@jimp Roger....Thanks

@stephenw10 said in New User to pfSense - some doubts: I think there has been some confusion here. Steve Well look at his quote. Thus he can answer for himself I suppose.. :)

https://forum.netgate.com/topic/143183/solved-cant-seem-to-get-my-apt-get-working-on-vm/7

@NogBadTheBad said in Does pfSense support SNTP: You still have to XMODEM IOS to a Cisco switch if there's no IOS in flash :) I think I saw that mentioned in my search for firmware updates. However, that would be a bit difficult to do without a serial port on that box. However, what is does to is create a web server, if the firmware can't be found. That web server can then be used to upload the firmware. I wonder if that gets turned on, when http upload is selected. I was using tftp, where I had to specify the IP address and file, but the missing firmware web server was 192.168.1.254, IIRC. I'll have to look into that.

@stephenw10 said in Cant seem to get my apt-get working on VM: Disable IPv6 on the pfSense LAN Thanks - It's resolved - I've disable DHCP 6 server and uncheck in my LAN interface everything is perfect now.

Did you inspect the pfblockerng.log to see what is done during that period?

Yes, that will work. pfSense sees it as any other WAN connection then. Steve

@jimp said in Bootup: Fatal Error Uncaught Error Stack trace: You can use the boot menu to select single user mode if you need to make those kinds of changes. Thanks

@OpenWifi said in How to stop throttling by my ISP: @chpalmer So how can i circumvent that How can you get full bandwidth from your ISP when they aren't allocating it to you? You probably cannot. But if you're using any old hubs in your network, moving to switches might help. What you're experiencing I believe is very common. This might help..... TomsGuide - What to do when your bandwidth is throttled

Just happened again. Devices using the native WAN interface as a Gateway stay unaffected. Logs (System --> General) show ntopng crashing: May 7 17:38:10 kernel pid 15404 (ntopng), uid 0: exited on signal 11 (core dumped) May 7 17:38:10 kernel igb2: promiscuous mode disabled May 7 17:38:10 kernel igb3: promiscuous mode disabled May 7 17:38:32 ntopng [HTTPserver.cpp:924] ERROR: [HTTP] set_ports_option: cannot bind to 3000s: Address already in use May 7 17:38:32 ntopng [mongoose.c:4584] ERROR: set_ports_option: cannot bind to 3000s: No error: 0 May 7 17:38:32 ntopng [HTTPserver.cpp:1104] ERROR: Unable to start HTTP server (IPv4) on ports 3000s May 7 17:38:32 ntopng [HTTPserver.cpp:1110] ERROR: Either port in use or another ntopng instance is running (using the same port) Logs (System --> Gateways) May 7 17:37:55 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr REMOVED bind_addr REMOVED identifier "WAN " May 7 17:37:55 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr REMOVED bind_addr REMOVED identifier "VPN1 " May 7 17:37:55 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr REMOVED bind_addr REMOVED identifier "SITETOSITE1 " May 7 17:37:55 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr REMOVED bind_addr REMOVED identifier "SITETOSITE2 " May 7 17:37:55 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr REMOVED bind_addr REMOVED identifier "VPN2 " Bold Italics edited by me Edit: ntopng is the problem. Every time I restart a gateway tunnel, ntopng crashes and NAT stops working. Here is what the ntopng logs are filled with: [Mutex.cpp:46] WARNING: pthread_mutex_lock() returned 11 [Resource deadlock avoided][errno=0] RAM had ~1600M free so not running out of RAM. CPU as I said was 100% on one of four cores at the time of this happening. I uninstalled ntopng for now as it was unusable. Edit 2: Totally not fixed. Seems to happen when I restart VPN2 but not always I think. WAN and VPN1 gateways always register as Down in Status --> Gateways even when they are up. ntopgn not the problem! VPN2 has a NAT port forward rule with it's corresponding Firewall rule, will try to disable that and see if anything changes. Will investigate more and report back. Edit 3: Seems to be fixed by selecting System --> Advanced --> Misc --> Reset states on Gateway down. I also had to add VPN1 Gateway in LAN Firewall Rules as Gateway as it would still not work with the Gateway set to default. I would like some input from someone if this is correct.

@tim-mcmanus thanks for confirming that the NIC board is not likely to be the culprit. My setup was working flawlessly giving me 450+ Mbps speeds on the LAN side. Thinking of what I may have changed other than regular updates to pfsense releases, only one thing comes to mind. I attempted to turn on a VPN server. But never completed it and recently deleted all items related to VPN server. Not sure I left something in there that's slowing things down - I don't see any alarming consumption stats in the dashboard. Links were also not showing any errors.

@TheGOP said in Bridging: physical interface bridge and VLAN bridges: Aruba 2930M you would have to double check but I do not think the 2930M supports VSF, which then you could do a mc-lagg... Pretty sure the 2930Fs support vsf...

For the route table to be consulted it would have to pass through the firewall. It's better to drop the traffic at the firewall. And using -reject is bad because that sends back an ICMP unreachable. If it's a malicious network, you don't want to send anything back based on their requests. What you want is -blackhole. And you can still add those on BSD if you want, but you have to supply a gateway: route add -blackhole -net x.x.x.y/zz 127.0.0.1 Or use the GUI and pick Null4 or Null6 as the gateway. I'd still just block it in firewall rules and forget about it though.

spamming - ie sending emails is not dns queries.

I managed Check Point firewalls for years starting with Nokia IPSO-based appliances and then later Check Point branded appliances. No custom chips in any of them. All were pure software. The IPSO operating system owed its origins to FreeBSD and Check Point's SPLAT (Secure Platform OS) and later GAIA OS were both hardened versions of CentOS/RedHat Linux with a Check Point authored software package on top. No custom hardware anyplace. In fact, l frequently used both in VMware virtual machines in my lab although the IPSO VMs were a bear to configure because Nokia did use a custom NVRAM chip to hold some configuration info and you had to fake that out in the VM. I did it by using FreeBSD 7.1 to create a very basic setup and then copying the IPSO image on top of it using dd. The biggest difference I see between pfSense and the Check Point products is the Check Point stuff can suck a whole lot more money out of the corporate treasury each year for maintenance and support contracts and licensing fees ... . Later Edit: After thinking about it some more, it would be unfair to suggest pfSense and Check Point are identical in every way. Each offers its unique advantages. For a large corporate enterprise network, Check Point does have some nice management features that pfSense currently lacks -- mainly Check Point's SmartCenter server and all the firewall deployment, management and log consolidation functionality it offers. You can do some similar things with pfSense and third-party tools, but it's not as clean at the moment. Of course that Check Point functionality will cost you a rather substantial sum (very quickly rising into the 6-figures range in US dollars). pfSense costs you exactly zero US dollars if you support yourself, and still is very competitively priced if you purchase Netgate support. However, out of the things I mentioned above, nowhere did I say that expensive product was any more secure than the free one. In terms of security, when managed by a competent admin, the free product and the expensive one are identical. The expensive one just offers some management conveniences.

Thanks, KOM. I have some success, am able to access a machine on the LAN side of the firewall from the WAN side using the static IP. My test machine (the workstation on the LAN side, that runs a test web server) is a VirtualBox virtual machine running CentOS 7.6 I installed fresh, for this purpose. It gets its IP from the pfSense DHCP server as 192.168.200.10, which is aliased to one of my available static IPs as you describe. I have ports 80, 443, and 22 forwarded, and they all work. There is one thing I learned after several hours of beating my head against the wall, which might help any other newbies trying to get this to work... DON'T FORGET TO TURN OFF THE #%$%$& FIREWALL ON THE LINUX WORKSTATION ON YOUR LAN!!! or the equivalent (Windows firewalls?) on whatever else you're using as a workstation on your LAN. :-( CentOS 7.6 (and I suspect most Linux distros) installs iptables or firewalld by default, and turns it on with a default set of rules. If you installed it as a workstation rather than a server, the default rules block server stuff. So, all my attempts were getting through the pfSense firewall just fine, only to be blocked by the Linux firewall in the workstation VM on the LAN. I went in there and said "sudo service firewalld stop" and by magic, everything started to work. Yeah, I know, this should be obvious. It totally got past me. :-( So for now I think I'm all set, until the next roadblock :-). Thanks for all your help.

@fernandopf I have had no success either. I could be my configuration: Media Server on VLAN 20 (10.2.10.200) Trusted Wired Clients on VLAN 25 (10.2.25.0/24) Trusted Wireless Clients on VLAN 30 (10.2.30.0/24) IGMP snooping enabled on my UniFi switch for VLANs 20, 25 and 30 IGMP Proxy enabled with Upstream being the media server Downstream being 10.2.25.0/24 and 10.2.30.0/24 Firewall rules enabled for IGMP from 10.2.25.0/24, 10.2.30.0/24 and 10.2.20.0/24 to anywhere with "Allow packets with IP options to pass" enabled under advanced options for each IGMP rule I have downloaded the latest IGMP proxy binary (dated April 30) from https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/latest/All/ Interestingly, the size difference from the latest pfSense 2.4.4-RELEASE-p2 (amd64) release and the snapshot is 130K (snapshot) to 39K (release). This has worked for some but no joy for me.

@jeff3820 Late post with no success either. I could be my configuration: Media Server on VLAN 20 (10.2.10.200) Trusted Wired Clients on VLAN 25 (10.2.25.0/24) Trusted Wireless Clients on VLAN 30 (10.2.30.0/24) IGMP snooping enabled on my UniFi switch for VLANs 20, 25 and 30 IGMP Proxy enabled with Upstream being the media server Downstream being 10.2.25.0/24 and 10.2.30.0/24 Firewall rules enabled for IGMP from 10.2.25.0/24, 10.2.30.0/24 and 10.2.20.0/24 to anywhere with "Allow packets with IP options to pass" enabled under advanced options for each IGMP rule I have downloaded the latest IGMP proxy binary (dated April 30) from https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/latest/All/ Interestingly, the size difference from the latest pfSense 2.4.4-RELEASE-p2 (amd64) release and the snapshot is 130K (snapshot) to 39K (release). This has worked for some but no joy for me.