Did it work just connected directly behind pfSense then?

Steve

Very cool. I have a synology NAS. Thanks!!!

Just to report back, in our situation the upstream Zyxel modem had features to block ping, probably to mitigte DoS:

0_1551958166307_problemi_monitor.png

Disabling this stuff fixed gateway monitoring

Hello,

yes I edited manually by adding that to an <earlyshellcmd>

Anyway, now i created a new gateway via WebUI , i checked the box to say that gateway is not part of the wan network, deleted my earlyshellcmd, rebooted and yes now it is working.

I was used to put all my initial route and the way to reach the gateway onto the earlyshellcmd as i was not aware of this options, maybe this option is quite new.

Anyway before version 2.2 it was working find and never had this problem.

but pb is solved now. thanks.

Regards

One method:

https://docs.netgate.com/pfsense/en/latest/interfaces/accessing-modem-from-inside-firewall.html

Yeah you could do that - or you could do this for living and just now that .192 is /26

Just like
.248 is /29
and
255.255.255.252 is /30
etc. etc.

☺

I have never seen it working but I've tried to make it work myself. As far as I know the components are all there, Squid should be able to do it. However I believe Cisco rely on a GRE tunnel to the proxy and I think it's likely that is where the problems may be. Traffic is not going across it correctly in one direction, probably the outbound traffic from Squid.
It may be possible to make it work. If you can set it up we can look at it.

Steve

@stephenw10 There are no errors:

Name Mtu Network Address Ipkts Ierrs Idrop Opkts Oerrs Coll ... igb3 1500 <Link#4> 00:1b:21:37:df:0d 1668697756 0 0 2484214267 0 0 igb3 - fe80::%igb3/6 fe80::21b:21ff:fe 0 - - 0 - - igb3 - 10.245.51.192 10.245.51.193 18159161 - - 44321347 - - ...

Regards.

@mitch_sullo said in PFSense Traffic Shaper Wizard:

I want to setup QoS / DSCP marking

Be aware that QoS on pfSense is performed based on connection states. Connection states are established by the first packet of a connection. To perform QoS based on DSCP, the expected DSCP code point must be present in the first packet of a connection visible to pfSense.

If that protocol uses a separate media stream that has the right tags it would be OK. For example if it performs signaling on port AAAA to setup a connection, DSCP on that doesn't matter if it makes a media (audio or video) connection on port YYYY and uses DSCP on the first packet there.

There are some ugly workarounds to match DSCP inside connections, but it involves making 'no state' rules which is ugly and unlikely to help.

many thanks Grimson
I want a pfsense product to deploy on my infrastructure i will use like a acces point wifi what do u suggest???

@Grimson I have been stuck with this problem for long time. You make my day. Thanks for the solution.

Ah, sorry, yes I thought you meant a complete re-install of pfSense.

That is probably the fastest way to resolve this.

Steve

Ok got their router and tried it and it wouldn't connect, so they did something on their end to get it to connect. After that and confirming the speed looked good there, switched back to pfsense box and speeds are where they are supposed to be. So looks like it was actually an ISP issue...

Thanks for all the suggestions!

Possibly because Squid is using the IPs directly to open connections to the servers and those certs don't have the internal IPs as SANs. Just a guess really, I've never dug too deep into that.

Steve

Yes pfSense works fine in most hypervisors. There are a number of guides here:
https://docs.netgate.com/pfsense/en/latest/virtualization/index.html

Steve

I am so glad I found this post. I have a very similar setup and could not wrap my head around why my gaming devices were going out through the VPN gateway even though all of my firewall rules looked like the connection should be going through WAN. This fixed the problem right away!

As for DNS leaks, I actually have rules set up so that the only port 53 connection that is allowed are to pfSense and all other requests sent out on port 53 are forwarded to pfSense. It's interesting to see the number of IOT devices with hard coded DNS servers.

@stephenw10

Got it. Will try that, once I get the other stuff sorted.

Yup, the only way I can see loss like that happening just be booting a VM is if it's trying to use the same IP pfSense is.

If that is happening the system log will be full of warnings.

Steve

@stephenw10 Understood. Thanks