• WAN slower than expected, even with LACP

    4
    0 Votes
    4 Posts
    388 Views
    stephenw10

    The on-board NICs on the C2758 will use up 4 queues/cores. Running that top command will show what's happening.

    Steve

  • Package restart, pfSsh.php playback svc restart doesn't work, UI works

    5
    0 Votes
    5 Posts
    1k Views
    V

    Just happened today again

    [2.4.4-RELEASE][Vetal@router.place.somedomain.com]/home/Vetal: pfSsh.php playback svc restart tinc
    Attempting to issue restart to tinc service...
    tinc has been restarted.

    Nothing is added to the syslog, I did tail -f to it. Nothing related in tinc.log

    Next time I'll check "ps aux | grep tinc", today's while in "stuck state" was not wide enough to fit "/usr/local/sbin/tincd" part. I already UI-restarted it

  • [Solved] PROBLEMS WITH SERIAL CONSOLE

    14
    0 Votes
    14 Posts
    3k Views
    J

    You can consider this problem solved.

    Thanks

  • 10G NAT/Firewall performance problems

    16
    0 Votes
    16 Posts
    3k Views
    Grimson

    @farmwald said in 10G NAT/Firewall performance problems:

    I'm quite serious about being willing to make financial contributions to Wireguard port to PFSense.

    https://forum.netgate.com/category/30/bounties good luck.

  • configs are auto-saving once per minute

    7
    0 Votes
    7 Posts
    914 Views
    S

    No. ACB and local config backups are separate systems. A checkbox to allow vouchers syncs to be excluded from local backups might be a good idea. I'll look into that once v 2.5 is stable.

  • Freeradius 3.0 on Pfsense 2.3.4 problems

    21
    0 Votes
    21 Posts
    3k Views
    C

    That same error keeps looping every minute or so.

  • L2TP RADIUS Static user IP.

    1
    0 Votes
    1 Posts
    131 Views
    No one has replied
  • Port Alias

    4
    0 Votes
    4 Posts
    449 Views
    Derelict

    Another way that might make more sense when (possibly someone years from now) is reading the rule set would be to make four rules:

    pass TCP 25
    pass TCP 587
    pass TCP/UDP 53
    reject any

    You could combine 25 and 587 into a port alias but not sure it's worth it for just two ports. Anyway, that's what I would do.

  • how to delay/change service startup order.

    2
    0 Votes
    2 Posts
    568 Views
    KOM

    https://www.freebsd.org/cgi/man.cgi?rcorder(8)

    https://serverfault.com/questions/527981/how-to-change-rc-d-startup-order-in-freebsd

    Note that any changes you make will likely be blown away at every upgrade.

  • Gateway monitoring

    7
    0 Votes
    7 Posts
    1k Views
    K

    @stephenw10

    Thanks for the reply. That completely makes sense. I'll experiment on upload traffic shaping to see if this solves my issue.

  • Internal routing of Vlans

    15
    0 Votes
    15 Posts
    2k Views
    G

    @ak-0 said in Internal routing of Vlans:

    @Derelict
    Vlan are created under physical Lan interface ig0 and parent interface for these vlans is ig0.

    Actually what I want to achieve is if traffic from Vlans goes out first it should reach
    Vlan gateway>>Lan gateway>> Wan port and should not do Vlan>>Wan port.
    Tracert should be
    1. Vlan IP (192.168.100.1)
    2. Lan IP (192.168.10.1)
    3. Gateway IP (1.2.3.4)
    instead of
    1. Vlan IP (192.168.100.1)
    2. Gateway IP (1.2.3.4)
    I'm trying to double NAT for Vlans, first NAT should be internal and then gateway.

    @tim-mcmanus : If we simply capture the packet and on inspection it can show the source device and then the route the packet came from. So, someone with that much information and hacking knowledge can easily walk into your network. Also, can send packet with header upside down to hit the server behind pfsense firewall, located on VLAN.

    I've worked in environments that required double NATs, and I would suggest avoiding it at all costs. The only real reason to do this is IP overlap between networks. Security through obscurity is not something to rely on, and even if they knew your internal IP was 192.168.1.20, they can't do anything with it from the outside.

  • 0 Votes
    8 Posts
    899 Views
    stephenw10

    You are using a wireless router as an access point so this should still work if it is still routing (and NATing).

    But it would be much better to configure it as an access point only and put everything in the same subnet.

    https://docs.netgate.com/pfsense/en/latest/wireless/use-an-existing-wireless-router-with-pfsense.html

    Steve

  • Unable to Check For Updates

    Locked
    84
    0 Votes
    84 Posts
    74k Views
    tittan

    Just go to console menu and "update from console" (option 13). After that wait for reboot and your system is updated and normal again.

  • L2TP VPN won't connect on new Windows 10

    2
    0 Votes
    2 Posts
    2k Views
    Rico

    Can you show screenshots?
    Normally you just open the properties of your VPN connection, security tab and set 'Type of VPN' to L2TP.

    Also check
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.html
    and
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.html#troubleshooting

    -Rico

  • LOG

    4
    0 Votes
    4 Posts
    484 Views
    S

    @grimson RDP is open just for 1 IP... this should be a way to monitor the blocked sessions.

  • Looking for information for college project.

    10
    0 Votes
    10 Posts
    804 Views
    B

    I have installed three official Netgate pfSense boxes at three different small businesses (2 restaurants and manufacturing plant), including one at my home.

  • Web gui slow - rest of system doing OK

    4
    0 Votes
    4 Posts
    488 Views
    T

    @averyfreeman said in Web gui slow - rest of system doing OK:

    DNS appears to be working fine...

    Pretty hard to monitor or adjust settings without web gui

    What about console access? What happens when you run top?

  • Installing VIM on pfSense ¿Should I?

    17
    0 Votes
    17 Posts
    12k Views
    JKnott

    @mohammad-0 said in Installing VIM on pfSense ¿Should I?:

    Long story short, to install regular vim just do...

    Tnx.

    I've used vim for many years and much prefer it to the vi included with pfSense.

  • Amazon Echo no longer working

    11
    0 Votes
    11 Posts
    3k Views
    Xentrk

    @gertjan

    I don't see any traffic from the Amazon Echo when using Wireshark (this is very strange) with one caveat. It was in a failure mode. I fired up Wireshark to start debugging. I first filtered on the source IP address (ip.src == 192.168.1.162). I saw some records from the Amazon Echo that it is using MDNS protocol. A web search led me to these resources:

    https://docs.netgate.com/pfsense/en/latest/packages/avahi-package.html
    https://www.lawrencesystems.com/pfsense-and-rules-for-iot-devices-with-mdns/

    Avahi is a system which facilitates service discovery on a local network. This means that a laptop or computer may be connected into a network and instantly be able to view other people to chat with, find printers to print to or find files being shared.

    I installed Avahi and placed the Echo back in the VPN tunnel. Later on in the day, it stopped working again about 12 hours later. The Echo only appears to work consistently when assigned to the WAN iface. This morning, I assigned the Amazon Echo back to the VPN iface and will monitor some more. Based on my last experiment, I expect it to fail sometime within the next 12 hours.

  • host that virtualbox vm pfsense is running on drops connections

    1
    0 Votes
    1 Posts
    119 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.