@tux4000 While your issue is solved, just wanted to add for those searching in the future that on all my customer sites, all unifi devices report to a digital ocean linux 'box' running the controller software. I have pfSense FWs and pfSense+ on netgate appliances, a varied mix. No tweaking of any kind ever needed on the firewall, as all traffic is outbound (from firewall's perspective).

The only exception was human error before I put the controller on DO when controller and device were on separate VLANs (w/out rules). After that, I no longer used local controllers.

@stephenw10 If only there was some kind of video on youtube by netgate that can give an example on modifying the config.xml when porting it over to new hardware 😁

The speed drop is because when the client is on VLAN1 that traffic is all moving through the switch. When it moves to VLAN2 pfSense has to route all that between the interfaces. That's expected.

Steve

@johnpoz I ditched HAProxy and went to Traefik and all is working now. :)

@stephenw10

Maybe.. weird that some updated aliases were working fine though.

@saifullah

If you have a CCNA then you certainly can learn about pfSense. While the details are different, the principles are the same.

That is the correct file. Assuming your WAN is DHCP. And it's the only WAN you have.

Steve

172.21.16.1 is my local pfSense LAN interface where Unbound is listening and responding to queries.
8.8.8.8 is Google's anycast DNS IP.

With the override in place I would expect 8.8.8.8 to return an IP address but Unbound locally to fail.

Steve

You can do that using manual outbound NAT:
https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#working-with-manual-outbound-nat-rules

First you need to have those public IPs present on the firewall. So a public subnet that is routed to you be the ISP perhaps.

Steve

The 1100 only has one NIC, mvneta0, and all interfaces are VLANs on that including WAN and LAN.
Your new hardware probably has at least two NICs so you can add the VLANs to either. If it has 4 NICs you may only need VLANs 20 and 66. The other interfaces can be moved to real NICs.

Steve

The redirect target IP on the port forward should be the internal server IP not the LAN address.

I expect to see one port forward for each port unless they are all directing to the same internal IP in which case you could use a 1:1 NAT rule.

Steve

@koenh
This indicates that somewhere between the pfSense WAN interface, and what ever monitoring ip you are using, has some ugly packetloss.

I would shift the monitoring ip back to "default" ... (the DHCP delivered default gateway) , and maybe change the network cable between the pfSense & the ISP Box.
Your pfSense Wan IF is connected directly to the ISP box, correct ??

Maybe i'd power off/on the ISP Box, just to make a "fresh start" ...

If it continues with packet loss between pfSense Wan and the ISP default gateway , i'd contact the ISP and explain the issue.

Edit: V'man beat me to it 😊

/Bingo

I would not expect it to. Disabling NUT as a test is pretty easy though.

I don't find it paranoid or over the top to use a dedicated, offline system for managing your IT infrastructure considering the low prices for a Chromebook or similar. My diy nuclear reactor must stay secure... ;)

@viragomann
They are all Realtek, damn them and their drivers.
However I solved it by putting two NICs on another PC where at least there is an Intel NIC that I use for the LAN.
How much time wasted for a PC that until a month ago was working without problems and in the last month has simply been turned off.
Thanks a lot for the support.

@dennypage The power wasn't flickering, the power was out from 10p through 1a. The nut server is not configured to turn the UPS proactively so the UPS just shuts down once the battery is completely depleted a few minutes after every client was supposed to shut down ("low battery" when nut clients are being turned off is set to 10%). I understand the behavior in the log could be explained if the UPS turned the power to pfSense off and then back on between 22:52:05 and 22:52:13 but I don't think it was the case. Based on the timestamps alone it would seem pfSense went from shutdown to boot immediately while the system remained powered by the UPS.

@tquade to be honest port scanning the "world" could be less troublesome - than an isp customer complaining about another same isp customer

But sure yeah probing the world not normally a good thing ;)

To be honest many an isp should be filtering fellow customers from talking to fellow customers..

But forget getting in trouble or what you should be doing or not being doing to be a good netizen. I make sure no rfc1918 traffic leaks out my wan for sure.. Just doing my part to be a good netizen.. Rarely happens but now and then I typo a address or something.. I make sure that dns for my private domain never goes outbound as well - just no point in sending such traffic that isn't going to resolve..

What would be the point other then pure curiosity knowing that some fellow isp customer has ssh open, or running xyz as their router? What would you even do with that info? I would rather not waste my cpu cycles and bandwidth finding out that info in the first place - and just not send probes out my wan..

Now if he devices on pfsense wan this 192.168.8 network - and he wants to discovery his own devices on that network. Then going to have to look into making sure ntop only discovers 192.168.8/24 and not whatever his real wan is..

@stephenw10 Call quality is fine. I’ll have a look at the logs. Thanks!