads/shallalist.tar.gz

Use the wayback machine for the website before the shut it off, the last list they had is available in a historical context

Hello @Gertjan, I did test the memory with memtest86+ and it did find issues with the existing RAM. I have installed new RAM in the system and tested it with a "PASS" result.

I will keep monitoring the system to see if the crashes will stop.

Thank you for your help,

@operations said in WhatsApp videocalls on same network, connection really bad:

I have bought a subnet /29 from a different company. So i setup a GRE tunnel and use IP Alias for the /29.
Do you understand what i mean?

I do. I would check the routing though, make sure the GRE tunnel has no become the default gateway for anything unexpected.

Your description of the problem indicates to me that the calls are forced to fall back to some sort of relay mode rather then clients connecting directly. It's unclear what causes that though.
It could be they require static outbound source ports since you didn't have any set. That would be a significant drawback for WhatsApp working behind many firewalls though.

Steve

@mc-amz Just in case anyone stumbles upon this issue. We were able to fix it by adding the setting
"ldap server require strong auth = no"
to our smb.conf file.

@bmeeks
Good to know!

@nicesub said in Pfsense refuses to boot on Hyper-V:

Few more things left to be fixed on it if possible:
It does not know what kernel is installed and when I go to "System update page" it does not know which version is installed. Also I get message there "Unable to check for updates".
In the package manager I cannot see the list of installed packaged as well and I cannot retrieve list of "Available packages".

That's fixed years ago 😊
You need the 2.6.0, not the ancient 2.5.2.

@chrisan I wasn't responding to you nor was I referencing your issue but rather responding to @JKnott's comments.

@optimus-prime
If he has an wifi AP you could connect it to your switch and configure a separate subnet for the guest wifi.

@johnpoz : I was originally using it as a bridge server, but the second side of that bridge server is not connected anymore and everything is on one side now.

I think my best bet at this point is to take a separate computer and a separate switch and connect those to a separate NIC on the Sinology NAS so that I can access the GUI. From there maybe I can rework the network and get it put back together.

To recap, when I installed the Netgate, I basically matched all of the networking. I wanted it all to be the same as it was in the sonic wall. Same, WAN, same, LAN, same port forwards.

Basically, everything worked out except for the NAS.

I crack into it more after the holiday.
Thanks for your response.

@viragomann
I tried it works great
Thank you so much

@nollipfsense that's almost what I was doing anyway, but then that again gets the printer on a different subnet from the PC, which puts the barrier between the UDP communication, which would make the printer not function.

That said, I think I may have figured out that the Canon driver potentially is only using UDP broadcast to initially find the printer if it's IP address is changed or it's a new installation. So, if I assign the printer a static IP on its network, and I temporarily move devices that need to print to it to the same network just for the driver install, then I can move the devices back to other subnets on the overall network and maintain functionality.

I'll have to test this through a few reboots and several days to confirm it does indeed work, that would suffice for now. I may eventually try to figure out which UDP ports I need to relay to get the Canon drivers to work without having to move devices around between the networks, if it becomes more problematic and this workaround doesn't hold.

Just wanted to post an update. Was able to get this unifi AP working on a different subnet by SSHing into the AP and pointing it with setinform to the controller on the other subnet.

@victor-2 said in Cannot ping pfSense:

ASRock A320M-HDV

Don't use the Realtek NIC if you have Intel NICs!
The Driver support is badly.

@furom you could always put in a feature request over at the pfsense redmine

https://redmine.pfsense.org/

edit: not widget but if your on the normal firewall log, you can put in a !WAN for the interface and get all interfaces that are not wan.

@revamp LOL, Well as long as you are aware that Palo Alto, the number 1 security vendor in the world and Pfsense would fail your requirement. I guess Fortigate wouldn’t?

@stephenw10
The ping test could have been after ARP expiration.

Once the network failures were history, I tried switching to VirtIO, but speed was 35M even with offloading disabled. I set it back to Bridged, and got 250M with 4 CPUs. 2 CPUs in Virtualbox gave me over 500M. Not bad, but still ~50%.

Each reboot I would lose connectivity on the i211 LAN and the only way I could get it to work was to switch it promiscuous mode on/off while the VM was running. Crap...

I gave up on Virtualbox and moved it over to Hyper-V with 8 CPUs set. I got 30M, researched, and disabled RSC (even though it was already reported as disabled) via PowerShell with these commands:
netsh int tcp set global rsc=disabled
Get-NetAdapterRsc | Disable-NetAdapterRsc

Then I could get a solid 940M in Hyper-V, AND have the luxury of auto-start after host reboot. (Lessons for anyone reading this)

@nar94k the Google router will need to forward either the OpenVPN ports or all ports to pfSense. pfSense can allow access to the OpenVPN server ports on its WAN, or if you set up a dynamic DNS hostname you can allow that hostname.

@jwt @stephenw10 appreciate your feedback here. Truly do.

@stephenw10 Yeah, I read that but it doesn't really give case scenarios. I appreciate the help.

Yup, see: http://files.pfsense.org/jimp/BEGEMOT-PF-MIB.txt

The phase 2 entry for each device should use the IP address they specify in the 'NAT/BINAT translation' and the real address in the 'Local Network' field.

See: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html#example

You do not need an outbound NAT rule if you can add the route to the OpenVPN tunnel at Site1.

Steve

Ryan, I ordered directly from netgate.
Thanks all.

@spyderturbo007 Part of my job involves monitoring the forums and reddit :D

I have no thoughts on Wireguard, to be honest. I haven't had a chance to really work with it yet -- the one time I did a test deployment I bungled it.

Personally I am not a fan of OVPN. I know it works. But I can just as easily disable a login user for IPSEC RA. IPsec is bullet-proof once you get it going. I also have mine set up as a full-tunnel so all the traffic comes through home/DC and that is really helpful when road warrioring.

But OVPN will work almost anywhere... which is why it's so popular.

Thanks guys.

I normally shutdown properly but had an issue with power loss at home which was pretty regular. I have a UPS but it's just my Unraid that's plugged into that but I'll look at getting my pfSense hooked up to it too maybe. Power cuts were down to my Lava Lamp as it happens which I've now stopped using anyway.

Interesting stuff though.

@bongo-nations
You don’t need a console using only Unifi APs. I setup two U6-Lites in 5 minutes using the Unify Network app from the Apple store on iPhone and iPad. You only need a console to do more than basic setup , which is all I needed. Last week, I upgraded the U6-Lites I used for a year to two U6-Pros since they became available in my area. It took 5 minutes each to setup on the IOS app and they work perfect.

They all work flawlessly with Pfsense 2.6 with no changes once setup using the app. However, if you need more than what’s available in the app, such as VLANs, you need a console. I tested the console on a Mac out of curiosity and setup an AP. After playing around I reset the AP and went back to the app. It’s all surprisingly easy.

A tip which has nothing to do with getting them to work but may help: I recently got 1.2Gig from Comcast and upgraded the modem to S33 and U6-Lites to U6-Pros (I will upgrade my Protecli FW6A and HP 2520-24 switch eventually). But wifi topped about 475-500, the trick was to bump the 5Gz channel width from 40Mhz to 80Mhz in the IOS app and bingo, I got 899 on my iPad Pro 11 connected to one of the U6 Pros. Not bad considering my best wired speed is 937.

@jknott I agree, this opens a can of worms for cyber security, just one website and one wrong web cookie could direct DoH DNS requests to a another server, I just noticed you can disable it in Chrome and on the OS side. I use Squidguard and block a list of DoH domains, many servers are in different countries. I just started looking into this with one.one.one.one and other cloudflare DoH servers.

https://forum.netgate.com/topic/176693/dns-over-443?_=1672162126374

Another post with lists of DoH servers.
Combined DoH servers list if you want to create a block list.

Positive when it is turned off in the OS I do not see any requests on the proxy anymore. So you can block it that way.

1672081401354-combineddohlist.txt

Anyone able to test 23.01beta to see if it still happens there? A lot of changes have gone in there that might prevent this.

Steve

The example on TrueNAS is auto-decrypting the data drives but not the boot drive as see it. So it's probably not directly applicable here.
To do the same with an encrypted boot drive it pretty much has to be in the bootloader I would think.

Maybe moving the config file onto USB would suffice? pfSense would still boot but would be useless without the config. Many years ago m0n0wall had that option. It would require some work in current pfSense.

Steve

@lexxai
Answer by himself.
I do test

dd if=/dev/zero of=/var/db/testets.db bs=1M count=100 dd if=/dev/zero of=/var/log/testets.db bs=1M count=100

Used space only on RAM disk, so ZFS not used.
Question closed.

Screenshot_20221227_015132.png