I agree if it shows that uptime it's not rebooting. Odd then that it's somehow losing link.

I also agree that check_reload_status should not get stuck like that. As you found we have had issues with it in the past and they are difficult to pin down because it's normally not repeatable on demand. If we can narrow it down to something like a link state change that would be very helpful.

@mer said in California and standard time:

But if they set start date to 1 jan and end date to 31 dec they sidestep the "law"

Nope. If a state uses any form of daylight savings time, they have to use the date schedule set forth by federal law. Originally states had the right to set their own schedules, but that was done away with in the Uniform Time Act. The only way around this is to use standard time year-around like Arizona and Hawaii.

Try starting igmpproxy in verbose mode at the CLI amd see what's shown when it fails. Compare that to what's shown in 2.6.

Use Lightsquid like it says in that guide. The sarg package was deprecated way back in 2.3.0.

@tedjackowestnet when pfsense only has a "wan" it allows for access to gui on wan.. When you add a lan, that allow will go away..

You should edit your wan rules to allow for gui access, setup your lan.. Then once your in on lan remove your wan rule that allows gui access.

or just setup lan from the console, or why did you not setup wan and lan when you first set it up?

@stephenw10 Thanks! I think this may work for what I need. I will experiment...

Jan 26 13:00:44 kernel re1: watchdog timeout Jan 26 13:00:44 kernel re1: link state changed to DOWN

Try the alternative Realtek driver. Since I assume you can't change the NICs.

FYI, here are the results of my investigation
https://forum.netgate.com/topic/185794/there-s-absolutely-no-useful-documentation-on-user-system-copy-files-to-home-directory-chrooted-scp/6
any improvements (and I wish there are) are welcome!

FYI, here are the results of my investigation
https://forum.netgate.com/topic/185794/there-s-absolutely-no-useful-documentation-on-user-system-copy-files-to-home-directory-chrooted-scp/6
any improvements (and I wish there are) are welcome!

It's unlikely you're using anything anywhere near 16GB unless there is a serious memory leak somehow. That should be pretty obvious from the monitoring graphs.

@guardian the instructions how to get to your modem have already been given multiple times.

I do it this way.. I have a 192.168.100.2 vip on my wan, that is connected to my modem..

vip.jpg

Do you have any outbound rules in floating that block rf1918? Do you have any rules on your lan where where your client is trying to access 192.168.100.1 that would block or policy route?

Also supports .webp it looks like: https://github.com/pfsense/pfsense/blob/master/src/etc/inc/util.inc#L3735

@JonathanLee said in Is a VPN service really worth it?:

I have my VPN set up so that I have access to my private cloud (NAS) while not at home. I can remote into my VPN and access my files.

Same here. I've had my own VPN going back over 20 years, to when I was using a CIPE VPN.

@stephenw10 very true, using dot or doh to prevent interception is a valid use case for those 2 protocols.

I personally don't have any issues with the actual tech, what I have a problem with is doh, and your browser or app using it without your clear acknowledgement to the fact..

If the network your connected to is intercepting dns, then sure use of dot would be one way to actually forward to where you want without them intercepting it and redirecting it to their own dns.

But its going to be impossible for you to actually resolve in such a setup.. And if your not actually talking to the authoritative NSers then yeah dnssec is going to fail.. As it is designed too do.

So you can either get with the landlord or whoever has access to this isp router to turn off that intercept feature. Or you can just forward and let it be intercepted.. Or you can use forward via dot to circumvent their interception, or you could use doh on your clients directly as another method of circumventing their interception.

Or you could setup a vpn and resolve your dns via the vpn connection, which would also circumvent their interception of your dns.. But with their interception your not going to be able to directly resolve, nor is dnssec going to work.

Turning off dnssec and leaving it in "resolve" mode could work, but your dns is still being intercepted.. And most likely its going to fail, because the answers you get are not really going to be what the resolver is looking for when it resolves.

if it was me I would go the vpn route and resolve through that connection. You could get a cheap vps, couple of bucks a month and just route your dns traffic through that.. if you can not get the building your in to turn off that dns feature of the isp router is doing.

If that is too complicated for you.. Then just setup dot forwarding to some dns you trust to use, googledns, clouldflare, quad9, etc.. etc.. Not like there are not plenty to choose from.. They all have the best interests of everyone for their only motivation for wanting users to send them their dns queries ;) heheheh

I mean its not like these companies are out to make money or anything, I mean how much could it cost to setup a global dns infrastructure that can provide dns to the planet ;) Why not just do it for free.. I mean what else could their motivation be - if not to just provide free service to the planet ;) ehehhehe

Steve,

thanks for your feedback and the further information. My limiter settings to reduce bufferbloat might have caused the crashes.

I have changed the setting on AQM to Tail Drop on both, limiter (pipe) and child queue and scheduler to fq_codel on limiter (pipe) now.

I hope the errors:
"config_aqm Unable to configure flowset, flowset busy!" don't show up anymore and the system doesn't crash. Let's see!

Currently, I have no packages installed. There is no real reason, why I have not upgraded to 2.7.2. Well, the update does't show up in the GUI. But I'll try to do the update by command line.

Thanks. Daniel

@stephenw10 Thank you very much !!

If the ISP router is terminating the PPPoE session then none of that applies. It only applies if that is bridging the PPPoE traffic to pfSense.

If PPPoE is terminated on pfSense then:
https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#pppoe-with-multi-queue-nics

PPPoE adds an 8 byte overhead so to carry the standard 1500B MTU the frames on the parent NIC must be 1508B. Those are referred to as mini-jumbo or baby-jumbo frames (RFC4638).

@stephenw10 Okay!

You shouldn't need to add a second connection.

You won't be able to if you have a local subnet including 192.168.100.1 on any other interface.

You may need to add an IP Alias VIP to the WAN of, say, 192.168.100.2/24 so that the firewall has an IP when the WAN is down. You might also need an outbound NAT rule for traffic from internal interfaces to the modem specifically.

Steve