@fjmp24
Assuming all these devices are connected via wifi, my approach is to put all within a wifi SSID, which don't need to connect to any other. In this SSID I prohibit communication between stations on the AP.
Access to other network segments is restricted on pfSense, if even any needed.

The checksum is probably because you have hardware checksum offloading enabled. But if it's not that would be a problem.

Those clients are set to sync against stratum 1 only? Seems unlikely.

Yes, if you're using SWAP in 'normal' use there's probably a problem. The biggest use for SWAP in pfSense is to be able to store crash reports should you ever hit a kernel panic. So I would argue that having it mirrored should not really be that important. Should.

Yup, that will require a different bug ticket. We are just discussing how to handle both issues.

@antonioremigio1 said in Question About Network Performance:

How do I know if pfSense is supporting this traffic from connected users or if it is bottlenecking?

Check the graphs in Status > Monitoring. Are you seeing traffic close to the maximum bandwidth? Are you seeing CPU usage close to 100%?

@pnadd said in Errors(?) on bootup and constant errors with nvme:

fib_algo

That error is harmless.

If the issue started happening after installing a new PCIe device and you're using an NVMe drive then I'd suspect some low level PCIe issue. Probably nothing you can do about that in pfSense if so.

@Gblenn you sir, are a blessing!

I see now there was a diagnostic report in pi-hole that I missed ...

Too hyper-focused on the pfsense side of things.

Thank you <3

@stephenw10

Hi - hard to be sure, as there's not really any diagnostics or logging available on the camera UI's to test NTP, other than just setting the time to be wrong then trying to force an update, which I'm not keen to do manually on over 60 cameras...

The proof of the pudding will be if they start drifting out of time again, but that will take a while to find out.

I think in my specific use case of it only serving specific internal clients that disabling KoD is the best option.

Ok you're hitting this but with a slightly different underlying error: https://redmine.pfsense.org/issues/15157

In both cases the config file is somehow unreadable and the error/notice generated is calling badly creating those PHP errors. That's masking the real problem.

Try resaving the Sys > Adv > Notifications page so the config does have a notifications section if you can. That may workaround the error so you can see the real issue.

@stephenw10 said in pfsense dns redirect failure:

Otherwise you can add Alternate Hostnames it will accept in System > Advanced > Admin Access.

That worked thank you

I have a bunch of dns rewrites to blah.local so pfsense.local is just easy to remember

OK so everything is /24 and thus you have the same subnet at both ends on the tunnel. Hence, routing conflict with that iperf command and anything else sourced from the firewall itself.

Really you want those things is different subnets but because the remote WAN is using .132 you can't use /25 there.

I would try to set the gateway as outside the subnet. There's a setting for that in the advanced gateway settings: 'Use non-local gateway'

You can then set the remote WAN subnet to something much smaller, /32 even.

Then you can set the other IPs in a different subnet such as 185.113.141.208/28. You can add that as the static route on the remote pf and then use the IPs directly on the local pf.

The local pf LAN should use one of those IPs.

As an alternative to all of that you could just add all the IPs at the remote side as VIPs and then NAT the traffic to/from them and use private IPs at the local LAN.

Steve

@dennypage Hi Denny

Really great that you are willing to put this effort into providing more options with NtopNG on pfSense.

I already have a licensed NtopNG Enterprise Embedded running on a Raspberry Pi 4 collecting flows from Softflowd and a licensed nProbe Pro embedded I have (Portmirror on switch). I have been testing the difference between flows recorded by SoftflowD on pfSense and Nprobe Pro (portmirrored LAN to pfSense).
The difference is HUGE. NProbe does a lot of DPI analysis + records all DNS queries and fills alll that in as flow metadata to NtopNG. So in the UI you can the client sessions with domainnames instead of IP addresses and a lot of trafficanalysis of the sessions.
So it is much easier to dissect/analyze what happened in the nProbe flows than from SoftflowD.

I record this to a Clickhouse server on the same Pi. Runs great, and gives me 180 days history of all flows back in time.

I have decided to forego running the NtopNG package on pfSense as it cannot be licensed and work fully featured. I realize that one could perhaps avoid the licensing cost of a nProbe (And a port switchmirror) by setting up nTopNG like you suggested, but its a “heavy” package with lots of discwrites for nothing compared to nProbe. So I’ll stick with the nProbe Embedded as the deluxe flow generator, and look forward to testing the built-in pf flow exporter in 24.03 as the poormans flow solution.

But your work is still very much appreciated, and I’m sure it will be very well recieved in the community

@bmeeks
why the PHP shell i reach from menu point 12 does not give any hints?
All the examples given in the help commands don't work.

As this is the place, where I tested my scripts, I expected to get information about changes there.

Thanks for your link, I will dig from there.

It shouldn't be possible for anything external to reboot it. You might see a lo of logs or disconnections. Or potentially it could stop passing traffic entirely but it would still remain up. Or panic and log that.

@Gertjan How did you solve this error? I'm struggling with it on a couple of appliances

@stephenw10

Understood. Was more looking to follow his process and I would download manually and install

Because when you test from inside the firewall that traffic never hits the forwarding rules.

https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html

Tunables for FreeBSD will generally apply in pfSense but may not improve performance. On the page the default values should be fine for igc.

Well it would have to be a value that can be set in mpd5 since that's what the PPPoE server uses.

As a test you could try adding values to the conf file for the server in, for example, /var/etc/pppoe1-vpn/mpd.conf. You would need to manually kill the process and restart it like:
/usr/local/sbin/mpd5 -b -d /var/etc/pppoe1-vpn -p /var/run/pppoe1-vpn.pid -s poes poes

If you are able to find a value that works there most of that is created in /etc/inc/vpn.inc

Steve

@Patch yes, seeing the link for the earlier FR, I went to comment on that but couldn't as it was closed, hence the new FR with a link to the previous one. Not sure if that's the "right" way of doing it, but just wanted to bring it to their attention.
I'm hoping that if the new FreeBSD has it built-in, it requires minimal development on the pfSense side to include it as a feature - just a few Web UI tweaks?