• LAN PC cannot query DNS

    5
    0 Votes
    5 Posts
    728 Views
    stephenw10S

    pfSense itself can use any configured DNS server including anything that might be passed to it via DHCP. So it may be able to resolve when clients cannot when Unbound is not running.

    However you should forget about DNS if LAN side clients cannot even get an IP address.

    Do you have a subnet conflict between WAN and LAN?

    Steve

  • pfSense throttling bandwidth

    9
    0 Votes
    9 Posts
    3k Views
    D

    I saw the exact same thing. Throttled my 300-350 Mb/s connection down to 40ish. I even reinstalled the thing from scratch and it repeated a couple of days later. This morning it would not pass traffic at all, but could ping from the gateway. Rebooted but still throttled. Disabling the shaper on the WAN interface completely fixed it immediately. I'll follow up if the phenomenon repeats.

    Will be happy to submit logs if you tell me what and where to send. Other than this, no complaints or issues. Running pfSense+ 22.01 "free" on an HP EliteDesk very small PC.

  • [Solved] Renaming Interface Assignment...

    3
    0 Votes
    3 Posts
    488 Views
    F

    @f-meunier Thanks! I was hoping that would be the case, but better to know beforehand.

  • installed second gigabit Nic but can get past the firewall

    Moved
    3
    0 Votes
    3 Posts
    416 Views
    T

    @chpalmer
    Thanks for the reply.
    I've removed the old card and re-assigned the new card to my LAN. (To prevent confusion I only keep two cards in the server, WAN and LAN.)
    There is only one light on the 530t and none on the Insignia USB.

    Not sure if setting the speed is the problem; even if it was running at 10 MBs, I should be able to connect to the internet from my PC, but the only machine that seems to be able to connect to the internet with two 1000base NICs installed is the firewall server.
    Also, I do not see where I can change the speed. Nothing on the console menu, or on the dashboard (using a web browser to connect to the firewall IP address).

    I've even run an update from the menu after installing the card.
    Is there something that needs to be run from the pfSense dashboard when adding a new card, something like disabling pfBlockerNG and then enabling it?

    Is there a speedtest for the NICs, something that will show the speed the card is running at?

  • Talk Talk Fibre Broadband + pfSense

    4
    0 Votes
    4 Posts
    416 Views
    NollipfSenseN

    @cidk2 said in Talk Talk Fibre Broadband + pfSense:

    Default Gateway 62.2XX.XXX.XX, please edit and mask.

  • Cloudflare:443 in fw log...

    16
    0 Votes
    16 Posts
    2k Views
    M

    @johnpoz said in Cloudflare:443 in fw log...:

    just personally block all traffic to 1.1.1.1

    Floating rule, out WAN, quick, source any/any destination 1.1.1.1/any?

    Thanks

  • I225 NIC Interface Dashboard Question

    4
    0 Votes
    4 Posts
    598 Views
    stephenw10S

    Yeah, it shows the current link. You can see the available link types the NIC supports in the speed/duplex drop down in the interface config. Or ifconfig -vm igc0 at the command line.

    Steve

  • Simple VPN Server

    29
    0 Votes
    29 Posts
    3k Views
    stephenw10S

    OpenVPN is UDP by default so port tests against it will fail.

    I upvoted enough of your posts to get your 'rep' above 5. You should avoid the spam filter now.

    Anyway, glad you're up and running. 👍

  • squid proxy address

    2
    0 Votes
    2 Posts
    292 Views
    stephenw10S

    That's just the address the management page is using to access it for stats.

    Squid can listen on any interface IP it's configured for. In transparent mode it uses localhost like that and port forwards redirect traffic to it. You should still be able to access it directly on the interface IPs though.

    Steve

  • squid + Lightsquid

    3
    0 Votes
    3 Posts
    781 Views
    V

    @stephenw10

    thank you

    I was looking at WPAD right now. I hope everything will be fine.

  • Firewall log compression cause high CPU in pfsense

    4
    0 Votes
    4 Posts
    2k Views
    A

    @stephenw10

    Thank you for pointing out that my firewall is generating a lot of logs. I have checked the firewall logs and found out that my Home Assistant is causing the problem, because I have configured DoH blocking in pfBlocker, and this is what is being triggered. I have disabled the logging for this and that fixed the problem.

    Again, thank you so much for the big help.

  • 0 Votes
    6 Posts
    1k Views
    provelsP

    Can you just swap the LAN/WAN ports in the Interface assignments (and the cables) and see if the problem follows the swap?

  • no internet return traffic to ipsec tunnel?

    18
    0 Votes
    18 Posts
    2k Views
    stephenw10S

    Ok, so that's policy based IPSec (tunnel mode) at the pfSense end.
    I'm not familiar enough with PA to know if that screen confirms route based there. It does appear to have tunnel interfaces, which implies it might.

    The P2 policy you have configured there is only carrying traffic between the LAN subnet (10.3.93.X) and 192.168.5.0/24. Which means it isn't carrying traffic between 192.168.5.102 and 8.8.8.8, for example.

    I would confirm the PA is using route based IPSec and then switch pfSense to match. That way you can route whatever traffic you want across the tunnel.
    Otherwise you have to do this: https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-route-internet-traffic.html

    And that can be inconvenient because it often over-matches and pulls traffic over the tunnel you do not want to be.

    Steve

  • alias-subnet

    3
    0 Votes
    3 Posts
    538 Views
    P

    @stephenw10 said in alias-subnet:

    It's the default value for a DHCP Alias IPv4 address. It gets saved in the config if you save a change to the WAN but does nothing unless you actually have an alias IP address in there too.

    Steve

    Hello Stephenw10, thank you very much for the quick reply.
    I wish you a good day.

  • wake on lan via webgui

    3
    0 Votes
    3 Posts
    493 Views
    A

    @empbilly I don't know if you've tried this yet or not, but in the DHCP Leases page under the Status menu, you can easily (with a couple of clicks) add machines to the WOL list by clicking the little blue plus button in the Action column.

  • Linux apt update/upgrade stopped working

    25
    0 Votes
    25 Posts
    3k Views
    demD

    @maddy_in65 From what you've posted it seems like only outbound traffic to port 80 from the problem VLAN is failing. Maybe run grep ' 80 ' /tmp/rules.debug and look for something other than the standard "anti-lockout rule"?

  • Using a PFsense behind another PFsense

    8
    1 Votes
    8 Posts
    2k Views
    stephenw10S

    Yes, if both those pfSense instances are running an otherwise default config that will work fine.

    So if it's not, it's because of something you have changed.

    Firewall rules? Outbound NAT rules? WANs still using DHCP?

    Steve

  • NTP problem: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized

    9
    0 Votes
    9 Posts
    11k Views
    M

    Thank you @stephenw10 and @johnpoz this looks like it is working now.

    I assigned only one pool to NTP and now reach column shows 377 for four servers. So this is golden. Thanks again!

  • VOIP Issues

    7
    0 Votes
    7 Posts
    1k Views
    B

    @stephenw10 Thanks, Steve. I reinstalled Snort and turned off blocking. So far, everything appears to be working fine.

    Bert

  • PPP won't reconnect after outage

    12
    0 Votes
    12 Posts
    1k Views
    T

    Yes, I added the lines in the config. The PPP connection was established without problem and there are no errors in the log file.
    I haven't had an outage since then, therefore I couldn't test the reconnect part.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.