• Some questions please

    0 Votes, 40 Posts, 5k Views
    Finally had some time to test this.
    VPN Server via Asus - FTP download speed around 3Mib
    NO VPN Server - Port forwarding FTP around 5 Mib
    Now we also tried it with a higher spec router (instead of the AC-56U we used an ASUS AC-86U) and the speeds were only a bit better.
    VPN Server via Asus - FTP download speed +- 4 MiB
    No VPN Server - Port forwarding FTP speed +- 7Mib
    Now I just recently received my package from the US with the SG-1100 and am going to set it up at my friend's house and put the Netgate in the DMZ of his ISP Router (Non Bridged) and see what that brings us (speed wise).
  • 21.05 blocking TiVo connections for unknown reasons

    0 Votes, 29 Posts, 3k Views
    @sydgarrett said in 21.05 blocking TiVo connections for unknown reasons: @jimp Yeah, I shut down access outside my network a long time ago. Digging through things to see what might be setting up those rules. Found it. Even though I had shut down access, there was still an option in there to configure the router using UPnP that had NOT been disabled. Don't remember that option being there in the past but it has been a LONG time since I set up the server. Thanks SO much for your help on this. I consider this resolved (at least until the next update of something on the network :) ) Thanks!
  • Incorrect login/password on Windows browser, but okay on Android phone

    0 Votes, 2 Posts, 235 Views
    @bthoven said in Incorrect login/password on Windows browser, but okay on Android phone: Any suggestions what has happened
    Whatever it is, it's something we couldn't have seen. You are our last hope.
    @bthoven said in Incorrect login/password on Windows browser, but okay on Android phone: and how to solve it.
    The phone works, so make it useful: look at the log while you try to login from your PC.
    When I logged in with a browser, I saw:
    2021-07-02 16:56:23.047556+02:00 php-fpm 57272 /index.php: Successful login for user 'admin' from: 2001:470:1f13:5c0:2::88 (Local Database)
    Using another browser, from the same PC, using a wrong password:
    2021-07-02 16:56:48.427027+02:00 php-fpm 49571 /index.php: webConfigurator authentication error for user 'admin' from: 2001:470:1f13:5c0:2::88
    and a:
    2021-07-02 16:56:48.484064+02:00 sshguard 62299 Attack from "2001:470:1f13:5c0:2::88" on service unknown service with danger 10.
    a second one:
    2021-07-02 16:57:06.938048+02:00 php-fpm 49571 /index.php: webConfigurator authentication error for user 'admin' from: 2001:470:1f13:5c0:2::88
    Now comes:
    2021-07-02 16:57:06.938303+02:00 sshguard 62299 Attack from "2001:470:1f13:5c0:2::88" on service unknown service with danger 10.
    and a
    2021-07-02 16:57:06.938386+02:00 sshguard 62299 Blocking "2001:470:1f13:5c0:2::88/128" for 110 secs (2 attacks in 18 secs, after 1 abuses over 18 secs.)
    Now both browsers are 'locked out' as they use the same IP. The web server couldn't even update the page any more:
    2021-07-02 16:57:06.000000+02:00 nginx - 2021/07/02 16:57:06 [crit] 36881#100306: *273 SSL_write() failed (13: Permission denied) while processing HTTP/2 connection, client: 2001:470:1f13:5c0:2::88, server: [::]:443
    After a couple of seconds, my browser gets smart, and uses its IPv4:
    2021-07-02 16:58:12.118235+02:00 php-fpm 49571 /index.php: Successful login for user 'admin' from: 192.168.1.2 (Local Database)
    and that works.
    edit: this is just one possible scenario. Many others are possible.
  • 5.79Gbps across LAN

    0 Votes, 6 Posts, 752 Views
    @stephenw10 Just booted TrueNAS on a Dell R220 Xeon 1220-V3 16GB ram and linked directly to a Dell workstation with OM3, running Windows and Xeon 1230V5 16GB ram. 546+ SFP+ Mellanox cards.
    Results
    [ 1] local 192.168.2.1 port 57829 connected with 192.168.2.2 port 5001
    [ 2] local 192.168.2.1 port 57830 connected with 192.168.2.2 port 5001
    [ ID] Interval Transfer Bandwidth
    [ 2] 0.00-10.03 sec 5.57 GBytes 4.77 Gbits/sec
    [ 1] 0.00-10.03 sec 5.44 GBytes 4.66 Gbits/sec
    [SUM] 0.00-10.01 sec 11.0 GBytes 9.45 Gbits/sec
    Happy with that.
    This is interesting - I now did the same iperf transfer but this time removing the OM3 fibre and using DAC 2M copper and here are the results -
    [ 2] local 192.168.2.1 port 62289 connected with 192.168.2.2 port 5001
    [ 1] local 192.168.2.1 port 62288 connected with 192.168.2.2 port 5001
    [ ID] Interval Transfer Bandwidth
    [ 2] 0.00-10.01 sec 6.33 GBytes 5.43 Gbits/sec
    [ 1] 0.00-10.03 sec 4.61 GBytes 3.95 Gbits/sec
    [SUM] 0.00-10.01 sec 10.9 GBytes 9.39 Gbits/sec
    I ran both tests a few times and DAC consistently has a slower transfer rate.
  • How to map LAN host to IP Alias for DNS resolution (let's encrypt)

    0 Votes, 8 Posts, 732 Views
    @viragomann thanks brother, that worked.
  • config.xml corruption

    0 Votes, 4 Posts, 547 Views
    @wlp94611 You don't need a WAN address, as link local addresses are often used for routing. So, run that way for a while and see what happens later.
  • Cannot connect to the internet using static ipv4

    0 Votes, 6 Posts, 826 Views
    The problem was on the ISP side. All is good now.
  • pfSense proxy auth settings not applied

    Locked, 0 Votes, 7 Posts, 1k Views
    Maybe it's a problem with your credentials? See https://redmine.pfsense.org/issues/11867 for example. Otherwise we're going to need a lot more detail than "it doesn't work". For example, are any errors logged? Is the proxy seeing the connection? Is it sending the auth request to the proxy? It's also possible that you have a DNS problem preventing it from getting far enough to even make a request out to the proxy. Start your own new thread once you have gathered all of the relevant details, since it's unlikely to be related to this one directly as it's several years old.
  • How to schedule PfBlockerNG?

    0 Votes, 18 Posts, 2k Views
    Dear @nogbadthebad, Absolutely, I have to upgrade to DEVEL then. :) Regards, Mucip:)
  • WPAD + LIGHTSQUID

    0 Votes, 8 Posts, 1k Views
    @maria-1 Your firewall rules are all wrong. Normally on LAN you do not want it to be too restrictive or else your users complain that things they need don't work. With that in mind, you would usually block what you want blocked and then allow everything else. You are trying to do the opposite, where you try to allow some things and block everything else. Firewall rules are processed top-down, first match wins and no other processing is done. Start by putting an Allow All to Any rule at the bottom. Then start stacking your restrictions above it.
    I will go by your rules one by one:
    This won't be necessary since the Allow All rule at the bottom will handle everything.
    This rule is ok but could be better. Create a Port Alias called Admin_Ports and fill it with 22,80,443 and then use that alias in place of port 22 in your rule. That will allow only .21 to access pfSense via ssh or http/s. We will add a block rule later.
    Destination should be This Firewall if pfSense is your DNS server. There is a way to redirect all external DNS queries to pfSense if you want to capture all DNS.
    Add a new rule here that blocks LAN net to This Firewall.
    This rule allows anyone to reach port 80 on pfSense. Inter-LAN traffic does not go to pfSense at all, so this rule only takes effect when someone tries to hit pfSense via tcp/80. It's not necessary and you can delete it.
    This rule is useless. What you want here is to create a Port Alias called Web_Ports and fill it with 80,443. You then create a block rule that blocks everyone from accessing anything via Web_Ports.
    Useless rule that should be deleted.
    Before, you were not blocking tcp/443, which is https and the way 99.999% of websites are served now. With tcp/80,443 blocked, nobody will be able to access any websites except through the proxy.
    You can create an IP alias to hold IP addresses of people allowed to bypass the proxy such as admins or management, and then create a rule directly above your tcp/80,443 block rule to allow that alias to access anything.
  • PfSense behind ISP modem/router combo

    0 Votes, 26 Posts, 4k Views
    @cmos_battery One thing to bear in mind is there's nothing magic about VPNs. They're just one way to establish an IP connection between sites. Once they're set up, you use them as you would any other connection. Years ago, things like frame relay and fractional T1s were used. These days, out in the real world, you might come across MPLS or QinQ VLANs. As for setting up VPNs, you have to know which one, and the specifics depend on the brand. For example pfsense supports OpenVPN, IPSec and Wireguard VPNs. But the details of configuring IPSec, for example, on Cisco would differ from pfsense. I don't know that a class such as yours is the place to learn more than general principles, though you may get into setting up one. But when you get out into the real world, you could easily find yourself working with another. The principles will remain the same, but the details may differ and you'd be expected to work those out on your own. One thing I complained about years ago was the schools teaching Windows and Microsoft Office, rather than operating systems and office apps, so that a person would have portable skills. It's sort of like an auto mechanic class teaching only one make of vehicle, as though the others didn't exist.
  • Leak causes full filesystem - how to identify?

    0 Votes, 7 Posts, 806 Views
    @keyser @bingo600 After some additional digging it seems it's not related to Zabbix but rather the unbound resolver in combination with pfblockerNG-devel 3.0.16. I started suspecting unbound because "top -SH" in I/O mode (press m) showed that unbound was constantly doing disk I/O. I'm investigating further for now, but stopping pfblockerNG (which stops and reconfigures unbound) releases the allocated diskspace, which then returns to the 25% it should be. Maybe it's something related to the new python integration in pfblockerNG and Unbound. The issue must have arisen when I upgraded to 21.05 from 21.02. I'll close this thread and create a new one under the pfBlockerNG forum.
  • LAN Interface keeps going Down and Up

    0 Votes, 4 Posts, 1k Views
    @steveits Yup. Unfortunately RealTek holds a huge market share for NIC chips, including in embedded devices and IT appliances, and in my case, the integrated NICs on the motherboard I'm using. Hard to avoid, therefore perhaps should be better supported in FreeBSD. I'm no stranger to FreeBSD and they are notorious for seemingly arbitrary and sudden driver breakages after updates and I'm not entirely convinced the problem wouldn't happen to Intel one day either. Unless they've decided that's the only card they test - which would be short sighted. Too bad this has to run on FreeBSD and not Linux but I do understand why.
  • No traffic on WAN, gateway status down, errors "arpresolve: can't allocate llinfo for <WAN IP> on igb1"

    0 Votes, 2 Posts, 389 Views
    @dlogan said in No traffic on WAN, gateway status down, errors "arpresolve: can't allocate llinfo for <WAN IP> on igb1": I have a WAN configured on IGB1 of an SG5100.
    How? PPP, DHCP, etc? Some hints on this in the logs?
  • WAN interface cycle thought down and up state

    0 Votes, 15 Posts, 955 Views
    Hmm, not sure why the ix NIC doesn't see it then.
  • port 443 - wan to lan

    0 Votes, 3 Posts, 412 Views
    That's a firewall rule and the destination is a public IP. You need a NAT rule too, and that changes the destination to the internal target IP for the firewall rule.
    https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#adding-port-forwards
    Steve
  • Auto config backup fails

    0 Votes, 1 Posts, 282 Views
    No one has replied
  • NIC periodically stops working until reboot

    0 Votes, 6 Posts, 683 Views
    @cza There is the ifconfig command to shut and open an interface, which might help. However, I also suspect it's a hardware issue.
  • Pfsense 2.5 stacks at boot with dots

    1 Votes, 60 Posts, 14k Views
    @dilligaf said in Pfsense 2.5 stacks at boot with dots: I also fully understand already that ClamAV isn't going to see encrypted traffic.
    What I should have mentioned, where I wanted to go: ClamAV will see the traffic that all the processes read and write to disk. What if some key word(s) in this traffic (the config file to be written) doesn't please ClamAV? Is there a way, as any (many) anti virus can do, to exclude this file from being scanned? Does the issue exist with ClamAV running and not with ClamAV stopped?
  • https transparent proxy

    0 Votes, 3 Posts, 330 Views
    @mrjoli021 If you plan on inspecting https traffic using squid, that's not possible without doing a MITM unencryption of the traffic, and even then your users are going to see warnings in their browsers even if you install your own certificates. This will just alarm your users and flood you with complaints. If you want to reduce the chances of your users connecting to malicious sites, configure DNS to use the Quad9 servers.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.