Thanks both, that is definitely what's happing, as like bigsy I have an account with Zen. So the answer to my question is no there is no simple way of making my ports stealth . Project abandoned.

I tried adding rules to see if they would make any difference which they did not so I will remove them. The implicit deny rule I have added would stop anything internally using those ports anyway.

I put an extra implicit deny rule in to monitor any network activity I was not expecting. I presume like most firewalls I have worked on there is an invisible deny rule anyway.

Thanks for the help

@GunerX Try to temporary disable "Block bogon networks":
Screenshot from 2020-07-20 08-18-10.png
and run /etc/rc.update_bogons.sh (without force) again

@BocajPF

You need 1 NIC on the WAN side. You set up rules according to what you want. You haven't said anything about what you're doing. For example, do you have enough public IPs for all your hosts? If so, then you'd create a subnet for those addresses and not worry about NAT.

For example, on IPv6, I get 256 /64 prefixes. Each /64 can be used for a LAN or VLAN. So, on my network, I assign 1 /64 for my main LAN and another for my test LAN. This config means I have a 2nd NIC for my test LAN, in addition to the 1 used for the main LAN.

Without knowing what you're trying to do, it's hard to tell you how to do it.

You could always try this:
https://forum.netgate.com/topic/64735/speedtest-cli-run-speedtest-on-pfsense-box
If I was able to figure it out anyone can. But not as easy as clicking "+Install" ...
That said, a speedtest should be run from a client and not the FW. That's what I do.

0da1b89d-5921-495f-9dcd-8437fc2c0531-image.png

932e0062-0825-4902-8c0b-f44841651d5c-image.png

@jim0266-f said in Upgrading to 2.4.5 hosed my install:

Time blends...

Singing to the choir there buddy ;)

And the older you get the faster it goes too... I was like it can't be 20 years - can it??? NFW ;) hehehe Had to double check to be sure.. And I was like whew.. Ok it hasn't been that long. heheeh

Thsoe IPs are in the WAN subnet (assuming they are real or representative) they can't be used directly internally.

A WAN VIP and 1:1 NAT is the correct way to this if they need to have those downstream routers. They might insist on it if those are separate clients for example.

Otherwise you could just have separate VLANs weth pfSense handling the subnets and the clients there directly. Just use a different outbound NAT rule for each to get different public IPs.

Steve

@Farisse

you welcome 😉

@molepy,

Thanks for the reply. What I am currently using works, but is VERY KLUGE.

I hate that it kill all states, but that is the only way to make it work.

Phizix

#2 there sounds like the expected behaviour with the CSRF check. That has been present for a long time but it was not obvious what was happening. In 2.4.5 a custom page was added that provides feedback: https://redmine.pfsense.org/issues/9799

#1 Obviously should not happen. It can take a lot longer to complete tasks if the firewall has no WAN connection and is trying to use one, such as if you have ACB configured. I've never seen it take 15mins just to complete the wizard though.

#3 Is it possible you are doing that before completing or escaping the initial setup wizard?

Steve

No, I don't believe that's possible. If the user has sufficient privileges to access vtysh they will be able to access pfSense.
At least using the built in user priviledge management.

I guess I could imagine a user who's default shell spawned vtysh.... 🤔 It would probably be relatively easy to escape though.

Steve

That should work fine. I'm not sure if I've seen that specific switch but LACP to Microtik is quite common.

What about if you assign the lagg port dircetly? Can you pass traffic without the VLAN?

Steve

@StarsAndBars said in Buffer Bloat Mitigation w/o speed impact?:

@chpalmer Thanks for your response. The Cable Modem provided by the ISP is a Hitronic CGNM-2250 and as it is a business-class account, I do not have the luxury of selecting my own.

Since this is a Puma6 model modem keep in mind that it has some issues.. http://badmodems.com/

Make sure you have no UDP traffic going on while you are testing.. Some modems have various patches in place but depending on the ISP some do not.. UDP traffic can be quite the problem for these modems to handle.. VOIP, video, gaming ect..

If you are a Comcast customer then the only reason they will not let you use your own modem as a commercial customer is if you have purchased static IP's from them. Otherwise we do it all the time. I would bring up the Badmodems site to your ISP and see if they will give you another Broadcom based model..

Thank you! 'State Killing on Gateway Failure' was set and did not need to be. I'll have to wait for the next time the VPN goes down to be sure it solves my issue, but it looks like it should.

Yes, more information required.

Are you replacing the Microtik device with pfSense?

What is the WAN connection type?

Steve

Hey everyone.
So.
I've managed to get everything working.
I am using TalkTalk Faster Fiber
This is my setup now:

TalkTalk ISP wall box
-> RJ11
Draytek Vigor 130 Modem

Had to log onto it and manually configue it to be in Bridge mode)

-> RJ45
pfSense SG1100

IPv4 and IPv6 configured as DHCP

I hope in the future this will help people who had the same questions I did!
Cheers

@Raffi_ said in Losing WAN connection intermittently:

A can of compressed air held upside down does the same thing.

óóóó, the blessed physics and the expanding gases 😉

ok thanks i will just leave it.

cheers for the advice.