Ok. thank you that was super helpful

There is, unfortunately, no fine grained control for notifications. Yet. If you have a notification type configured you will get alerts.

Well the first thing is to confirm it really is pflow by disabling it making sure it doesn't happen.

What VPN type? How are you routing it? Can you change VPN address?

@stephenw10

I've deleted OpenVPN client to server on pfsense and a VPN Interface assignment deleted,
So far no more errors with "PF was wedged/busy and has been reset." and "There were error(s) loading the rules: pfctl: DIOCADDRULENV: Device busy - The line in question reads "

👍

@pp-ng said in WAN repeatedly going down every few days again:

@stephenw10 Also - to get my WAN back to 'online' I went into Interfaces > WAN and just clicked Save and then Activate. I know it runs several scripts or whatever in the background, so not sure which one got me back online, but that did it.

Sounds to me more like a configuration problem on your WAN or your ISP/upstream provider. That somehow smells like you have DHCP on WAN and your box looses its connection because the DHCP address expired or your provider doesn't "know" it anymore. Or you get a quasi static IP from your ISP and configured it as static IP but your ISP needs to hand it out via DHCP.

We had some of that use cases in support here and most of them had that exact problem. Saving WAN config brought them online and after a few hours or days the connection dropped 'cause packages wouldn't go out/in anymore. Switching the WAN e.g. from static to DHCP or configuring it the way your ISP needs/wants it could solve that. Or check the ISP modem or %device% depending on your internet. That a manual "save & apply" from WAN brings you back seems to indicate that a manual performed DHCP restart seems to work, so I'd have a look at the way you get your IP from your ISP.

Cheers :)

@Gblenn said in Googling blocked domains let them through:

@iSagen So fortnite.com and www.fortnite.com are "different" in this regard. You need to add all variants in order to completely block a site...

Try adding www.fortnite.com and it should block also when searching...

That did the trick, thank you :)

@bozo-bogd
if you have found a solution, plz post it here ;)

@deanfourie

You could run a packet capture for a while on your 4G interface and check what goes out and when.
Exclude ICMP traffic.

@Gertjan

Thanks for replying.

We have about 100 users/ staffs usually on my location, most use multiple devices, with other staffs that may come and go from another branch (about 500 total if counting all branchs). The portal was intended to use for WIFI and staff only, so we hooked our pfsense with a VPN connection to our AD (which is on another location) and use it as an authentication backend. But now higher-ups want to add voucher option for guests, previously we just made an account to use exclusively for guests instead.

We do have VLANS for each departments, separately from the portal WIFI networks. Before using portal, the WIFI was more of a convenient thing (which it still kinda is), with no authentication required.

RAM disk works as expected, what a huge difference!

SSD Write.png

cf5eb657-74a9-461e-a56e-c2c3707615b5-grafik.png

Hmm, thats shown as mbps but can I assume it's actually Mbps?

Does the traffic graph in pfSense itself also show traffic during that iperf test?

If so It sounds like one of those devices on VLAN2 has the wrong subnet mask set and is sending traffic to it's gateway rather than directly.

@stephenw10 said in Comcast email doesn't load on iPhones when connected to network - works on PCs with same settings:

Ultimately try running a pcap on pfSense for the IP of the phone then try to check the email and see what it's sending.

I'll try - I haven't actually used pcap previously so will have to figure it out.

@BobL4002 so you can't go here?

https://currently.att.yahoo.com

does it resolve from your client?

$ dig currently.att.yahoo.com ; <<>> DiG 9.16.50 <<>> currently.att.yahoo.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41641 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;currently.att.yahoo.com. IN A ;; ANSWER SECTION: currently.att.yahoo.com. 3532 IN CNAME atsv2-fp-shed.wg1.b.yahoo.com. atsv2-fp-shed.wg1.b.yahoo.com. 3532 IN A 74.6.143.26 atsv2-fp-shed.wg1.b.yahoo.com. 3532 IN A 74.6.231.20 atsv2-fp-shed.wg1.b.yahoo.com. 3532 IN A 74.6.231.21 atsv2-fp-shed.wg1.b.yahoo.com. 3532 IN A 74.6.143.25 ;; Query time: 12 msec ;; SERVER: 192.168.3.10#53(192.168.3.10) ;; WHEN: Tue Sep 03 13:21:59 Central Daylight Time 2024 ;; MSG SIZE rcvd: 159

what about in pfsense dns host lookup?

dns.jpg

@stephenw10 I just resorted to using opnSense, WiFi interface is detected straight out of the box through iwlwifi (It's FreeBSD 14) and no weird boot problems thus far. Thank you for the quick response, but I believe I might need some missing software/drivers or tweak the configuration accordingly, and I'm not getting much information on what's missing either, so I'm not going through that unnecessary rabbit hole.

@stephenw10 nope, there is no static routes defined.

@stephenw10 copy that. Along with over 300 APIs 🙌

@Matt2 That looks like https://redmine.pfsense.org/issues/15684
The fix is already in 24.08.

Well there are quite a few Unifi users here so you'll likely see more assistance setting that up. If you need it.

Both should work for this though.