@csfshore As this doesn't appear pervasive, it must be something in my config. (Which is vanilla, honest 😊 )

When new release 21.09 is out, I will take it down to the bare metal and reinstall, unless I can figure out anything from the logs.

Anything is possible with the right script. 😉

But as you right pointed out there are security implications to that.

You might consider using URL aliases which are already setup to pull lists from remote servers.
https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html#url-aliases

Have a look here for some ideas:
https://docs.netgate.com/pfsense/en/latest/backup/remote-backup.html#alternate-remote-backup-techniques

Steve

@stephenw10

As shared on another thread: Here is a series of screenshots that might help you help me.
https://www.dropbox.com/sh/zbcxeaujmmfo4xf/AADDmYE3XDL2uZdbG62Ihayfa?dl=0

This might help resolve also this situation when I LOOSE my connection over wifi after a while. :/

See: https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html

Steve

For future reference - could of spotted this problem right away by looking on the sniff when reply traffic went out the wan. Validating the mac address on the outgoing traffic.

Unlikely, it's just forwarding in and out between two directly connected subnets.

Some MTU mismatch could cause that sort of problem.

Steve

I'm not aware of anything that would do that in a driver or the tools. It seems like it would have to be something in ESXi.
I would try an e1000 NIC there if you have not already though.

Steve

Yeah, I would start out with some basic shaping here using PRIQ. Put RDP and VoIP as high priority and everything else low. Start out as simple as you can, it's easy to end up with something far too complex for traffic shaping.

Steve

Yes I would still reinstall from there but if you are trouble-shooting that I'd run:

That will show you whatever issue is preventing it see updates.

Steve

@stephenw10 I had them bridged, but missed removing DHCP from the first interface. I redid the config with DHCP on the bridge and it works fine now. Thanks!

@stephenw10 said in Comm Error Packages Section:

Do you have that installed only on the Primary perhaps?
Why are you running 2.5.2-RC and not Release?

Are you actually running different versions on each node? That will break sync for good reason.

Steve

Yes, the ix ports are generally not compatible with SFP-RJ45 modules.
We have seen some reports of modules working but if do it's by luck only! The SoC NICs cannot read the module data.

Steve

Not easily. Not via the normal interfaces assign dialogue certainly.

I would probably generate a basic config file and import it for this. Or just assign one of the 1G NICs as WAN initially so you can access it and create the LAGG in the GUI vefore deploying it.

Steve

Yes, that's correct. LAN side clients should be using the pfSense LAN IP as their gateway.

pfSense should only have one gateway itself though in a simple setup like that. If it has more that one (probably wrong) it might be choosing the wrong one. Setting the default gateway to WAN_DHCP does not hurt in any case.

Steve

Yes, exactly. You could allow access only to an alias containing a list of known MS IPs.

Then block access to everything else on port 80 and 443. Or just on all ports if you need to.

You can probably use either a URL alias or via pfBlocker to create that alias and update it automatically.
Something like this: https://forum.netgate.com/topic/137691/office365-ip-list

Steve

Right, so in the 3rd table you are using pfSense as one side of the iperf test directly. That will always give a bad result.

Snort was blocking something and the block expired? Check the alerts.

Something else caused it to reboot? Check the uptime.

Review the system logs.

Steve

@tboston

I believe that distinction is relevant only where powers of 2 are used, such as memory size. I don't believe that applies to data rates, which have always been in powers of 10. It's been that way for as long as I've been in the telecom business, almost 50 years. I certainly have never heard of bandwidth expressed in numbers based on binary.

What is the modem? What speed does it normally link at?

What type of interfaces are those?

I assume you've tried swapping the cable?

Can you test putting a switch between the WAN and the modem?

Steve

Yeah it's this: https://www.freebsd.org/cgi/man.cgi?query=pf.conf#TRAFFIC%09NORMALIZATION
Though there no more info there.

I've never seen it cause a problem.

Steve

If you're restoring it in ACB it just uses whatever the configured password is and will fail with that error if it doesn't match.

Steve

John many thanks for that will check that out when free!
Enjoy your day!

Technically you could do it by running pfSense as a virtual machine in Windows using hyper-V or VBox etc. But pfSense is a complete operating system, it cannot run as an application on your desktop. It expects to be running on it's own dedicated hardware but running virtualised can also work.

Steve

@stephenw10
Hello, Thank you for reply.

Q: Are you able to resolve any address?
A: I tryed under diagnostics/ dns lookup, it takes 60 seconds or more to resolve.

Q: Is Unbound running? (Status > Services)
A: Yes, it is running.

I figure out that i have 2 addresses in general setup dns, one is our remote AD / DNS Server, the second DNS was 8.8.8.8
I tryed to ping our AD DNS server without success so i changed it to 8.8.8.8 and 1.1.1.1 in general setup than switched from DNS Resolver to DNS Forwarder after that it worked.
The AD DNS IP i set under DHCP Server IP with 8.8.8.8 too.
Thank you for the help.

Dennis from Netgate on Reddit stated that they are shooting for the end of this year.

@techpro2004 said in Plus for 3rd party hardware:

I am wondering about when plus for 3rd party hardware will be released. Thanks.

Thanks, @stephenw10
Maximum Table Entries made no difference, as you expected. I will try pfBlocker right now.

Ok so you did mean 'update' not 'backup'.

What version did you update from?

What method are you using for the backup?

Steve

If you are running an OpenVPN server in pfSense (VPN > OpenVPN > Servers) you do not need to change anything in pfSense. Traffic to it will be forwarded from the external router and it will accept it.
What needs to change is how the remote side is connecting to it. If it's not using an FQDN that you can update via DNS it will need to have the new public IP entered directly.

Steve

@stephenw10

yes when i keep 115200 its working now

before it was on 9600 by default

thank you very much..

If you need external clients to connect to the server you would need rules on the WAN to allow that.
Rules on the VLAN would allow the server to connect out.

That is assuming you have not assigned the bridge as WAN, for example, which is something you could do but probably just complicates things.

Steve

@aryeduino said in Building a pFSense Hardware with Internal modem to replace current modem-router:

Can I use the NIC 4 ports and the RJ45 connection that I have on the motherboard together?

Yes.

Since you already have a Proxmox host you should just use that for file sharing and keep the firewall separate.

If you can it's better to have the PPPoE session on pfSense itself so that the public IP is on the interface.

Steve

@stephenw10 Got the WAN port working, everything is great now. I had to disconnect the old router from the ONT (I had been doing that previously and I'm certain that was not part of my original problem, which you have helped me solve).

Thank you!

@overlord

If some PHP scripting is an option, see here for an example :
Auto update check, checks for updates to base system + packages and sends email alerts .

Thanks. I believe the issues you are seeing are largely due to pfBlocker which updates the pfSense configuration system (and hence triggers a backup) on a very frequent basis. I have increased the capacity of the server to the highest reasonable value which may help a little.

A couple of years ago a mechanism was introduced to allow pfBlocker to bypass the backup system, but so far it has not found much employment. I plan to contact the developer as well as a member of our own development team to see if we can can some movement there.

In addition, some filtering has been added to pfSense to help alleviate the situation. You should see that in the next release.

@steveits good tips, thank you!

Just a quick note that I'm using 2.5.2-RELEASE which is FreeBSD 12.2

In order too get tux and mosh to work I had to copy both en_US.UTF-8 and C.UTF-8 from the 12.2 base into /usr/share/locale since LC_CTYPE is a link.

Nice. If you need to use the 2nd WAN change the subnet the upstream router is using.

Steve

Unlikely to make much difference IMO. For a test it doesn't really matter anyway.

Steve

@johnpoz said in advice on physical layout plans for new PFSsense router setup:

stephenw10 dude - bet you beer that is spammer.. Look at his other posts.

Just his question made me wonder if he's serious. Physical layout? Really?