• PMTUD doesn't work at all?

    14
    0 Votes
    14 Posts
    2k Views
    stephenw10S
    Nice result!
  • vpn router on 2.5.2 pfsense

    4
    0 Votes
    4 Posts
    612 Views
    stephenw10S
    @elmo1943 said in vpn router on 2.5.2 pfsense: The modem (pppoe provided) and both pfsense (192.168.20.1) and wrt3200 (192.168.132.1) are connected to tp108 switch (dumb switch) that allows pfsense and wrt3200 to 'share' connection. Ok those are different subnets (probably) so are those the LAN side subnets of each device? What is the pfSense WAN IP address? What is the WRT3200 WAN IP address? I expect those to be in the same subnet and it will be a private subnet because I do not expect your ISP to allow 2 PPPoE connections. Can we see a diagram? Steve
  • Openreach GPON, BT Infinty FTTP moden

    6
    0 Votes
    6 Posts
    828 Views
    stephenw10S
    @cxcmax said in Openreach GPON, BT Infinty FTTP moden: will try and not break it now :) Ha. Don't do that. Backup your config that works then try to break it. Learn what breaks it and what works. (and how to restore your config!) Steve
  • TP-Link AC1750 - What's wrong with LAN/AP?

    12
    0 Votes
    12 Posts
    1k Views
    L
    I always used separate interfaces in the past, I'm not sure why I didn't think of doing that with pfsense and that's what I'll be doing. Then I can allow only the ports I want and if someone ever gets in via wifi, they won't get access to much.
  • General Network setup error

    4
    0 Votes
    4 Posts
    518 Views
    stephenw10S
    Oh, sorry I should have seen that. Yeah .0 is the network address in that subnet, you can't use it directly. Steve
  • 0 Votes
    6 Posts
    750 Views
    stephenw10S
    What exactly is the cronjob you see? Is it: 0,15,30,45 * * * * root /etc/rc.filter_configure_sync That is added by having firewall rules with a schedule configured. If it's killing connections every time it loads it may be doing exactly what it's configured to do. Steve
  • Clone active SG-1100 to hot spare

    Moved
    2
    0 Votes
    2 Posts
    364 Views
    stephenw10S
    If it's really a hot spare you could configure HA sync to copy the config across whenever there are changes. It would be better to use a fully configured HA pair to avoid any downtime. The SG-1100 is not well suited to that however because of its switched interfaces. It could still be done though and it would failover in some situations, including manually failing over. Steve
  • pfSense Plus 21.05.2

    13
    0 Votes
    13 Posts
    2k Views
    N
    Just did mine (SG-1100). Zero issues, fast restart.
  • seems like hackers (1632679680)

    3
    0 Votes
    3 Posts
    404 Views
    stephenw10S
    Indeed. Check the rules on LAN for a rule named that. Also check the floating rules tab for anything that might apply to LAN. Steve
  • pfSense on WatchGuard XTM 810

    Locked watchguard xtm 810 install
    2
    0 Votes
    2 Posts
    1k Views
    stephenw10S
    Dupe post. Solved here.
  • Restoring a SG1100 using a .xml file

    2
    0 Votes
    2 Posts
    314 Views
    stephenw10S
    It's not the syslog process that is the problem, you can see that reports 'done'. It's whatever is next causing the issue. It's more likely the package reinstall process if you are restoring onto a box that doesn't have a valid WAN connection. There were a number of things put in to improve that situation though, what pfSense version are you restoring into? Are you in fact doing that without a WAN connected? Steve
  • Slow NIC port?

    22
    0 Votes
    22 Posts
    2k Views
    stephenw10S
    Aha! That would do it. They will be applied via a firewall rule on the DMZ interface. You will see it has advanced options set. Though your floating rule should have applied before that so check for other floating rules that might apply. Steve
  • Which Netgate device should I get for my homenetwork?

    8
    0 Votes
    8 Posts
    880 Views
    stephenw10S
    I mean I've hardware never tested that but I would expect it to.
  • Can't ping another Windows device on same subnet

    3
    0 Votes
    3 Posts
    383 Views
    CreationGuyC
    @nogbadthebad You're right, I'd delete this if I could. Windows doesn't normally do that but on this build it's acting up. Thank you
  • PPPoE network connection loss. Restart required

    16
    0 Votes
    16 Posts
    2k Views
    stephenw10S
    That output looks fine for the igb NICs. You might want to disable hardware checksum offloading in Sys > Adv > Networking. That will apply it globally. It should be fine on the Intel NICs but has been known to give problems on other hardware, like the Realtek. You appear to have bridged igb2 and igb3; they have IP addresses in different subnets which looks wrong. Steve
  • Scan to email errors

    4
    0 Votes
    4 Posts
    659 Views
    S
    @gertjan yes that is so
  • SG1100 - Disk Full - Help

    16
    0 Votes
    16 Posts
    2k Views
    stephenw10S
    @gertjan said in SG1100 - Disk Full - Help: By looking at the logs, one of the first things you'll find out is : what's in them. Yeah, if those are the things you're sending then it's almost certainly the firewall logs filling it. Really you should not be storing that data on the eMMC in an 1100. Apart from anything else you are going to be significantly increasing the write wear on the storage. That level of logging should be exported off the firewall to a dedicated log server. It could be that is what's intended and it's storing them locally unintentionally. Steve
  • Is Pfsense a unified threat management (UTM) software?

    11
    0 Votes
    11 Posts
    6k Views
    stephenw10S
    It's possible to run all those packages in 2GB of RAM but I would not recommend doing so. You have to tune them carefully to avoid exhausting the RAM. You cannot just enable all the signatures and lists in each and expect that to work. I run Snort and pfBlocker-ng in a 3100 as my edge here. But I use only basic ad blocking in pfBlocker and only the ET Open sigs in Snort (not in blocking mode). With that setup I could probably also run Squid (very carefully). But I would not!

    last pid:  2837;  load averages:  0.67,  0.60,  0.62  up 5+18:13:34  16:40:10
    81 processes:  1 running, 80 sleeping
    CPU:  0.0% user,  0.4% nice,  0.6% system,  0.0% interrupt, 99.0% idle
    Mem: 140M Active, 1285M Inact, 223M Wired, 84M Buf, 344M Free

      PID USERNAME  THR PRI NICE  SIZE   RES STATE   C    TIME   WCPU COMMAND
    52379 root        2  40   20  271M  248M bpf     1  182:38  0.73% snort
    73496 root        1  52    0  129M   49M accept  0    1:22  0.00% php-fpm
     3052 root        1  35    0  129M   49M accept  1    1:56  0.00% php-fpm
    67066 root        1  52    0  129M   47M accept  0    1:11  0.00% php-fpm
    42460 root        1  52    0  129M   47M accept  0    0:49  0.00% php-fpm
    81284 root        1  52    0  129M   46M accept  1    0:47  0.00% php-fpm
    38356 root        1  52    0  127M   46M accept  1    1:29  0.00% php-fpm
    45364 root        1  52    0  126M   44M accept  1    0:02  0.00% php-fpm
    12066 unbound     2  20    0   61M   40M kqread  0   23:14  0.00% unbound
    70717 root        1  20    0   46M   36M nanslp  0    3:57  0.04% php
     1390 root        1  20    0   89M   29M kqread  1    0:16  0.00% php-fpm
     4115 root       17  52    0   42M   21M sigwai  1    4:47  0.01% charon
    34517 root      157  20    0   64M   16M uwait   0    1:06  0.00% filterdns
    19905 dhcpd       1  20    0   13M   10M select  0    0:41  0.01% dhcpd

    That's with next to no traffic passing. However this may be a moot question since the 3100 is now EoS and unlikely to return. You would have to find one second hand at this point. Steve
  • Need some recomendations to buy SG2100

    4
    0 Votes
    4 Posts
    571 Views
    stephenw10S
    Ouch! We ship to Canada all the time and I've not heard of anything like that kind of delay. We also have partners in Canada you can order from: https://www.netgate.com/partner-locator#canada Steve
  • How to test your firewall ?

    5
    0 Votes
    5 Posts
    737 Views
    T
    Thank you all
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.