@stephenw10 I did some more detailed and precise testing this morning now that I'm not scrambling to close some holes due to over permissive rules. I was mistaken, so sorry for the false alarm. I've also learned something important about the 'This firewall (self)' target - that it has much wider scope than I had realised. Useful for block rules, somewhat less so for for pass rules! I've switched to XXX address or XXX subnet for a few rules and all is now good again. Guess I should have RTFM more carefully.

@bigsy I kept the tunables for now. CPU usage seems a bit lower when using Speedtest.net under max load and I seem to be achieving higher speeds. Especially upload was much higher. Will need to some more testing.

I provide a /24 subnet on IPv4 and /64 on IPv6. I also have the 3rd IPv4 octet match the IPv6 prefix ID. However, this is more for convenience than technical reasons. I also use the same number for the VLAN for my guest WiFi.

@stephenw10 surprisingly it's on both, however I only have to edit then save on the primary and the service starts on both

@johnpoz said in What rule blocks this ?!?: short block You mean an invalid short packet? Edit: Oh the log reason is 'short'. Hmm I don't think I've ever seen that before. Yeah it's doesn't have to match a rule so no id etc.

Thanks Guys... that explains everything. The other drive is a M.2 Samsung 250GB, worked OK on that.

So you're seeing the boot process on a screen attached to the device with a CVGA/HDLI cable ? The kernel boot probably switched over to the serial USB console from that point on, so nothing shows up on the screen anymore. This might help you : Troubleshooting Boot Issues. @basketball superstars said in Keyboard stops responding after booting: is due to needing to disable DHCP You disabled the DHCP server on LAN ? Thanks for your answer. I got it.

Hmm, so is that shown in the main system log? It may just not be in the console log.

Ah, that's fun*. Not currently there isn't, either source or a way to suppress it as far as I know. We are adding more refined logging output now.

Hmm, I'm not sure why you would need NAT there if each site is advertising the correct subnets. But yes that would be a problem if you needed to do it. In pfSense you need to assign an interface to apply NAT on it.

@stephenw10 Yeah that's what I'm thinking, maybe the ONT itself can't handle it or something along those lines. I know many ISPs do throttle torrents, but you'd usually see that as the torrent traffic itself having higher latency and stuff, not just dropped packets on the entire connection, though it doesn't appear the later is unheard of. Pretty confident at this point it isn't pfSense, so at least that's good. May also see if my ISP can get a tech out, after I test both VPNs and possibly direct fiber connectivity instead of the ONT.

@ahole4sure said in SSH with public key and new macbook pro: could you possibly send a screenshot of what all is in your config file? :) ... no, I can't do that. It is full of information not to be shown in public. But I can paste an example and you'll find a lot on the internet. Include ~/.orbstack/ssh/config # my firewall, e.g. pfSense, non-standard port # and specify which ssh private key to use Host firewall-at-home 192.168.1.1 User root Port 20022 IdentityFile ~/.ssh/id_rsa HostName 192.168.1.1 # my Synology DS920+ Host ds920plus User admin # default settings for hosts not matched # in above rules Host * User jane

Do you see blocked traffic on secondary? It sure looks like it's failing to authenticate there. Are you using a complex password? Are you using the admin user for the xml sync?

@stephenw10 Thanks. I monitored the WireGuard traffic on the underlying interface at the same time and sure enough every 15 seconds the remote peer sends a 32 byte UDP packet. This ties up with the client's setting 'PersistentKeepalive = 15' so it is just the keep alive traffic. Mystery solved.

They are still coming into the WAN just without the :5 octet?

@stephenw10 No it doesn't install a 3rd party repo. However... it could possibly Mess with shared libraries (libmd.so, libssl.so, etc.) getting replaced or misaligned. Create conflicts in /etc/rc.conf, init scripts, or pkg metadata. OS version expectations (pkg or pfSense-upgrade behaving strangely).

Hmm, well hard to be sure I'd guess that Unbound was restarted when pfBlocker updated and then failed to restart for some reason. However that wouldn't prevent pinging 8.8.8.8. So another possibility is that one of the pfBlocker feeds had some rogue entry blocking far too much when it updated.

@stephenw10 Thank you. I will do some research on this option

Skipping the untrusted certs there is expected in any install. CE is not supported in Azure.

Yes upgrading CE in Azure is not supported. And that includes to Plus. The only supported deployment in Azure is from the tested Netgate image.