I set on accept for Promiscuous mode, mac address changes and forget tramits on WAN vswitch,
Since my network goes Virtuel WAn switch-pfsense-virtuel LAN switch.
Also very important to note that is a reboot of whole esxi is necessary for it to acctually implement the changes made.

I didnt discover this at beginning.... so alot of my testing was flawed cause changed wasent acutally being made...

Thanks for all help.

Sure... without success :(

Thank you. That fixed my problem.

Traffic between the modem and Asus router there is all inside PPPoE apart from traffic to the modem itself. So that's probably not what you want to do. pfSense would not 'see' most of that traffic.

pfSense as the gateway and Asus as an access point is the way to go there.

Steve

If you use a shellcmd that gets stored in the config file and hence can be retsored and is never lost at an update etc.
If that command calls a custom script that might be lost though. You can use the filer package to store that in the config so it's all restored however.

Steve

TNSR is a completely different product than pfSense, and both will be developed concurrently from what the Netgate people have said recently.

Upgrade fixed it! Thanks.

Impressive response time. 3 minutes. :)

@akuma1x

Hi Jeff,
thank you for showing me the way to the discussion about it.
Now I know a bit more.

James

Could be an MTU issue. Try to ping with large packets, how large will pass?

https://docs.netgate.com/pfsense/en/latest/routing/unable-to-access-some-websites.html

Steve

If you do need to apply that command at boot you can do so with a shellcmd:
https://docs.netgate.com/pfsense/en/latest/development/executing-commands-at-boot-time.html

And actually now I think about it if you use the 'afterfilerchnages' type there it will be applied if the WAN goes down and comes back up. That might be all you need there.

Steve

Did it work just connected directly behind pfSense then?

Steve

Very cool. I have a synology NAS. Thanks!!!

Just to report back, in our situation the upstream Zyxel modem had features to block ping, probably to mitigte DoS:

0_1551958166307_problemi_monitor.png

Disabling this stuff fixed gateway monitoring

Hello,

yes I edited manually by adding that to an <earlyshellcmd>

Anyway, now i created a new gateway via WebUI , i checked the box to say that gateway is not part of the wan network, deleted my earlyshellcmd, rebooted and yes now it is working.

I was used to put all my initial route and the way to reach the gateway onto the earlyshellcmd as i was not aware of this options, maybe this option is quite new.

Anyway before version 2.2 it was working find and never had this problem.

but pb is solved now. thanks.

Regards

One method:

https://docs.netgate.com/pfsense/en/latest/interfaces/accessing-modem-from-inside-firewall.html

Yeah you could do that - or you could do this for living and just now that .192 is /26

Just like
.248 is /29
and
255.255.255.252 is /30
etc. etc.

☺

I have never seen it working but I've tried to make it work myself. As far as I know the components are all there, Squid should be able to do it. However I believe Cisco rely on a GRE tunnel to the proxy and I think it's likely that is where the problems may be. Traffic is not going across it correctly in one direction, probably the outbound traffic from Squid.
It may be possible to make it work. If you can set it up we can look at it.

Steve

@stephenw10 There are no errors:

Name Mtu Network Address Ipkts Ierrs Idrop Opkts Oerrs Coll ... igb3 1500 <Link#4> 00:1b:21:37:df:0d 1668697756 0 0 2484214267 0 0 igb3 - fe80::%igb3/6 fe80::21b:21ff:fe 0 - - 0 - - igb3 - 10.245.51.192 10.245.51.193 18159161 - - 44321347 - - ...

Regards.

@mitch_sullo said in PFSense Traffic Shaper Wizard:

I want to setup QoS / DSCP marking

Be aware that QoS on pfSense is performed based on connection states. Connection states are established by the first packet of a connection. To perform QoS based on DSCP, the expected DSCP code point must be present in the first packet of a connection visible to pfSense.

If that protocol uses a separate media stream that has the right tags it would be OK. For example if it performs signaling on port AAAA to setup a connection, DSCP on that doesn't matter if it makes a media (audio or video) connection on port YYYY and uses DSCP on the first packet there.

There are some ugly workarounds to match DSCP inside connections, but it involves making 'no state' rules which is ugly and unlikely to help.

many thanks Grimson
I want a pfsense product to deploy on my infrastructure i will use like a acces point wifi what do u suggest???