@stephenw10 Thanks

@stephenw10
Thank you so much Steve. Completely explains what I was observing. I just did a test and confirmed that it is working as expected. I also had an error with how I had configured DNS which was confounding things even more.

Basically there is no need for me to doing anything other than the default behavior. As long as the connections eventually end up going out the Comcast gateway all is good

Thanks!

Agree with @stephenw10 - there are few issues with just certain models of Intel cards, but overall they are pretty solid it. Chelsio support is also quite good for FreeBSD - which card are you using? Also, have a look at this link:

https://bsdrp.net/documentation/technical_docs/performance

Next time you see the interrupt storm messages occurring, try running "vmstat -i" from the command line to track down the culprit device (interface).

Hope this helps.

Thanks for the fast response!!

@NogBadTheBad Thanks, for support

Well it is up to the ISP device to provide reasonable support for a customer-owned firewall device while still providing the necessary IPTV, etc functionality.

That blog post is wrong (at least partially 😉 ). You should add that to /boot/loader.conf.local to avoid it being overwritten.

See our intructions for that here: https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html?highlight=kern%20vty#upgrading-from-versions-older-than-pfsense-2-4-4

Steve

Yes, if you create a single interface bridge and use that as the VLAN parent you can set a MAC address for the bridge.

I've never tried more than one though.

Steve

I confirm. All virtual NICs were connected to one switch, this switch was not connected to physical NIC of course.

Now I have recreated the setup. Each virtual NIC is connected to separate virtual switch. Problem is gone.

Thank you for your help!

@johnpoz
ok, i didn't understand where to look.

but now i have new problem. the sg-1100 seems to have failed. i t seems to be completely dead. the pwr light comes on but none of the ports do anything. i tried connecting to the console via putty, no response. also it doesn't get warm any more.
i emailed support to see what to do.

It's not an nmap package problem, but a general problem that affects several packages the way they display output from certain utilities: https://redmine.pfsense.org/issues/8502

It's been a while but the Business Hub was BTs device they gave you if you ordered a subnet of static IPv4s as well as some other "business" features. But I think it used a numberless PPP connection or something similar to give you the entire subnet on the LAN which pfSense cannot replicate.
That may have changed, it was a few years ago I hit that.

Steve

I know I had some trouble with my DHCP address that if I made changes on the physical or hypervisor side, pfsense would not pick up the changes without a restart. Though I have since rebuilt the pfsense VM and am not having this issue on this install. I made the DHCP address as WAN1 instead of WAN2, not sure that it made a difference or not.

If you are using putty in Windows (or Linux) you can just enable logging there to get a file directly. Most terminal clients will have enough scroll back anyway to just copy and paste it out.
You would need to just leave it connected and wait for it to reboot unless you are able to predict when it will happen.

Steve

Here is a rule I setup (but it's currently disabled as you can see from the screenshot) to keep 1 single device from accessing anything off it's own subnet, thru the firewall. In my example, the host at 10.0.1.116 is blocked to any destination.

Screen Shot 2019-10-30 at 2.17.13 PM.png

Like @johnpoz says, you have to have this rule above the default allow any to any rule.

Jeff

Maybe if it's sending enough queries to be limited.