@tdcockers said in Slow Download speed behind pfSense:

If you are running pfSense virtualised (I'm using xcp-ng) then you may need to disable tcp offloading on the VM. Fixed my problems when I had slow downloads and some inaccessible websites, while uploads appeared to be fine. If CPU usage is appears high for the amount of traffic you are moving, that's probably your culprit.

@tdcockers I'm thinking of using xcp-ng here shortly once my employers main server is decommissioned and they donate it to me. Anything I should know ahead of time? I have never worked with any virtualization, just something to try in my homelab.

Hello,

thank you, and yes, this was the only workaround I found: export the current config, remove the menu entry and reload the config. But since this leads to a re-installation of all installed packages, I was hoping for a more direct approach to simply correct the running system.

So long,
Marc

stephenw10 - I was just saying the same thing about SSL and STARTTLS then realized you had already clarified that!

In that example I gave above about the "test1" and test2" groups they were sitting side by side in the root domain which is why I don't at all understand why one works and one doesn't when my authentication container is the root domain itself. If it see's one OU it should see both right? Unless there's a way to make pfSense do a more detailed query when someone tries to log in I've about decided that this won't work.

One thing I have not tried yet because it seems kind of messy to deal with later on down the road is listing each individual OU in the authentication container field. This would be easy to do since it lets you select OU's with checkboxes but if for some reason I ran into a scenario where pfSense couldn't talk to AD and I couldn't pull up that list of checkboxes it would be hell to sift through all that data in that tiny field if an OU got deleted or something screwing the whole thing up. Hopefully that makes sense....

Thanks for the responses everyone!

Per Netgate Support, downgrading to 2.4.3_p1 until fixed.

@marvosa said in Problem with Static ARP entry for VLAN/Virtual Interface:

@joelones said in Problem with Static ARP entry for VLAN/Virtual Interface:

the switch port of my Mac OSX is trunked to VLAN10

Please clarify... cause none of this sounds right

What I meant to say, was the the port of the netgear switch on which my Mac OS X box is connected allows untagged as well as VLAN 10 traffic to pass.

But I suspect the Mac OS X update did something to affect this behaviour as it was working fine before the update and pfSense saw the VM's MAC address now it does not.

/etc/crontab - root's crontab for FreeBSD $FreeBSD$

SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin

#minute hour mday month wday who command

#*/5 * * * * root /usr/libexec/atrun

Save some entropy so that /dev/random can re-seed on boot.

#*/11 * * * * operator /usr/libexec/save-entropy

Rotate log files every hour, if necessary.

#0 * * * * root newsyslog

Perform daily/weekly/monthly maintenance.

#1 3 * * * root periodic daily
#15 4 * * 6 root periodic weekly
#30 5 1 * * root periodic monthly

Adjust the time zone if the CMOS clock keeps local time, as opposed to UTC time. See adjkerntz(8) for details.

#1,31 0-5 * * * root adjkerntz -a

pfSense specific crontab entries Created: July 24, 2018, 8:39 pm

1,31 0-5 * * * root /usr/bin/nice -n20 adjkerntz -a
1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh
*/60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
*/60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 webConfiguratorlockout
1 1 * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update
*/60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
30 12 * * * root /usr/bin/nice -n20 /etc/rc.update_urltables
1 0 * * * root /usr/bin/nice -n20 /etc/rc.update_pkg_metadata
*/5 * * * * root /usr/local/bin/vnstat -u
1 0 * * * root /bin/pkill -HUP -F /var/run/bandwidthd.pid

If possible do not add items to this file manually. If done so, this file must be terminated with a blank line (e.g. new line)

Hope it helps you!

Ah, so that's an older version of the development package for ACB2.
That is now merged into the base in 2.4.4 so I don't think it's available as a package. At least 2.11 was though so it's likely that bug is fixed.
At this point I would either remove it and go back to the v1 ACB package or go to 2.4.4 snapshot if you're able to. The usual warnings apply though, don't run it in production etc...

Steve

Still waiting for :

ipconfig /all

Consider :

@bisssane said in pfsense work and after few days , it doesn't work:

for the DNS, it is not activated on Pfsense, I use the DNS server of the company

This can work, but is probably not setup correctly.

So, is this "DNS company server" on the same LAN as other devices ?
Do devices on LAN(s) obtain the correct IP address from pfSense as "the DNS server" ? (the ipconfig /all test)
If the DNS server is on a separate LAN, firewall rules permit traffic to reach the DNS server ?
Etc etc etc.

Detail your setup, and you'll have an answer right away.

( Btw : know that pfSense can handle DNS just fine and all that with zero config needed ^^)

It is the total number of entries allowed in firewall tables. This includes aliases as well as lists of hosts from features like URL table aliases, bogons, packages that make lists like pfBlocker, and anything else hooked into the aliases/tables function of pf.

You probably need to use the root user there.

Steve

Yes, related to the(reverse NAT?) issue with upgrading the standby; the first attempt at upgrading did not complete before timing out. I believe I got a "upgrade already in progress" when I ran a subsequent upgrade from shell and then wound up rebooting...

You can setup pfSense bridged so it doesn't route anything.
https://www.netgate.com/docs/pfsense/interfaces/interface-bridges.html

If you don't use pfSense to route the traffic, and the USG is NATing, then you won't have any internal visibility from Snort. No way to see which internal IP is sending bad traffic if you get malware for example.

Steve

You can use Squid with Lightsquid to get a list of sites like that per internal IP.

Steve

Have you tried the commands in the "Update Troubleshooting" section of the release blog post(s)?

https://www.netgate.com/blog/pfsense-2-4-3-release-p1-and-2-3-5-release-p2-now-available.html

Okay thank you

@johnpoz said in One Update Time Per Day:

Cron package allows you to be very specific about when jobs run..

Okay, thank you, Johnpoz, I'll try that package.

Thank you for the replies. I was actually checking from my LAN. When I tried from outside, Firefox timed out; it wasn't able to connect.

Well, you might be closer to a solution as you think.
These Draytek router have Radius support, so, setup a centralized database - the one that among other captures the MAC - and your have what you want.
If the Draytel will consult this data base before login (on another portal device), that I don't know.