@bmeeks pfSense is showing me it's using igb (igb0, igb1, igb7).

Here is the offloading:
offloading.png

Is there a specific Intel based NIC card that you would recommend that doesn't have any issues with pfSense? Just wondering.

Yeah, since the re-write of many drivers to use the iflib framework the loading appears differently. So 2.6 and higher.

That loading level is not necessarily any sort of issue. It depends how much traffic it was passing at that point and when the CPU is.

Steve

The webgui listens on all the firewall IPs.

How do you have the host override configured?

Steve

Ah, no sorry, not for a block! 🤦

@sergei_shablovsky

I agree with Sergei, I hope we see pfs on freebsd 13 soon. I use frontier fiber and freebsd 13 resolves the issue of the wan interface not being able to grab an ip from dhcp because frontier and all the other telco's tag their transmission with vlan 0.

Just an update on this, I purchased a new intel NIC and the connection has been solid ever since, no dropped packets, no wan down. For anyone else reading, the updated realtek drivers helped a little, but it took a day before the dropouts slowed (no idea why). It also helped when I moved my realtek nic from WAN to LAN. The ultimate fix appears to be as @bmeeks suggested "change out the Realtek NIC for an Intel variety"

c83e9ff0-9081-4795-bb5b-00682d637599-image.png

@johnpoz Thanks for helping

@viragomann thanks so much and sorry for missing that previous post.

@creation2
https://search.brave.com/search?q=Freescale+T1042+CPU

No. See above - it's the same family.

@droidus said in Snort Inline IPS Speeds:

@bmeeks
It is the Protectli FW4B - 4 Port Intel® J3160. I have 8 GB RAM total.

That hardware should easily do much better than the 10/10 you said you are seeing.

I can already guess your next question, but sorry, "no, I have no idea why you are not seeing better performance" ... 😀. That slow throughput is certainly not the case with many other users here on similar types of hardware in terms of capability. You will likely never get line-rate Gigabit traffic inspection with Snort unless you have a screaming fast CPU, but you should get better than 200 Mbps with most hardware.

@marcosm They are not totally separate. It is physically impossible to turn off the the VPN service in the OpenVPN area unless you delete the VPN interface in the interface area. I was told this was done to prevent unwanted behavior but I was suggesting that it be changed to where disabling the interface is all that is needed to be able to turn off the OpenVPN.

@stephenw10

The problem seems to have disappeared, only change done was is pfBlockerNG set the DNSBL Mode to Python Mod.

After the change no more errors with Autoconfig Backup.

Thanks for you support.

@deanfourie Yes.

@stephenw10 If I can apply further information, I'd be happy to help

@treestomp said in Monitor Outbound DNS requests:

does DoH/DoT still have an effect or it's encrypted to the VPN anyway?

Nearly all traffic is already TLS these days, so VPN "to protect your data" is not needed.
The exception is of course classic DNS traffic.

DoH is more a DNS generated by the end user client's application : even your router, pfSense, can't "see" it. pfBlockerNG can only block it, if it's a known DoH endpoint server.

@viragomann yes I prefer certain VPNs for work or personal.

I do it via having different interfaces so all the firewall rules switch at once. However, it's annoying to switch DNS settings as well

I am/was struggling to get it to work via Gateway Groups. Do you know where I can find more on this because the official Netgate documentation only elaborated on setting up the proper gateway, not changing

@nevolex

Thanks for the update, glad to hear it's fixed!

@tibere86
Create a file called "loader.conf.local" in the /boot folder. That will stay between reboots.
I use WinSCP to attach to the FW and create/edit because it's easiest for me.