  • PFBlockerng Filtering Issues

    3
    0 Votes
    3 Posts
    427 Views
    Gertjan

    @PnetG

    To fact-check this:

    @stephenw10 said in PFBlockerng Filtering Issues:

    pfBlocker-ng by itself does not do anything.

    do this:

    [image: fea78bd9-9465-4d14-96c1-9c9489dafffa-image.png]

    and Save.
    Then go to pfSense package deinstall, and remove it.
    Just for the fun, reboot pfSense.

    First check: no more issues? Right? If wrong, the issue wasn't pfBlockerng, as it isn't there.

    Now, install pfBlockerng. Just install - do not activate it.
    (I can't remember if it is activated by default, though)

    But test now again: no issues whatsoever, right?

    Now, start adding changes, add a feed (one at a time / one per day!) to pfBlockerng.
    As soon as you have issues, you'll know what to undo : your last step.

  • AT&T Gateway bypass/true bridge using new authbridge

    43
    0 Votes
    43 Posts
    7k Views
    GPz1100

    @matthewgcampbell I have never experienced a scenario where it passes traffic for a short amount of time then stops, at least not in the context of eapol auth related. It either passes or it doesn't. Then again I've never done any proxy bypasses either, can't really comment on odd behavior as a result.

    I assume you're following this - https://docs.netgate.com/pfsense/en/latest/recipes/authbridge.html ?

    You might want to give a try to one of the proxy scripts here - https://github.com/MonkWho/pfatt/tree/master . This is what we used before vlan0 compliant wpa_supplicant and dhclient.

    Edit, one other idea to try is the old dumb switch bypass method.

    I can't find a good write-up but in essence you connect ethernet from ONT and gateway to a dumb switch (preferably not Netgear). Wait until the lights on the modem are all green and stop flashing. Disconnect gateway cable while leaving ONT/switch connected. Connect cable from the modem to your pfSense WAN port (again, you're not touching the ONT/switch cable). pfSense should be configured for DHCP on WAN.

    See if you experience the same disconnect issues after x amount of time. If you do, try a release/renew on the WAN. If it doesn't pull an IP, try rebooting pfSense only. This whole time, the link between the ONT and switch should remain connected and, as far as the ONT is concerned, remain authenticated.

  • Unknown reason: network became unaccessible

    11
    0 Votes
    11 Posts
    597 Views
    stephenw10

    If that happened I'd expect a bunch of 'xxxx is using my IP address' logs in pfSense. It's possible they have simply been rotated out though.

  • FreeRADIUS issues after update to 23.09

    6
    0 Votes
    6 Posts
    389 Views
    S

    @michmoor It’s a package bug from a few pfSense versions ago so no real release notes. Anyone who saved (or changed and saved) the default settings is ok. But it was quite confusing. We changed several things but not that one page.

    Upgrading the package triggers it also as I recall.

  • 0 Votes
    44 Posts
    3k Views
    stephenw10

    Ah, well that's a much better solution. Adding NAT in there is always a workaround.

    That NAT looks like it should match and be applied though.

  • Firewall Rule Counters Max Size?

    23
    0 Votes
    23 Posts
    2k Views
  • New 2100, default login incorrect

    5
    0 Votes
    5 Posts
    376 Views
    J

    @stephenw10 thanks. Using the reset button worked. Somehow I missed that in the reset instructions. I appreciate the help.

  • To schedule a reboot

    34
    0 Votes
    34 Posts
    38k Views
    C

    @SteveITS

    And a simple solution without asking 10 questions in return and being told you're doing things wrong.

    Thanks !

  • SG-1100, outages, no DHCP, 10 days log missing

    26
    0 Votes
    26 Posts
    1k Views
    S

    @Cabledude said in SG-1100, outages, no DHCP, 10 days log missing:

    So do you uncheck this one on your clients' devices?

    We rarely use DNSBL at a client. I use it at home and it causes enough issues there because my wife works in search so "needs" the ad links on her devices. :)

    My thought is, turn on the logging if we are troubleshooting a problem that needs logging. Otherwise it's a few years of disk writes that no one looks at.

    (At clients we have a few layers of protection... DNS forwarding, advanced a/v, etc.)

  • Retain config adjustments in raddb configuration

    4
    0 Votes
    4 Posts
    173 Views
    stephenw10

    If you add that as a patch in the System Patches package that will be retained in the config and you can just reapply it.

  • OpenVPN Alert?

    3
    0 Votes
    3 Posts
    141 Views
    rayrayrayraydog

    @stephenw10 Thanks, that should be doable for me.

  • 2.7.0 PPPoE Continually Reconnecting

    46
    0 Votes
    46 Posts
    8k Views
    stephenw10

    Yup, just looking for confirmation. Though this test setup was hitting it, that doesn't mean it's fixed for all cases necessarily. There was a bunch of work that went into the gateway/WAN handling in 24.03 though.

    If we can confirm the fix we know that will work in CE.

  • Update Remote Address on GRE with DNS IP

    10
    0 Votes
    10 Posts
    443 Views
    stephenw10

    Doesn't really matter what you have locally it's what you're connecting to. What is supported at the remote side?

  • Speed full not handle

    23
    0 Votes
    23 Posts
    1k Views
    stephenw10

    Yes, run a test that's showing limited download speeds. Look at the traffic graphs and check if it's using the VPN.

  • preinstall software

    4
    0 Votes
    4 Posts
    524 Views
  • cannot load /etc/bogonsv6: Invalid argument

    8
    0 Votes
    8 Posts
    869 Views
    stephenw10

    You had to remove the bogons files?

    It probably wasn't loading the new ruleset if that's what you saw.

  • Problem with interface name

    4
    0 Votes
    4 Posts
    336 Views
    stephenw10

    Yup, that^.

    It could be clearer on some pages though. https://redmine.pfsense.org/issues/14555

  • Strange VPN Problem - VPN Only Allows Access to PFSense on LAN Subnet

    19
    0 Votes
    19 Posts
    1k Views
    J

    @stephenw10
    I need to go on a dang course :) :)

    I am great with Virt and Linux and MS - but I suck at firewalls :)

    Thanks mate :)

  • Using dpinger to force DHCP lease renewal

    8
    0 Votes
    8 Posts
    335 Views
    A

    @stephenw10 Great. Thank you. I'll have a play with that and see if I can up the frequency of renewals.

    Thanks
    Andrew

  • Dynamic alias with history

    9
    0 Votes
    9 Posts
    1k Views
    P

    nice information

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.