@gimpymoo

I have a custom built appliance, specs as below:
Intel G5400
4GB RAM
SSD
Intel Dual GB NIC

If these are still your system specs, simply swapping the Intel Dual GB NIC for something like this will do it. Unless you've got extra card slots, then just add one for some extra ports.

https://www.newegg.com/p/pl?d=intel+x540+dual+port+10gbe+nic

Just watch out for counterfeit cards...

@stephenw10 Sure I can grab it and put on a test box but it will take a day or so. I will post back here as soon as I have an answer.

No problem. If you're able to test it I'm sure others would find that useful. 👍

@stephenw10 said in Router setup for weirdos like me:

@fireix said in Router setup for weirdos like me:

Ok, so you mean that it is the best solution?

That's what I would choose over anything else if it's available.

You absolutely can configure pfSense as a transparent firewall if you need to it just requires some care. There is no 'transparent mode' button. It's easy to lock yourself out if the firewall if you don't have a separate management interface.

Steve

Having a seperate IPMI-network comes in handy in those situations :)

For not-that-technical users, I would think it would be a very welcoming thing to have an easy method to enable transparent fw. But having tons of public webservers maybe not the exact average users do.

Thanks for your help and advice :)

You can do that in the gui cert manager now too.

Screenshot from 2022-04-24 21-15-37.png

Steve

Many thanks @stephenw10 for replying to my query. Sorry for replying earlier. I coudn't get back due to a mishap in family. The issue was finally resolved. I was due to fault in the ONT provided by the ISP. The bridge mode was not working properly. After follow up with ISP, they replaced the ONT and it worked.

Thanks again for you time.

@marzdor said in Not getting same speed as isp router:

I unplugged the cable from the WAN and put it in the OPT port and it showed up as 1000

Mmm, that in combination with the fact both ports are configured the same starts to look like a problem with the port.

Open a ticket we might have to reset your NDI manually if your install is not pulling the cert correctly.

https://www.netgate.com/tac-support-request

Steve

@jknott I think the Netgate 1537 does 10 gig RJ45 WAN & LAN. I can going to call there sales dept Monday to see if that would be a soultion.

Traditionally things were put in /conf for that because, many years ago, it was shared between boot slices. That doesn't apply any more but custom files are often put there. I would expect /root to be fine though, I've had custom things there for years.

Steve

@stephenw10 Thanks that helped. Once I enabled UPnP it worked.

Thanks for the suggestion. I'm not sure how often pfsense scans for the ip address for the WAN, but 8/10 times it will finally get a legit ip address, sometimes taking several minutes to register when I power down/up my modem.

There is a patch for 22.01/2.6 to fix the outbound NAT (masquerade) function of miniupnpd you may want to test:
https://forum.netgate.com/topic/169837/upnp-fix-for-multiple-clients-consoles-playing-the-same-game

It's in the recommended patches list in the System Patches package.

Steve

Thanks for following up. That could save someone else a lot of time. 👍

@panzerscope said in Editing loader.conf:

@bmeeks

Thanks guys. So it was indeed Snort. Removed it, and the logging went away. I have since installed Suricata and so far so good. Looks like high volume traffic through the WAN is not producing any queuing issues which is awesome.

Thank you for the feedback. Hopefully this thread may help someone else in the future with a similar issue.

I'm glad Suricata seems to be working better for you. I collaborated with the Suricata upstream team to add the multiple queue support for netmap back during the summer of 2021.

Just be aware that using Inline IPS Mode (which requires netmap) will cause some issues with certain other pfSense/FreeBSD features. First and foremost, limiters and shapers are not currently compatible with netmap. Secondly, VLANs do not always work well. It depends on the exact configuration. When using Inline IPS Mode, you must run the Snort or Suricata instance on the physical parent VLAN interface.

@stephenw10 Thanks for the tip, I reinstalled the software

No, it's not restricted by license.

Steve

Yes, the 2100 is arm64 and from 22.01 can run ZFS.
The 3100 is 32bit and cannot.