I've been here for 5+ years and I've never heard of squish until today.

Maybe start by showing what you did to install squish, what happened when you tried to run it, and any errors in the system log, squid's log etc.

@sugaredaxe said in Can't login to web configurator or ping the LAN ip:

says that the lan port doesn't have internet access.

Maybe you have a problem with dns? Windows determines if it has internet access via a dns query.

Post the output of ipconfig all on your box your plugging into pfsense.. Did it get an IP from pfsense dhcp server.

And again your LAN should NO gateway setup on it.

You don't My point is you can listen on lan or lan and opt or wan only, etc. etc. If you don't pick an interface it "listens" on all interfaces - but listening has zero to do with doing query from..

It would use the interface connected to that network if local, or if network where the ntp server is is not local then it would use its wan or normal default route interface.. If you had say a vpn service pulling all your default routes setup, etc.

Yeah you can't have two interfaces in the same subnet like that.

You don't need two interfaces though you can just add two gateways on the one interface.

That's a bit ugly though it would be better to use different internal subnets on each ADSL router and connect them separately.

Or even better to set the ADSL routers in bridge mode and pass public IPs to each WAN interface on pfSense directly.

Steve

@vronp said in very strange problem:

@kom said in very strange problem:

That log doesn't look very good. High latency and packet loss.

What type of NICs are you using?

As stated, this is an SG-3100, from Netgate. So, I believe they are Intel.

The concern I have is not this "event", but the ongoing result after the packet loss and latency appear to have returned to normal levels.

I think the next time this happens, after I do what you suggest regarding ping tests, I will disconnect/reconnect the coax cable from the modem and leave the ethernet cable to the pfsense box alone.

This appears to be resolved and was apparently due to a faulty modem (Netgear CM600).

You aren't being rude, you are withholding required information, which is only hurting yourself. Before we can tell you where to get the correct version of the library, you need to answer the questions I asked. Not because we're being nosy, but because without knowing that, you could install the wrong one and cause harm to your firewall (at worst) or have a broken application (at best).

For example: pfSense 2.4.4-p2 is based on FreeBSD 11.2. Your application and the library you are seeing must also be compiled for FreeBSD 11.2. If your application is compiled against FreeBSD 12, it's likely to fail.

If you don't want to answer any questions, then the solution is: Get it from FreeBSD. If you need more guidance than that, you need to cooperate, or this thread is useless.

@davey_bones said in Errors trying to install or uninstall packages:

looks like im missing /usr/ all together.

A small hope : reboot to single user mode, and be friends with fsck a while.
Your system is in a real bad shape.
Put on your todo list : Get a copy of your config.xml file.

I am glad that you edited and added to your post I was starting to think your name should be salty johnpoz :).

I am surprised you have never seen this before. As I stated in my post this is typical of every consumer grade device that I have ever owned and configured, and all the ISP devices that I have ever used for ADSL/Cable/ and now Fiber. There have been a bunch since 1998 until now.

I did state the results from the different settings above in my post. I just posted the medium settings. I was wondering why I would need 53 open (not hosting anything) and the ICMP as well, but I am no expert.

Yes when I select the different settings nat only, low, medium, high, it changes the allowable settings and checked boxes as referenced above.

Thanks for everyone's help. I will keep reading and changing configurations until I feel confident that I can put my test pfSense box into full time operation, with vlans, dhcp, firewall, vpn, etc.

As a take away I am glad that from this discussion it seems confirmed that the default configuration of the pfSense firewall is better than my ISP box on it's high.

Thanks!

Snorf

You probably didn't account for the larger subnet in your firewall rules, outbound NAT rules, IPsec P2s, and other places. You probably need to add more rules or adjust subnet masks to match what you changed.

So, I think I found the source of my issue: my DNS setting.

I had shut off and uninstalled SquidGuard, Squid and Snort (in that order) and still had no luck. As soon as I changed my DNS settings to Google (for example), I no longer have any latency issues. Put back Squid and Snort and still no latency.

So, it looks like something with OpenDNS is causing my problem.

Off to try another DNS to see if it's still running ok.

Well there is a Community Job Board: https://forum.netgate.com/category/63/community-job-board but expect to pay quite a bit for an actual expert to even consider your offer.

@bldr said in LAN loses WAN egress; no other problems:

AES-NI CPU Crypto: No - so sad for my future :(

But not for a while: https://forum.netgate.com/post/823904

Yes, update to 2.4.4p2 and confirm it still happens there before going further.

Steve

The on-board NICs on the C2758 will use up 4 queues/cores. Running that top command will show what's happening.

Steve

Just happened today again

[2.4.4-RELEASE][Vetal@router.place.somedomain.com]/home/Vetal: pfSsh.php playback svc restart tinc Attempting to issue restart to tinc service... tinc has been restarted.

Nothing is added to the syslog, I did tail -f to it. Nothing related in tinc.log

Next time I'll check "ps aux | grep tinc", today's while in "stuck state" was not wide enough to fit "/usr/local/sbin/tincd" part. I already UI-restarted it

You can consider this problem solved.

Thanks

@farmwald said in 10G NAT/Firewall performance problems:

I'm quite serious about being willing to make financial contributions to Wireguard port to PFSense.

https://forum.netgate.com/category/30/bounties good luck.

No. ACB and local config backups are separate systems. A checkbox to allow vouchers syncs to be excluded from local backups might be a good idea. I'll look into that once v 2.5 is stable.

That same error keeps looping every minute or so.

Anther way that might make more sense when (possibly someone years from now) is reading the rule set would be to make four rules:

pass TCP 25
pass TCP 587
pass TCP/UDP 53
reject any

You could combine 25 and 587 into a port alias but not sure it's worth it for just two ports. Anyway, that's what I would do.