Ah you actually have an interface group for the WANs with the rule on it?

Yes, if you do that reply-to tags cannot works because the rule applies to multiple interfaces. It cannot know which interface (gateway) to reply to.
For reply-to tagging to work incoming traffic must be passed on the interface itself. It's the same reason that OpenVPN traffic must be passed on an assigned interface for repy-to to work. The group openvpn interface will not tags it.

@Sergei_Shablovsky said in [SOLVED] NTP not answering on 2-nd uplink WAN:

And in System / Routing / Gateways this BALANCED group set as “Default Gateway IPv4”

That's still invalid. The system default gateway should only be a specific gateway or a failover group. You cannot load-balance traffic like that.

Steve

@NollipfSense said in Connecting to CloudFlare, surely its possible.:

@deanfourie I think a better question would be what about REST API that was promised for pfSense 2.6 but didn't make it? Has pfSense moved away from implementing that strategy? With REST API, it would be very easy to run containers and other micro-services...

Beside the Netgate promises, the idea to running micro-services and especially containers inside pfSense - very bad idea.

I prefer to look on pfSense as solid system with a fraction of 3-rd packages (but VERY WELL TESTED an bug-free!).

@stephenw10 Thanks sir!

@Gertjan said in Package list is empty:

@Gblenn said in Package list is empty:

Still don't understand why the package list is empty?

The pfSene Plus without license : you need the license to connect to package update system. No license means : no connection, and that can explain the empty package list.
Please take note : I presume it works like this (i'm just a pfSense user like you), and what I make of it while reading this.

The CE 2.7.2 is not the same product, and is free.

I've found "Issue with going from 2.7.0 to 2.7.2" which has probably a solution for you.

You may be right that there is no connection to the package update system without a license. But then I think it needs to be added to the current statement which sais: "the ability to get timely updates with bug fixes and improved features may be limited".
I don't really see that it would be necessary to remove the packages in order to limit updates?

BTW, the solution provided by SteveITS was also in the thread you found... so thanks for finding the link.

@Sergei_Shablovsky said in Speedtest (Ookla) on device? What’s the latest?:

BTW, does anyone actually get 1 Gb on a 1 Gb connection? Seems to me there should be some overhead accounted for. I also get around 920 with iperf over my LAN.

Please read (or look on YouTube) basic of networking, what is tcp/ip, ICMP, VPNs and other protocols, what is levels, datagrams, what is routers/switches, how ISP works etc. ;)

I guess you haven't noticed me on this forum for years providing advice to others. My comment was to point out that if you have a 1 Gb connection, you will not see 1 Gb because of the various overheads. We're also running into hardware limits that we didn't see before, because the bandwidth we received was less than what our hardware was capable of. In my own example, my account is supposed to be 1.5 Gb, but my firewall, switch and computers are only capable of 1 Gb. I also did a comparison on my network, with Speedtest from my computer to my ISPs server and also from my computer to firewall with iperf3 and got similar results, which showed I was being hardware limited, not Internet limited to the Speedtest server.

BTW, I have long worked in the telecom industry, mostly as a technician, going back to 1972, have worked with computers since 1977, first LAN experience in 1978, Cisco CCNA and more. I also had TCP/IP courses at a local college and IBM. I also spent almost 4 years at IBM Canada, providing software support (mostly 3rd level). So, I do have some idea about what happens with networks & the Internet.

You can see the rules in the rules.debug file, for example:

# allow our DHCPv6 client out to the BT pass in quick on $BT proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 ridentifier 1000005711 label "allow dhcpv6 client in BT" pass in quick on $BT proto udp from any port = 547 to any port = 546 ridentifier 1000005712 label "allow dhcpv6 client in BT" # Add Priority to dhcp6c packets if enabled pass out quick on $BT proto udp from any port = 546 to any port = 547 ridentifier 1000005713 label "allow dhcpv6 client out BT"

That is above the block bogons rule:

# block bogon networks (IPv6) # https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt block in log quick on $BT from <bogonsv6> to any ridentifier 11004 label "block bogon IPv6 networks from BT"

Steve

@Malvazar Well, who cares, the important thing is that it works now!

@johnpoz said in Speed Test Panel Under Pfsense 2.7.0 Free BSD14:

@Unoptanio as to your values - I have been saying for years - depending on your hardware (pfsense) which isn't meant as a client running speed tests directly on it or too it can show varying results..

But this give understanding about whole ISP uplink bandwidth. (Of course this measurement must be doing WITHOUT any other “everyday normal work” net flow.
Better to measure at 10-11am, and 4:30-5:30pm daytime and 7:30-10:00pm (when ISP appliances are maximum loaded) WITHOUT any other “normal work” net activity.

While its fine for say a benchmark, he pfsense shows 100, and now its 50 - then something prob not right.. But when you route through pfsense you see your full say 200 speed.

If your going to run speedtest like this or iperf directly on pfsense - you need to understand that. The test of a firewall/router function for routing and firewalling - is through it, not to or from it..

You are right but 8 of 10 questions here on forum are ABOUT UPLINK BANDWIDTH!!! People not interested in “testing pfSense router”, but interested in “how fast my internet”.

Look at this not from router developer position (I understand clearly, pfSense are like Your child), but FROM ORDINARY USERS PERSPECTIVE.

Only 10-15% interested in measuring VPN connect, or how shaping/limiting working well. (And yes traffic generators and iperf3 are kings here).

I wouldn't put much stock in the values don't meet your expectations.. Test from a client through pfsense to see if your getting what you should be getting, etc.

@johnpoz Ok I will try give a second NIC
many thanks

@johnpoz said in Only getting half speed:

@swemattias that is not a valid test to be honest.. Pfsense not meant to be a client/server sending data - its firewall/router - it routes traffic..

Because of this:

in official docs directly point that Speedtest/Fast/Librespeed/iperf3 test need to be done ON SETUP PHASE, not on the top of normal workloads; in official docs put step-by-step instructions how to test with each of above instruments; provide pre-installed tools(in pfSense’s terms “Services” or “Diagnostic tools”) to testing bandwidth of uplinks and site-site connection, VPN connection;

There have been countless threads about this ;)

Not saying such a test might not have some value - but its not a good test for throughput.. Test through pfsense, not from pfsense.

Only knows what is uplink bandwidth, possible to go forward to measure “through pfSense”.
That’s RIGHT logic !

Why fighting with a hundreds of thousands of users?
Much better to give them instruments and instructions and questions about this “why my speed is so slow” on this forum decrease on 30-40%.

@johnpoz said in link-local addresses flooding logs - Plex on Synology:

setup a rule not to log it..

That is what I did.. I have a dummy switch between NAS and pfSense, so that is the only way to go.

31f13245-871f-4166-b30d-70cef63a50dd-image.png

@stephenw10
OK, done at https://redmine.pfsense.org/issues/15326

@santheerdas yes, Prometheus Node Exporter will be the service you need for all machine related stats, including running services etc.

Ok, thanks to all for answering

That sounds like something in the browser or some browser plugin. It's not something pfSense would show.

Yup I see it. Unfortunately the backtrace isn't particularly revealing:

db:0:kdb.enter.default> bt Tracing pid 1 tid 100002 td 0xfffffe0012117ac0 kdb_enter() at kdb_enter+0x32/frame 0xfffffe00109b4820 vpanic() at vpanic+0x163/frame 0xfffffe00109b4950 panic() at panic+0x43/frame 0xfffffe00109b49b0 vm_fault() at vm_fault+0x15c5/frame 0xfffffe00109b4ac0 vm_fault_trap() at vm_fault_trap+0xb0/frame 0xfffffe00109b4b10 trap_pfault() at trap_pfault+0x1d9/frame 0xfffffe00109b4b70 calltrap() at calltrap+0x8/frame 0xfffffe00109b4b70 --- trap 0xc, rip = 0xffffffff836cd170, rsp = 0xfffffe00109b4c48, rbp = 0xfffffe00109b4db0 --- _end() at 0xffffffff836cd170/frame 0xfffffe00109b4db0 sys_reboot() at sys_reboot+0x29c/frame 0xfffffe00109b4e00 amd64_syscall() at amd64_syscall+0x109/frame 0xfffffe00109b4f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00109b4f30 --- syscall (55, FreeBSD ELF64, reboot), rip = 0x27291a, rsp = 0x820ec2408, rbp = 0x820ec2830 ---

However it looks like it panicked when it tried to make some change after shutdown was initiated:

<118>pfSense is now shutting down ... <118> <118>net.inet.carp.allow: 0 -> 0 <6>pflog0: promiscuous mode disabled Trying to mount root from ufs:/dev/ufsid/65b7583531b4716a [rw,noatime]... panic: vm_fault_lookup: fault on nofault entry, addr: 0xffffffff836cd000 cpuid = 2 time = 1706519642 KDB: enter: panic

Unclear why it did that but it you clear the crash report and reboot and it doesn't do that every time it's likely a quirk of having just run the initial setup.

You are still running 2.7.1. You should upgrade to 2.7.2 when you can.

Steve

After updating to recent version Netgate pfSense Plus 23.09-RELEASE (amd64) there were several weeks of stability. Nothing in the mean time has been changed in the config of this PF.

Recently again the machine had similar issue and behavior showing ' SIOCGIFGROUP: Device not configured ' message again along with some other messages.

The PF machine exhibited very similar behavior again and was no longer smoothly pushing packets through, it was significantly dropping packets and the sshing into the pf over wan or accessing the webgui over wan was extremely difficult. After logging into webgui the notifications greeted with the following (date and time removed):

I also made a post in another thread because of the other error messages displayed match the OP of that thread:
https://forum.netgate.com/topic/185386/there-were-error-s-loading-the-rules-pfctl-diocaddrulenv-device-busy/18?_=1709874330173

It's a privilege you can assign to a user or group:
https://docs.netgate.com/pfsense/en/latest/usermanager/privileges.html

Screenshot from 2024-03-07 15-18-07.png

I created a boot usb drive. Once I turned the 5100 on with that in, I was able to re-install with zfs and eventually apply my config xml.

Thanks again!

Yes it would only be triggered if the OpenVAS scanning process attempts to login to the firewall with bad credentials.
If you don't have Snort or Suricata running it's unlikely to be blocked by the firewall. Perhaps something upstream is blocking it? Do you see traffic arriving at the pfSense WAN?