• Boosting IPsec and VPN Performance in pfSense Software with IIMB

    0 Votes, 4 Posts, 288 Views, stephenw10

    Sorry typo'd that; it shouldn't be under TNSR!

    Also IIMB is already present in 23.09. You can just enable it.

  • how to boot from the zfs mirror when 1 disk failed?

    0 Votes, 6 Posts, 1k Views, stephenw10

    Great. Yes there are a bunch of improvements there coming in 24.03.

  • 0 Votes, 4 Posts, 413 Views, stephenw10

    Edit the entry then you will see that.

  • Intel i226 LAN connects at 1Gig only

    0 Votes, 8 Posts, 779 Views

    @stephenw10 Thanks for those suggestions. I will give it a shot.

  • Having to restart pfsense every few hours - drops all connections

    0 Votes, 9 Posts, 833 Views

    @stephenw10 @Gertjan Around 24 hours after switching off all of the power saving modes, everything is chugging along perfectly with zero errors or logs on the console.
    I thought I had configured something wrong and would have to do a fresh reinstall and reconfig. Thank you so much!

  • (More) dumb network questions

    0 Votes, 3 Posts, 313 Views

    @MakOwner
    I concur with @stephenw10 's recommendation to set up an IP-alias VIP (under Firewall/Virtual IPs) for each additional public IP address. I got my multi-address configuration set up in an hour or two using that approach, despite being a complete newbie with pfSense. Once the VIPs are in place you can either use 1:1 NAT to map one of those addresses to an internal server, or use individual port forward rules. If you do 1:1 NAT you'll still want firewall rules to block all server ports you don't want exposed, so it ends up about the same number of firewall rules either way --- which way you do it depends on how you'd rather think about the setup.

  • nginx errors with Moodle

    0 Votes, 2 Posts, 354 Views, stephenw10

    Probably because internal users are trying to use an FQDN to access it that resolves to the pfSense public IP address.

    See: https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html

    Steve

  • 0 Votes, 4 Posts, 476 Views, stephenw10

    Branch naming issue. The beta should be available to anyone who wants to test but should only show on the System > Updates screen when you navigate to it.

    Steve

  • PHP errors

    0 Votes, 38 Posts, 3k Views

    @bmeeks Thank you sir, this should allow for much more streamlined upgrades for anyone running Suricata, especially remote updating. An hour away, leaving the gas station, it took seconds from a cell phone to update and load 90,773 signatures/rules successfully without the need to be logged into the console ready on standby. pfSense updates for me at least should now be just as streamlined and fast from this one update alone. Gracias!!!

  • 10gigabit routing performance, jumbo frames, intel x710 observations

    0 Votes, 15 Posts, 2k Views

    @JKnott

    @JKnott said in 10gigabit routing performance, jumbo frames, intel x710 observations:

    @PixieDust said in 10gigabit routing performance, jumbo frames, intel x710 observations:

    As another tidbit, it looks like the loop interface can be built with 131072 MTU support, but other parts of the network stack don't allow that to work. (MTU 49152 doesn't exceed 10Gb/sec either.)

    Everything on the LAN has to support the same MTU. You can't use different MTU unless there's a router in between.

    I'm not referring to different network elements having incompatible MTU values.

    I'll expand the loopback scenario listed above:

    Loopback test
    on pfSense node, run test at 48K MTU:
    ifconfig lo0 127.0.0.1 netmask 255.0.0.0 mtu 49152
    iperf3 -s -D -B 127.0.0.1
    iperf3 -c 127.0.0.1 -B 127.0.0.1
    Performance appears capped at about 9Gb/sec. Expected?
    Same test on Ubuntu 22.04, I see > 30Gb/sec.

    on pfSense node, run test at 1500B MTU
    ifconfig lo0 127.0.0.1 netmask 255.0.0.0 mtu 1500
    iperf3 -s -D -B 127.0.0.1
    iperf3 -c 127.0.0.1 -B 127.0.0.1
    Performance is about 3Gb/sec, expected?
    Same test on Ubuntu 22.04, I see > 30Gb/sec.

    You cannot set the loopback (lo0) mtu to 131072, nor 65536.

  • pfSense not working properly? Cant assign IP by mac addy. vlans dont work

    0 Votes, 8 Posts, 593 Views, stephenw10

    I assume your LAN is using the 192.168.1.X subnet?

    That config all looks good. But make sure the native VLAN is also a non-member on ports 2-4. Most switches will prevent you setting more than one VLAN untagged (including native) on one port. But not all!

    If that is the case make sure your switch doesn't have a separate PVID setting. If it does that would need to be set to 20 on ports 2-4.

  • No Available Packages - Package Manager

    0 Votes, 4 Posts, 523 Views

    @stephenw10 Not sure I missed it. Updated to 2.7.2. Packages are showing now. Thanks!

  • System Logs - OpenVPN

    0 Votes, 10 Posts, 956 Views, stephenw10

    Ok, I'll wait to hear. This could be a confusing error caused by trying to access something that doesn't exist in DCO mode. Though I don't see that here on any instances so it would probably have to be some combination of settings.

  • which update method to trust?

    0 Votes, 4 Posts, 364 Views

    Thank you both very much.

  • Newbie questions

    0 Votes, 28 Posts, 2k Views

    @ldl said in Newbie questions:

    @Gblenn Replacing my asus router with something newer, as the Asus one is outdated (the main reason), sure still works but yeah.

    Another reason as to why I want to replace it, is that if I'm going to use my own router, then other people in my house will obviously be on the same line, so I want to accommodate them as well, because currently, they're not on my router as that's in another room, they're on the ISP router,

    I get that it's outdated, and of course you should try to do 2.5G on the WAN. That all makes sense, but you should only have one router in use.
    And it seems to me like you are using your routers as a way to connect people's devices so they can get out on the internet. But that's what switches are for, and they are way cheaper per port.

    I will be considering upgrading the NICs and switches in the future however if I feel the need for more than 1Gb

    What's the cost of these routers you are looking at?
    I'm guessing you could get a 2.5Gbit dual NIC card (to upgrade pfsense with) plus one or two managed Netgear or TPLink switches for the same price.

    And if you want to segment your network to separate users from each other, use VLANs. You have your Cisco switch, and if you add more VLAN capable switches you have full control. And your dumb Netgear can still be used for extra ports towards users or devices that all belong to the same VLAN.

    But you do all of this having pfsense as your one and only router, connected to the ISP ONT. And you can still use the Asus and even the old ISP router as wifi APs. But then they are no longer routers, they are just semi-smart switches with wifi.

  • Intel NIC I-226V

    0 Votes, 78 Posts, 12k Views, stephenw10

    Either can work though if you want to address buffer bloat specifically I would use Limiters as shown here:
    https://docs.netgate.com/pfsense/en/latest/recipes/codel-limiters.html

  • WAN2 high latency, slower speeds

    0 Votes, 9 Posts, 722 Views, stephenw10

    I doubt this is a config issue. However if you back it up you can easily restore it, so testing a default config would at least rule that out.

  • Nperf not same speed as Pfsense traffic graph

    0 Votes, 15 Posts, 728 Views, johnpoz

    @Autourdupc No he means like some sort of tunnel, or something like PPPoE

    Also keep in mind a speed test is only showing you from and to your specific client and their servers.. while the interfaces on pfsense are going to show all traffic.. If your network is quiet while testing there shouldn't be much difference.. But it's never going to be exactly the same - for starters on the wan there's always going to be some noise level.. And same with lan, you could have other traffic that doesn't even go out the wan or it might.

    Also they are presenting you with 1 number, which is not the case with pfsense showing you a graph.. that data flow rate is going to fluctuate - they present just 1 number, which is never the case.. It doesn't jump to 100, and stay exactly at 100 for 30 seconds.

    Also the graph on pfsense is going to do smoothing of what it presents of some different degrees..

    I really wouldn't worry about it as long as you're in the same ballpark number.. But yeah you have to look at the numbers either both bits or both bytes and/or do the math conversion in your head.. Because there is an 8X difference between B and b..

  • Version from Exported Config 15.8?

    0 Votes, 4 Posts, 401 Views

    I can't believe I missed the config revision in the table! Doh! Thank you both that answered my question!

  • 0 Votes, 13 Posts, 1k Views, Sergei_Shablovsky

    @elvisimprsntr said in sh script to create bootable USB-drive with LATEST OFFICIAL REL of pfSense CE:

    @Sergei_Shablovsky said in sh script to create bootable USB-drive with LATEST OFFICIAL REL of pfSense CE:

    Why do you use pinging the remote host instead of checking if a certain remote path exists (or checking the success of creating this remote path)?

    I have two pfSense sites on a Tailscale MESH VPN, one behind double NAT.
    I use the same script to backup the remote site to my local NAS.

    I have decided that the procedure for a correct and flawless backup/restore of the pfSense configuration is still a so-called “headpain point” for most pfSense users.

    And even the provided “rollback to last good configuration by using ZFS snapshots” feature does not help so much with this: this ZFS rollback is really good in the middle of a working system, but not good if you need a quick restore after a hardware failure, when you need to set up another server fresh on bare metal.

    Several times I have seen how, after a disk crash in a Netgate Appliance and replacing the disk on the same Appliance, the procedure of “complete restore from last good ACB configuration from remote Netgate servers” is not flawless: sometimes some packages are not installed for unknown reasons, and a hardware reboot between some packages is still needed…

    Sad but true…

    Sometimes it takes a few pings before the NAS is reachable via Tailscale.

    Why are you not using the famous FreeBSD net/rclone, backup/znapzend, backup/zfs_autobackup, backup/sanoid and syncoid?

    Each of these solutions gives you more flexibility, because you need to back up not only the one pfSense config.xml, but maybe a bunch of other scripts and edited BSD system files with custom settings.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.