@tbattista Always power-cycle the modem, then connect the device you are testing with when doing these sorts of tests to flush anything the modem may have learned.
@stephenw10 having a managed switch that can mirror the traffic might be a great way to analyse where the problem is stemming from, although there would be some challenges as speeds approach 1Gbps, but given the low speeds reported, it should be sufficient to see what's really going on.

The entire running config can be backed up from Diag > Backup/Restore.

The file is /conf/config.xml if you're digging through the filesystem directly.

https://docs.netgate.com/pfsense/en/latest/backup/index.html

Steve

Hi Stephen. Thanks for your reply and interest.

How can I give the zabbix user rights to run nc? Anyway it looks like it already has permissions for that as I am able to get the nc help screen from the zabbix server. What I am not able to is to read the openvpn server socket. It also has permission to echo data as I am able to get the echo output from there too.

Is there any way to give the zabbix user limited permissions to the openvpn server socket? making zabbix root equivalent is not a good idea for a firewall so we should avoid this approach.

I had a Linksys CM3024 which became the star of a youtube video where we torched it. Way to flammable but I digress.. That was my first experience with the problems with the Puma6. I blamed the ISP for all our VOIP problems.

The original problem with traffic flow exhibited itself with UDP traffic. DNS suffered greatly. VOIP traffic also suffered as well as VPN connections over UDP. Many ISP's have pushed out updated firmware which has fixed those issues. But the other security issues still exist.

"It is a unpatched 0-day exploit that has no current mitigation with published code anyone can download and target other users."

"In addition to the DoS mentioned above, there's also a memory corruption DoS which causes a full modem reboot. The details of this attack have not yet been published while a patch is being worked on."

Yep. YMMV. :)

@netpok said in Detect missing IP address:

over 9000

😁

@stephenw10 Thanks, i found it under misc

Resolved. Thank you!

The old graphs worked just fine for me - while they were somewhat barren, they had the right information density and were fine to quickly figure out what was happening in the last day/week/month (and they didn't require me to set up and maintain yet another thing).

It would help a lot if the Monitoring page let me put multiple graphs on a single page (and maybe have a high contrast option, similarly to how VMWare ESXi's web UI has it - yes, the colours are ugly, but much easier to distinguish).

Ha, there's a reason that phrase is a meme! 😁

Steve

Not executable? What does ls -ls shown in /tmp?

Steve

heheheeh - this is true ;)

He posted his public IP, we could send him some - hehehe ROFL

There's no 100% safe way to do this, whatever you choose to run is untested and might have introduced issues. Only you will be able to test and fix that. Installing pkgs from other repos may replace a package we modify for pfSense with unexpected results.
If you really have to do this the safest way is probably to use bhyve.

Otherwise run pfSense and whatever else you need both as VMs in some other hypervisor.

Steve

Unless the ISP is routing the complete subnet to you, via some other IP, it's better to use individual VIPs.

Port forwarding is not necessarily any safer. By default it will add a linked firewall rule to pass the traffic defined in the forward. 1:1 NAT rules do not, you need to add firewall rules for the ports you need. So add only one port and the result is similar. 1:1 NAT also NATs traffic from the target outbound so if you need that internal host to appear to use that public IP for connection it initiates it can be the better option. You can also do that with a manual outbound NAT rule + a port forward.

Steve

Two main reasons besides simply; java 😬 :

You are increasing the attack surface of the firewall by running whatever that is you're running. Almost nobody else will be running that so any cracks it opens will be yours to find and fix.

That is not hosted on our repo so to install it you will be pulling packages from the main FreeBSD repo or worse some unknown 3rd party repo. Those may overwrite default packages with unintended consequences.
Will it upgrade to a new pfSense version? Who knows it will be completely untested.

As you say it's FreeBSD so you probably can do that but I wouldn't unless there was really no alternative. And there are alternatives.

Steve

It took a while, but I managed to make freeradius work, thank you all.

Netflix has asn of 2906 40029 55059 136292 and so on you can find it in .. then after that you can do the needed for that

@johnpoz

Given the steps required to install it, there's no way it could have been accidental and it's also not the first time it happened. There was another package that I hadn't installed for my UPS, IIRC. I also posted about that here.

Thank you. So many open items. Is it safe to assume that a production release will not be coming within the next six months?