• Moved Pfsense firewall from Virgin Media to Community Fibre

    8
    0 Votes
    8 Posts
    931 Views
    stephenw10

    Nope, it only blocks connections coming into the WAN sourced from a private IP address:

    # block anything from private networks on interfaces with the option set
    block in log quick on $BT from 10.0.0.0/8 to any ridentifier 12006 label "Block private networks from BT block 10/8"
    block in log quick on $BT from 127.0.0.0/8 to any ridentifier 12007 label "Block private networks from BT block 127/8"
    block in log quick on $BT from 172.16.0.0/12 to any ridentifier 12008 label "Block private networks from BT block 172.16/12"
    block in log quick on $BT from 192.168.0.0/16 to any ridentifier 12009 label "Block private networks from BT block 192.168/16"
  • Delete LAN Interface, Keep VLANs

    5
    0 Votes
    5 Posts
    695 Views
    planedrop

    Thank you everyone, I figured it was safe to do so but wanted to ask before I committed, much appreciated!

    And yes @keyser I am not talking about removing ix0, just the assignment for it.

    @Jarhead I could go this route but I'd rather just remove it TBH.

  • Problems with all floating rules setup?

    11
    0 Votes
    11 Posts
    915 Views
    G

    @stephenw10 I'll get that submitted tonight. Thanks for talking through this with me. 🙂

  • slow guid from IP local network

    19
    0 Votes
    19 Posts
    1k Views
    stephenw10

    For example using the Network tool in Firefox shows how long it took to open the page and which components took time:

    Screenshot from 2024-04-05 13-04-54.png

    Other browsers have similar tools.

  • TCP Transfers failing after ~65k

    16
    0 Votes
    16 Posts
    1k Views
    stephenw10

    Ok so only for file transfers? You can access the server correctly otherwise?

    Do you see that traffic passed by the correct rule on WAN2?

  • Home page traffic graph shows ~half the correct number?

    13
    0 Votes
    13 Posts
    1k Views
    A

    @Gblenn The patch seems to be working here, as well. Thanks to you and @stephenw10 for your help. Much appreciated.

  • New to pfSense --- looking for general help with setup

    5
    0 Votes
    5 Posts
    473 Views
    P

    @stephenw10 --- After making the subnet change to the pfSense LAN, that resolved the connectivity issue. I now have an issue with the NordVPN config, but I'll create a separate thread for that. Thanks again for the help!

  • Gateway offline

    10
    0 Votes
    10 Posts
    1k Views
    R

    The problem lies in the router, I tried another Internet connection and it works fine. I'll contact my ISP. Thank you for your help!

  • Crash Report or Programming Bug

    10
    0 Votes
    10 Posts
    665 Views
    K

    @stephenw10 I don't want to praise the day before sunset but the new RAM may have done the trick! So far, the router has been stably running for almost a day without crashing!

    Thank you for your support and for deciphering the crash report.

  • Cannot open /boot/lua/loader.lua: no such file or directory found

    4
    0 Votes
    4 Posts
    1k Views
    S

    @Willever Not sure what happened but reinstalling is probably the fastest way back in terms of clock time.

    https://docs.netgate.com/pfsense/en/latest/solutions/netgate-4100/reinstall-pfsense.html
    (Free ticket)

    https://docs.netgate.com/pfsense/en/latest/backup/restore-during-install.html

  • Incoming VPN connections not working

    13
    0 Votes
    13 Posts
    1k Views
    stephenw10

    Nope filter-reload doesn't clear existing states.

    I'm saying if you use the kill states button in the state table page you should refresh the table afterwards to be sure the states were actually killed.

    If you use the trash-can icon next to each state it kills by state ID which should always work.

  • 0 Votes
    42 Posts
    6k Views
    W

    @Wylbur

    Again, things connected were continuing to work. Example. If duckduckgo were used for a search, that search would return hits. If clicking on a link in the hits -- would get message couldn't find that server.

    So my connection to a mainframe (encrypted interactive session) continued to respond.

    T-bird Email continued to fetch and send email.

    Don't know what got hosed up.

    [BTW did see where there is an SSH exploit -- pfsense susceptible to it?]

  • What to put in IoT vlan ?

    3
    0 Votes
    3 Posts
    716 Views
    V

    @fjmp24
    Assuming all these devices are connected via wifi, my approach is to put all within a wifi SSID, which don't need to connect to any other. In this SSID I prohibit communication between stations on the AP.
    Access to other network segments is restricted on pfSense, if even any needed.

  • NTP no server suitable for synchronization found

    2
    0 Votes
    2 Posts
    414 Views
    stephenw10

    The checksum is probably because you have hardware checksum offloading enabled. But if it's not, that would be a problem.

    Those clients are set to sync against stratum 1 only? Seems unlikely.

  • Installation swapfile question

    4
    0 Votes
    4 Posts
    523 Views
    stephenw10

    Yes, if you're using SWAP in 'normal' use there's probably a problem. The biggest use for SWAP in pfSense is to be able to store crash reports should you ever hit a kernel panic. So I would argue that having it mirrored should not really be that important. Should.

  • PHP error updating SYNC tab pfBlocker

    10
    0 Votes
    10 Posts
    499 Views
    stephenw10

    Yup, that will require a different bug ticket. We are just discussing how to handle both issues.

  • Question About Network Performance

    4
    0 Votes
    4 Posts
    524 Views
    stephenw10

    @antonioremigio1 said in Question About Network Performance:

    How do I know if pfSense is supporting this traffic from connected users or if it is bottlenecking?

    Check the graphs in Status > Monitoring. Are you seeing traffic close to the maximum bandwidth? Are you seeing CPU usage close to 100%?

  • Errors(?) on bootup and constant errors with nvme

    3
    0 Votes
    3 Posts
    525 Views
    stephenw10

    @pnadd said in Errors(?) on bootup and constant errors with nvme:

    fib_algo

    That error is harmless.

    If the issue started happening after installing a new PCIe device and you're using an NVMe drive then I'd suspect some low level PCIe issue. Probably nothing you can do about that in pfSense if so.

  • 0 Votes
    25 Posts
    3k Views
    V

    @Gblenn you sir, are a blessing!

    I see now there was a diagnostic report in pi-hole that I missed ...

    Too hyper-focused on the pfsense side of things.

    Thank you <3

  • NTP server issue in PFSense 2.7.2 ?

    12
    1 Votes
    12 Posts
    1k Views
    D

    @stephenw10

    Hi - hard to be sure, as there's not really any diagnostics or logging available on the camera UIs to test NTP, other than just setting the time to be wrong then trying to force an update, which I'm not keen to do manually on over 60 cameras...

    The proof of the pudding will be if they start drifting out of time again, but that will take a while to find out.

    I think in my specific use case of it only serving specific internal clients that disabling KoD is the best option.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.