• Notification when the states table is filling up

    1
    0 Votes
    1 Posts
    185 Views
    No one has replied
  • CLI rule prioritization

    5
    0 Votes
    5 Posts
    616 Views
    M

    Thank you! I think that will work for me.

  • dpinger errors and apparent loss of internet connection

    5
    0 Votes
    5 Posts
    885 Views
    stephenw10S

    You should usually see two lines: one with ALARM when one of the thresholds is breached, 20% packet loss there, and a second with CLEAR when the line quality returns to normal, probably the 5% line you see there.

    Steve

  • PFSense on VM or dedicated T620?

    10
    0 Votes
    10 Posts
    901 Views
    C

    @provels said in PFSense on VM or dedicated T620?:

    @cheapie408 You could just hook up a LAN port of your Asus AC1750 to your LAN net to expand your WiFi.

    That's exactly what I don't want to do. I turned off the WiFi on the Asus so I can manage all my WiFi devices from the Unifi software.

    What's funny is after posting this message, the Asus stalled and I lost all internet connection. I had to power cycle the damn thing. This happened at least 3 times in the past 2 months and one of those times was when I was away. A higher power is trying to convince me of PFSense. 😈

  • Wired APs drop internet access but not LAN, help

    33
    0 Votes
    33 Posts
    4k Views
    L

    For sure.

    Thank you to everyone here. I appreciate the assistance. You have helped my sanity for the time being. pfSense is great and by far the best experience I've had with a router in any setting I've worked in, which isn't a whole lot. Still, I always recommend pfSense to anyone that has the ability to install and work with it.

  • 0 Votes
    4 Posts
    383 Views
    stephenw10S

    I don't know how easy that would be. You could open a feature request for it though: https://redmine.pfsense.org

    Steve

  • Is there work being done on bringing openvpn up to v 2.5 on pfsense?

    4
    1 Votes
    4 Posts
    542 Views
    G

    @BailsBails

    @BailsBails said in Is there work being done on bringing openvpn up to v 2.5 on pfsense?:

    Hi

    Is there work being done on bringing openvpn up to v 2.5 on pfsense?

    I have a user on OSX using tunnelblick which has recently started mcdvoice receiving warnings and I'd just like to know if there is any work going on at present to bring the openvpn server up to 2.5.X

    Thanks

    Bails

    Being a user on OSX, I used to wonder the same because I was having the same problem some time before when I was using it.

  • Pfsense keeps crashing

    4
    0 Votes
    4 Posts
    660 Views
    stephenw10S

    Download any crash reports you see. You can also check in /var/crash for old reports.

    Ah, yes I'm running a different theme on the box I was checking on. The Filter icon does the same thing.

    If you want a time range you need to use regex to specify it.

    Steve

  • gigabit wan download speed much lower than upload

    27
    0 Votes
    27 Posts
    4k Views
    stephenw10S

    And still bad when putting the Verizon router back in line? Or testing directly with a single client?

    Steve

  • Can't ping anything in LAN, everything else works?

    8
    0 Votes
    8 Posts
    778 Views
    stephenw10S

    That would do it if it was on the LAN interface.

    However you do need to NAT the internal subnets to the WAN CARP VIP on the WAN interface. Without that when it fails over the states will no longer be valid and new states have to be created.
    https://docs.netgate.com/pfsense/en/latest/highavailability/configuring-high-availability.html#setup-manual-outbound-nat

    Steve

  • PPPoE issues since 2.4

    20
    0 Votes
    20 Posts
    4k Views
    stephenw10S

    If the ISP supports v6 it may have sent that ACK in response to a config request. If your interface is not configured for v6 it would just have ignored it.
    Unless you are actually seeing a connection problem there I would ignore that. It looks like a harmless response.

    Steve

  • NTLMv2 Is Required For Secure Networks

    2
    0 Votes
    2 Posts
    606 Views
    johnpozJ

    Why can you not just LDAP to auth to your AD?

  • Solved - Verify pfsense-2.3.5

    5
    0 Votes
    5 Posts
    1k Views
    bingo600B

    It's strictly for a lab environment, on an inside segment.

    Bingo

  • Downloading torrents killing internet

    14
    0 Votes
    14 Posts
    3k Views
    A

    @stephenw10
    Yes, it helped, thanks for the tip.
    I started learning now about traffic shaping to see if I can do more to improve
    performance and just to learn about it for fun :)

  • Disk 109% full

    4
    0 Votes
    4 Posts
    712 Views
    bmeeksB

    @stephenw10 is spot on. On the LOG MGMT tab are settings for controlling the size of each active log and for retention of rotated logs.

    There is also a setting for controlling the maximum allowed size of the entire /var/log/suricata tree. Be sure to allow for some overrun when setting the size limit, though. This is because the log management feature is handled by a cron task that runs periodically to check on and clean up logs. On a busy network, there can be a lot of log growth that happens in between the 5-minute checks the cron task performs.

    Unless you have a quite large hard disk (say at least 30 GB or more), then enabling packet logging can be dicey on a busy network. You will need to limit the log size and particularly the retention (the number of old, rotated logs/files kept on disk).

  • How to securely configure access to two different servers?

    10
    0 Votes
    10 Posts
    907 Views
    stephenw10S

    Mmm, already watching. 🕵

  • Mobile VPN'd hotspot not working?

    2
    0 Votes
    2 Posts
    387 Views
    stephenw10S

    Yes you can do that. pfSense can run the OpenVPN client and route all traffic through it.

    But there are two issues that make it at least inconvenient to do this with pfSense.

    There's no good way to search for and connect to a wifi network from the pfSense GUI. You would need to 'discover' the wifi network on something else and then manually configure pfSense to connect to it. Or use some other device to connect to the wifi network.

    As you said, pfSense will just try to connect to that network to bring up the VPN. You would need to have at least one device that is not routed over the VPN or maybe a particular site you can access by IP that is not routed in order to be redirected to the captive portal login.

    Steve

  • System Log

    7
    0 Votes
    7 Posts
    779 Views
    NollipfSenseN

    @stephenw10 said in System Log:

    Mmm, I can't answer that without more research but it logs like that on every firewall I see. So whilst it may be a bit ugly it's nothing to worry about.

    Steve

    Thank you - Nolli

  • Email notification setup not completed the logs

    9
    0 Votes
    9 Posts
    899 Views
    C

    @kiokoman thank you so much for this tutorial. I will try this setup. Once again, thank you so much I really appreciate your help. :)

  • Multi WAN traffic shaper problem(LOAD BALANCE)::

    3
    0 Votes
    3 Posts
    431 Views
    stephenw10S

    If your WAN bandwidths are that different the first thing you should do is weight the gateways in the load-balance group so you get 5:1 connections using the ISP B gateway.

    Then a great way to set equal bandwidth per user is to use dynamic limiters based on a /32 mask.
    Unfortunately the screenshots have been lost from here:
    https://forum.netgate.com/topic/57476/per-ip-traffic-shaping-share-bandwith-evenly-between-ip-addresses
    The description is still good though.

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.