Mmm, there are some USB adapters that will do 2.5G under FreeBSD but.... don't expect that! 😉

So you have couple options:
• Setup any VPN on pfsense or your NAS and use it to file sharing (NextCloud) service.
• Setup NextCloud through Nginx on NAS and setup correct access policies in nginx to access only to share links, and with other access to admin/sharing only from local network or VPN IPs.
• Setup NextCloud on NAS and haproxy on pfsense. And do same as above but on haproxy side.

Last two options are pretty complicated, and required good knowlege in nginx or haproxy configs.
There are no way to limit file sharing service only on firewall/nat. If you open access to share links you automatically open access to admin panel.

You must understand that almost all hacked and cryptolocked NASes on web was hacked through file sharing services that expose whole file sharing service to web. And you need limit unrestricted access only to file shares. Any links that not fall into allowed category should be dropped without any access to NextCloud server.

@lange-ludo Thanks, I had the same issue upgrading to 2.6.0 and this fixed it for me.

On last reply and this can be put to rest.
using there device and setting to bridge mode only granted me a day with no notifications and no loss of internet.

My guess is that recently they must have implemented something that checks for the nokia router. I only say this because while it's setup as a router and i put my pfsense box in the DMZ of the nokia router no issues whatsoever.

Thanks @stephenw10 for replying

The only downside I have experienced with this is when you have a DNS you use tied to monitoring a WAN that is offline -- you lose use of that server.

@gertjan Thanks for your preferential answer on trying to gear me in another direction. I simply wanted to know how to do this in a technical manor. I'll research else where.

Update! I heard back from Starlink. They were nice enough to let me know I should only have one router in my network and sent instructions on how to change DNS addresses. 🤦 I reopened the ticket, explained again, and asked for it to be escalated to a higher tier support so it can be sent to hardware engineering. We will see.
Adam

Ah, then you will hit this: https://redmine.pfsense.org/issues/12954
It's fixed in 2.7 and 22.05. You could upgrade to either of those as a test.

With a link exhibiting buffer-bloat that badly you probably need shaping of some sort.
You could try using an ALTQ shaper instead.

Steve

It's always DNS

After much experimenting (thanks @stephenw10) I figured out the problem. We use DNS Filter as our upstream DNS resolver. DNS Filter is tied to specific IP addresses and refuses to resolve if the request is coming from an "unknown" address.

New network connection was unknown so some addresses that could be resolved locally or were cached worked. Thus why it worked for a few seconds. I finally figured it out when I tried entering IP addresses and that worked. (Hint, 1.1.1.1 is a good webpage to try if you are ever in this situation.)

Sigh. My fault.

@stephenw10 said in Restoring Pfsense config in a new system with less eth ports:

If there are NICs in the config that do not exist on the firewall it will ask you to re-assign the interfaces.
The same as if you restore a config into a system that uses different NICs/drivers even if the number is the same.

With a large number of interfaces it can be easier to edit the config file directly but that does open the possibility of typos as you say.

Steve

Thank you.
Gladly, I use mainly 2 interfaces, so I need to take care of them first and the new device would have at least 2 eth ports, so I'm not worried.
Regarding the NICs, I'm not concerned about it because I can lose/overwrite them, I was just wondering if the process breaks.

@jt40 just create a CA in pfsense, then create a cert with that CA and have your browser(s) trust that CA.

cert.jpg

You can put whatever SANs you need to IPs, old name, etc..

I had created this cert way before browsers started limited valid dates to like 398 days or whatever they limit to these days.. So you can see mine is good til 2027, and browser has no complaints about it.

Once you create this CA you can create certs for any other stuff on your network that wants a cert, printers gui, switch gui, unifi controller gui, nas gui, etc. etc.. And since you trust the CA in your browser it will be happy with the cert and no complaints.

nas.jpg

@stephenw10 I deleted the WireGuard tunnel then I set it up all over again. Done the same thing at VPS. Rebooted remote VM and pfSense and it started working.

I have no idea what happened before but I thanks you for all the support you provided!!

Thanks a lot

:-)

kind regards

@kreki1986

There is.. Number 15 : Restore recent configuration
List the backup sets (sub menu 1) , and pick for example 01 or 02 to restore, using sub menu 2.

Did the ifconfig output just not show the interfaces then? What the bridge learns is which MAC addresses are connected to which bridge members. Hard to see how it could not show that.

That RSC issue only affects pfSense running as a VM in Hyper-V.

So the same client connected via wifi gets the expected upload speed? And that still goes through pfSense?

Restrictions if that sort of order are usually either unintentional traffic shaping or a speed-duplex mismatch in a link somewhere.

Steve

Hi all thanks for the support so far but I was sick for the last days and in this meantime the VPS deleted my inactive VM instance so I have to setup my VM and tunnel all over again...

I'll try again later and if I don't succed I'll try ipsec or wg tunnel later.

thanks for the support

kind regards

@stephenw10 Thank you

Thanks
It seems to work fine :)

There's no way to do that in pfSense currently. You could add a feature requests if there isn't onbe already: https://redmine.pfsense.org/

It would be quite a significant new feature though as it would need to be tied into quite a number things.

Steve

Although for that value it probably could be either:

[22.05-RELEASE][admin@cedev-3.stevew.lan]/root: sysctl dev.vmx.0.iflib.override_ntxds="0,4096" dev.vmx.0.iflib.override_ntxds: 0,2048 -> 0,4096

Adding it as a loader variable works past that.

Steve