• VPN IPsec with various Phases 2.

    0 Votes
    1 Posts
    211 Views
    No one has replied
  • Why does my pfsense DNS give non-local NTP servers

    0 Votes
    14 Posts
    2k Views
    JKnott

    @JKnott

    I now have a stratum 2¹ server on my pfSense firewall. One thing I've noticed since switching from pool.ntp.org, is that the clock on my computer appears in closer agreement with a WWVB radio clock I have. When I was using pool.ntp.org, my computer seemed to lag the WWVB clock by a half second or so. Now it appears the same, at least as close as I can tell by eye.

    pool.ntp.org provides stratum 2, which means pfSense provided stratum 3. TorIX provides stratum 1, so pfSense can be stratum 2.
  • Not all devices are listed in DHCP

    0 Votes
    11 Posts
    3k Views
    F

    @johnpoz said in Not all devices are listed in DHCP:

    If you just pinged it from pfsense, it would be in the arp table!!

    it worked
    Thanks

  • Massive change users exp.date

    0 Votes
    3 Posts
    355 Views
    nnicola82

    If there are no other alternatives to edit the exported XML file, e.g. with the 'sed' command directly from the console, I can try only this way.

    Best regards, thanks!

  • pfSense group edit

    0 Votes
    4 Posts
    721 Views
    NollipfSense

    @fireix It seems that Ansible or Puppet, which are open source applications, would work for you since it appears you're not shy about using the CLI (like me). Ansible uses SSH whereas Puppet (from OpenStack) uses a user agent installed on the client's box. Let's hope more senior members will follow up.

  • 0 Votes
    17 Posts
    4k Views
    DaddyGo

    My opinion is that FreeBSD is one of the best choices for NGFWs, due to the distinctive behavior of the OP system itself.
    However, you can't run it cleanly on FreeBSD, so like pfSense, sticking to the parent basics (FreeBSD), you need to implement a different philosophy = pfSense.

    NollipfSense /
    I agree with you that the future belongs to the VM, but we still have a lot to learn in this area.
    What is currently worrying is that only mirror solutions can create large stability systems.
    I currently work for a world-wide insurance company, in the current unfortunate situation (COVID), more than 8,000 employees work from home on a VM basis.
    It works, but 25 extra mirror servers have been set up in 15 countries to eliminate any possible problems.
    Virtualization is a wonderful part of the IT world, flexible and I hope there will be more and more serious availability.
    (I started with Windows NT servers and Win 3.1 has changed a lot since then :-))

  • 0 Votes
    3 Posts
    519 Views
    nzkiwi68

    @bmeeks Thanks very much for the answer. I did try to download the patches and test, but not apply, and saw that it wasn't going to work from the patch test.
    Hence the post asking.

    2.4.5-p1 - I shall have to wait.

    Thanks again.

  • pfSense VM latency and WAP performance issues

    0 Votes
    22 Posts
    4k Views
    bmeeks

    @firerobin said in pfSense VM latency and WAP performance issues:

    @bmeeks Thanks again for the info. I'll ask around in neighborhood forums to see if anyone else is having issues with their xfinity connection. Hopefully I can find someone as knowledgeable as the folks in this forum, but then they'd probably already be on top of the issue 😬

    Would this problem be as noticeable if they have a higher bandwidth service plan?

    If you have issues with the node you are served from, a higher speed tier is not likely to help. An overloaded or malfunctioning node would be expected to affect all speed tiers. The one exception might be if they moved you to another node for a higher tier, but that is extremely unlikely as the node serving you is usually fixed due to the realities of coax cable routing on the poles.

    To test and make sure a saturated uplink is not your issue, play your game at a time when you are 100% certain nobody else is using your Internet connection but you and your gaming machine. No streaming or anything else going on. If you have problems then, it is likely to be an upstream ISP problem. If you have no issues, then somebody really loading up on downloads can hurt your gaming and ping times as all the ACKs from the busy downloads can eat up the upload bandwidth.

  • Adding second network, 10.0.0.0

    0 Votes
    20 Posts
    2k Views
    L

    I think I'll just add a couple more interfaces and do it that way. I got to thinking about how I might be able to use the separate LANs anyhow.

    Thanks to all for the input.

  • 0 Votes
    4 Posts
    461 Views
    stephenw10

    Sure you can apply a schedule to a firewall rule so it only applies at certain times:
    https://docs.netgate.com/pfsense/en/latest/book/firewall/time-based-rules.html

    I'm not sure how that would help filtering different groups of users though.

    Steve

  • VoIP phones that will not register behind a PFsense firewall

    0 Votes
    16 Posts
    3k Views
    T

    Hello together again,
    creepy. Two days ago my PFSense wasn't able anymore to connect in any way to my CG VPN Service. Always "decompression failure" or something like that appeared.

    The final solution was to change from adaptive LZO Compression to OMIT Preference. Then this connection worked again.

    And what started to work as well? The VOIP Connections. I don't know how this belongs together, but now I can register like always my softphones and make calls. I think we would have searched years to find this out... But well, fortunately finally now it works again. That is the most important!

    Thanks again anyway for the interesting information you posted here and the support you gave!

    Have a nice weekend

  • Adding PPA gets routing/redirect error

    0 Votes
    3 Posts
    608 Views
    S

    @stephenw10 I just tried it again and it works. Looks like they finally updated their certs. Thanks for the help!

  • PFSense Private network interface disable very frequently

    0 Votes
    12 Posts
    1k Views
    C

    Hello..
    If someone gets a similar issue, please try disabling LACP strict mode.
    It worked in our case.

    All the best

  • Changing interface name crashes dhcp

    0 Votes
    6 Posts
    643 Views
    stephenw10

    Do not post them directly here! There is quite a lot of stuff in the config you probably don't want public.

    You could use the redacted config from the status_output file. Go to <your firewall IP>/status.php to get that.

    But even that has your public IP etc. We probably only need the interfaces and dhcp sections as I said. That should show any mismatch if it's happening.

    Steve

  • Unknown Android Device

    0 Votes
    13 Posts
    1k Views
    P

    The device must have come from those who have access to your LAN...either household or guest. I even believe your Alexa uses Android. For sure, pfSense has NOTHING to do with this issue.

  • Firewall Rule Logging (for PERMIT Rule)

    0 Votes
    5 Posts
    409 Views
    A

    @stephenw10 PFsense is definitely logging events (within the Firewall log view).

    Currently, the log is only showing the denied traffic.

    Based on the timestamps, it looks like I am not encountering a DoS attack.


  • LDAP

    0 Votes
    4 Posts
    583 Views
    stephenw10

    How are you testing? From Diag > Auth?

  • Change interface assignments: effects on firewall rules

    0 Votes
    3 Posts
    303 Views
    C

    That's helpful, thanks. I am recreating the rules on pfSense B, rather than trying to import them.

    pfSense B currently has two em NICs but I will be adding two vmxnet NICs in the next maintenance window, then two more in a future maintenance window. I will be watching for reordering as they are added.

  • WAN Permit Inbound All Traffic

    0 Votes
    4 Posts
    457 Views
    stephenw10

    Yes, I completely agree with that. Having pfBlocker create aliases only and assigning them yourself allows you to see exactly what's happening. That's how I use it.

    Steve

  • pulling my hair out: single website cannot access on one system

    0 Votes
    2 Posts
    274 Views
    stephenw10

    Try a port test to the site from pfSense. That should work though if other clients behind it can access the site.

    Run packet captures to see what's happening. Is traffic for the site actually arriving at the internal pfSense interface?

    Is it leaving the WAN? If not where is it leaving, if anywhere?

    I assume you do not have Snort or Suricata running?

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.