• Out of state packets

    2
    0 Votes
    2 Posts
    534 Views
    DerelictD

    Figure out why the state is being closed.

    An established TCP state will not expire for 24 hours of ZERO traffic using the default firewall settings.

    If the state is no longer there it is because either side has closed it.

    More info here:

    https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection
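The reply above says to work out whether the state was really gone; the quickest evidence is the TCP flags on the blocked packets. The following is an added example, not code from the post or from pfSense: it classifies blocked TCP entries in pfSense filterlog lines as either a fresh SYN hitting the default deny or a late FIN/RST/ACK from a connection whose state pf has already closed. The CSV column layout (pfSense 2.2+ filterlog, IPv4 plus TCP/UDP fields) and the sample lines are assumptions; the lines are constructed, with syslog prefixes stripped, not real logs.

```python
# Added example (not from the forum post): classify blocked TCP entries in
# pfSense filterlog lines. "new-connection" = a SYN hit the default deny;
# "out-of-state" = ACK/FIN/RST without SYN, i.e. the tail of a connection
# whose state pf no longer has (state closed or expired).
#
# Assumed CSV layout (pfSense 2.2+ filterlog, IPv4 rows):
#   rule,subrule,anchor,tracker,realif,reason,action,dir,ipver,
#   tos,ecn,ttl,id,offset,flags,protoid,proto,length,src,dst,
#   TCP: sport,dport,datalen,tcpflags,seq,ack,win,urg,options
#   UDP: sport,dport,datalen
import csv
import io
from collections import Counter

# Constructed sample lines (not real logs), syslog prefix already removed.
SAMPLE_LOG = """\
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,10.0.0.5,443,51234,0,FA,,,,,
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,203.0.113.9,10.0.0.5,443,51234,0,RA,,,,,
5,,,1000000103,igb1,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,198.51.100.7,10.0.0.5,40111,22,0,S,,,,,
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,198.51.100.7,10.0.0.5,53,50001,50
"""


def parse_filterlog(text):
    """Yield one dict per IPv4 entry; TCP port/flag fields added when present."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 20 or row[8] != "4":
            continue  # only IPv4 rows are handled in this example
        rec = {
            "rule": row[0], "iface": row[4], "action": row[6], "dir": row[7],
            "proto": row[16], "src": row[18], "dst": row[19],
        }
        if rec["proto"] == "tcp" and len(row) >= 24:
            rec.update(sport=int(row[20]), dport=int(row[21]), tcpflags=row[23])
        yield rec


def classify(rec):
    """Label a blocked TCP entry by what its flags say about the connection."""
    if rec["action"] != "block" or rec["proto"] != "tcp":
        return "other"
    flags = rec["tcpflags"]
    if "S" in flags and "A" not in flags:
        return "new-connection"   # genuine inbound SYN, i.e. a real connection attempt
    if "R" in flags or "F" in flags or "A" in flags:
        return "out-of-state"     # late FIN/RST/ACK for a state pf no longer holds
    return "other"


def summarize(text):
    """Count entries per class and return a plain dict."""
    return dict(Counter(classify(r) for r in parse_filterlog(text)))


if __name__ == "__main__":
    for rec in parse_filterlog(SAMPLE_LOG):
        print(classify(rec), rec["src"], "->", rec["dst"], rec.get("tcpflags", ""))
    print(summarize(SAMPLE_LOG))
```

Out-of-state entries from a host you trust are noise to suppress or an indication that the state was torn down early (asymmetric routing, a firewall-side timeout shorter than the default, or one side sending RST); a steady stream of SYNs to closed ports is a different problem and belongs in the blocked-scan bucket.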

  • How to add a DSL modem to pfSense ?

    3
    0 Votes
    3 Posts
    1k Views
    Michel-angeloM

    Thank you emammadov. I am glad to read that the solution for adding my own modem also works on a pfSense device the way you describe. I have it set up with an old Thomson Speedtouch modem on my SG-1000 microfirewall. This thread ("How to access my Thomson Speedtouch modem web GUI through my SG-1000 microfirewall" <https://forum.pfsense.org/index.php?topic=144151.msg784762;topicseen#msg784762>) describes more of it.

    I apologise if my original post was not clear enough. I own three modems and am amazed by the low quality of these devices. Of particular importance for a DSL modem sitting at my home and facing my ISP's understatements, is to be able to evaluate the quality and performance of the upstream DSL line, which my ISP will never tell or admit.

    1 - They may not admit that the line is defective: if they do not want to correct it.

    2 - They may not admit the line is excellent, to instead keep on deliberately throttling the bandwidth from their end in an attempt to lure the customer into a more expensive contract, with the ISP's supplied modem and stuff.

    Currently, I am experiencing situation 2 after the installation by my ISP of a device in my village to reduce my DSL line's length from 4700 m down to 700 m.

    My stats, today, are as follows:

    Modulation:  ADSL2 PLUS
    Annex Mode:  ANNEX_A

                          Downstream   Upstream
    SNR Margin:                 17.3        7.8   dB
    Line Attenuation:           14.2        7.9   dB
    Data Rate:                 10271       1022   kbps

    Note the enormous SNR margin of 17.3 decibels. I would gladly bet my modem could synchronise at an SNR margin of 6 dB, which is the normal target for SNR margin at the ADSL2plus modulation. This could result in a stable downstream data rate of around 20000 kbps (almost double the current 10271 rate). But my ISP throttles the bandwidth from its place and denies doing so, possibly for commercial reasons. If I consent to purchase an expensive contract with VoIP and pay-TV, they swear the bandwidth will magically be liberated. Legally, this stands for a tie-in contract: plain illegal where I live.

    With such a line, with a VDSL modulation, which my line is now declared to be capable of, I could reach the 50000 kbps data rate. Worth doing something !

    It may even be possible that other ISPs play the same dirty tricks to their customers (tie-in contracts), who knows ?

    Rather than wasting my time in litigation, my desire is therefore to get access to a good modem, ADSL and VDSL capable.

    Hence my question 1: is a pfSense appliance a modem, or able to become one with a package?

    Hence my question 2: is there an open source DSL modem project underway, capable of allowing a high level of security and capable of line-state monitoring?

    TIA for suggestions, even speculative.  8) 8) 8)

  • Need help to configure VLAN in HA environment

    5
    0 Votes
    5 Posts
    628 Views
    P

    Thank you !
    I try to set up this.

  • Web based vpn like cisco webvpn and synology vpn plus

    1
    0 Votes
    1 Posts
    494 Views
    No one has replied
  • Firewall logs entries only display the last minute

    9
    0 Votes
    9 Posts
    1k Views
    G

    Well I started with the filter issue, and moved on to other issues, and now figured it out.

    Looks like there was a small configuration issue on VMware.
    https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting

    Needed to make sure the Net.ReversePathFwdCheckPromisc was changed.

    The VMware hosts all have multiple trunk ports to the switch, so that was causing a layer 2 loop for the CARP advertisement traffic.

    After changing that setting and bouncing the promiscuous mode on each vSwitch, all is well.

    Thank you for the help, and if anyone else is seeing the same, there is a trail, from missing log filter entries to the actual root cause.

    And a reminder for others: sometimes we do read the manual and just need a little help from our fellow gurus on the web.

  • Admin Login via RADIUS using Active Directory Accounts

    7
    0 Votes
    7 Posts
    2k Views
    U

    This was sorted out. I found out my issue. On my RADIUS server I was trying to use the same network policy but just add in the different IP address of my pfSense in the network policy Conditions.

    Removing the other IP address and adding its own network policy seems to fix that  ;D 8)

  • Some websites are just non-navigable

    10
    0 Votes
    10 Posts
    850 Views
    RonpfSR

    Why don't you simply whitelist "fncstatic.com" ?

  • How to assign static IP for certain OpenVPN users?

    2
    0 Votes
    2 Posts
    347 Views
    KOMK

    You were close.  You were missing the proper subnet mask.

    Leave IPv4 Local Networks(s) blank and add your custom stuff under IPv4 Tunnel Network like this:

    a.b.c.d/30

    For example, one of my users is set to 192.168.2.4/30 which means (I think) .4 for the network address, .5 for the gateway address, .6 for the actual IP address and .7 for the broadcast address.  My next user is 192.168.2.8/30 which gives him an IP address of 192.168.2.10.  Separate each user by 4.
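The reply above guesses at the four addresses inside each /30. The following is an added example, not code from the post or from pfSense: it computes that layout for any /30, carves a tunnel network into one /30 per user, and prints the `ifconfig-push <client> <server-endpoint>` form OpenVPN uses under its net30 topology, where each client owns a /30 exactly as the reply describes. Whether a given pfSense release runs the server in net30 or subnet topology is not stated in the thread, so the net30 layout is taken as an assumption from the reply; the tunnel network 192.168.2.0/24 and the user names are illustrative.

```python
# Added example (not from the forum post): per-user /30 blocks for an OpenVPN
# tunnel network laid out net30-style, as the reply above describes.
# Assumed: net30 topology (client = second host, server endpoint = first host),
# tunnel network 192.168.2.0/24, illustrative user names.
import ipaddress


def net30_block(block):
    """Return (network, server_endpoint, client, broadcast) for one /30."""
    net = ipaddress.ip_network(block, strict=True)   # rejects e.g. 192.168.2.6/30
    if net.prefixlen != 30:
        raise ValueError("expected a /30, got %s" % block)
    first, second = list(net.hosts())                # the two usable addresses
    return (str(net.network_address), str(first), str(second), str(net.broadcast_address))


def ifconfig_push(block):
    """OpenVPN net30 topology: ifconfig-push <client ip> <server endpoint ip>."""
    _, server_ep, client, _ = net30_block(block)
    return "ifconfig-push %s %s" % (client, server_ep)


def allocate_blocks(tunnel_net, users, skip_first=True):
    """Carve the tunnel network into /30s, one per user, in order.
    The first /30 is the server's own block under net30, so it is skipped."""
    subnets = ipaddress.ip_network(tunnel_net).subnets(new_prefix=30)
    if skip_first:
        next(subnets)
    return {user: str(next(subnets)) for user in users}


def overlapping(blocks):
    """Pairs of users whose /30s overlap: a misaligned block such as
    192.168.2.6/30 is normalised to 192.168.2.4/30 and collides with it."""
    nets = {u: ipaddress.ip_network(b, strict=False) for u, b in blocks.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    print(net30_block("192.168.2.4/30"))
    print(ifconfig_push("192.168.2.8/30"))
    assigned = allocate_blocks("192.168.2.0/24", ["alice", "bob", "carol"])
    for user, blk in assigned.items():
        print(user, blk, ifconfig_push(blk))
    print(overlapping({"alice": "192.168.2.4/30", "bob": "192.168.2.6/30"}))
```

The overlap check matters because a client-specific override that reuses another user's /30 silently gives two clients the same tunnel address, which defeats any per-user firewall rule keyed on that address.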

  • Blank pfSense dashboard issue; Might be that the drive is full…. help?

    2
    0 Votes
    2 Posts
    516 Views
    GertjanG

    Hi,

    What about asking your drive, or more precisely: the file systems?
    Enter the console, go to option 8 and type the magic word:

    df

    If you can't understand the output of df, post it here, like :

    [2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: df
    Filesystem                  1K-blocks    Used     Avail Capacity  Mounted on
    /dev/ufsid/54ca20c41b3d50b0 298695208 1143932 273655660     0%    /
    devfs                               1       1         0   100%    /dev
    /dev/md0                         3484     180      3028     6%    /var/run
    /usr/local/lib/python2.7    298695208 1143932 273655660     0%    /var/unbound/usr/local/lib/python2.7
    devfs                               1       1         0   100%    /var/dhcpd/dev
    procfs                              4       4         0   100%    /proc
    procfs                              4       4         0   100%    /proc

    In my case: close to 0% and 6%; the 100% lines are special cases.

    Btw: log files are circular and can't fill up the file system.
    And a pfSense with a huge set of parameters (config) won't use more than a couple of megabytes.

    So, no, if the dashboard isn't showing up, it must be something else.
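Reading `df` by eye is fine once; on a fleet of firewalls you want the check scripted. The following is an added example, not code from the post or from pfSense: it parses FreeBSD `df` output in the layout shown above, skips the pseudo file systems whose 100% is normal (the "special cases" the reply mentions), and reports real file systems above a threshold. The sample output is constructed for the example, including one deliberately over-full /var, and the pseudo file system list is an assumption.

```python
# Added example (not from the forum post): parse FreeBSD `df` output as
# printed above and flag real file systems near full, ignoring pseudo
# file systems (devfs, procfs, ...) whose "100%" is expected.
# The sample below is constructed, not real output from any firewall.
SAMPLE_DF = """\
Filesystem                  1K-blocks    Used     Avail Capacity  Mounted on
/dev/ufsid/54ca20c41b3d50b0 298695208 1143932 273655660     0%    /
devfs                               1       1         0   100%    /dev
/dev/md0                         3484     180      3028     6%    /var/run
/usr/local/lib/python2.7    298695208 1143932 273655660     0%    /var/unbound/usr/local/lib/python2.7
devfs                               1       1         0   100%    /var/dhcpd/dev
procfs                              4       4         0   100%    /proc
/dev/da1p1                    8125880 7901272   -425392   106%    /var
"""

# Assumed set of pseudo file systems whose capacity figure carries no meaning.
PSEUDO_FS = {"devfs", "procfs", "fdescfs", "tmpfs"}


def parse_df(text):
    """Return one dict per data row; the mount point may contain spaces."""
    rows = []
    for line in text.strip().splitlines()[1:]:      # drop the header line
        parts = line.split()
        if len(parts) < 6:
            continue
        fs, blocks, used, avail, cap = parts[:5]
        rows.append({
            "fs": fs,
            "blocks": int(blocks),
            "used": int(used),
            "avail": int(avail),                    # UFS reserve can make this negative
            "capacity": int(cap.rstrip("%")),
            "mount": " ".join(parts[5:]),
        })
    return rows


def near_full(rows, threshold=90):
    """Mount points of real file systems at or above `threshold` percent."""
    return [r["mount"] for r in rows
            if r["fs"] not in PSEUDO_FS and r["capacity"] >= threshold]


if __name__ == "__main__":
    rows = parse_df(SAMPLE_DF)
    for r in rows:
        print("%4d%%  %s" % (r["capacity"], r["mount"]))
    print("near full:", near_full(rows))
```

A capacity above 100% is not a parse error: UFS keeps a reserve for root, so a file system that root has been writing into can report more than 100% while Avail goes negative, which is exactly the state a full /var would be in.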

  • Best practice rules/setup for icmp and NTP?

    18
    0 Votes
    18 Posts
    4k Views
    NogBadTheBadN

    @V3lcr0:

    How would I do a "…host time.apple.com does it come back with 17.253.24.253 ?" where do I go for this?

    Would a port forward as you provided: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense enhance my DNS security?

    On the pfSense router, connect via ssh or via Diagnostics -> Command Prompt

    Some devices could be hard coded for google, my Panasonic TV is, if I wanted to force my TV to use my pfSense box this would be the only method.

  • Template for syslog

    1
    0 Votes
    1 Posts
    448 Views
    No one has replied
  • Client OpenVPN cant see other subnets

    3
    0 Votes
    3 Posts
    399 Views
    H

    Got it working. Thanks.

  • NTP, leap 11 (Leap not in sync)

    4
    0 Votes
    4 Posts
    3k Views
    johnpozJ

    Well, clearly from your output pfSense's ntpd (which is not ntpdate) is not able to talk outbound. Did you mess with outbound NAT? Do you have any floating rules?
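The "leap 11" on the NTP status page is ntpd's two-bit leap indicator with both bits set, which ntpd uses to mean "alarm, clock not synchronized"; on its own it does not say why. The following is an added example, not code from the post or from pfSense: it reads the leap value from `ntpq -c rv` output and the per-peer reach register from `ntpq -pn` output, and distinguishes "no server has ever answered" (the outbound-blocked case the reply points at) from "servers answer but none is selected yet". Both sample outputs are constructed for the example; the ntpq column layout is assumed to be the standard one (remote, refid, st, t, when, poll, reach, delay, offset, jitter, with the tally character in column 0).

```python
# Added example (not from the forum post): explain a "leap 11" NTP status
# from `ntpq -c rv` and `ntpq -pn` output. Samples are constructed.

LEAP = {
    "00": "no warning, clock synchronized",
    "01": "leap second will be inserted",
    "10": "leap second will be deleted",
    "11": "alarm condition, clock not synchronized",
}

# Constructed `ntpq -c rv` output for the failing and the healthy case.
RV_BAD = ("associd=0 status=c011 leap_alarm, sync_unspec, 1 event, freq_not_set, "
          "version=\"ntpd 4.2.8p10\", processor=\"amd64\", system=\"FreeBSD/11.1-RELEASE-p6\", "
          "leap=11, stratum=16, precision=-22, rootdelay=0.000, rootdisp=0.000, refid=INIT")
RV_OK = ("associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync, "
         "version=\"ntpd 4.2.8p10\", processor=\"amd64\", system=\"FreeBSD/11.1-RELEASE-p6\", "
         "leap=00, stratum=2, precision=-22, rootdelay=0.511, rootdisp=1.204, refid=192.0.2.10")

# Constructed `ntpq -pn` output. reach is an octal shift register of the last
# eight polls; 0 everywhere means not a single reply has come back.
PEERS_BAD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.pfsense.pool.ntp.org .POOL.   16 p    -   64    0    0.000    0.000   0.000
 198.51.100.20   .INIT.          16 u    -   64    0    0.000    0.000   0.000
 203.0.113.5     .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""
PEERS_OK = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   12   64  377    0.511   -0.043   0.019
+203.0.113.5     192.0.2.10       2 u   40   64  377   10.201    0.120   0.310
"""


def leap_code(rv_text):
    """Pull the two-bit leap indicator out of `ntpq -c rv` output."""
    for item in rv_text.replace("\n", " ").split(","):
        key, _, value = item.strip().partition("=")
        if key == "leap":
            return value.strip()
    return None


def parse_peers(text):
    """Parse `ntpq -pn` rows; tally is the selection mark in column 0."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("remote") or line.startswith("="):
            continue
        fields = line[1:].split()
        if len(fields) < 10:
            continue
        peers.append({
            "tally": line[0].strip(),        # "*" selected, "+" candidate, "" unused
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),
            "reach": int(fields[6], 8),      # octal reach register -> 0..255
            "offset": float(fields[8]),
        })
    return peers


def diagnose(rv_text, peers_text):
    """Return (status, detail) explaining the leap indicator."""
    leap = leap_code(rv_text)
    peers = parse_peers(peers_text)
    answered = [p["remote"] for p in peers if p["reach"] > 0]
    selected = [p["remote"] for p in peers if p["tally"] == "*"]
    if leap == "11" and not answered:
        return ("no-reach", "leap=11 (%s) and reach=0 for every peer: no reply has come "
                "back, so check outbound NAT and floating/egress rules for UDP 123" % LEAP["11"])
    if leap == "11":
        return ("not-selected", "peers answer (%s) but ntpd has not selected one yet; "
                "allow several poll intervals" % ", ".join(answered))
    return ("synced", selected[0] if selected else "")


if __name__ == "__main__":
    print(diagnose(RV_BAD, PEERS_BAD))
    print(diagnose(RV_OK, PEERS_OK))
```

On pfSense the equivalent live commands are `ntpq -c rv` and `ntpq -pn` from Diagnostics > Command Prompt or an SSH shell; a reach of 0 with a stratum of 16 on every peer is the signature of ntpd's queries never getting a reply, not of a time error.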

  • Auto UFS or ZFS?

    8
    0 Votes
    8 Posts
    6k Views
    JailerJ

    If you configure a hardware RAID mirror, ZFS will see that as a single logical drive. Also, with a hardware RAID controller ZFS won't be able to monitor the SMART status of the drives attached to it.

    With ZFS your choices for vdevs (virtual devices) are mirrors, RAIDz (stripe - no redundancy), RAIDZ1 (single drive redundancy), RAIDZ2 (2 drive redundancy) or RAIDZ3 (3 drive redundancy). Your vdevs make up your pool. A pool can be a single drive or a combination of vdevs.

    ZFS is pretty amazing but you need to do some research before you dive in.

  • Second Hard Drive Content

    7
    0 Votes
    7 Posts
    880 Views
    NollipfSenseN

    Okay, I found the answer and it's working (/usr is being stored on newdisk)... it just needs to be at 4GB to show up on the dashboard... see pic. I am still working on why I don't have permission to access it (newdisk) at the command line when I am the sole root user.

    ![Screen Shot 2018-03-02 at 5.58.21 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-02 at 5.58.21 PM.png)

  • Xinetd not running

    4
    0 Votes
    4 Posts
    889 Views
    K

    @kpa
    I do not want to run inetd, but xinetd, and I need it for check_mk.

    @Gertjan

    @Gertjan:

    Hi,

    What is your pfSense version ?

    My version is:
    2.4.2-RELEASE-p1 (amd64)
    built on Tue Dec 12 13:45:26 CST 2017
    FreeBSD 11.1-RELEASE-p6

    @Gertjan:

    Btw :

    [2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ps ax | grep xinetd
    16284  -  Is      0:00.08 /usr/local/sbin/xinetd -syslog daemon -f /var/etc/xi
    78340  0  S+      0:00.00 grep xinetd
    [2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ps ax | grep xinetd
    16284  -  Is      0:00.08 /usr/local/sbin/xinetd -syslog daemon -f /var/etc/xinetd.conf -pidfile /var/run/xinetd.pid
    78733  0  S+      0:00.00 grep xinetd
    [2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: cat /var/etc/xinetd.conf
    service 6969-udp
    {
            type = unlisted
            bind = 127.0.0.1
            port = 6969
            socket_type = dgram
            protocol = udp
            wait = yes
            user = root
            server = /usr/libexec/tftp-proxy
            server_args = -v
    }

    This xinetd service is only listening to localhost, not LAN.

    Note : as far as I know, I never installed a package that includes "xinetd" - actually, I don't know what it is - what it does.
    I know it is there by default.

    From the output of your ps-command I can see, that your config is in /var/etc. I too have a file there, but it is empty and has size 0.

    I agree with you, that xinetd seems to be installed by default, but on my box it is not running. :-((

    Can you please tell me how xinetd can be started, which config files are needed and where these need to be?

    TIA, Karl

  • SG-2220 + SB8200 Modem

    2
    0 Votes
    2 Posts
    452 Views
    X

    As an update, I've tested removing the 192 address from the reject list and I've also switched to the "FreeBSD" preset for DHCP options. So far this appears to have resolved my original issue of not switching the WAN IP from a 192 to a public IP on a cold boot of both; I'll have to wait and see if a power blip occurs again to test the true results.

    thanks

  • 0 Votes
    3 Posts
    1k Views
    T

    No traffic shaping set yet.

    A few weeks back I did try using CODEL for the second time but ran into problems after trying to disable it for testing. Caused the router and pfsense to become unresponsive. I had to reboot the router to get things up and running again. The first time I tried CODEL and then disabled it, it caused a lockup so bad that my pfsense router would not fully reboot and keyboard would not even work. The only solution was to reinstall pfsense and set everything back up again as I didn't save a recovery backup beforehand.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.