@stephenw10 Thanks! I think this may work for what I need. I will experiment...

Jan 26 13:00:44 kernel re1: watchdog timeout Jan 26 13:00:44 kernel re1: link state changed to DOWN

Try the alternative Realtek driver. Since I assume you can't change the NICs.

FYI, here are the results of my investigation
https://forum.netgate.com/topic/185794/there-s-absolutely-no-useful-documentation-on-user-system-copy-files-to-home-directory-chrooted-scp/6
any improvements (and I wish there are) are welcome!

FYI, here are the results of my investigation
https://forum.netgate.com/topic/185794/there-s-absolutely-no-useful-documentation-on-user-system-copy-files-to-home-directory-chrooted-scp/6
any improvements (and I wish there are) are welcome!

It's unlikely you're using anything anywhere near 16GB unless there is a serious memory leak somehow. That should be pretty obvious from the monitoring graphs.

@guardian the instructions how to get to your modem have already been given multiple times.

I do it this way.. I have a 192.168.100.2 vip on my wan, that is connected to my modem..

vip.jpg

Do you have any outbound rules in floating that block rf1918? Do you have any rules on your lan where where your client is trying to access 192.168.100.1 that would block or policy route?

Also supports .webp it looks like: https://github.com/pfsense/pfsense/blob/master/src/etc/inc/util.inc#L3735

@JonathanLee said in Is a VPN service really worth it?:

I have my VPN set up so that I have access to my private cloud (NAS) while not at home. I can remote into my VPN and access my files.

Same here. I've had my own VPN going back over 20 years, to when I was using a CIPE VPN.

@stephenw10 very true, using dot or doh to prevent interception is a valid use case for those 2 protocols.

I personally don't have any issues with the actual tech, what I have a problem with is doh, and your browser or app using it without your clear acknowledgement to the fact..

If the network your connected to is intercepting dns, then sure use of dot would be one way to actually forward to where you want without them intercepting it and redirecting it to their own dns.

But its going to be impossible for you to actually resolve in such a setup.. And if your not actually talking to the authoritative NSers then yeah dnssec is going to fail.. As it is designed too do.

So you can either get with the landlord or whoever has access to this isp router to turn off that intercept feature. Or you can just forward and let it be intercepted.. Or you can use forward via dot to circumvent their interception, or you could use doh on your clients directly as another method of circumventing their interception.

Or you could setup a vpn and resolve your dns via the vpn connection, which would also circumvent their interception of your dns.. But with their interception your not going to be able to directly resolve, nor is dnssec going to work.

Turning off dnssec and leaving it in "resolve" mode could work, but your dns is still being intercepted.. And most likely its going to fail, because the answers you get are not really going to be what the resolver is looking for when it resolves.

if it was me I would go the vpn route and resolve through that connection. You could get a cheap vps, couple of bucks a month and just route your dns traffic through that.. if you can not get the building your in to turn off that dns feature of the isp router is doing.

If that is too complicated for you.. Then just setup dot forwarding to some dns you trust to use, googledns, clouldflare, quad9, etc.. etc.. Not like there are not plenty to choose from.. They all have the best interests of everyone for their only motivation for wanting users to send them their dns queries ;) heheheh

I mean its not like these companies are out to make money or anything, I mean how much could it cost to setup a global dns infrastructure that can provide dns to the planet ;) Why not just do it for free.. I mean what else could their motivation be - if not to just provide free service to the planet ;) ehehhehe

Steve,

thanks for your feedback and the further information. My limiter settings to reduce bufferbloat might have caused the crashes.

I have changed the setting on AQM to Tail Drop on both, limiter (pipe) and child queue and scheduler to fq_codel on limiter (pipe) now.

I hope the errors:
"config_aqm Unable to configure flowset, flowset busy!" don't show up anymore and the system doesn't crash. Let's see!

Currently, I have no packages installed. There is no real reason, why I have not upgraded to 2.7.2. Well, the update does't show up in the GUI. But I'll try to do the update by command line.

Thanks. Daniel

@stephenw10 Thank you very much !!

If the ISP router is terminating the PPPoE session then none of that applies. It only applies if that is bridging the PPPoE traffic to pfSense.

If PPPoE is terminated on pfSense then:
https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#pppoe-with-multi-queue-nics

PPPoE adds an 8 byte overhead so to carry the standard 1500B MTU the frames on the parent NIC must be 1508B. Those are referred to as mini-jumbo or baby-jumbo frames (RFC4638).

@stephenw10 Okay!

You shouldn't need to add a second connection.

You won't be able to if you have a local subnet including 192.168.100.1 on any other interface.

You may need to add an IP Alias VIP to the WAN of, say, 192.168.100.2/24 so that the firewall has an IP when the WAN is down. You might also need an outbound NAT rule for traffic from internal interfaces to the modem specifically.

Steve

@stephenw10 I ran MTR for ~24 hours, 1 second intervals, behind pfSense to the Verizon address pfSense is monitoring. There was very little packet loss.

The pfSense monitoring has improved also. So, I'm going to assume it was some change on Verizon's side and it has been resolved.

@stephenw10 thank you! I went ahead and put a new device in service for now. Going to try formatting and reinstalling the original one and let it sit and run to see if it does it again. If it does then it will get a new drive and put in place as the backup.

@stephenw10 said in Sorting of Firewall Alias settings:

You wanted the port in numerical order? The description in alphabetical order?

...alphabetically by number? (which I see occasionally and annoys my mild OCD)

@CreationGuy The brute force way would be to edit the config file and restore... I would think it's just in config file order.

Oke i tested it with a backuped VM of my OpenLDAP server and the memberOf overlay module is not needed it stil works without that module 💃🥳

So traffic from pfSense is being routed over OpenVPN on the host machine? I'm not sure WireGuard would be able to connect over OpenVPN to the same provider. I could imagine routing issues.