Help me understand why igc0 or igc1 comes up in the logs but it's called 'LAN' or 'IOT' in the config. Why is it using the physical name of the interface instead of the description?
Maybe because you don't have igc1 assigned as an interface directly? Only VLANs on it?
Because the rule is for 'not igc0' that includes all interfaces that pf can see including untagged on igc1. The switch is leaking it there.
I still would not expect the same rules ID there though.
Ok, 550 x 2Mbps pipes is greater than the total available bandwidth. So it's possible you're simply seeing an upstream limitation dropping packets at which point pfSense has no control over it.
You might be better off setting a bandwidth sharing dynamic Limiter on the interface rather than a hard 2Mb limit per user.
[23.01-BETA][email@example.com]/root: pkg install pfSense-pkg-Cron
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
pfSense-pkg-Cron: 0.3.8_3 [pfSense]
Number of packages to be installed: 1
8 KiB to be downloaded.
Proceed with this action? [y/N]: y
[1/1] Fetching pfSense-pkg-Cron-0.3.8_3.pkg: 100% 8 KiB 8.4kB/s 00:01
Checking integrity... done (0 conflicting)
[1/1] Installing pfSense-pkg-Cron-0.3.8_3...
[1/1] Extracting pfSense-pkg-Cron-0.3.8_3: 100%
Saving updated package information...
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Menu items... done.
Writing configuration... done.
I had what appeared to be this exact issue yesterday. I switched from latest stable (pfSense 2.6) to DEVEL (2.7), and the new NIC seems to be working as expected. I just wanted to share that it is possible to get the I225-V single-port card working.
pfSense version info:
built on Mon Jan 02 06:04:33 UTC 2023
Relevant dmesg output:
igc0: <Intel(R) Ethernet Controller I225-V> mem 0xf7a00000-0xf7afffff,0xf7b00000-0xf7b03fff irq 16 at device 0.0 on pci3
igc0: Using 1024 TX descriptors and 1024 RX descriptors
igc0: Using 4 RX queues 4 TX queues
igc0: Using MSI-X interrupts with 5 vectors
igc0: Ethernet address: 88:c9:b3:xx:yy:zz
igc0: netmap queues/slots: TX 4/1024, RX 4/1024
I have bought a subnet /29 from a different company. So I set up a GRE tunnel and use IP Alias for the /29.
Do you understand what I mean?
I do. I would check the routing though, make sure the GRE tunnel has not become the default gateway for anything unexpected.
Your description of the problem indicates to me that the calls are forced to fall back to some sort of relay mode rather than clients connecting directly. It's unclear what causes that though.
It could be they require static outbound source ports since you didn't have any set. That would be a significant drawback for WhatsApp working behind many firewalls though.
Few more things left to be fixed on it if possible:
It does not know what kernel is installed and when I go to "System update page" it does not know which version is installed. Also I get the message there "Unable to check for updates".
In the package manager I cannot see the list of installed packages as well and I cannot retrieve the list of "Available packages".
That was fixed years ago 😊
You need the 2.6.0, not the ancient 2.5.2.
@johnpoz : I was originally using it as a bridge server, but the second side of that bridge server is not connected anymore and everything is on one side now.
I think my best bet at this point is to take a separate computer and a separate switch and connect those to a separate NIC on the Synology NAS so that I can access the GUI. From there maybe I can rework the network and get it put back together.
To recap, when I installed the Netgate, I basically matched all of the networking. I wanted it all to be the same as it was in the SonicWall. Same WAN, same LAN, same port forwards.
Basically, everything worked out except for the NAS.
I'll crack into it more after the holiday.
Thanks for your response.
@nollipfsense that's almost what I was doing anyway, but then that again gets the printer on a different subnet from the PC, which puts the barrier between the UDP communication, which would make the printer not function.
That said, I think I may have figured out that the Canon driver potentially is only using UDP broadcast to initially find the printer if its IP address is changed or it's a new installation. So, if I assign the printer a static IP on its network, and I temporarily move devices that need to print to it to the same network just for the driver install, then I can move the devices back to other subnets on the overall network and maintain functionality.
I'll have to test this through a few reboots and several days to confirm it does indeed work, but that would suffice for now. I may eventually try to figure out which UDP ports I need to relay to get the Canon drivers to work without having to move devices around between the networks, if it becomes more problematic and this workaround doesn't hold.
The ping test could have been after ARP expiration.
Once the network failures were history, I tried switching to VirtIO, but speed was 35M even with offloading disabled. I set it back to Bridged, and got 250M with 4 CPUs. 2 CPUs in Virtualbox gave me over 500M. Not bad, but still ~50%.
Each reboot I would lose connectivity on the i211 LAN and the only way I could get it to work was to switch its promiscuous mode on/off while the VM was running. Crap...
I gave up on Virtualbox and moved it over to Hyper-V with 8 CPUs set. I got 30M, researched, and disabled RSC (even though it was already reported as disabled) via PowerShell with these commands:
netsh int tcp set global rsc=disabled
Get-NetAdapterRsc | Disable-NetAdapterRsc
Then I could get a solid 940M in Hyper-V, AND have the luxury of auto-start after host reboot. (Lessons for anyone reading this)
@nar94k the Google router will need to forward either the OpenVPN ports or all ports to pfSense. pfSense can allow access to the OpenVPN server ports on its WAN, or if you set up a dynamic DNS hostname you can allow that hostname.
@spyderturbo007 Part of my job involves monitoring the forums and reddit :D
I have no thoughts on Wireguard, to be honest. I haven't had a chance to really work with it yet -- the one time I did a test deployment I bungled it.
Personally I am not a fan of OVPN. I know it works. But I can just as easily disable a login user for IPSEC RA. IPsec is bullet-proof once you get it going. I also have mine set up as a full-tunnel so all the traffic comes through home/DC and that is really helpful when road warrioring.
But OVPN will work almost anywhere... which is why it's so popular.
I normally shutdown properly but had an issue with power loss at home which was pretty regular. I have a UPS but it's just my Unraid that's plugged into that but I'll look at getting my pfSense hooked up to it too maybe. Power cuts were down to my Lava Lamp as it happens which I've now stopped using anyway.
You don't need a console using only Unifi APs. I set up two U6-Lites in 5 minutes using the UniFi Network app from the Apple store on iPhone and iPad. You only need a console to do more than basic setup, which is all I needed. Last week, I upgraded the U6-Lites I used for a year to two U6-Pros since they became available in my area. It took 5 minutes each to set up on the iOS app and they work perfectly.
They all work flawlessly with pfSense 2.6 with no changes once set up using the app. However, if you need more than what's available in the app, such as VLANs, you need a console. I tested the console on a Mac out of curiosity and set up an AP. After playing around I reset the AP and went back to the app. It's all surprisingly easy.
A tip which has nothing to do with getting them to work but may help: I recently got 1.2Gig from Comcast and upgraded the modem to S33 and U6-Lites to U6-Pros (I will upgrade my Protectli FW6A and HP 2520-24 switch eventually). But wifi topped out at about 475-500; the trick was to bump the 5GHz channel width from 40MHz to 80MHz in the iOS app and bingo, I got 899 on my iPad Pro 11 connected to one of the U6 Pros. Not bad considering my best wired speed is 937.
@jknott I agree, this opens a can of worms for cyber security. Just one website and one wrong web cookie could direct DoH DNS requests to another server. I just noticed you can disable it in Chrome and on the OS side. I use Squidguard and block a list of DoH domains; many servers are in different countries. I just started looking into this with one.one.one.one and other Cloudflare DoH servers.
The example on TrueNAS is auto-decrypting the data drives but not the boot drive as I see it. So it's probably not directly applicable here.
To do the same with an encrypted boot drive it pretty much has to be in the bootloader I would think.
Maybe moving the config file onto USB would suffice? pfSense would still boot but would be useless without the config. Many years ago m0n0wall had that option. It would require some work in current pfSense.