• Multiple LANs sharing single WAN interface

    2
    0 Votes
    2 Posts
    308 Views

    @the-loquitur WAN Net is not the Internet, it is WAN’s subnet, often a /24.

    If you are trying to block LAN1 from accessing 2, you need to add block rules, like:

    Reject from LAN1 net to LAN2 net
    Allow from LAN1 net to any

  • 0 Votes
    4 Posts
    456 Views
    stephenw10

    Hmm, that's about as safe as it could be then. 🤔
    Your description of the failure sounds like it might have somehow pulled in a pkg from 23.09 before the upgrade resulting in a mismatch at some point. I'm not sure how that could have happened but clearly if it wasn't online it couldn't have happened.

  • Help! pfSense died...

    15
    0 Votes
    15 Posts
    1k Views

    @SteveITS Yep. TV is a Vizio flatscreen (basically a big monitor) on its own generic UPS from Walmart. pfSense, WiFi, cable modem all on different UPS :)

  • Upgraded to 23.09; no internet access

    Moved
    7
    0 Votes
    7 Posts
    670 Views
    stephenw10

    Yes, it wasn't known at release but it could certainly be there now....

  • 23.09 disaster; reverted to 23.05 and multiple problems

    8
    0 Votes
    8 Posts
    1k Views
    stephenw10

    You just installed the 23.09 image directly? What was different to when you initially tried to do that?

  • InterVLAN routing with two L3 switches in a VRRP setup

    3
    1 Votes
    3 Posts
    417 Views

    @johnpoz Thank you. This straightforward tutorial helps a lot!

  • Certificate issue after starts squid proxy

    12
    0 Votes
    12 Posts
    1k Views
    stephenw10

    @michmoor said in Certificate issue after starts squid proxy:

    https://redmine.pfsense.org/issues/14390

    It does depend on what you're connecting to but yeah the 409 error can be painful.

  • Data parasites

    46
    0 Votes
    46 Posts
    10k Views

    @SamR-0 said in Data parasites:

    Actually, the graph showed equal tx & rx transfer, which must be a component of how DO works

    When you are in "devices on the internet and my local network" mode
    you will be sharing whatever other internet PC are requesting. So yes that's how it works, in that mode.

    Easy to monitor
    "Find out what you’re getting from other PCs—and what your PC is contributing—with Activity Monitor. "

    https://support.microsoft.com/en-us/windows/delivery-optimization-in-windows-10-0656e53c-15f2-90de-a87a-a2172c94cf6d

    However, since you are a single PC and have no other PCs on your local network to actually share updates with or spread downloads to, the appropriate setting is to turn it off.

    "As always, you decide whether you want Delivery Optimization to share parts of downloads between your PC and others on your local network or the Internet. "

    It's Microsoft's "Fun" way of saying here use your computer to help us offload demand from our servers. We’ll even tell you how much of a boost your PC is getting from other PCs on the Internet.

    Notice when the DO is off you will still get updates (but only directly from Microsoft) in a single PC environment there is zero benefit to having any of it turned on.


  • /etc/inc/util.inc, Line: 3917, Message: Allowed memory exhausted

    3
    0 Votes
    3 Posts
    363 Views

    @jimp

    Cleaning up the PFBNG lists (deleting many that were not downloading) seemed to resolve this issue. Now, on to an all new issue with SNORT after upgrading!

    Thanks!

  • 0 Votes
    13 Posts
    2k Views
    stephenw10

    Yes, but it looks like it may have a significant bug.

  • Memory usage has doubled from 2.7.0 to 2.7.1RC

    11
    0 Votes
    11 Posts
    1k Views

    In general ZFS may try to use more RAM than other filesystems (like UFS), but a lot depends on the actual usage patterns. Reads cause ARC (read cache) to increase, which increases RAM usage; writes wind up in a different location, simplistically "transaction groups". Writes are held until either a timer expires (nominally 30 secs) or a lot of items need to be written (not sure, but on the order of maybe 4K or 4M).

    A firewall would be mostly writes, so I'd expect it to go up and down if you are logging a lot. Not sure if pfSense is creating a RAM disk for anything, but that would also increase usage.
    The cached memory could be ZFS buffers, could also be network buffers.

  • Upstream downstream projects confusion?

    7
    1 Votes
    7 Posts
    761 Views

    @bmeeks
    Say no more. The move to a software model that you have to pay for and has exclusive features is the only thing that makes sense.
    I understand the hangups people have on the whole CE vs Plus debate, and I certainly understand how the messaging on that may have rubbed folks the wrong way, but people need to understand that it costs money to make money.

  • Squid gone now what

    17
    0 Votes
    17 Posts
    3k Views

    @JonathanLee said in Squid gone now what:

    DNS versions don't work, they bypass the DNS with DoH or https3 dns

    Long/detailed doc on how to block those:
    https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf
    from:
    https://jpgpi250.github.io/piholemanual/

  • Random disconnect

    12
    0 Votes
    12 Posts
    1k Views
    bmeeks

    @michmoor said in Random disconnect:

    @stephenw10 @bmeeks
    Is that with ANY interface state change or only when an interface is a wan-type?

    A flapping interface is not uncommon. So if I have a DMZ leg that is flapping, does that mean my LAN -> WAN flows will be impacted? Essentially 2x interfaces that have nothing to do with DMZ will see an outage?

    I believe it is either a physical link status change or the execution of ifconfig up or ifconfig down that triggers the restart all packages command. And I think dpinger will trigger that ifconfig up/down command when it fails to reach the monitored IP within the configured time window. I have never examined all the PHP and shell script code for this in pfSense to find every possible trigger.

  • 0 Votes
    1 Posts
    400 Views
    No one has replied
  • Sending firewall-originated traffic via IPSEC VPN?

    2
    0 Votes
    2 Posts
    254 Views
    stephenw10

    If it's a policy based IPSec tunnel the only workaround I'm aware of is adding a static route via the LAN:
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html#static-route-workaround

    Steve

  • Boot Environments THANK YOU

    4
    3 Votes
    4 Posts
    588 Views

    Solaris developers that released ZFS under CDDL were setting the stage for everyone else, like FreeBSD, IllumOS, and the OpenZFS folks, to take advantage of things like BEs.

    Netgate folk did a very good job integrating the feature with the GUI interface. There are a lot of little bits behind the scenes, keeping them all straight and then presenting them in an easy to use manner is not a trivial thing.

  • 4100 upgrade to 23.09 no internet connection

    Moved
    10
    0 Votes
    10 Posts
    947 Views
    keyser

    @rloeb said in 4100 upgrade to 23.09 no internet connection:

    @keyser Wow. They went general release with that serious a bug? Seems irresponsible. Not many users are going to check Redmine to see whether they should upgrade...

    No, it was first discovered right after release as I understand it.

  • Error code: SSL_ERROR_RX_RECORD_TOO_LONG

    7
    0 Votes
    7 Posts
    5k Views
    stratcat


    I had this happen to me recently after a power outage.
    For some reason it changed the webConfigurator protocol to http/
    I logged in using http and my custom port and changed it back to https/

  • Newbe: Wifi device disconnecting

    9
    0 Votes
    9 Posts
    851 Views
    johnpoz

    @jfooobet said in Newbe: Wifi device disconnecting:

    ISP router to work as AP somehow

    Any wifi router can be used as just an AP: turn off its DHCP server and connect it to your network via one of its LAN ports = just AP. Normally it's a good idea to set its LAN IP to be on your network so it's easier to adjust its wifi settings.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.