• 2 Votes
    4 Posts
    1k Views
    joshgreyzJ

    Thank you both. I don't know how to close this topic as https://forum.netgate.com/post/1073281 is the post to use.

  • 0 Votes
    3 Posts
    765 Views
    F

    @johnpoz AH ok, sorry for the bother, but thank you for the reply!

  • connectivity delay for new clients

    5
    0 Votes
    5 Posts
    675 Views
    GertjanG

    @stephenw10 said in connectivity delay for new clients:

    Partial IPv6 connectivity can introduce delays like that whilst Windows tries to use v6 and then falls back to v4.

    Nice catch 👍

  • Same Rule ID for multiple Interfaces

    11
    0 Votes
    11 Posts
    1k Views
    stephenw10S

    The firewall logs pull up the rule description from the current running ruleset based on the identifier. But the ruleset that was running when that log entry was created may have been different. Thus what shows there as the 'Permit to Internet' rule may have been something different at the time. And that seems likely because there is no way that rule could have matched that traffic. Unless it was far more open previously.
    However any single rule that could match all those entries would have to be something that applied to all interfaces. When you look at the ruleset directly that would be a rule without an interface specified.

    Steve

  • Notifications

    3
    0 Votes
    3 Posts
    482 Views
    stephenw10S

    Yup, probably an authorised device key required there like gmail uses since you can use a 2FA login.

    Steve

  • Will pfSense 2.7/23.01 become a bottleneck for new features and fixes?

    5
    0 Votes
    5 Posts
    1k Views
    keyserK

    @stephenw10 Yes, Multiple IPsec VPN instances, so I could have several Mobile VPN implementations with very different settings running on different WAN IPs.

  • Changing physical ports in config

    6
    0 Votes
    6 Posts
    1k Views
    stephenw10S

    Indeed, when you restore a config it will reinstall any packages referenced in it. But that shouldn't be a problem as long as you have a valid WAN connection.

    Steve

  • HAProxy and ACME certification not working

    2
    0 Votes
    2 Posts
    771 Views
    V

    @hefin
    The client certificate might not be what you need. This is meant for authenticating the client on the server.

    You have to assign the certificate to the frontend.

    BTW: you should better hide your public IP, at least if it's static.

  • pfSense partition size?

    13
    0 Votes
    13 Posts
    2k Views
    JKnottJ

    @stephenw10

    Apparently it is a 32 GB. I thought I bought a 64. The invoice doesn't say and the web site shows both 32 & 64 available. On the Ali Express site, you select the options you want to build the computer.

    Well, not a problem. As I mentioned, I'm only using 4% of the 24 GB partition.

  • ARP reports bogons

    91
    0 Votes
    91 Posts
    17k Views
    stephenw10S

    I've never tried but you could add static ARP entries for everything on all devices. I can only imagine it being a complete nightmare though! You'd be chasing connectivity issues forever. Hard to recommend. 😉

  • Website thinks I'm behind VPN

    10
    0 Votes
    10 Posts
    1k Views
    johnpozJ

    @michmoor concur - if the IP is what his ISP gave him - time to ask the ISP why it's showing as a VPN and has such a horrible reputation.. Might be time to change ISPs as well..

    I checked a few other reputation sites, and not seeing the IP he connected to the forums listed - but that one site I linked to above - sure doesn't like it.. Gives it a really bad score, says it's vpn/proxy and high risk, says listed on spam lists - but if I check spam lists I don't see it there, etc.

  • Connecting to Rogers 8 Gb fibre

    5
    0 Votes
    5 Posts
    633 Views
    JKnottJ

    @stephenw10

    I did some more reading and it appears they provide an unmanaged switch that connects to the ONT, but customers are free to use their own switch. Of course 10 Gb switches are expensive.

    I'm going to ask about lower bandwidth connections.

  • Help with pfSense, cPanel DNS Only and Plesk Slave DNS Manager

    2
    0 Votes
    2 Posts
    521 Views
    E

    OK, just setup the DNS Clustering on the Azure box to the Almalinux box and that worked. So it's either a failure of the API key or the internal IP range issue.

  • Login Credentials Failing

    16
    0 Votes
    16 Posts
    922 Views
    S

    @steveits Thank you so much Steve for thinking outside the box and replying back, very nice of you to go out of your way.

  • PF PORTKNOCKING IS POSSIBLE?

    2
    0 Votes
    2 Posts
    457 Views
    stephenw10S

    No, there is no port knocking implementation in pfSense. Yet.

    There is at least one open feature request: https://redmine.pfsense.org/issues/8547

    Steve

  • Dynamic routing over IPSec tunnels

    7
    0 Votes
    7 Posts
    1k Views
    stephenw10S

    You can't route via a gateway group and you can't set a metric on a route directly so using dynamic routing, like OSPF, is usually how this is done.

    You could just use policy routing if the PA can do some sort of reply-to to make sure replies come back over the same link. And if you only need to open connections toward the PA.

    Steve

  • 0 Votes
    1 Posts
    188 Views
    No one has replied
  • Where to make a suggestion for a software addition

    2
  • Error loading rules

    3
    0 Votes
    3 Posts
    873 Views
    J

    @jbeez fixed... definitely user error. I was restoring a filter.inc from a prior version. Restored the proper one and it's good to go.

  • Avahi, Multicast mDNS not Functioning?

    3
    0 Votes
    3 Posts
    860 Views
    johnpozJ

    @tyler_rm your links vs just posting the image here is a bit off putting for someone wanting to help.

    Here is a post I did a year ago or so on how to validate if avahi is working.

    https://forum.netgate.com/post/1003226

    I personally am not a fan of breaking the L2 barrier like this - but in the link I go over how to actually validate if it's working or not, etc. Hope that helps.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.